
ID: 71345
Cookbook: browseurl.jbs
Time: 11:22:46
Date: 07/08/2018
Version: 23.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 4
    Classification 5
    Signature Overview 5
      AV Detection 6
      Bitcoin Miner 6
      Software Vulnerabilities 6
      Networking 6
      System Summary 6
      Hooking and other Techniques for Hiding and Protection 6
      Malware Analysis System Evasion 6
      Anti Debugging 7
      Language, Device and Operating System Detection 7
    Behavior Graph 7
  Simulations 7
    Behavior and APIs 7
  Antivirus Detection 7
    Initial Sample 7
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 8
  Yara Overview 8
    Initial Sample 8
    PCAP (Network Traffic) 8
    Dropped Files 8
    Memory Dumps 8
    Unpacked PEs 8
  Joe Sandbox View / Context 8
    IPs 8
    Domains 8
    ASN 8
    Dropped Files 9
  Screenshots 9
  Startup 9
  Created / dropped Files 9
  Contacted Domains/Contacted IPs 11
    Contacted Domains 11
    Contacted URLs 12
    Contacted IPs 12
      Public 12
  Static File Info 12
    No static file info 12
  Network Behavior 12
    Network Port Distribution 12
    TCP Packets 13
    UDP Packets 13
    DNS Queries 13
    DNS Answers 13
    HTTP Request Dependency Graph 13
    HTTP Packets 13
  Code Manipulations 14
  Statistics 14
  Behavior 14
  System Behavior 14
    Analysis Process: iexplore.exe PID: 2056 Parent PID: 548 14
      General 15
      File Activities 15
      Registry Activities 15
    Analysis Process: iexplore.exe PID: 1900 Parent PID: 2056 15
      General 15
      File Activities 15
      Registry Activities 16
    Analysis Process: wscript.exe PID: 3104 Parent PID: 2056 16
      General 16
      File Activities 16
      Registry Activities 16
        Key Created 16
  Disassembly 16

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 71345
Start date: 07.08.2018
Start time: 11:22:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 56s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http://aqc223.adfrend.com/friendly.js
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.expl.mine.win@5/9@1/1
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time
Warnings: Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe; Report size getting too big, too many NtDeviceIoControlFile calls found; Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   56      0 - 100   Report FP / FN   MAL

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false

Classification

[Classification diagram: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Signature Overview

• AV Detection
• Bitcoin Miner
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for dropped file

Bitcoin Miner:

Found strings related to Crypto-Mining

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)

Networking:

Downloads compressed data via HTTP

Downloads files

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph: ID 71345, URL http://aqc223.adfrend.com/friendly.js, start date 07/08/2018, architecture WINDOWS, score 56. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.]

Processes shown: iexplore.exe, which started iexplore.exe and wscript.exe.
Signatures shown: Antivirus detection for dropped file; Found strings related to Crypto-Mining; Potential browser exploit detected (process start blacklist hit).
Dropped files shown: C:\Users\user\AppData\...\friendly[1].js (HTML); C:\Users\user\...\friendly.js.b9ht2vr.partial (HTML); friendly.js.b9ht2v...ial:Zone.Identifier (ASCII).
DNS/IP info shown: aqc223.adfrend.com, 173.208.193.181 (ports 49171, 49172, 80), WII-KC-WholeSaleInternetIncUS, United States.

Simulations

Behavior and APIs

Time       Type              Description
11:23:26   API Interceptor   421x Sleep call for process: iexplore.exe modified
11:23:50   API Interceptor   2x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample

Source                                  Detection   Scanner      Label   Link
http://aqc223.adfrend.com/friendly.js   0%          virustotal           Browse

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\friendly[1].js
  Detection: 100%, Scanner: Avira, Label: PUA/CryptoMiner.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial
  Detection: 100%, Scanner: Avira, Label: PUA/CryptoMiner.Gen

Unpacked PE Files

No Antivirus matches

Domains

Source               Detection   Scanner      Label   Link
aqc223.adfrend.com   0%          virustotal           Browse

URLs

Source                                  Detection   Scanner           Label   Link
http://aqc223.adfrend.com/friendly.js   0%          virustotal                Browse
http://aqc223.adfrend.com/friendly.js   0%          Avira URL Cloud   safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Startup

System is w7
iexplore.exe (PID: 2056, cmdline: 'C:\Program Files\\iexplore.exe' -Embedding, MD5: CA1F703CD665867E8132D2946FB55750)
  iexplore.exe (PID: 1900, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2056 CREDAT:275457 /prefetch:2, MD5: CA1F703CD665867E8132D2946FB55750)
  wscript.exe (PID: 3104, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js', MD5: 979D74799EA6C8B8167869A68DF5204A)
cleanup

Created / dropped Files

C:\Users\SAMTAR~1\AppData\Local\Temp\~DF01346E7BD5F72CD3.TMP
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: FoxPro FPT, blocks size 258, next free block index 16711424
  Size (bytes): 29989
  Entropy (8bit): 1.5449829905758383
  Encrypted: false
  MD5: 8130C3A6952FC493FA5F6EC39295E090
  SHA1: 35926EF1820B8C44FF6C450FE8C2E1F2AED56862
  SHA-256: 37E99ECED0122D5F230F07BA7C7FE5E5A5B381853A4A435C8D00D7E4700BCBDE
  SHA-512: F192A2EF2A5BE9DBBE4E252EDAF57748F48C4CD9F73860B7E3DC495A6FBDFC55E95DE4068FE09EBC0D6E9AB59E645034184C2AAE7C1953A787AC6094B95C6679
  Malicious: false
  Reputation: low

C:\Users\SAMTAR~1\AppData\Local\Temp\~DF442007127DB870C9.TMP
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: data
  Size (bytes): 12981
  Entropy (8bit): 2.8326739835194443
  Encrypted: false
  MD5: BCC796EAEFCEEC052188CAACC8D4CAFC
  SHA1: 625B8D8CEA3F6FE31BE37B849D89904522961296
  SHA-256: E9336A2665B887E5507782A9831C3B9162A5D4AEDAA0E3645AB3C92092C62CA0
  SHA-512: E094E014D68E236160A77E96ACEAD30264D013FE7200EBD57D9928BAAAB3DB7B41B718EC4320DEEEAB60E6E68F25A04731AC716F641F08629C013E9BD3FDD8C8
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{899453F1-9A23-11E8-B3E3-CCDA62336E41}.dat
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 32344
  Entropy (8bit): 1.7952268015278676
  Encrypted: false
  MD5: EB3FA6865F05937651AD47B606D65620
  SHA1: 867E3DDF6BFFDE2E44C4AFD721E2B0B2E6C94D37
  SHA-256: 73958600453C6A50E140A4959F00CFC01C4C2243D289DFF1FF30546C579E86CD
  SHA-512: F806CEF5CCCEC46458B86C7BA7B0FA415F262A79C7392258C828FED4D72FCC3B886136755202060800A5B7DFE59F0F85D77E547AD1D23BDEB7DA0BF82DA8CF1D
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{899453F3-9A23-11E8-B3E3-CCDA62336E41}.dat
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 19032
  Entropy (8bit): 1.6010720089232622
  Encrypted: false
  MD5: 88EFACC234B7DDCCF0A46C6D13043FC0
  SHA1: CD304A1505A7E14EB59731CC3FD5BB73435267B7
  SHA-256: 3C683558E6898E534A8B005BC1CD87B3A623858FA02EACFFE6435F7E8F82082B
  SHA-512: 338F8AAABC174B871899F9226EC000991982E38BDC14026AFAE300A3FA300E1FAF8609D02B72689DFBCB11F487D6985E98FACE9B750C0D2FD5C335C7957ED92C
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: HTML document, ASCII text, with no line terminators
  Size (bytes): 292
  Entropy (8bit): 5.2794367444469295
  Encrypted: false
  MD5: 4E54C3B70993814E4B0E23C537F5DE1E
  SHA1: E474955F620256BA3FFBBDD114E3603C26BBCB74
  SHA-256: 8E3F46FADC59F4A482C1BA9FD119DBB31C29A1247731A3D886058AFEF127233E
  SHA-512: 40D28C90DA7A125BDDC2C8CDA6297C3FC948E50A33F7C9634904D978FEAD79D00D13E3FC49C9FC52EBA60A861FCC1760CE5911DE6BC1E8855FA1B95B0815424E
  Malicious: true
  Antivirus: Avira, Detection: 100%
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial:Zone.Identifier
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 26
  Entropy (8bit): 3.9500637564362093
  Encrypted: false
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
  SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
  SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
  Malicious: true
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js:Zone.Identifier
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: very short file (no magic)
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  MD5: ECCBC87E4B5CE2FE28308FD9F2A7BAF3
  SHA1: 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
  SHA-256: 4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
  SHA-512: 3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\friendly[1].js
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: HTML document, ASCII text, with no line terminators
  Size (bytes): 292
  Entropy (8bit): 5.2794367444469295
  Encrypted: false
  MD5: 4E54C3B70993814E4B0E23C537F5DE1E
  SHA1: E474955F620256BA3FFBBDD114E3603C26BBCB74
  SHA-256: 8E3F46FADC59F4A482C1BA9FD119DBB31C29A1247731A3D886058AFEF127233E
  SHA-512: 40D28C90DA7A125BDDC2C8CDA6297C3FC948E50A33F7C9634904D978FEAD79D00D13E3FC49C9FC52EBA60A861FCC1760CE5911DE6BC1E8855FA1B95B0815424E
  Malicious: true
  Antivirus: Avira, Detection: 100%
  Reputation: low

\samr
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Hitachi SH big-endian COFF object, not stripped
  Size (bytes): 116
  Entropy (8bit): 4.053374040827533
  Encrypted: false
  MD5: 080E701E8B8E2E9C68203C150AC7C6B7
  SHA1: 4EF041621388B805758AE1D3B122F9D364705223
  SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
  SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
  Malicious: false
  Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains

Name                 IP                Active   Malicious   Antivirus Detection      Reputation
aqc223.adfrend.com   173.208.193.181   true     false       0%, virustotal, Browse   unknown

Contacted URLs

Name                                    Process
http://aqc223.adfrend.com/friendly.js   C:\Program Files\Internet Explorer\iexplore.exe

Contacted IPs


Public

IP                Country         ASN     ASN Name                         Malicious
173.208.193.181   United States   32097   WII-KC-WholeSaleInternetIncUS   false

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 8
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp                             Source Port   Dest Port   Source IP         Dest IP
Aug 7, 2018 11:23:28.236330986 CEST   63758         53          192.168.2.3       8.8.8.8
Aug 7, 2018 11:23:28.286312103 CEST   53            63758       8.8.8.8           192.168.2.3
Aug 7, 2018 11:23:28.295602083 CEST   49171         80          192.168.2.3       173.208.193.181
Aug 7, 2018 11:23:28.296526909 CEST   49172         80          192.168.2.3       173.208.193.181
Aug 7, 2018 11:23:28.423145056 CEST   80            49171       173.208.193.181   192.168.2.3
Aug 7, 2018 11:23:28.423229933 CEST   49171         80          192.168.2.3       173.208.193.181
Aug 7, 2018 11:23:28.424396992 CEST   80            49172       173.208.193.181   192.168.2.3
Aug 7, 2018 11:23:28.424521923 CEST   49172         80          192.168.2.3       173.208.193.181
Aug 7, 2018 11:23:28.424868107 CEST   49171         80          192.168.2.3       173.208.193.181
Aug 7, 2018 11:23:28.810250998 CEST   80            49171       173.208.193.181   192.168.2.3
Aug 7, 2018 11:23:29.042680979 CEST   80            49171       173.208.193.181   192.168.2.3
Aug 7, 2018 11:23:29.042834044 CEST   49171         80          192.168.2.3       173.208.193.181

UDP Packets

Timestamp                             Source Port   Dest Port   Source IP     Dest IP
Aug 7, 2018 11:23:28.236330986 CEST   63758         53          192.168.2.3   8.8.8.8
Aug 7, 2018 11:23:28.286312103 CEST   53            63758       8.8.8.8       192.168.2.3

DNS Queries

Timestamp                             Source IP     Dest IP   Trans ID   OP Code              Name                 Type             Class
Aug 7, 2018 11:23:28.236330986 CEST   192.168.2.3   8.8.8.8   0xe477     Standard query (0)   aqc223.adfrend.com   A (IP address)   IN (0x0001)

DNS Answers

Timestamp                             Source IP   Dest IP       Trans ID   Reply Code     Name                 CName   Address           Type             Class
Aug 7, 2018 11:23:28.286312103 CEST   8.8.8.8     192.168.2.3   0xe477     No error (0)   aqc223.adfrend.com           173.208.193.181   A (IP address)   IN (0x0001)

HTTP Request Dependency Graph

aqc223.adfrend.com

HTTP Packets

Session ID   Source IP     Source Port   Destination IP    Destination Port   Process
0            192.168.2.3   49171         173.208.193.181   80                 C:\Program Files\Internet Explorer\iexplore.exe

Timestamp: Aug 7, 2018 11:23:28.424868107 CEST   kBytes transferred: 0   Direction: OUT
GET /friendly.js HTTP/1.1
Accept: text/, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; /7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: aqc223.adfrend.com
DNT: 1
Connection: Keep-Alive

Timestamp: Aug 7, 2018 11:23:29.042680979 CEST   kBytes transferred: 1   Direction: IN
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA div COM NAV OTC NOI DSP COR"
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 07 Aug 2018 09:23:26 GMT
Content-Length: 333
Data Raw: (gzip-compressed body; hex dump and ASCII rendering omitted)

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe
• wscript.exe

System Behavior

Analysis Process: iexplore.exe PID: 2056 Parent PID: 548

General

Start time: 11:23:26
Start date: 07/08/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0xd80000
File size: 815312 bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities


Analysis Process: iexplore.exe PID: 1900 Parent PID: 2056

General

Start time: 11:23:27
Start date: 07/08/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2056 CREDAT:275457 /prefetch:2
Imagebase: 0xd80000
File size: 815312 bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities

Analysis Process: wscript.exe PID: 3104 Parent PID: 2056

General

Start time: 11:23:50
Start date: 07/08/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js'
Imagebase: 0x4c0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities

Key Created

Source   Key Path                                                     Completion        Count   Address   Symbol
         HKEY_USERS\Software\Microsoft\                               success or wait   1       4C4109    RegCreateKeyExW
         HKEY_USERS\Software\Microsoft\Windows script Host\Settings   success or wait   1       4C4109    RegCreateKeyExW

Disassembly
