Analysis

Category Package Started Completed Duration
FILE js 2019-09-11 19:03:17 2019-09-11 19:03:47 30 seconds

Options

route = internet
procdump = 1

Log

2019-09-11 20:03:18,000 [root] INFO: Date set to: 09-11-19, time set to: 19:03:18, timeout set to: 200
2019-09-11 20:03:18,015 [root] DEBUG: Starting analyzer from: C:\ljxoi
2019-09-11 20:03:18,015 [root] DEBUG: Storing results at: C:\rqHTbn
2019-09-11 20:03:18,015 [root] DEBUG: Pipe server name: \\.\PIPE\UIhabV
2019-09-11 20:03:18,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 20:03:18,015 [root] INFO: Automatically selected analysis package "js"
2019-09-11 20:03:18,529 [root] DEBUG: Started auxiliary module Browser
2019-09-11 20:03:18,529 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 20:03:18,529 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 20:03:19,621 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 20:03:19,621 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 20:03:19,621 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 20:03:19,638 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 20:03:19,638 [root] DEBUG: Started auxiliary module Human
2019-09-11 20:03:19,638 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 20:03:19,653 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 20:03:19,653 [root] DEBUG: Started auxiliary module Usage
2019-09-11 20:03:19,653 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-09-11 20:03:19,653 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-09-11 20:03:19,746 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\greendotdot.js"" with pid 1964
2019-09-11 20:03:19,855 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 20:03:19,855 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\utHwxegV.dll, loader C:\ljxoi\bin\DCMGZxw.exe
2019-09-11 20:03:19,887 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\UIhabV.
2019-09-11 20:03:19,887 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\ljxoi\dll\utHwxegV.dll.
2019-09-11 20:03:19,887 [root] DEBUG: Process image base: 0x00AE0000
2019-09-11 20:03:19,903 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ljxoi\dll\utHwxegV.dll.
2019-09-11 20:03:19,903 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00B06000 - 0x77110000
2019-09-11 20:03:19,903 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00B10000.
2019-09-11 20:03:19,903 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 20:03:19,903 [root] DEBUG: Successfully injected DLL C:\ljxoi\dll\utHwxegV.dll.
2019-09-11 20:03:19,903 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1964
2019-09-11 20:03:21,914 [lib.api.process] INFO: Successfully resumed process with pid 1964
2019-09-11 20:03:21,914 [root] INFO: Added new process to list with pid: 1964
2019-09-11 20:03:21,961 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 20:03:21,977 [root] DEBUG: Process dumps enabled.
2019-09-11 20:03:22,023 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 20:03:22,023 [root] INFO: Disabling sleep skipping.
2019-09-11 20:03:22,023 [root] INFO: Disabling sleep skipping.
2019-09-11 20:03:22,023 [root] INFO: Disabling sleep skipping.
2019-09-11 20:03:22,023 [root] INFO: Disabling sleep skipping.
2019-09-11 20:03:22,023 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1964 at 0x747e0000, image base 0xae0000, stack from 0x356000-0x360000
2019-09-11 20:03:22,023 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\greendotdot.js".
2019-09-11 20:03:22,023 [root] INFO: Monitor successfully loaded in process with pid 1964.
2019-09-11 20:03:22,039 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-09-11 20:03:22,039 [root] DEBUG: DLL unloaded from 0x00AE0000.
2019-09-11 20:03:22,039 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-09-11 20:03:22,071 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-09-11 20:03:22,086 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-09-11 20:03:22,101 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-09-11 20:03:22,118 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-09-11 20:03:22,118 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-09-11 20:03:22,118 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-09-11 20:03:22,118 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-09-11 20:03:23,012 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-09-11 20:03:24,023 [root] DEBUG: DLL unloaded from 0x758B0000.
2019-09-11 20:03:24,023 [root] DEBUG: DLL unloaded from 0x74450000.
2019-09-11 20:03:24,023 [root] DEBUG: DLL unloaded from 0x74480000.
2019-09-11 20:03:24,039 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1964
2019-09-11 20:03:24,039 [root] DEBUG: GetHookCallerBase: thread 420 (handle 0x0), return address 0x00AE2FBD, allocation base 0x00AE0000.
2019-09-11 20:03:24,039 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00AE0000.
2019-09-11 20:03:24,039 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00AE0000.
2019-09-11 20:03:24,039 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-09-11 20:03:24,053 [root] INFO: Added new CAPE file to list with path: C:\rqHTbn\CAPE\1964_1280935612344412492019
2019-09-11 20:03:24,053 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x22a00.
2019-09-11 20:03:24,053 [root] DEBUG: DLL unloaded from 0x75140000.
2019-09-11 20:03:24,053 [root] INFO: Notified of termination of process with pid 1964.
2019-09-11 20:03:24,944 [root] INFO: Process with pid 1964 has terminated
2019-09-11 20:03:30,013 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 20:03:31,028 [root] INFO: Created shutdown mutex.
2019-09-11 20:03:32,042 [root] INFO: Shutting down package.
2019-09-11 20:03:32,042 [root] INFO: Stopping auxiliary modules.
2019-09-11 20:03:32,042 [root] INFO: Finishing auxiliary modules.
2019-09-11 20:03:32,042 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 20:03:32,042 [root] WARNING: File at path "C:\rqHTbn\debugger" does not exist, skip.
2019-09-11 20:03:32,042 [root] INFO: Analysis completed.

MalScore

1.5

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 19:03:17 2019-09-11 19:03:46

File Details

File Name greendotdot.js
File Size 18899 bytes
File Type ASCII text, with very long lines, with no line terminators
MD5 fc91551858e8b34e2007ae2d203f551b
SHA1 fabcbba0a0a40b889d28cbe14e9bb0029807cac1
SHA256 a3ba475b44577eff7fb17fc44ace8430681788677178dd2a4572947ff3084595
SHA512 7304b9d3b40303ecd4ac0cc2e5f37b51d2d79d32ab36c476010b255aa83476ae102eaaf2018ee57955872469ff76b8e89029b9e9510dd18bfc3c9525688a2106
CRC32 40FDA754
Ssdeep 384:Fg4blSmlSyXb0bT2h2KU4PBwTBFsSf4cJ/PqTfVb:FgolSmlSkoT2xUXFXn/PqB
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Possible date expiration check, exits too soon after checking local time
process: wscript.exe, PID 1964
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

Files

C:\Users\user\AppData\Local\Temp\greendotdot.js
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui

Read Files

C:\Users\user\AppData\Local\Temp\greendotdot.js
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\wscript.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoCreateInstance
advapi32.dll.UnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext

Mutexes

Local\MSCTF.Asm.MutexDefault1

Process Tree

  • wscript.exe 1964 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\greendotdot.js"

wscript.exe, PID: 1964, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\greendotdot.js"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name wscript.exe
PID 1964
Dump Size 141824 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image (executable)
MD5 02759353d79f662386e1bb7691fcca4a
SHA1 e87c22660662e9e9b40444f3b94a7055444cfa40
SHA256 f7c59b99337ba6c3afc50ede2237cc5b1cd517a18bf0c2ac9c10a83cac0b70b6
CRC32 49901147
Ssdeep 3072:LLbG4QQ4gNTUIF3x1/OKCEiWunMU2xwDqsm/CDku4r5Txt9x:LHG4QQdjT9zU8wmsmxNT5x
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename f7c59b99337ba6c3afc50ede2237cc5b1cd517a18bf0c2ac9c10a83cac0b70b6


Processing ( 2.592 seconds )

  • 1.464 Strings
  • 0.322 ProcDump
  • 0.29 Static
  • 0.26 CAPE
  • 0.088 Deduplicate
  • 0.084 TrID
  • 0.049 BehaviorAnalysis
  • 0.022 TargetInfo
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.057 seconds )

  • 0.011 antiav_detectreg
  • 0.006 ransomware_files
  • 0.004 infostealer_ftp
  • 0.003 antidbg_windows
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 persistence_autorun
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 api_spamming
  • 0.001 virtualcheck_js
  • 0.001 betabot_behavior
  • 0.001 heapspray_js
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn

Reporting ( 0.0 seconds )

Task ID 90430
Mongo ID 5d79451b28518285356324fc
Cuckoo release 1.3-CAPE