If you open your WPL file with Notepad, you’ll find that there are two arrays in it. The code may not specifically say “array”, but its basic structure gives it away: a var line whose value is a list surrounded by square brackets. As shown below, one of the arrays will contain five values separated by commas. The values represent HEX characters (single bytes, written here in decimal), so each value will range from 1 to 255. This array will be our “KeyArray”.
var jumbledCharacters = [218,144,4,215,211]
The other array is very similar to the one described above, but contains a lot more values. Those values are the coded URL that the hacker is using to download more viruses. We will call it our “CodeArray” value.
URL Decryption Tool
Use this information to update your firewall. If you need an IP address, use nslookup <hostName> from DOS or PowerShell. Use the Decoded URL as your <hostName>.
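The steps above, from locating the two arrays to getting a host name for the firewall rule, written out as an added example; it is not the page's own decryption tool. It assumes the sample uses a repeating-key XOR (the page does not name the scheme), and the second array, its name `codedValues`, the `example.test` URL and the `defang` helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not a real malware file. The key values are the ones
# shown on the page; the second array and its name are made up for this demo.
SAMPLE = """
var jumbledCharacters = [218,144,4,215,211]
var codedValues = [178,228,112,167,233,245,191,97,175,178,183,224,104,178,253,174,245,119,163,252]
"""

ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([\d\s,]+)\]")

def extract_arrays(text):
    """Return {name: [ints]} for every 'var x = [n,n,...]' line of byte values."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        values = [int(v) for v in body.split(",") if v.strip()]
        if values and all(0 <= v <= 255 for v in values):
            arrays[name] = values
    return arrays

def pick_key_and_code(arrays):
    """KeyArray is the five-value array; CodeArray is the longest other one."""
    keys = [v for v in arrays.values() if len(v) == 5]
    codes = [v for v in arrays.values() if len(v) > 5]
    if len(keys) != 1 or not codes:
        raise ValueError("expected one 5-value key array and a longer code array")
    return keys[0], max(codes, key=len)

def decode(key, code):
    """ASSUMPTION: repeating-key XOR; the page does not name the scheme."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(code)).decode("latin-1")

def defang(url):
    """Make the URL non-clickable before pasting it into tickets or chat."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def analyse(text):
    """Parse the script text only (it is never executed) and report the URL and host."""
    key, code = pick_key_and_code(extract_arrays(text))
    url = decode(key, code)
    return {"url": defang(url), "host": urlsplit(url).hostname}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

If the decoded text is not a readable URL, the XOR assumption does not hold for that sample and the output should not be used for a firewall rule.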