Javascript Attempts to Detect VMs via Registry | Files
VTI SCORE: 100/100
Target: win8.1_64 | windows_script_file
Classification: Dropper, Downloader

f664d5e8a47084388e3d0efabc38b5f04a759e382211846f722be6f7365df7fc (SHA256)

pricaz _6_.js

JScript

Created at 2018-02-28 11:58:00

Files Information

Number of sample files submitted for analysis 1
Number of files created and extracted during analysis 5
Number of files modified and extracted during analysis 6
c:\users\5jghkoaofdp\desktop\pricaz _6_.js
File Properties
Names c:\users\5jghkoaofdp\desktop\pricaz _6_.js (Sample File)
Size 6.84 KB
Hash Values MD5: 61e6fb6d1882411f588ae60cd2803ce4
SHA1: 94e0a747af5edf70cd3db0224686f4fe2db2a8aa
SHA256: f664d5e8a47084388e3d0efabc38b5f04a759e382211846f722be6f7365df7fc
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex (Modified File)
Size 6.91 KB
Hash Values MD5: e8e6e1b9670f015ff4e0a55a47615496
SHA1: 9f64bbffa5f580d8056edf6bcfebedcace913943
SHA256: 2ba0ac4628e063acc987add7b3107068c6bb8d8bcc2b722132880bd6ba2de898
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheentry_3d8ab723-44d5-4795-947e-d5b7229dfa98
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheentry_3d8ab723-44d5-4795-947e-d5b7229dfa98 (Modified File)
Size 9.00 KB
Hash Values MD5: a15e3bf31a9614ef17d3c33e54536e17
SHA1: 186d1c742c97a503765a44c8ba7236d6561e1228
SHA256: 2af233b36d2216fae1abf43ad7726d871355236517fdbf49367fdb599b168b85
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\powershell\commandanalysis\powershell_analysiscacheindex (Modified File)
Size 6.91 KB
Hash Values MD5: de860b30d5a9cc8628f46fff6b2856f0
SHA1: 9b737328f71457b429c981c1ffad5ed964af3840
SHA256: a78a1c9195470cf245ccfe0fe41f7b2b72a49237ce37c7b7feb711bdd2d0d38d
c:\users\5jghkoaofdp\appdata\roamingeox20.exe
File Properties
Names c:\users\5jghkoaofdp\appdata\roamingeox20.exe (Created File)
Size 219.50 KB
Hash Values MD5: b045619c51603937bff8f832fb125339
SHA1: 2c8ddc87345e1c52173d9ed19161adbf60efe125
SHA256: 4e21cb59a18a4be27cf9879fdcc40411cd9ec5bc8b4340101d4eed2a3ff82c49
PE Information
Information Value
Image Base 0x400000
Entry Point 0x401d39
Size Of Code 0xd200
Size Of Initialized Data 0x2b200
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2018-02-28 08:07:58
Compiler/Packer Unknown
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0xd19e 0xd200 0x400 CNT_CODE, MEM_EXECUTE, MEM_READ 6.65
.rdata 0x40f000 0x789a 0x7a00 0xd600 CNT_INITIALIZED_DATA, MEM_READ 5.55
.data 0x417000 0x22ac 0xa00 0x15000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 2.28
.gfids 0x41a000 0x111c 0x400 0x15a00 CNT_INITIALIZED_DATA, MEM_READ 1.14
.rsrc 0x41c000 0x1fc39 0x1fe00 0x15e00 CNT_INITIALIZED_DATA, MEM_READ 7.89
.reloc 0x43c000 0x1050 0x1200 0x35c00 CNT_INITIALIZED_DATA, MEM_DISCARDABLE, MEM_READ 6.26
Imports (78)
KERNEL32.dll (76)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetCommTimeouts 0x0 0x40f00c 0x161bc 0x147bc
GetModuleHandleA 0x0 0x40f010 0x161c0 0x147c0
GetLastError 0x0 0x40f014 0x161c4 0x147c4
GetMailslotInfo 0x0 0x40f018 0x161c8 0x147c8
GlobalAlloc 0x0 0x40f01c 0x161cc 0x147cc
GetNativeSystemInfo 0x0 0x40f020 0x161d0 0x147d0
LoadLibraryW 0x0 0x40f024 0x161d4 0x147d4
GetProcAddress 0x0 0x40f028 0x161d8 0x147d8
GetCurrentProcessId 0x0 0x40f02c 0x161dc 0x147dc
GetTempPathW 0x0 0x40f030 0x161e0 0x147e0
GlobalMemoryStatus 0x0 0x40f034 0x161e4 0x147e4
GetProcessHandleCount 0x0 0x40f038 0x161e8 0x147e8
GetDriveTypeW 0x0 0x40f03c 0x161ec 0x147ec
WriteConsoleW 0x0 0x40f040 0x161f0 0x147f0
FlushFileBuffers 0x0 0x40f044 0x161f4 0x147f4
SetFilePointerEx 0x0 0x40f048 0x161f8 0x147f8
GetConsoleMode 0x0 0x40f04c 0x161fc 0x147fc
GetConsoleCP 0x0 0x40f050 0x16200 0x14800
HeapReAlloc 0x0 0x40f054 0x16204 0x14804
HeapSize 0x0 0x40f058 0x16208 0x14808
GetSystemTimes 0x0 0x40f05c 0x1620c 0x1480c
SetSystemTime 0x0 0x40f060 0x16210 0x14810
GetProcessHeap 0x0 0x40f064 0x16214 0x14814
GetStringTypeW 0x0 0x40f068 0x16218 0x14818
UnhandledExceptionFilter 0x0 0x40f06c 0x1621c 0x1481c
SetUnhandledExceptionFilter 0x0 0x40f070 0x16220 0x14820
GetCurrentProcess 0x0 0x40f074 0x16224 0x14824
TerminateProcess 0x0 0x40f078 0x16228 0x14828
IsProcessorFeaturePresent 0x0 0x40f07c 0x1622c 0x1482c
QueryPerformanceCounter 0x0 0x40f080 0x16230 0x14830
GetCurrentThreadId 0x0 0x40f084 0x16234 0x14834
GetSystemTimeAsFileTime 0x0 0x40f088 0x16238 0x14838
InitializeSListHead 0x0 0x40f08c 0x1623c 0x1483c
IsDebuggerPresent 0x0 0x40f090 0x16240 0x14840
GetStartupInfoW 0x0 0x40f094 0x16244 0x14844
GetModuleHandleW 0x0 0x40f098 0x16248 0x14848
RaiseException 0x0 0x40f09c 0x1624c 0x1484c
RtlUnwind 0x0 0x40f0a0 0x16250 0x14850
SetLastError 0x0 0x40f0a4 0x16254 0x14854
EnterCriticalSection 0x0 0x40f0a8 0x16258 0x14858
LeaveCriticalSection 0x0 0x40f0ac 0x1625c 0x1485c
DeleteCriticalSection 0x0 0x40f0b0 0x16260 0x14860
InitializeCriticalSectionAndSpinCount 0x0 0x40f0b4 0x16264 0x14864
TlsAlloc 0x0 0x40f0b8 0x16268 0x14868
TlsGetValue 0x0 0x40f0bc 0x1626c 0x1486c
TlsSetValue 0x0 0x40f0c0 0x16270 0x14870
TlsFree 0x0 0x40f0c4 0x16274 0x14874
FreeLibrary 0x0 0x40f0c8 0x16278 0x14878
LoadLibraryExW 0x0 0x40f0cc 0x1627c 0x1487c
ExitProcess 0x0 0x40f0d0 0x16280 0x14880
GetModuleHandleExW 0x0 0x40f0d4 0x16284 0x14884
GetStdHandle 0x0 0x40f0d8 0x16288 0x14888
WriteFile 0x0 0x40f0dc 0x1628c 0x1488c
GetModuleFileNameA 0x0 0x40f0e0 0x16290 0x14890
MultiByteToWideChar 0x0 0x40f0e4 0x16294 0x14894
WideCharToMultiByte 0x0 0x40f0e8 0x16298 0x14898
GetACP 0x0 0x40f0ec 0x1629c 0x1489c
HeapFree 0x0 0x40f0f0 0x162a0 0x148a0
HeapAlloc 0x0 0x40f0f4 0x162a4 0x148a4
LCMapStringW 0x0 0x40f0f8 0x162a8 0x148a8
EncodePointer 0x0 0x40f0fc 0x162ac 0x148ac
DecodePointer 0x0 0x40f100 0x162b0 0x148b0
GetFileType 0x0 0x40f104 0x162b4 0x148b4
CloseHandle 0x0 0x40f108 0x162b8 0x148b8
FindClose 0x0 0x40f10c 0x162bc 0x148bc
FindFirstFileExA 0x0 0x40f110 0x162c0 0x148c0
FindNextFileA 0x0 0x40f114 0x162c4 0x148c4
IsValidCodePage 0x0 0x40f118 0x162c8 0x148c8
GetOEMCP 0x0 0x40f11c 0x162cc 0x148cc
GetCPInfo 0x0 0x40f120 0x162d0 0x148d0
GetCommandLineA 0x0 0x40f124 0x162d4 0x148d4
GetCommandLineW 0x0 0x40f128 0x162d8 0x148d8
GetEnvironmentStringsW 0x0 0x40f12c 0x162dc 0x148dc
FreeEnvironmentStringsW 0x0 0x40f130 0x162e0 0x148e0
SetStdHandle 0x0 0x40f134 0x162e4 0x148e4
CreateFileW 0x0 0x40f138 0x162e8 0x148e8
GDI32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
GetTextMetricsW 0x0 0x40f000 0x161b0 0x147b0
BeginPath 0x0 0x40f004 0x161b4 0x147b4
Icons (4)
c:\users\5jghkoaofdp\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3643094112-4209292109-138530109-1001\f38507b2d5f90131ac97816a970da7f0_d4f05a1a-9632-4b29-acc8-98bb6de773ed
File Properties
Names c:\users\5jghkoaofdp\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-3643094112-4209292109-138530109-1001\f38507b2d5f90131ac97816a970da7f0_d4f05a1a-9632-4b29-acc8-98bb6de773ed (Modified File)
Size 0.05 KB
Hash Values MD5: 469aa816010c9c8639a9176f625189af
SHA1: 2f1050adf64f33298ff0ce423eb86d4728441b21
SHA256: 7955cb2de90dd9efc6df9fdbf5f5d10c114f4135a9a6b52db1003be749e32f7a
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\nval3l9q.htm
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\nval3l9q.htm (Created File)
Size 0.01 KB
Hash Values MD5: 57e8c72cebb02d041da05bced1877d88
SHA1: ded81e42a51de6b79790ef50bba691906c46fc29
SHA256: 479ba34e45c56d3850a558ec467b3bfb6ba8e5a28e16a1095763d1f9ceae21d2
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\curl[1].htm
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\ie\vzk262qe\curl[1].htm (Created File)
Size 5.57 KB
Hash Values MD5: 81b3cce7d4e7796889feab729213f603
SHA1: 68f945d6f0690ea07db365a170307d6ec1fd626a
SHA256: 196f7923b3403b6bec0e478dffda9d0139aa30b806e4fb89b73876a9c2a503c9
c:\gdcb-decrypt.txt, ...
File Properties
Names c:\gdcb-decrypt.txt (Created File)
c:\$recycle.bin\gdcb-decrypt.txt (Created File)
c:\$recycle.bin\s-1-5-19\gdcb-decrypt.txt (Created File)
c:\$recycle.bin\s-1-5-21-3643094112-4209292109-138530109-1001\gdcb-decrypt.txt (Created File)
c:\boot\gdcb-decrypt.txt (Created File)
c:\boot\bg-bg\gdcb-decrypt.txt (Created File)
c:\boot\cs-cz\gdcb-decrypt.txt (Created File)
c:\boot\da-dk\gdcb-decrypt.txt (Created File)
c:\boot\de-de\gdcb-decrypt.txt (Created File)
c:\boot\el-gr\gdcb-decrypt.txt (Created File)
c:\boot\en-gb\gdcb-decrypt.txt (Created File)
c:\boot\en-us\gdcb-decrypt.txt (Created File)
c:\boot\es-es\gdcb-decrypt.txt (Created File)
c:\boot\et-ee\gdcb-decrypt.txt (Created File)
c:\boot\fi-fi\gdcb-decrypt.txt (Created File)
c:\boot\fonts\gdcb-decrypt.txt (Created File)
c:\boot\fr-fr\gdcb-decrypt.txt (Created File)
c:\boot\hr-hr\gdcb-decrypt.txt (Created File)
c:\boot\hu-hu\gdcb-decrypt.txt (Created File)
c:\boot\it-it\gdcb-decrypt.txt (Created File)
c:\boot\ja-jp\gdcb-decrypt.txt (Created File)
c:\boot\ko-kr\gdcb-decrypt.txt (Created File)
c:\boot\lt-lt\gdcb-decrypt.txt (Created File)
c:\boot\lv-lv\gdcb-decrypt.txt (Created File)
c:\boot\nb-no\gdcb-decrypt.txt (Created File)
c:\boot\nl-nl\gdcb-decrypt.txt (Created File)
c:\boot\pl-pl\gdcb-decrypt.txt (Created File)
c:\boot\pt-br\gdcb-decrypt.txt (Created File)
c:\boot\pt-pt\gdcb-decrypt.txt (Created File)
c:\boot\qps-ploc\gdcb-decrypt.txt (Created File)
c:\boot\resources\gdcb-decrypt.txt (Created File)
c:\boot\resources\en-us\gdcb-decrypt.txt (Created File)
c:\boot\ro-ro\gdcb-decrypt.txt (Created File)
c:\boot\ru-ru\gdcb-decrypt.txt (Created File)
c:\boot\sk-sk\gdcb-decrypt.txt (Created File)
c:\boot\sl-si\gdcb-decrypt.txt (Created File)
c:\boot\sr-latn-cs\gdcb-decrypt.txt (Created File)
c:\boot\sr-latn-rs\gdcb-decrypt.txt (Created File)
c:\boot\sv-se\gdcb-decrypt.txt (Created File)
c:\boot\tr-tr\gdcb-decrypt.txt (Created File)
c:\boot\uk-ua\gdcb-decrypt.txt (Created File)
c:\boot\zh-cn\gdcb-decrypt.txt (Created File)
c:\boot\zh-hk\gdcb-decrypt.txt (Created File)
c:\boot\zh-tw\gdcb-decrypt.txt (Created File)
Size 2.55 KB
Hash Values MD5: e6cf22b643516b1cbc1454324c2aa5cb
SHA1: 22726d8300f1511353749f6fb1ac1daa05a3c915
SHA256: a4382db195164b328ba5d86c2fec6e5505cc7e769a564a466193382813c85f12
c:\boot\bootstat.dat, ...
File Properties
Names c:\boot\bootstat.dat (Modified File)
c:\boot\bootstat.dat.gdcb (Created File)
Size 64.52 KB
Hash Values MD5: 61837361532f862e30ffee38c44eda46
SHA1: c0092de53a8bed8dc8ee0cfaea61b1b6f3f2124a
SHA256: eadfa2893129bb8a4142c54e6c5be229fa24e7f4cb6e3396a368f420cc98630f
c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\counters.dat
File Properties
Names c:\users\5jghkoaofdp\appdata\local\microsoft\windows\inetcache\counters.dat (Modified File)
Size 0.12 KB
Hash Values MD5: 249407e9ef04738cf8e05e1ff9bc43c8
SHA1: da14d34b9904e36924c14b8ee91b019a29dc7b6f
SHA256: 439beb7c177c913cb30d10b2e93bd4eddca2e62754277ba0fff2784058813aac
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.