iodnwqioundoiqk1.ogg

First submission 2023-09-15 20:51:02

File details

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	4787.0 KB (4901888 bytes)
Compile time:	2061-11-06 00:51:38
MD5:	401733815427af8ff3e1d882a9a27fd1
SHA1:	e6fdfc26ae8f55dbf24ddbab10422d4266fbd424
SHA256:	bcae463c6266d8e280a1cd723fafce2b0da9c7d0c6f1a5456e552220ec730c2a
Import Hash :	6ac0494255f289fa08f5348c7771941f
Sections 7	.text .rdata .data .pdata .didat .rsrc .reloc
Directories 6	import export resource debug tls relocation
Virus Total:	4/70 VT report date: 2023-09-15 18:33:06

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1152048825020723336/1152049344418173019/iodnwqioundoiqk1.ogg	cdn.discordapp.com	2023-09-15 20:51:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x35117f	3478016	d2a7910d9c294a1f37bc42ae6cd57e972c127800	a88c40894b0c35d4de4b8c911a02d3d7
.rdata	0x353000	0xe82a4	951296	2a6c993c51de46c32b5b28121e94e8b9e133e4a0	a70d97ed45ccec57ff950367da750542
.data	0x43c000	0x13c48	62976	817865e877e99ce2fd4bca991efb9c2547f99eb6	1fa54048a51ebb249a22e0b276b0a861
.pdata	0x450000	0x3b148	242176	8bd1b6796655eceed5470c3cc627fc6c6ea66fe5	db2fb96427bda5bda924834d9fa0c6e6
.didat	0x48c000	0x190	512	e3efe8253a5c52218b9382fcebee9a6a05507522	bdbbcc6572e03cd3a2913417335be192
.rsrc	0x48d000	0x16188	90624	d15203e2600594b0f2138fa06724489f2e5a1a8e	079b03e0319b902454502162d253aef1
.reloc	0x4a4000	0x12548	75264	7690b6814fe2d69f497950dd40dcf647a2dd24ea	96675ff74762f6ef5b5b7171e797ca7d

PE Resources 5

Name	Language	Sublanguage	Offset	Size	Data
MUI	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x4a3090	248
WEVT_TEMPLATE	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x48e270	61026	PE Resource: WEVT_TEMPLATE - Data CRIM`Aw'W86KJ ]l$WEVT<tT }~MAPS<VMAPd VMAP$VMAP$,VMAP GCBucketNamesJitLevelMap0MethodAddressRangeMap(SourceRequestForTTBL{3TEMPqS^\|q* ,D EventDataA;oData#KNameSourceID AIoData1KNameScriptContextID AAoData)KNameSourceFlags A1oDataKNameUrl (LhSourceID$ScriptContextIDSourceFlagsUrlTEMP)bXbV GFjD EventDataAIoData1KNameScriptContextID ($ScriptContextIDTEMP l"dZ \|D EventDataAIoData1KNameScriptContextID AOoData7KNameMethodStartAddress A?oData'KName MethodSize A;oData#KNameMethodID AAoData)KNameMethodFlags ASoData;KNameMethodAddressRangeID A;oData#KNameSourceID A3oDataKNameLine A7oDataKNameColumn A?oData'KName MethodName 4 X , @ $ScriptContextID,MethodStartAddressMethodSizeMethodIDMethodFlags0MethodAddressRangeIDSourceIDLineColumnMethodNameTEMP Y~Rk8O+\D EventDataA;oData#KNameTypeName TypeNameTEMP4nrR#WD EventDataA;oData#KNameTypeName A?oData'KName MethodName 0TypeNameMethodNameTEMP, .F_fcpK/D EventDataA;oData#KNameTypeName A=oData%KName EventName H ` TypeNameEventNameTEMPOIHh^'@WZD EventDataA9oData!KNameIsBoxed IsBoxedTEMP ) fPe#B.vD EventDataA;oData#KNameSourceID AIoData1KNameScriptContextID A;oData#KNameMethodID A9oData!KNameASTSize A?oData'KName IsDeferred A?oData'KName MethodName SourceID$ScriptContextIDMethodIDASTSizeIsDeferredMethodNameTEMP(8IxDO[GC D EventDataA;oData#KNameSourceID AIoData1KNameScriptContextID A;oData#KNameMethodID AEoData-KName BytecodeCount ACoData+KNameBytecodeSize A?oData'KName MethodName $DSourceID$ScriptContextIDMethodID BytecodeCount BytecodeSizeMethodNameTEMP_\PS`D EventDataA?oData'KName RecyclerID RecyclerIDTEMP,Yo{Z^0Co\|D EventDataA?oData'KName RecyclerID A9oData!KNameTimeout <RecyclerIDTimeoutTEMP<,%\|Q1%d>VD EventDataA?oData'KName RecyclerID AAoData)KNameHasTimedout T pRecyclerIDHasTimedoutTEMPtX6-P0p&dD EventDataA?oData'KName RecyclerID A]oDataEKNameBackgroundMarkRescanCount RecyclerID8BackgroundMarkRescanCountTEMP<; 5R'KQ\|`D EventDataA?oData'KName RecyclerID A?oData'KName SweptBytes RecyclerIDSweptBytesTEMPT,pTePT<oJD EventDataA?oData'KName RecyclerID A5oDataKNamePhase AMoData5KNameCollectionTrigger ASoData;KNameCollectionStartFlags (8`RecyclerIDPhase(CollectionTrigger0CollectionStartFlagsTEMPp(R_YjXkOSdD EventDataA?oData'KName RecyclerID A3oDataKNameType A9oData!KNameSizeCat A=oData%KName UsedBytes A?oData'KName TotalBytes < RecyclerIDTypeSizeCatUsedBytesTotalBytesTEMP gPsvPUD EventDataA?oData'KName RecyclerID ACoData+KNameScannedCount ACoData+KNameClearedCount AOoData7KNameRegionScannedCount AOoData7KNameRegionClearedCount 8!T!t!!!RecyclerID ScannedCount ClearedCount,RegionScannedCount,RegionClearedCountTEMP$ -:PU7D EventDataAIoData1KNameThreadContextID AOoData7KNameScriptContextCount AEoData-KName AllocatedSize AKoData3KNamePreClearFreeSize A;oData#KNameFreeSize AQoData9KNamePolyInlineCacheSize $$$%(%@%$ThreadContextID,ScriptContextCount AllocatedSize(PreClearFreeSizeFreeSize,PolyInlineCacheSizeTEMP$&YDBSZc\2D EventDataA;oData#KNameSourceID AIoData1KNameScriptContextID A3oDataKNameSize AEoData-KName IsSaveOnClose $'<'`' p'SourceID$ScriptContextIDSize IsSaveOnCloseTEMP0()bXbV GFjD EventDataAIoData1KNameScriptContextID D($ScriptContextIDTEMPDH)$qRtYoD EventDataA;oData#KNameSourceID AIoData1KNameScriptContextID p))SourceID$ScriptContextIDTEMP,+-p"QJ4U6D EventDataAGoData/KNameCallerMethodID AIoData1KNameInlineeMethodID A7oDataKNameCaller A9oData!KNameInlinee h++++$CallerMethodID$InlineeMethodIDCallerInlineeTEMPH\|.o7Sh^}YpD EventDataA;oData#KNameMethodID A?oData'KName MethodName AEoData-KName ScriptContext AKoData3KNameInterpretedCount AGoData/KNameSourceCodeSize ACoData+KNameByteCodeSize AOoData7KNameByteCodeInLoopSize A;oData#KNameJitLevel /4/P/p////0MethodIDMethodName ScriptContext(InterpretedCount$SourceCodeSize ByteCodeSize,ByteCodeInLoopSizeJitLevelTEMPL02SZ344D EventDataA;oData#KNameMethodID A?oData'KName MethodName AEoData-KName ScriptContext AKoData3KNameInterpretedCount AOoData7KNameMethodStartAddress A?oData'KName MethodSize 2222$3 P3MethodIDMethodName ScriptContext(InterpretedCount,MethodStartAddressMethodSizeTEMP@4Z:Tkc%l@D EventDataA;oData#KNameMethodID A?oData'KName MethodName AEoData-KName ScriptContext AKoData3KNameInterpretedCount 05H5d55MethodIDMethodName ScriptContext(InterpretedCountTEMPD6:_!YYbD EventDataAAoData)KNameSizeInBytes X6SizeInBytesTEMP7KYn]? r[fD EventDataAEoData-KName MemoryAddress $7 MemoryAddressTEMP\|8]}W4)j;ID EventDataA5oDataKNameCount AEZComplexDataKNameValues l8\|888CountValues MemoryAddressSizeTEMP9bpm\A%D EventDataAEoData-KName MemoryAddress A=oData%KName BlockSize A?oData'KName ObjectSize :@:X: MemoryAddressBlockSizeObjectSizeTEMP<P;d\|?xRfP>D EventDataAEoData-KName MemoryAddress A;oData#KNameMethodID x;; MemoryAddressMethodIDTEMP4<gl3`S+D EventDataAEoData-KName MemoryAddress A7oDataKNameTypeId << MemoryAddressTypeIdTEMP<=N~\|YA@DD EventDataAEoData-KName MemoryAddress A;oData#KNameTypeName => MemoryAddressTypeNameTEMP8?N8HP:9qD EventDataAEoData-KName MemoryAddress A;oData#KNameTypeName A5oDataKNamejsVar t??? MemoryAddressTypeNamejsVarTEMP Ar,J Wt'wd.D EventDataAEoData-KName MemoryAddress A;oData#KNameTypeName A;oData#KNamecallback A=oData%KName EventName pAAAA MemoryAddressTypeNamecallbackEventNameTEMPBXZw\|[9{yD EventDataAEoData-KName MemoryAddress A;oData#KNameTypeName A9oData!KNameIsArray 0CPC hC MemoryAddressTypeNameIsArrayTEMPDKYn]? r[fD EventDataAEoData-KName MemoryAddress ,D MemoryAddressTEMP F<m5W0D_D EventDataAKoData3KNameAsyncOperationId A?oData'KName FrameCount AIoData1KNameNameBufferCount A?oData'KName NameBuffer AEZComplexDataKNameFrames FFG0GLG `G\|GGG(AsyncOperationIdFrameCount$NameBufferCountNameBufferFramesDocumentId8SourceLocationStartIndex0SourceLocationLengthNameIndexTEMPHJ[l8JUmFD EventDataA9oData!KNameElement A3oDataKNameZero HIElementZeroTEMP@S-sv+X1[S^ D EventDataAOoData7KNameJscript9EngineSize AKoData3KNameMshtmlEngineSize AQoData9KNameJscript9ContextSize AMoData5KNameMshtmlContextSize AQoData9KNameJscript9LibrarySize AMoData5KNameMshtmlLibrarySize AIoData1KNameJscript9CEOSize AEoData-KName MshtmlCEOSize A_oDataGKNameJscript9ScriptEngineOffset A[oDataCKNameMshtmlScriptEngineOffset AaoDataIKNameJscript9ScriptContextOffset A]oDataEKNameMshtmlScriptContextOffset AUoData=KNameJscript9LibraryOffset AQoData9KNameMshtmlLibraryOffset AOoData7KNameJscript9TypeOffset AKoData3KNameMshtmlTypeOffset ASoData;KNameJscript9TypeIdOffset AOoData7KNameMshtmlTypeIdOffset AUoData=KNameJscript9TaggedIntSize AMoData5KNameMshtmlTaggIntSize AOoData7KNameJscript9NumberSize AKoData3KNameMshtmlNumberSize AQoData9KNameJscript9TypeIdLimit AMoData5KNameMshtmlTypeIdLimit AaoDataIKNameJScript9NumberUtilitiesSize A]oDataEKNameMsHtmlNumberUtilitiesSize AeoDataMKNameJScript9NumberUtilitiesOffset AaoDataIKNameMsHtmlNumberUtilitiesOffset pUUUUVDVlVVVV$W`WWWW XHXxXXXX(YPY\|YYYZXZ,Jscript9EngineSize(MshtmlEngineSize,Jscript9ContextSize(MshtmlContextSize,Jscript9LibrarySize(MshtmlLibrarySize$Jscript9CEOSize MshtmlCEOSize<Jscript9ScriptEngineOffset8MshtmlScriptEngineOffset<Jscript9ScriptContextOffset8MshtmlScriptContextOffset0Jscript9LibraryOffset,MshtmlLibraryOffset,Jscript9TypeOffset(MshtmlTypeOffset0Jscript9TypeIdOffset,MshtmlTypeIdOffset0Jscript9TaggedIntSize(MshtmlTaggIntSize,Jscript9NumberSize(MshtmlNumberSize,Jscript9TypeIdLimit(MshtmlTypeIdLimit<JScript9NumberUtilitiesSize8MsHtmlNumberUtilitiesSize@JScript9NumberUtilitiesOffset<MsHtmlNumberUtilitiesOffsetTEMP_WZj5]iD EventDataAKoData3KNameMshtmlEngineSize AMoData5KNameMshtmlContextSize AMoData5KNameMshtmlLibrarySize AEoData-KName MshtmlCEOSize A[oDataCKNameMshtmlScriptEngineOffset A]oDataEKNameMshtmlScriptContextOffset AQoData9KNameMshtmlLibraryOffset AKoData3KNameMshtmlTypeOffset AOoData7KNameMshtmlTypeIdOffset AMoData5KNameMshtmlTaggIntSize AKoData3KNameMshtmlNumberSize AMoData5KNameMshtmlTypeIdLimit A]oDataEKNameMsHtmlNumberUtilitiesSize AaoDataIKNameMsHtmlNumberUtilitiesOffset ``aDadaaab(bTb\|bbbc(MshtmlEngineSize(MshtmlContextSize(MshtmlLibrarySize MshtmlCEOSize8MshtmlScriptEngineOffset8MshtmlScriptContextOffset,MshtmlLibraryOffset(MshtmlTypeOffset,MshtmlTypeIdOffset(MshtmlTaggIntSize(MshtmlNumberSize(MshtmlTypeIdLimit8MsHtmlNumberUtilitiesSize<MsHtmlNumberUtilitiesOffsetTEMP4 eT3VY4GkAD EventDataAAoData)KNameOperationId A?oData'KName FrameCount ASoData;KNameFrameNameBufferCount AIoData1KNameFrameNameBuffer AEZComplexDataKNameFrames eefDfhf\|fffgLgOperationIdFrameCount0FrameNameBufferCount$FrameNameBufferFrames$ScriptContextID8SourceLocationLineNumber<SourceLocationColumnNumber8MethodIDOrFrameNameIndex(IsFrameNameIndexTEMPh\|R6N+D EventDataA;oData#KNameModuleID A;oData#KNameSHA1Hash A1oDataKNameUrl A?oData'KName ModuleSize i,iDiPiModuleIDSHA1HashUrlModuleSizeTEMP$kb[2v:D EventDataA;oData#KNameModuleID AOoData7KNameSerializationIndex A3oDataKNameName AGoData/KNameFunctionOffset ACoData+KNameFunctionSize kkkklModuleID,SerializationIndexName$FunctionOffset FunctionSizeTEMP\m/Z=D EventDataACoData+KNameReasonBuffer AKoData3KNameSourceRequestFor 4mTm ReasonBuffer(SourceRequestForTEMPn%}nT[jKt}D EventDataA?oData'KName HeapHandle A3oDataKNameSize A9oData!KNameAddress A7oDataKNameSource o 4oDoXoHeapHandleSizeAddressSourceTEMPp)c%h_KGk4D EventDataA?oData'KName HeapHandle A9oData!KNameAddress A7oDataKNameSource pppHeapHandleAddressSourceTEMP4q&CZv/2f<D EventDataA?oData'KName RecyclerID A=oData%KName Timestamp rrRecyclerIDTimestampTEMP08t__UjYD EventDataA?oData'KName RecyclerID A=oData%KName UsedBytes AEoData-KName ReservedBytes AGoData/KNameCommittedBytes AKoData3KNameNumberOfSegments A7oDataKNameFromGC t t t u (u PuRecyclerIDUsedBytes ReservedBytes$CommittedBytes(NumberOfSegmentsFromGCTEMPunTs]uX^D EventDataA=oData%KName eventData veventDataTEMPHx{_9OtD EventDataAKoData3KNameFunctionMethodID AKoData3KNameFunctionSourceID AQoData9KNameFunctionDisplayName AAoData)KNameBailoutKind ACoData+KNameBailoutCount A=oData%KName CallCount AAoData)KNameRejitReason A9oData!KNameRethunk lyyyyz$z<z Xz(FunctionMethodID(FunctionSourceID,FunctionDisplayNameBailoutKind BailoutCountCallCountRejitReasonRethunkTEMPh\|I';TRAD EventDataAKoData3KNameFunctionMethodID AKoData3KNameFunctionSourceID AQoData9KNameFunctionDisplayName A?oData'KName LoopNumber AAoData)KNameBailoutKind AAoData)KNameRejitReason },}T}}}}(FunctionMethodID(FunctionSourceID,FunctionDisplayNameLoopNumberBailoutKindRejitReasonPRVA8}Microsoft-JScriptOPCO 20p00 / L0 l0D`0 0 $H0+0+$04-t0-0-0-000\|000<0000\000(0 hwin:Infowin:Startwin:StopMethodLoad(ScriptContextLoad MethodDCStart0ScriptContextDCStart UsedPageSizeFree_Memory MethodUnload,ScriptContextUnloadMethodDCEnd,ScriptContextDCEnd(Free_Memory_BlockSourceLoad$DCStartComplete SourceDCStart$Allocate_Object SourceUnload DCEndCompleteSourceDCEnd$Allocate_ArrayDScriptContextOnStartupCompleteDCStartInit(Allocate_FunctionDCEndInitLoad,Allocate_DOM_ObjectSave@Allocate_WinRT_JSProxy_ObjectStart,Allocate_PixelArrayStop$External_AddRefQueue(External_ReleaseDequeueLAllocate_WinRT_RuntimeClass_ObjectDAllocate_WinRT_Namespace_Object@Allocate_WinRT_Struct_Object<Allocate_WinRT_Enum_ObjectHAllocate_WinRT_TypedArray_ObjectDAllocate_WinRT_Delegate_ObjectLAllocate_WinRT_EventHandler_ObjectHAllocate_WinRT_Collections_ObjectLAllocate_WinRT_PropertyValue_Object<Free_WinRT_Delegate_ObjectDFree_WinRT_EventHandler_Object@Free_WinRT_Collections_ObjectDFree_WinRT_PropertyValue_ObjectLEVL@P(win:InformationalTASKu4eXwO&IdmD8L v}!mD8L v}amD8L }!@ }] }# }] }$}] }#,}] }x Dm8L v}1BL>{H,>bL&BSxF#-KqKgBx (\nGTzO]9\CAc3O<MN8hs@@'HzndV>yFKV2Yer^JL^ES2<iPHK@E@@ `=A.=eM<d<Z@RX3A_O=+vxVtG%W xVtG%W!xVtG%W4"xVtG%Wd#xVtG%W$xVtG%W%xVtG%W&xVtG%W'xVtG%WX(xVtG%W)xVtG%WxVtG%W+<,x-.lj&_M3U-:/r<1OBdt0h-oL.V!H1xftG%W2xftG%W3xftG%W4xftG%WL5xftG%W6xftG%W7xftG%W,8xftG%Wt9xftG%W:xVtG%W;xVtG%WD<xVtG%W=xVtG%W>xVtG%W?xVtG%WH@xVtG%WAt}ExIntfBxVtG%WC 9bJ\QfXDKd(BXJE],CtyFKd(BXJGxVtG%W0HxVtG%WdIRI)6Jb=;>?G\|KJNLom'OVLMu)~lE{:xN5jLc>O9xUJb*8P-cGE~,E Q={O X@>`RpI9'umSxENXx[NLTHf\U@L3/\VllkF/nWdBDJXPIE8@u\Y{Myh4tZpoGE[@~nD$#_oh\-9n?H`h]GJhrD\|^auLD9A$_#qI>SvL`rZ27BT daJ}xb:YmrAEl c6>^Am~hdQHsK1N @fet9NU &hf `2\GSXS8gO-KlQhW#OUi7BOG1(9jxVtG%Wk Kn 4lzR`RO[[hm[/; OKsz9Sns'+\|HM:(_od3+iG4XhpD\|'B5Pq#,B A^iMKrwvEHx@se C]wIt9;IsCT7NXu x'[@^t MethodRuntime0ScriptContextRuntime MethodRundown0ScriptContextRundownDJscript_Projection_ResolveTypeXJscript_Projection_ConstructRuntimeClass@Jscript_Projection_MethodCallHJscript_Projection_RawMethodCallPJscript_Projection_InvokesJsDelegateTJscript_Projection_InvokeNativeDelegateLJscript_Projection_AddEventListenerTJscript_Projection_RemoveEventListener`Jscript_Projection_GetTypeMetaDataInformationLJscript_Projection_SetEventHandlerlJscript_Projection_RemoveAllEventsAndEventHandlersDJscript_Projection_InvokeEventXJscript_Projection_InvokeEventEvParamPrepdJscript_Projection_GetExprFromConcreteTypeName\Jscript_Projection_GetTypeFromTypeNameParts\Jscript_Projection_ReferenceOrArrayGetValue\Jscript_Projection_PropertyValueVarFromGRCNDJscript_Projection_VarFromGRCNLJscript_Projection_WriteIReferenceLJscript_Projection_WriteInspectablehJscript_Projection_GetNonArrayTypeAsPropertyValuetJscript_Projection_GetNonArrayBasicTypeAsPropertyValuedJscript_Projection_GetTypedArrayAsPropertyValuepJscript_Projection_GetBasicTypedArrayAsPropertyValue4GenerateBytecodeMethodParseMethod0Jscript_GC_ResetMarks0Jscript_GC_ScanRoots0Jscript_GC_ScanStack$Jscript_GC_Mark(Jscript_GC_Rescan(Jscript_GC_SweepDJscript_GC_SetupBackgroundSweep<Jscript_GC_BackgroundSweepDJscript_GC_TransferSweptObjects,Jscript_GC_Dispose8Jscript_GC_BackgroundMark<Jscript_GC_ResetWriteWatch<Jscript_Profile_Persistence4Jscript_Backend_Inline,Jscript_Method_Jit4Jscript_GC_IdleCollect<Jscript_Page_Allocator_Size<Jscript_Recycler_Allocation4Jscript_GC_SweepWeakRefDJscript_GC_ProcessTrackedObjectPJscript_GC_ProcessClientTrackedObject@Jscript_GC_BackgroundZeroPage8Jscript_GC_FlushZeroPagehJscript_GC_DecommitConcurrentCollectPageAllocatorHJscript_GC_SweepPartialReusePage<Jscript_GC_BackgroundRescanPJscript_GC_BackgroundResetWriteWatchDJscript_GC_BackgroundScanRootsDJscript_GC_BackgroundResetMarks8Jscript_GC_RescanMarkWaitDJscript_GC_SynchronousMarkWaitDJscript_GC_FinishConcurrentWait@Jscript_GC_EndMarkOnLowMemoryHJscript_AsyncCausality_StackTrace<JScript_ByteCodeDeserializeLJscript_Hosting_BinaryInconsistencyPJscript_Hosting_BinaryConsistencyInfo,Jscript_StackTrace,Jscript_Host_Native0Jscript_SourceMapping4Jscript_GC_ParallelMarkHJscript_GC_BackgroundParallelMark8Memprotect_GC_ResetMarks4Memprotect_GC_ScanRoots4Memprotect_GC_ScanStack,Memprotect_GC_Mark0Memprotect_GC_Rescan,Memprotect_GC_SweepLMemprotect_GC_SetupBackgroundSweep@Memprotect_GC_BackgroundSweepLMemprotect_GC_TransferSweptObjects0Memprotect_GC_Dispose@Memprotect_GC_BackgroundMark@Memprotect_GC_ResetWriteWatch8Memprotect_GC_IdleCollect<Memprotect_GC_SweepWeakRefLMemprotect_GC_ProcessTrackedObjectXMemprotect_GC_ProcessClientTrackedObjectHMemprotect_GC_BackgroundZeroPage<Memprotect_GC_FlushZeroPagepMemprotect_GC_DecommitConcurrentCollectPageAllocatorLMemprotect_GC_SweepPartialReusePageDMemprotect_GC_BackgroundRescanTMemprotect_GC_BackgroundResetWriteWatchHMemprotect_GC_BackgroundScanRootsLMemprotect_GC_BackgroundResetMarks@Memprotect_GC_RescanMarkWaitHMemprotect_GC_SynchronousMarkWaitLMemprotect_GC_FinishConcurrentWaitHMemprotect_GC_EndMarkOnLowMemory<Memprotect_GC_ParallelMarkPMemprotect_GC_BackgroundParallelMark Memprotect_GC8Memprotect_GC_Allocation0Memprotect_GC_Unroot$Jscript_GC_Init4Memprotect_GC_Heap_SizeDJscript_Internal_Generic_Event4Jscript_GC_Bucket_Stats<Memprotect_GC_Bucket_Stats4Jscript_Backend_BailoutHJscript_Backend_Bailout_LoopBody@Jscript_GC_Clear_InlineCache<Jscript_GC_PreSweepCallbackDMemprotect_GC_PreSweepCallbackJscript_GC2$Memprotect_GC2KEYWPDh @8p8 \|@ Dh @4p$JScriptRuntime,JScriptStartRundown(JScriptEndRundown0JScriptGCBucketStats(JScriptProjection$JScriptFrontend8JScriptGarbageCollection$JScriptProfile$JscriptBackendJscriptJit0JScriptMemoryTracing4JScriptObjectAllocationDJScriptExternalReferenceAddRef0JScriptObjectCleanupDJScriptExternalReferenceRelease0JScriptAsyncCausality$JScriptByteCode$JScriptHosting(JScriptStackTrace8JScriptAsyncCausality_V20JScriptSourceMapping<MemProtectGarbageCollection<MemProtectObjectAllocation,MemProtectHeapSizeInternal4MemProtectGCBucketStatsEVNTx4,0X~0\D0` ~0d LT~0hL~0l t`~Lpt~Lt L<~x L~\| tH~t~ \ $~h\ 0~h\ $~\ 0~$~0~$~0~ $~ 0~ $~ 0~$~0~$~,0~, \ $~H \ 0~HL$~d L0~d!\ $~"\ 0~#L$~$L0~%L$~&L0~'`~L( `L)`~ `~+\ $~,\ 0~-\ $~.\ 0~/\ $~0\ 0~1\ $~(2\ 0~(3\ $~D 4\ 0~D$5\ $~`(6\ 0~`,7x $~\|08x 0~\|49\ $~8:\ 0~<;\ $~@<\ 0~D=\ $~H>\ 0~L?\ $~P@\ 0~TA 0$~$XB 00~$\C 8~`D@`$~@dE@`0~@hF @`$~\lG @`0~\pH!@`$~xtI!@`0~xxJ"@`$~\|K"@`0~L#@`$~M#@`0~N$@`$~O$@0~P%@`$~Q%@`0~R&@`$~S&@0~T'@`$~ U'@`0~ V(@`$~<W(@0~<X)@$~XY)@0~XZ@`$~t[@`0~t\+l%h]' ^+h(P_,)~`-+a- 0b-l3c-l3d.@`$~e.@`~f.@`~g.@`~h.@`0~i /5l~j 0 D7x~k0 8~l0t6~m 0t6n0t:8o0;\p0<tq0t6r0t6s0@t6 t0<$u0<(v0<,w0<0x0<4y0 >8z0?<{0 >(@\|0A4D}0\|C@H~0\|CLL0\|CXP 0\|CdT1@`$~8X1@`0~8\2@`$~T`2@`0~Td3@`$~ph3@`0~pl4@`$~p4@`0~t5@`$~x5@`0~\|6@`$~6@`0~7@`$~7@`0~8@$~8@0~9@$~9@0~:@`$~4:@`0~4;@`$~P;@`0~P<@$$~l<@P0~l=@$$~=@P0~>@$$~>@P0~?@`$~?@`0~@LD~AG$~AG0~BI~CZ~0D@c~L@@c~Etg~hEli~hF l~G@`$~G@`0~H@$~H@0~I `$~I `0~J `$~J `0~K `$~K `0~L `$~, L `0~,$M `$~H(M `0~H,N `$~d0N 0~d4O `$~8O `0~<P `$~@P 0~DQ `$~HQ `0~LR `$~PR 0~TS $~XS 0~\T `$~`T `0~dU `$~(hU `~(lU `~(pU `~(tU `0~(xV `$~D\|V `0~DW `$~`W `0~`X `$~\|X `0~\|Y `$~Y `0~Z `$~Z `0~[ `$~[ `0~\ `$~\ `0~] $~] 0~^ $~$^ 0~$_ `$~@_ `0~@` `$~\` `0~\a $$~xa P0~xb $$~b P0~c $$~c P0~d `$~d `0~e `$~e `0~f $~f 0~g G$~ g G0~ h@\|m~<i@lo~Xj@q~tk4r~ldu~m@~ n ~$o$v~(plz~,q@$~80q@!0~84r@`$~T8r@`0~T<s `$~p@s `0~pD1@0~8HV 0~DLt@<$~Pt@<0~Tu <$~Xu <0~\$4444DttTTTTTTdTTTTTTTTTTTTT44$$$
RT_STRING	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x4a2230	32
RT_MESSAGETABLE	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x48df68	772	PE Resource: RT_MESSAGETABLE - Data 004PPpInfo Start Stop Information ,Microsoft-JScript Interpreted JIT JITLoopBody SimpleJit FullJit Reason $ReasonLength Normal (S) Leaf (S) Fin (S) NormWB (S) FinWB (S) Visited (S) Normal (M) Leaf (M) Fin (M) NormWB (M) FinWB (M) Visited (M) Large Total
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x48dbf0	884	PE Resource: RT_VERSION - Data t4VS_VERSION_INFOaJaJ?StringFileInfo040904B0LCompanyNameMicrosoft CorporationPFileDescriptionMicrosoft JScriptp(FileVersion11.00.19041.1266 (WinBuild.160101.0800): InternalNamejscript9.dll.LegalCopyright Microsoft Corporation. All rights reserved.B OriginalFilenamejscript9.dllDProductNameInternet ExplorerFProductVersion11.00.19041.1266DVarFileInfo$Translation

Meta infos 9

LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
InternalName:	jscript9.dll
FileVersion:	11.00.19041.1266 (WinBuild.160101.0800)
CompanyName:	Microsoft Corporation
ProductVersion:	11.00.19041.1266
FileDescription:	Microsoft \xae JScript
Translation:	0x0409 0x04b0
OriginalFilename:	jscript9.dll
ProductName:	Internet Explorer

Anti debug functions 6

GetLastError
IsDebuggerPresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
api-ms-win-core-timezone-l1-1-0.dll
api-ms-win-core-winrt-l1-1-0.dll
KERNEL32.dll
jscript9.dll
ntdll.dll
api-ms-win-core-processthreads-l1-1-2.dll
api-ms-win-core-delayload-l1-1-1.dll
api-ms-win-core-winrt-error-l1-1-1.dll
F12\pdm.dll
api-ms-win-ro-typeresolution-l1-1-0.dll
pdm.dll
FaultRep.dll
api-ms-win-eventing-provider-l1-1-0.dll
api-ms-win-core-winrt-roparameterizediid-l1-1-0.dll
yjsIntl.dll
windows.globalization.dll
api-ms-win-core-winrt-string-l1-1-0.dll
ADVAPI32.dll
KernelBase.dll
rpcrt4.dll
OLEAUT32.dll
MSVCRT.dll
ole32.dll
api-ms-win-downlevel-shlwapi-l1-1-0.dll
api-ms-win-downlevel-version-l1-1-0.dll
bcrypt.dll
api-ms-win-downlevel-advapi32-l1-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll

Import functions

api-ms-win-downlevel-advapi32-l1-1-0.dll 11 bcrypt.dll 1 ADVAPI32.dll 1 KERNEL32.dll 137 msvcrt.dll 94 api-ms-win-downlevel-version-l1-1-0.dll 3 RPCRT4.dll 19 api-ms-win-downlevel-shlwapi-l1-1-0.dll 10 ntdll.dll 1

Function	Address	Souspicious	Anti Debug
RegDeleteKeyExW	0x180398e20
RegSetValueExW	0x180398e28
EventRegister	0x180398e30
RegCreateKeyExW	0x180398e38
RegOpenKeyExW	0x180398e40
EventWriteTransfer	0x180398e48
EventWrite	0x180398e50
RegQueryValueExW	0x180398e58
RegGetValueW	0x180398e60
EventUnregister	0x180398e68
RegCloseKey	0x180398e70

Function	Address	Souspicious	Anti Debug
BCryptGenRandom	0x180398ef8

Function	Address	Souspicious	Anti Debug
CryptReleaseContext	0x180398920

Function	Address	Souspicious	Anti Debug
ResumeThread	0x180398930
LoadLibraryExA	0x180398938
GetProcessHeap	0x180398940
MapViewOfFile	0x180398948
CreateFileMappingW	0x180398950
UnmapViewOfFile	0x180398958
CreateFileW	0x180398960
GetUserDefaultUILanguage	0x180398968
GetSystemDefaultUILanguage	0x180398970
SearchPathW	0x180398978
SleepConditionVariableSRW	0x180398980
WakeAllConditionVariable	0x180398988
SetUnhandledExceptionFilter	0x180398990
LocalFree	0x180398998
LocalAlloc	0x1803989a0
MultiByteToWideChar	0x1803989a8
FlushInstructionCache	0x1803989b0
ResetEvent	0x1803989b8
SetThreadStackGuarantee	0x1803989c0
GetSystemTimeAdjustment	0x1803989c8
QueryPerformanceFrequency	0x1803989d0
CompareStringEx	0x1803989d8
GetUserDefaultLocaleName	0x1803989e0
ResolveLocaleName	0x1803989e8
QueryThreadCycleTime	0x1803989f0
GetProcessIoCounters	0x1803989f8
Sleep	0x180398a00
GetNumberFormatW	0x180398a08
GetTimeFormatW	0x180398a10
GetDateFormatW	0x180398a18
GetSystemTime	0x180398a20
LCMapStringW	0x180398a28
CompareStringW	0x180398a30
RtlVirtualUnwind	0x180398a38
RtlLookupFunctionEntry	0x180398a40
GetTimeZoneInformation	0x180398a48
GetStringTypeW	0x180398a50
SizeofResource	0x180398a58
LockResource	0x180398a60
LoadResource	0x180398a68
FindResourceExW	0x180398a70
UnhandledExceptionFilter	0x180398a78
TerminateProcess	0x180398a80
RtlAddFunctionTable	0x180398a88
RtlDeleteFunctionTable	0x180398a90
InterlockedPushEntrySList	0x180398a98
InterlockedPopEntrySList	0x180398aa0
InitializeSListHead	0x180398aa8
VirtualAlloc	0x180398ab0
VirtualFree	0x180398ab8
GlobalMemoryStatusEx	0x180398ac0
ResetWriteWatch	0x180398ac8
FreeLibraryAndExitThread	0x180398ad0
SetThreadPriority	0x180398ad8
WaitForMultipleObjectsEx	0x180398ae0
GetWriteWatch	0x180398ae8
GetCurrentThread	0x180398af0
GetThreadContext	0x180398af8
SetEvent	0x180398b00
CreateEventW	0x180398b08
SystemTimeToTzSpecificLocalTime	0x180398b10
TzSpecificLocalTimeToSystemTime	0x180398b18
GetTimeZoneInformationForYear	0x180398b20
SetConsoleTextAttribute	0x180398b28
GetConsoleScreenBufferInfo	0x180398b30
GetStdHandle	0x180398b38
GetVersionExW	0x180398b40
GetSystemInfo	0x180398b48
EncodeSystemPointer	0x180398b50
QueryPerformanceCounter	0x180398b58
WerGetFlags	0x180398b60
VirtualProtect	0x180398b68
WerSetFlags	0x180398b70
LoadLibraryExW	0x180398b78
GetSystemDirectoryW	0x180398b80
RaiseException	0x180398b88
IsValidCodePage	0x180398b90
GetLocaleInfoW	0x180398b98
IsValidLocale	0x180398ba0
VirtualQuery	0x180398ba8
GetEnvironmentVariableW	0x180398bb0
GetACP	0x180398bb8
GetUserDefaultLCID	0x180398bc0
TlsSetValue	0x180398bc8
TlsGetValue	0x180398bd0
TlsFree	0x180398bd8
TlsAlloc	0x180398be0
GetSystemTimeAsFileTime	0x180398be8
InitOnceComplete	0x180398bf0
InitOnceBeginInitialize	0x180398bf8
RaiseFailFastException	0x180398c00
DeleteAtom	0x180398c08
TryEnterCriticalSection	0x180398c10
FreeLibrary	0x180398c18
AddAtomW	0x180398c20
FindAtomW	0x180398c28
InitializeCriticalSectionAndSpinCount	0x180398c30
GetTickCount	0x180398c38
InitializeCriticalSection	0x180398c40
GetModuleFileNameW	0x180398c48
GetCurrentProcess	0x180398c50
K32GetModuleInformation	0x180398c58
IsDebuggerPresent	0x180398c60
DebugBreak	0x180398c68
GetModuleHandleW	0x180398c70
GetCurrentProcessId	0x180398c78
DeleteCriticalSection	0x180398c80
AcquireSRWLockShared	0x180398c88
CreateMutexExW	0x180398c90
GetProcAddress	0x180398c98
HeapAlloc	0x180398ca0
GetModuleFileNameA	0x180398ca8
CreateSemaphoreExW	0x180398cb0
HeapFree	0x180398cb8
SetLastError	0x180398cc0
EnterCriticalSection	0x180398cc8
ReleaseSemaphore	0x180398cd0
GetModuleHandleExW	0x180398cd8
LeaveCriticalSection	0x180398ce0
InitializeCriticalSectionEx	0x180398ce8
WaitForThreadpoolTimerCallbacks	0x180398cf0
WaitForSingleObject	0x180398cf8
GetCurrentThreadId	0x180398d00
ReleaseMutex	0x180398d08
FormatMessageW	0x180398d10
GetLastError	0x180398d18
ReleaseSRWLockExclusive	0x180398d20
OutputDebugStringW	0x180398d28
CloseThreadpoolTimer	0x180398d30
AcquireSRWLockExclusive	0x180398d38
WaitForSingleObjectEx	0x180398d40
OpenSemaphoreW	0x180398d48
CloseHandle	0x180398d50
SetThreadpoolTimer	0x180398d58
ReleaseSRWLockShared	0x180398d60
CreateThreadpoolTimer	0x180398d68
DelayLoadFailureHook	0x180398d70

Function	Address	Souspicious	Anti Debug
memcmp	0x180398f08
qsort	0x180398f10
isdigit	0x180398f18
isalpha	0x180398f20
_wcslwr_s	0x180398f28
_wasctime_s	0x180398f30
_vscwprintf	0x180398f38
qsort_s	0x180398f40
modf	0x180398f48
_tzset	0x180398f50
_ui64tow_s	0x180398f58
_itow_s	0x180398f60
_snwprintf_s	0x180398f68
_beginthreadex	0x180398f70
fwprintf	0x180398f78
_flushall	0x180398f80
fflush	0x180398f88
fwprintf_s	0x180398f90
atan	0x180398f98
rand	0x180398fa0
srand	0x180398fa8
wcstok_s	0x180398fb0
wcsrchr	0x180398fb8
_wfsopen	0x180398fc0
_wsplitpath_s	0x180398fc8
acos	0x180398fd0
wcstoul	0x180398fd8
_stricmp	0x180398fe0
vswprintf_s	0x180398fe8
_i64tow_s	0x180398ff0
_wcsicmp	0x180398ff8
_localtime64_s	0x180399000
swprintf_s	0x180399008
_ltow	0x180399010
wcscat_s	0x180399018
_vsnwprintf_s	0x180399020
_ltow_s	0x180399028
_ultow_s	0x180399030
_controlfp_s	0x180399038
__C_specific_handler	0x180399040
_wcsnicmp	0x180399048
wcsncmp	0x180399050
wcsncpy_s	0x180399058
realloc	0x180399060
_wcsdup	0x180399068
wcschr	0x180399070
free	0x180399078
malloc	0x180399080
wcscpy_s	0x180399088
memmove_s	0x180399090
_vsnprintf_s	0x180399098
??0exception@@QEAA@AEBV0@@Z	0x1803990a0
??0exception@@QEAA@XZ	0x1803990a8
??1exception@@UEAA@XZ	0x1803990b0
atan2	0x1803990b8
wcsstr	0x1803990c0
asin	0x1803990c8
cos	0x1803990d0
exp	0x1803990d8
log	0x1803990e0
sin	0x1803990e8
tan	0x1803990f0
strncmp	0x1803990f8
wcsncat_s	0x180399100
iswalpha	0x180399108
_callnewh	0x180399110
_XcptFilter	0x180399118
_amsg_exit	0x180399120
_initterm	0x180399128
?terminate@@YAXXZ	0x180399130
_lock	0x180399138
_unlock	0x180399140
__dllonexit	0x180399148
_onexit	0x180399150
??1type_info@@UEAA@XZ	0x180399158
sqrt	0x180399160
wcscmp	0x180399168
_purecall	0x180399170
memcpy_s	0x180399178
_vsnwprintf	0x180399180
__iob_func	0x180399188
bsearch	0x180399190
_CxxThrowException	0x180399198
memmove	0x1803991a0
memset	0x1803991a8
tolower	0x1803991b0
__CxxFrameHandler3	0x1803991b8
sqrtf	0x1803991c0
fclose	0x1803991c8
ceil	0x1803991d0
floor	0x1803991d8
fmod	0x1803991e0
memcpy	0x1803991e8
pow	0x1803991f0

Function	Address	Souspicious	Anti Debug
GetFileVersionInfoSizeExW	0x180398ed8
GetFileVersionInfoExW	0x180398ee0
VerQueryValueW	0x180398ee8

Function	Address	Souspicious	Anti Debug
CStdStubBuffer_QueryInterface	0x180398d80
CStdStubBuffer_Invoke	0x180398d88
IUnknown_AddRef_Proxy	0x180398d90
CStdStubBuffer_DebugServerQueryInterface	0x180398d98
CStdStubBuffer_IsIIDSupported	0x180398da0
NdrOleFree	0x180398da8
CStdStubBuffer_AddRef	0x180398db0
IUnknown_Release_Proxy	0x180398db8
NdrDllUnregisterProxy	0x180398dc0
CStdStubBuffer_CountRefs	0x180398dc8
NdrDllCanUnloadNow	0x180398dd0
CStdStubBuffer_Connect	0x180398dd8
NdrCStdStubBuffer_Release	0x180398de0
CStdStubBuffer_Disconnect	0x180398de8
NdrDllGetClassObject	0x180398df0
IUnknown_QueryInterface_Proxy	0x180398df8
NdrOleAllocate	0x180398e00
CStdStubBuffer_DebugServerRelease	0x180398e08
NdrDllRegisterProxy	0x180398e10

Function	Address	Souspicious	Anti Debug
PathGetDriveNumberW	0x180398e80
PathIsUNCW	0x180398e88
PathIsLFNFileSpecW	0x180398e90
PathIsFileSpecW	0x180398e98
PathFindFileNameW	0x180398ea0
StrTrimW	0x180398ea8
PathFileExistsW	0x180398eb0
StrCmpLogicalW	0x180398eb8
PathRemoveFileSpecW	0x180398ec0
StrCmpICW	0x180398ec8

Function	Address	Souspicious	Anti Debug
RtlCaptureContext	0x180399200

PE Exports 97 suspicious

Function	Address
DllCanUnloadNow	0x1801c7e90
DllGetClassObject	0x18005ffd0
DllRegisterServer	0x1801c7fb0
DllUnregisterServer	0x1801c8070
JsAddRef	0x1801e5b50
JsBoolToBoolean	0x1801e5b90
JsBooleanToBool	0x1801e5bd0
JsCallFunction	0x1801e5c10
JsCollectGarbage	0x1801e5c60
JsConstructObject	0x1801e5c80
JsConvertValueToBoolean	0x1801e5cd0
JsConvertValueToNumber	0x1801e5d10
JsConvertValueToObject	0x1801e5d50
JsConvertValueToString	0x1801e5d90
JsCreateArray	0x1801e5dd0
JsCreateContext	0x1801e5e10
JsCreateError	0x1801e5e50
JsCreateExternalObject	0x1801e5e90
JsCreateExternalType	0x1801e5ed0
JsCreateFunction	0x1801e5f10
JsCreateObject	0x1801e5f50
JsCreateRangeError	0x1801e5f70
JsCreateReferenceError	0x1801e5fb0
JsCreateRuntime	0x1801e5ff0
JsCreateSyntaxError	0x1801e6040
JsCreateTypeError	0x1801e6080
JsCreateTypedExternalObject	0x1801e60c0
JsCreateURIError	0x1801e6100
JsDefineProperty	0x1801e6140
JsDeleteIndexedProperty	0x1801e6190
JsDeleteProperty	0x1801e61d0
JsDisableRuntimeExecution	0x1801e6220
JsDisposeRuntime	0x1801e6280
JsDoubleToNumber	0x1801e62a0
JsEnableRuntimeExecution	0x1801e62e0
JsEnumerateHeap	0x1801e6300
JsEquals	0x1801e6380
JsGetAndClearException	0x1801e63c0
JsGetCurrentContext	0x1801e6490
JsGetDefaultTypeDescription	0x1801e64d0
JsGetExtensionAllowed	0x1801e64f0
JsGetExternalData	0x1801e6530
JsGetExternalType	0x1801e6570
JsGetFalseValue	0x1801e65b0
JsGetGlobalObject	0x1801e65d0
JsGetIndexedProperty	0x1801e65f0
JsGetNullValue	0x1801e6630
JsGetOwnPropertyDescriptor	0x1801e6650
JsGetOwnPropertyNames	0x1801e6690
JsGetProperty	0x1801e66d0
JsGetPropertyIdFromName	0x1801e6710
JsGetPropertyNameFromId	0x1801e6750
JsGetPrototype	0x1801e6790
JsGetRuntime	0x1801e67d0
JsGetRuntimeMemoryLimit	0x1801e6820
JsGetRuntimeMemoryUsage	0x1801e6860
JsGetStringLength	0x1801e68a0
JsGetTrueValue	0x1801e68e0
JsGetUndefinedValue	0x1801e6900
JsGetValueType	0x1801e6920
JsHasException	0x1801e6960
JsHasExternalData	0x1801e6a10
JsHasIndexedProperty	0x1801e6a50
JsHasProperty	0x1801e6a90
JsIdle	0x1801e6ad0
JsIntToNumber	0x1801e6af0
JsIsEnumeratingHeap	0x1801e6b30
JsIsRuntimeExecutionDisabled	0x1801e6b90
JsNumberToDouble	0x1801e6bd0
JsParseScript	0x1801e6c10
JsParseSerializedScript	0x1801e6c50
JsPointerToString	0x1801e6c90
JsPreventExtension	0x1801e6cd0
JsRelease	0x1801e6cf0
JsRunScript	0x1801e6d30
JsRunSerializedScript	0x1801e6d70
JsSerializeScript	0x1801e6db0
JsSetCurrentContext	0x1801e6ea0
JsSetException	0x1801e6ec0
JsSetExternalData	0x1801e6ee0
JsSetIndexedProperty	0x1801e6f20
JsSetProperty	0x1801e6f60
JsSetPrototype	0x1801e6fb0
JsSetRuntimeBeforeCollectCallback	0x1801e6ff0
JsSetRuntimeMemoryAllocationCallback	0x1801e7030
JsSetRuntimeMemoryLimit	0x1801e7070
JsStartDebugging	0x1801e70a0
JsStartProfiling	0x1801e70c0
JsStopProfiling	0x1801e7100
JsStrictEquals	0x1801e7120
JsStringToPointer	0x1801e7160
JsValueToVariant	0x1801e71a0
JsVarAddRef	0x180067f90
JsVarRelease	0x180067e30
JsVarToExtension	0x1800958c0
JsVarToScriptDirect	0x1802001f0
JsVariantToValue	0x1801e71e0