Advanced File Analysis System

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds

Detects VirtualBox through the presence of a file Show sources

file_query

C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Creates a hidden or system file Show sources

file_write

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1139ddc.TMP

Malicious Document

The office file has a unconventional code page: ANSI Cyrillic; Cyrillic (Windows)

The office file has a macro. Show sources

content

The file appears to have no content.