{"id":6129,"date":"2023-11-07T11:15:37","date_gmt":"2023-11-07T11:15:37","guid":{"rendered":"\/cybersecurity-blog\/?p=6129"},"modified":"2023-11-09T11:40:38","modified_gmt":"2023-11-09T11:40:38","slug":"script-tracer","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/","title":{"rendered":"Analyze Script Execution in ANY.RUN Using Script Tracer"},"content":{"rendered":"\n<p><strong>Script tracer <\/strong>makes it easy to trace and deobfuscate the execution flow of scripting programs within <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=scripttracer&amp;utm_content=landing&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s interactive cloud sandbox environment. This feature is available to all users and works in all of our supported Windows OS versions \u2014 from Windows 7 to Windows 11. With Script tracer, you can analyze<strong> JScript, VB Script, VBA, and Macro 4.0.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"3398\" height=\"1894\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-1024x571.png\" alt=\"\" class=\"wp-image-6131\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-1024x571.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-1536x856.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-2048x1142.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/1-740x412.png 740w\" 
sizes=\"(max-width: 3398px) 100vw, 3398px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why should you analyze scripts?&nbsp;<\/h2>\n\n\n\n<p>In the sandbox, you&#8217;ll often analyze more than just standard .exe files, since attackers also execute code using scripting languages like JScript.&nbsp;<\/p>\n\n\n\n<p>Scripting languages are powerful tools for performing a wide range of tasks in Windows, and malware authors exploit this capability. As a result, you&#8217;ll see an increasing number of malware samples written in scripting languages.&nbsp;<\/p>\n\n\n\n<p>In Windows, you&#8217;ll encounter various types of scripting code, including:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>JScript<\/strong>: similar in syntax to JavaScript but runs within the Windows Script Host&nbsp;<\/li>\n\n\n\n<li><strong>VBScript<\/strong>: native to Windows and used for system administration tasks&nbsp;<\/li>\n\n\n\n<li><strong>VBA (Visual Basic for Applications<\/strong>): used in Microsoft Office files for automating tasks like updating columns with formulas in tables&nbsp;<\/li>\n\n\n\n<li><strong>Macro 4.0<\/strong>: old scripts written in Macro 4.0, often found in Office documents&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Script tracer gives you an insight into script execution&nbsp;<\/h3>\n\n\n\n<p>Before this update, as an ANY.RUN user, you could already see the outcome of script execution \u2014 like which processes started or what the command line initiated. However, you couldn&#8217;t really see what attackers did within these scripts: API calls, OS version checks, WMI requests and so on.&nbsp;<\/p>\n\n\n\n<p>Script Tracer fills this knowledge gap. <strong>Now you get detailed insights into deobfuscated activities happening within scripts and office documents<\/strong>. It&#8217;s similar to debugging in any programming language, where you can step through each line of code. 
The difference is that we filter events to show only the key ones, avoiding information overload.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How does the Script tracer work?&nbsp;<\/h2>\n\n\n\n<p>There are two main ways to access the Script tracer reports: from a tracer icon in the process tree for those processes where the tracer activated, and from the in-depth Advanced process details report. Let\u2019s break them down:&nbsp;<\/p>\n\n\n\n<p><strong>1. New indicator in the process tree<\/strong>&nbsp;<\/p>\n\n\n\n<p>You can open the tracer report by clicking on the icon. 
The same is also available in process details.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"361\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-1024x361.png\" alt=\"\" class=\"wp-image-6133\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-1024x361.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-300x106.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-768x271.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-370x131.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-270x95.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2-740x261.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/2.png 1496w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>2. 
A new tab in Advanced process details<\/strong>&nbsp;<\/p>\n\n\n\n<p>In Advanced process details, you will now see a <strong>new Script tracer menu<\/strong> section for processes where the feature has activated, with sub-sections added automatically for each type of script that ran.&nbsp;<\/p>\n\n\n\n<p>Script tracer shows <strong>detailed information<\/strong> on each event that was recorded:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-1024x571.png\" alt=\"\" class=\"wp-image-6134\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-1024x571.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-1536x856.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-2048x1142.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/3-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Usually, you&#8217;ll deal with string data, which we display in three types of events:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li>function <strong>entry<\/strong>.&nbsp;<\/li>\n\n\n\n<li>function <strong>parameters<\/strong>.&nbsp;<\/li>\n\n\n\n<li>and function <strong>exit<\/strong>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>If other elements break up the input and output flow, a <strong>connecting line<\/strong> appears on the 
left. This line helps you see the relationship between the function&#8217;s input and output. For easier analysis, clicking on a<strong> <\/strong>row pins it to the workspace so you don&#8217;t lose track. You can <strong>pin <\/strong>a single event or multiple events to visualize a specific program flow branch:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"463\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-1024x463.png\" alt=\"\" class=\"wp-image-6135\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-1024x463.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-300x136.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-768x348.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-1536x695.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-370x167.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-270x122.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4-740x335.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/4.png 1538w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If a function receives a long parameter, the full data, including its HEX representation, will be displayed. For extremely long parameters, a &#8220;Show more&#8221; button appears. 
Clicking it takes you to Static Discovering, where you can view the complete HEX data, regardless of length.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"654\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-1024x654.png\" alt=\"\" class=\"wp-image-6136\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-1024x654.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-768x491.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-1536x981.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5-740x473.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/5.png 1573w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Script tracer\u2019s use cases&nbsp;&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>View VBE compiled scripts<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Using the tracer, we can view compiled VBE scripts: the script execution process, namely requested functions, transferred data, etc. 
On this screenshot we can see that the contents of the file are unreadable:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"640\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-1024x640.png\" alt=\"\" class=\"wp-image-6137\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-1024x640.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-300x187.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-768x480.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-370x231.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-270x169.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6-740x462.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/6.png 1268w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>But using the Script tracer we can see what commands are executed by this script.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"814\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-1024x814.png\" alt=\"\" class=\"wp-image-6138\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-1024x814.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-300x238.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-768x610.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-370x294.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-270x215.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7-740x588.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/7.png 1027w\" sizes=\"(max-width: 1024px) 
100vw, 1024px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/9d613449-16c4-4733-8ac8-d23057a3d6ac\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Get and download command returns<\/strong>&nbsp;<\/p>\n\n\n\n<p>The Script tracer also allows us to see things that we cannot see otherwise, such as what a certain request returns. In the screenshot below we can see that the cmd process command line contains the command <strong>dir<\/strong>, but we cannot see what this command returns.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-1024x484.png\" alt=\"\" class=\"wp-image-6139\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-1024x484.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-768x363.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-270x128.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8-740x350.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/8.png 1199w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>But with the help of our new feature, you can see the return of such commands and even download it.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1475\" height=\"618\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-1024x429.png\" alt=\"\" class=\"wp-image-6140\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-1024x429.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-300x126.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-768x322.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-370x155.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-270x113.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9-740x310.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/9.png 1475w\" sizes=\"(max-width: 1475px) 100vw, 1475px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"490\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/10.png\" alt=\"\" class=\"wp-image-6141\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/10.png 720w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/10-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/10-370x252.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/10-270x184.png 270w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d8275584-b486-4e7a-8295-2fd58f22228c\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Script usage by executable files<\/h3>\n\n\n\n<p>Did you know that scripts can be executed not only by the script engine, but also by <strong>executable files<\/strong>? Here&#8217;s an example with <strong>WMIC<\/strong> that loads vbscript and executes it. 
The malware utilizes WMIC to collect information on the infected device\u2019s OS and hardware:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"622\" height=\"398\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/11.png\" alt=\"\" class=\"wp-image-6142\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/11.png 622w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/11-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/11-370x237.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/11-270x173.png 270w\" sizes=\"(max-width: 622px) 100vw, 622px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/b8a413f8-9f9e-4eda-8f2b-e3a17a4eae0f\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Analyze VBS and JS-based malware <\/strong>&nbsp;<\/p>\n\n\n\n<p>What about malware? What if you come across malware that&#8217;s entirely VBS-based? That&#8217;s not a problem! <a href=\"https:\/\/any.run\/malware-trends\/wshrat\" target=\"_blank\" rel=\"noreferrer noopener\">WSHRat<\/a> malware is a good example of how it all works. &nbsp;<\/p>\n\n\n\n<p>For example, here the malware makes a WMI query to &#8220;<strong>winmgmts:\\\\\\localhost\\root\\SecurityCenter2&#8221;<\/strong>, most likely to enumerate installed antivirus solutions. 
Thus, the Script tracer allows us to look inside the malware without using time-consuming methods like reverse engineering and debugging.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"277\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13.png\" alt=\"\" class=\"wp-image-6144\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13.png 793w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13-300x105.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13-768x268.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13-370x129.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13-270x94.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/13-740x258.png 740w\" sizes=\"(max-width: 793px) 100vw, 793px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"610\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-1024x610.png\" alt=\"\" class=\"wp-image-6143\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-1024x610.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-768x458.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-1536x916.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-2048x1221.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/12-740x441.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\">Script execution process<\/figcaption><\/figure>\n\n\n\n<p>But you don&#8217;t even have to do that! We have created a lot of signatures and for your convenience we have indicators in the process details window that describe the scripts and malware actions.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"583\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14.png\" alt=\"\" class=\"wp-image-6145\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14.png 580w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14-298x300.png 298w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14-370x372.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/14-270x271.png 270w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/14852d31-01cf-4a03-95fe-b1af8b4b9525\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Check Microsoft Office macros and scripts&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>Microsoft office isn\u2019t left behind: you don&#8217;t need to use different utilities to investigate macros and scripts, now they are available in a few clicks. 
Here is an example of a malicious VB script being executed with a network request:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-1024x548.png\" alt=\"\" class=\"wp-image-6146\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-1024x548.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-768x411.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15-740x396.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/15.png 1047w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/8c467bb2-f22e-41fc-910a-b8b528761ba7\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p>We support other Microsoft Office file formats, too.&nbsp; Have a look at PowerPoint with the cmd start command line.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1020\" height=\"417\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16.png\" alt=\"\" class=\"wp-image-6147\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16.png 1020w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16-300x123.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16-768x314.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16-370x151.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16-270x110.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/16-740x303.png 740w\" sizes=\"(max-width: 1020px) 100vw, 1020px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/c4340c03-ba77-4584-bd65-83b02b558a1b\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Dive into more complicated cases&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>Is there anything trickier? Yes, there is &#8211; we have a <strong>visible Windows API<\/strong>! Look at this sneaky malicious document, built on the basis of alloc and request. It will not remain a secret for our users.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"422\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17.png\" alt=\"\" class=\"wp-image-6148\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17.png 840w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17-300x151.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17-768x386.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17-270x136.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/11\/17-740x372.png 740w\" sizes=\"(max-width: 840px) 100vw, 840px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/e51ddc01-3830-44b9-bb46-765de218232f\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=task&amp;utm_term=071123\" 
target=\"_blank\" rel=\"noreferrer noopener\">Check the sample \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Are you interested in trying Script tracer \u2014 along with the full range of ANY.RUN capabilities? <\/strong>Request a trial today and enjoy 14 days of free access to our Enterprise plan.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article_bottom&amp;utm_campaign=scripttracer&amp;utm_content=trial&amp;utm_term=071123\" target=\"_blank\" rel=\"noreferrer noopener\">Request trial \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Script tracer makes it easy to trace and deobfuscate the execution flow of scripting programs within ANY.RUN\u2019s interactive cloud sandbox environment. This feature is available to all users and works in all of our supported Windows OS versions \u2014 from Windows 7 to Windows 11. With Script tracer, you can analyze JScript, VB Script, VBA, and [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":6149,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[54,34,55,56],"class_list":["post-6129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-features","tag-malware-analysis","tag-release","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analyze Script Execution in ANY.RUN Using Script Tracer - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Trace and deobfuscate the execution flow of scripting programs within ANY.RUN\u2019s interactive cloud sandbox environment.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vlad Ananin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\"},\"author\":{\"name\":\"Vlad Ananin\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Analyze Script Execution in ANY.RUN Using Script Tracer\",\"datePublished\":\"2023-11-07T11:15:37+00:00\",\"dateModified\":\"2023-11-09T11:40:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\"},\"wordCount\":1085,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"features\",\"malware analysis\",\"release\",\"update\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\",\"name\":\"Analyze Script Execution in ANY.RUN Using Script Tracer - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-11-07T11:15:37+00:00\",\"dateModified\":\"2023-11-09T11:40:38+00:00\",\"description\":\"Trace and deobfuscate the execution flow of scripting programs within ANY.RUN\u2019s interactive cloud sandbox 
environment.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyze Script Execution in ANY.RUN Using Script Tracer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Vlad Ananin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"caption\":\"Vlad Ananin\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/vlad-ananin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyze Script Execution in ANY.RUN Using Script Tracer - ANY.RUN&#039;s Cybersecurity Blog","description":"Trace and deobfuscate the execution flow of scripting programs within ANY.RUN\u2019s interactive cloud sandbox environment.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/","twitter_misc":{"Written by":"Vlad Ananin","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/"},"author":{"name":"Vlad Ananin","@id":"https:\/\/any.run\/"},"headline":"Analyze Script Execution in ANY.RUN Using Script Tracer","datePublished":"2023-11-07T11:15:37+00:00","dateModified":"2023-11-09T11:40:38+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/"},"wordCount":1085,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["features","malware analysis","release","update"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/","url":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/","name":"Analyze Script Execution in ANY.RUN Using Script Tracer - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-11-07T11:15:37+00:00","dateModified":"2023-11-09T11:40:38+00:00","description":"Trace and deobfuscate the execution flow of scripting programs within ANY.RUN\u2019s interactive cloud sandbox environment.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/script-tracer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service 
Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Analyze Script Execution in ANY.RUN Using Script Tracer"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Vlad Ananin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g","caption":"Vlad 
Ananin"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/vlad-ananin\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6129"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=6129"}],"version-history":[{"count":3,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6129\/revisions"}],"predecessor-version":[{"id":6165,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/6129\/revisions\/6165"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/6149"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=6129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=6129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=6129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}