ae2ad2106b8c4bf65470eea28cfa812f3484aa4e49075bfe1ab09c277890a051

Analysis

max time kernel
178s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df636e7945831c82dc6599250207f6a0.exe
Size

3.0MB
MD5

df636e7945831c82dc6599250207f6a0
SHA1

5077c9373e79473df081d35e67af8a73fbe1d673
SHA256

ae2ad2106b8c4bf65470eea28cfa812f3484aa4e49075bfe1ab09c277890a051
SHA512

b14a9e67be7f3dee1f37bca16d032f684a841780f6bd52d26cf307de68b0b629173c339de1ba4ed360a5c3ffcf3cc783cbdf6c38764d422d46dbbfc74be33322
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdy:jk5LhzACdLAlnE5co5nqqIP2Itdy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3684	NEAS.df636e7945831c82dc6599250207f6a03.exe
5040	NEAS.df636e7945831c82dc6599250207f6a03.exe
460	NEAS.df636e7945831c82dc6599250207f6a06.exe
1972	NEAS.df636e7945831c82dc6599250207f6a06.exe
3640	NEAS.df636e7945831c82dc6599250207f6a03.exe
388	NEAS.df636e7945831c82dc6599250207f6a03.exe
1936	NEAS.df636e7945831c82dc6599250207f6a06.exe
2880	NEAS.df636e7945831c82dc6599250207f6a06.exe
4564	NEAS.df636e7945831c82dc6599250207f6a03.exe
1084	NEAS.df636e7945831c82dc6599250207f6a00.exe
4348	NEAS.df636e7945831c82dc6599250207f6a08.exe
4852	NEAS.df636e7945831c82dc6599250207f6a08.exe
2632	NEAS.df636e7945831c82dc6599250207f6a03.exe
5132	NEAS.df636e7945831c82dc6599250207f6a08.exe
5260	NEAS.df636e7945831c82dc6599250207f6a06.exe
3304	NEAS.df636e7945831c82dc6599250207f6a06.exe
5248	NEAS.df636e7945831c82dc6599250207f6a00.exe
5484	NEAS.df636e7945831c82dc6599250207f6a03.exe
5876	NEAS.df636e7945831c82dc6599250207f6a08.exe
5896	NEAS.df636e7945831c82dc6599250207f6a03.exe
6040	NEAS.df636e7945831c82dc6599250207f6a08.exe
1072	NEAS.df636e7945831c82dc6599250207f6a00.exe
768	NEAS.df636e7945831c82dc6599250207f6a033.exe
4552	NEAS.df636e7945831c82dc6599250207f6a06.exe
6820	NEAS.df636e7945831c82dc6599250207f6a08.exe
7144	NEAS.df636e7945831c82dc6599250207f6a04.exe

Modifies file permissions 1 TTPs 9 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3220	takeown.exe
5364	takeown.exe
8164	takeown.exe
7424	takeown.exe
4264	takeown.exe
732	takeown.exe
7560	takeown.exe
6124	takeown.exe
5932	takeown.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 24 IoCs

evasion

pid	Process
8016	taskkill.exe
6044	taskkill.exe
7240	taskkill.exe
7276	taskkill.exe
7308	taskkill.exe
8008	taskkill.exe
2404	taskkill.exe
6232	taskkill.exe
2460	taskkill.exe
1764	taskkill.exe
3884	taskkill.exe
2616	taskkill.exe
7364	taskkill.exe
3636	taskkill.exe
5904	taskkill.exe
4000	taskkill.exe
7008	taskkill.exe
7128	taskkill.exe
6176	taskkill.exe
2784	taskkill.exe
7000	taskkill.exe
8040	taskkill.exe
7320	taskkill.exe
3516	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAssignPrimaryTokenPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLockMemoryPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncreaseQuotaPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeMachineAccountPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTcbPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSecurityPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTakeOwnershipPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLoadDriverPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemProfilePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemtimePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeProfSingleProcessPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncBasePriorityPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePagefilePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePermanentPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeBackupPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRestorePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeShutdownPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeDebugPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAuditPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemEnvironmentPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeChangeNotifyPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRemoteShutdownPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeUndockPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSyncAgentPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeEnableDelegationPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeManageVolumePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeImpersonatePrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateGlobalPrivilege	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 31	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 32	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 33	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 34	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 35	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateTokenPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAssignPrimaryTokenPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLockMemoryPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncreaseQuotaPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeMachineAccountPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTcbPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSecurityPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTakeOwnershipPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLoadDriverPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemProfilePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemtimePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeProfSingleProcessPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncBasePriorityPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePagefilePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePermanentPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeBackupPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRestorePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeShutdownPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeDebugPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAuditPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemEnvironmentPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeChangeNotifyPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRemoteShutdownPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeUndockPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSyncAgentPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeEnableDelegationPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeManageVolumePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeImpersonatePrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateGlobalPrivilege	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 31	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2484	firefox.exe
2484	firefox.exe
2484	firefox.exe
2484	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2484	firefox.exe
2484	firefox.exe
2484	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2864	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	87
PID 1648 wrote to memory of 2864	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	87
PID 2864 wrote to memory of 2640	2864	cmd.exe	88
PID 2864 wrote to memory of 2640	2864	cmd.exe	88
PID 1648 wrote to memory of 2220	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	90
PID 1648 wrote to memory of 2220	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	90
PID 2220 wrote to memory of 3856	2220	cmd.exe	91
PID 2220 wrote to memory of 3856	2220	cmd.exe	91
PID 2640 wrote to memory of 2420	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	93
PID 2640 wrote to memory of 2420	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	93
PID 1648 wrote to memory of 4740	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	94
PID 1648 wrote to memory of 4740	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	94
PID 4740 wrote to memory of 3332	4740	cmd.exe	95
PID 4740 wrote to memory of 3332	4740	cmd.exe	95
PID 1648 wrote to memory of 4980	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	97
PID 1648 wrote to memory of 4980	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	97
PID 4980 wrote to memory of 1076	4980	cmd.exe	98
PID 4980 wrote to memory of 1076	4980	cmd.exe	98
PID 1648 wrote to memory of 1728	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	100
PID 1648 wrote to memory of 1728	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	100
PID 3332 wrote to memory of 992	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	103
PID 3332 wrote to memory of 992	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	103
PID 2640 wrote to memory of 4952	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	104
PID 2640 wrote to memory of 4952	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	104
PID 1728 wrote to memory of 3112	1728	cmd.exe	105
PID 1728 wrote to memory of 3112	1728	cmd.exe	105
PID 1648 wrote to memory of 4696	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	107
PID 1648 wrote to memory of 4696	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	107
PID 4696 wrote to memory of 3968	4696	cmd.exe	108
PID 4696 wrote to memory of 3968	4696	cmd.exe	108
PID 3332 wrote to memory of 2388	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	110
PID 3332 wrote to memory of 2388	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	110
PID 3112 wrote to memory of 1548	3112	NEAS.df636e7945831c82dc6599250207f6a0.exe	111
PID 3112 wrote to memory of 1548	3112	NEAS.df636e7945831c82dc6599250207f6a0.exe	111
PID 1648 wrote to memory of 2300	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	112
PID 1648 wrote to memory of 2300	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	112
PID 4952 wrote to memory of 3684	4952	cmd.exe	113
PID 4952 wrote to memory of 3684	4952	cmd.exe	113
PID 2640 wrote to memory of 3672	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	114
PID 2640 wrote to memory of 3672	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	114
PID 2300 wrote to memory of 1640	2300	cmd.exe	115
PID 2300 wrote to memory of 1640	2300	cmd.exe	115
PID 1648 wrote to memory of 3024	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	119
PID 1648 wrote to memory of 3024	1648	NEAS.df636e7945831c82dc6599250207f6a0.exe	119
PID 3112 wrote to memory of 632	3112	NEAS.df636e7945831c82dc6599250207f6a0.exe	120
PID 3112 wrote to memory of 632	3112	NEAS.df636e7945831c82dc6599250207f6a0.exe	120
PID 3684 wrote to memory of 3544	3684	NEAS.df636e7945831c82dc6599250207f6a03.exe	121
PID 3684 wrote to memory of 3544	3684	NEAS.df636e7945831c82dc6599250207f6a03.exe	121
PID 2640 wrote to memory of 1132	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	123
PID 2640 wrote to memory of 1132	2640	NEAS.df636e7945831c82dc6599250207f6a0.exe	123
PID 1640 wrote to memory of 1524	1640	NEAS.df636e7945831c82dc6599250207f6a0.exe	124
PID 1640 wrote to memory of 1524	1640	NEAS.df636e7945831c82dc6599250207f6a0.exe	124
PID 1132 wrote to memory of 5040	1132	cmd.exe	130
PID 1132 wrote to memory of 5040	1132	cmd.exe	130
PID 2388 wrote to memory of 460	2388	cmd.exe	125
PID 2388 wrote to memory of 460	2388	cmd.exe	125
PID 632 wrote to memory of 1972	632	cmd.exe	129
PID 632 wrote to memory of 1972	632	cmd.exe	129
PID 3332 wrote to memory of 4476	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	131
PID 3332 wrote to memory of 4476	3332	NEAS.df636e7945831c82dc6599250207f6a0.exe	131
PID 460 wrote to memory of 3536	460	NEAS.df636e7945831c82dc6599250207f6a06.exe	169
PID 460 wrote to memory of 3536	460	NEAS.df636e7945831c82dc6599250207f6a06.exe	169
PID 5040 wrote to memory of 532	5040	NEAS.df636e7945831c82dc6599250207f6a03.exe	135
PID 5040 wrote to memory of 532	5040	NEAS.df636e7945831c82dc6599250207f6a03.exe	135

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+314809.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
      4⤵
      PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019059
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019059
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        6⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+314286.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe
        8⤵
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe 1698019059
        8⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe 1698019059
        9⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+911625.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a039.exe
        8⤵
        
        PID:6992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a039.exe 1698019059
        8⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a039.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a039.exe 1698019059
        9⤵
        
        PID:7912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:3120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        6⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:4564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        6⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+522421.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        8⤵
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe 1698019059
        8⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe 1698019059
        9⤵
        
        PID:6760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /KillHardDisk 1698019059
        10⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /KillHardDisk 1698019059
        11⤵
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /killMBR 1698019059
        10⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /killMBR 1698019059
        11⤵
        
        PID:5368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /protect 1698019059
        10⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /protect 1698019059
        11⤵
        
        PID:5704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe+629803.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0356.exe
        12⤵
        
        PID:6660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0356.exe 1698019059
        12⤵
        
        PID:8000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /autoup 1698019059
        10⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /autoup 1698019059
        11⤵
        
        PID:7888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+28917.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
        8⤵
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe 1698019059
        8⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe 1698019059
        9⤵
        
        PID:7480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /autoup 1698019059
        10⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /autoup 1698019059
        11⤵
        
        PID:6736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /killwindows 1698019059
        10⤵
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /KillHardDisk 1698019059
        10⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /KillHardDisk 1698019059
        11⤵
        
        PID:8048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /killMBR 1698019059
        10⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /killMBR 1698019059
        11⤵
        
        PID:5932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        6⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /autoup 1698019059
        6⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /autoup 1698019059
        7⤵
        
        PID:4328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /killwindows 1698019059
        6⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /killwindows 1698019059
        7⤵
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:4204
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:3220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:3592
        
        C:\Windows\system32\cacls.exe
        
        Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        9⤵
        
        PID:1016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /KillHardDisk 1698019059
        6⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /KillHardDisk 1698019059
        7⤵
        
        PID:7524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:1936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /killMBR 1698019059
        6⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /killMBR 1698019059
        7⤵
        
        PID:5296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        6⤵
        
        PID:5752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /autoup 1698019059
        6⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /autoup 1698019059
        7⤵
        
        PID:6968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+332613.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
      4⤵
      PID:3672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019059
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019059
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        6⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+03015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        8⤵
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe 1698019059
        8⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe 1698019059
        9⤵
        
        PID:6668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /autoup 1698019059
        10⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /autoup 1698019059
        11⤵
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /killwindows 1698019059
        10⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /killwindows 1698019059
        11⤵
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:384
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:7560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /KillHardDisk 1698019059
        10⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /KillHardDisk 1698019059
        11⤵
        
        PID:6828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:6752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /killMBR 1698019059
        10⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /killMBR 1698019059
        11⤵
        
        PID:7844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe /protect 1698019059
        10⤵
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+019479.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
        8⤵
        
        PID:7324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        6⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:2632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5516
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
    3⤵
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+625557.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      4⤵
      PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        6⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+313764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a063.exe
        8⤵
        
        PID:488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a063.exe 1698019059
        8⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a063.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a063.exe 1698019059
        9⤵
        
        PID:6400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+523405.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe
        8⤵
        
        PID:6352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe 1698019059
        8⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe 1698019059
        9⤵
        
        PID:5880
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019059
        6⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:3304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        6⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        7⤵
        
        PID:6540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:7356
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:4264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        6⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        7⤵
        
        PID:8124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:5452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:7244
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:7728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:6540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
        6⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
        7⤵
        
        PID:5244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        6⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        7⤵
        
        PID:5156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+08306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe
        8⤵
        
        PID:2232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        7⤵
        
        PID:6424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:7792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+83772.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
      4⤵
      PID:4476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019059
      4⤵
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /protect 1698019059
        6⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe+522421.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        8⤵
        
        PID:5504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe 1698019059
        8⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe 1698019059
        9⤵
        
        PID:964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /autoup 1698019059
        10⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /autoup 1698019059
        11⤵
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /killwindows 1698019059
        10⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /killwindows 1698019059
        11⤵
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:3188
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /KillHardDisk 1698019059
        10⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /KillHardDisk 1698019059
        11⤵
        
        PID:7716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /killMBR 1698019059
        10⤵
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /protect 1698019059
        10⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /protect 1698019059
        11⤵
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe+07783.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0850.exe
        12⤵
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /autoup 1698019059
        10⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /autoup 1698019059
        11⤵
        
        PID:7596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe+28917.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a082.exe
        8⤵
        
        PID:7368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a082.exe 1698019059
        8⤵
        
        PID:7256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /save 1698019059
        6⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:6040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+625557.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      4⤵
      PID:1548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:1972
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        6⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+624512.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a066.exe
        8⤵
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a066.exe 1698019059
        8⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a066.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a066.exe 1698019059
        9⤵
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a069.exe 1698019059
        8⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a069.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a069.exe 1698019059
        9⤵
        
        PID:7488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:4192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019059
        6⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1748
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        7⤵
        
        PID:7772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        6⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        7⤵
        
        PID:6852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        6⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        7⤵
        
        PID:8008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:8064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        6⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        7⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+08306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe
        8⤵
        
        PID:7208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
        6⤵
        
        PID:4496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        7⤵
        
        PID:7816
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:7796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+83772.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
      4⤵
      PID:1376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019059
      4⤵
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:4348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /protect 1698019059
        6⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe+521898.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
        8⤵
        
        PID:6428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /save 1698019059
        6⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:6820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+03538.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019059
      4⤵
      PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:1084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019059
        6⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019059
        7⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+522421.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
        8⤵
        
        PID:6096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019059
        8⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019059
        9⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+28917.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe
        8⤵
        
        PID:8024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe 1698019059
        8⤵
        
        PID:6532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019059
        6⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019059
        7⤵
        Executes dropped EXE
        
        PID:1072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3252
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+47698.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019059
      4⤵
      PID:5916
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:7144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /KillHardDisk 1698019059
        6⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /KillHardDisk 1698019059
        7⤵
        
        PID:6880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:7664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /killMBR 1698019059
        6⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /killMBR 1698019059
        7⤵
        
        PID:5180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /protect 1698019059
        6⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /protect 1698019059
        7⤵
        
        PID:6664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe+07783.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a040.exe
        8⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a040.exe 1698019059
        8⤵
        
        PID:6320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /autoup 1698019059
        6⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /autoup 1698019059
        7⤵
        
        PID:7588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
    3⤵
    PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
    3⤵
    PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+624512.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      4⤵
      PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
      4⤵
      PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019059
        5⤵
        Executes dropped EXE
        
        PID:4552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        7⤵
        
        PID:4972
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        6⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killwindows 1698019059
        7⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:3600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        6⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /KillHardDisk 1698019059
        7⤵
        
        PID:7468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:2436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
        6⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
        7⤵
        
        PID:6780
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        6⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019059
        7⤵
        
        PID:5460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+08306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe
        8⤵
        
        PID:8032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        6⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
        7⤵
        
        PID:7540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+927332.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
      4⤵
      PID:7028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019059
      4⤵
      PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019059
        5⤵
        
        PID:7184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /autoup 1698019059
        6⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /autoup 1698019059
        7⤵
        
        PID:5600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /killwindows 1698019059
        6⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /killwindows 1698019059
        7⤵
        
        PID:7384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /KillHardDisk 1698019059
        6⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /KillHardDisk 1698019059
        7⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:5580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /killMBR 1698019059
        6⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /killMBR 1698019059
        7⤵
        
        PID:808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /protect 1698019059
        6⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /protect 1698019059
        7⤵
        
        PID:6336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe+318531.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a093.exe
        8⤵
        
        PID:3536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /autoup 1698019059
        6⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe /autoup 1698019059
        7⤵
        
        PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019059
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /killwindows 1698019059
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /killwindows 1698019059
    3⤵
    PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+927332.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a069.exe
      4⤵
      PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /KillHardDisk 1698019059
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /KillHardDisk 1698019059
    3⤵
    PID:4388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:7356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /autoup 1698019059
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /killMBR 1698019059
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /killMBR 1698019059
    3⤵
    PID:7576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
  2⤵
  PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /autoup 1698019059
  2⤵
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /autoup 1698019059
    3⤵
    PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1820
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.0.346174599\1969159738" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20c53488-d467-40ff-82a7-3dc68111f766} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 1876 1a6210d6458 gpu
    3⤵
    PID:4156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.1.1853225581\393747156" -parentBuildID 20221007134813 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33561877-2931-4396-a92a-c3b160de8ea3} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 2328 1a620830e58 socket
    3⤵
    PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.2.1429104247\694648502" -childID 1 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1df4e64-06f2-4966-9ea2-2918cc656265} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 3484 1a621069c58 tab
    3⤵
    PID:5856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.3.1706033920\1143311277" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 2780 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a4077fb-616f-4352-b942-1a4dcf723450} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 2912 1a620832c58 tab
    3⤵
    PID:6492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.5.1071534807\315755625" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5cbe006-6af5-4152-bdd3-d1b642231b31} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 4996 1a626f2eb58 tab
    3⤵
    PID:7740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.6.2145992704\943840792" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {265a5044-e006-4f40-86d3-a9a5f228bb90} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 5028 1a62538e958 tab
    3⤵
    PID:7856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.7.824665351\1418596475" -childID 6 -isForBrowser -prefsHandle 5236 -prefMapHandle 5136 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0ab19b6-e0d8-4063-b935-b9c2659b3f2f} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 5400 1a62538ec58 tab
    3⤵
    PID:7932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.4.1626245531\360114425" -childID 3 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 948 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e643456b-9236-4e2a-ae07-da82d5aa3076} 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 3976 1a614c61f58 tab
    3⤵
    PID:2892

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7240

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7320

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7364

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7308

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /autoup 1698019059
1⤵
PID:3700

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:8008

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe 1698019059
1⤵
PID:6184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6352
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2404

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a082.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a082.exe 1698019059
1⤵
PID:4980

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:8016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /autoup 1698019059
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /autoup 1698019059
  2⤵
  PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:7720
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:732

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /autoup 1698019059
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /killMBR 1698019059
  2⤵
  PID:7084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /autoup 1698019059
1⤵
PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe /autoup 1698019059
1⤵
PID:4032
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a065.exe /autoup 1698019059
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /killwindows 1698019059
1⤵
PID:7080
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe /killwindows 1698019059
  2⤵
  PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
    3⤵
    PID:4684
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      Modifies file permissions
      PID:8164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
    3⤵
    PID:440
  - - C:\Windows\system32\cacls.exe
      Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
      4⤵
      PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /killwindows 1698019059
1⤵
PID:6020
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe /killwindows 1698019059
  2⤵
  PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
    3⤵
    PID:3332
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      Modifies file permissions
      PID:5364

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /autoup 1698019059
1⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7584

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\532c2c952b2a48f3adb0e29832e20029 /t 3308 /p 3116
1⤵
PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\users /r /f
1⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a032.exe /killwindows 1698019059
1⤵
PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  PID:6968
- - C:\Windows\system32\takeown.exe
    takeown /f C:\windows\system32\taskmgr.exe
    3⤵
    - Modifies file permissions
    PID:5932

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe /protect 1698019059
1⤵
PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe+08306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:6792
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:7424

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019059
1⤵
PID:8132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+08306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  2⤵
  PID:3580

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe /killMBR 1698019059
1⤵
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
c42d5ecefd282de58810bc32dca0624b

SHA1
c11392b6f2b9d128cf1945f0aedcfe1d77153b7f

SHA256
0c1952ab3eb35a15bad85d3c48f33819a2a933992386d1a9d6c878999ea409b7

SHA512
af2910c58f6255d4f6ee1a79ceec91437630f13bec64009ba02292b6f0a0683a6bdfaa72ab328934ccefd90eb25f29e1cd1aadacb5e89e67ae425d96bfd63737

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\03015.txt

Filesize
5B

MD5
d3e632e0af5200fc0e75485fb6db422f

SHA1
02110e04446b3ee253d1aa1923890273e54765c9

SHA256
a95015e105cbd8e0d5dcc03a52f6534a85f9d5313267bb73687a9326de86aa59

SHA512
75c896a883ec1538abe10b266a45e4221c81813f94c9d34b538f895044aa58933267151d1d878e7b472f4cac3ddb9c20b6d97fcabbdb8ec9ebc832445a87b53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\03538.txt

Filesize
5B

MD5
b0f9c6e8c9f6fb1525ceef6ae22b8893

SHA1
2f770f74122f110106dde0641d04582f75b4dfdd

SHA256
6d7f68c6bb26c8342bf3a3e21bb30c4a24aa6ccd9d3319af32684e6641052dcd

SHA512
6f02eb731c9cad6f59a3fd0fa96fba5ef12eca0c0c5fe1f4eccbedcce28b7008713f79813f2f17359e4eaf21e02e9e8cc1e287c8daa526897abb024693e900d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\08306.txt

Filesize
5B

MD5
e339e9f77caa07d6be8acfa2fceb178a

SHA1
e0e42dc5991ba6b33c7a05dc2ce137fc86120b31

SHA256
296035ee7b1f0fc62e91300b3bc1ccf7829183c3499cdff85343ecdba8dc39e3

SHA512
3d2be2be9bb73f03020038959b70c924b5b7da41df2d4aa5df84571dde3acf61353d06a145d16caa3b4c145a3e82c16bac58c26cd5c2a9ae1b4e2ba967f1544f

Download Submit
C:\Users\Admin\AppData\Local\Temp\103554.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\11265.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\11265.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\219627.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\313764.txt

Filesize
5B

MD5
4129304d04cff4cb688585ffd88c45fd

SHA1
2a8f98eeefbe076181f38581137bd8260a62bb24

SHA256
6b1c2fe8b35b978d97ad885ff13de490559057a1974270abb8e77415df581357

SHA512
af75c0c1bb20e37c877272ca464d852070a04a7a4d0a3920d3c0002f7689dbad0a96971a30f9c78c74423baa742e592faef35b04e6b2ea3b7dfb206ef39eedee

Download Submit
C:\Users\Admin\AppData\Local\Temp\314286.txt

Filesize
4B

MD5
4ab50afd6dcc95fcba76d0fe04295632

SHA1
5c696fdafa4779e293b52277671f30693b568cfc

SHA256
c027dd7b42f454d65ff27f572f0a23ecc72db4fb6f82098d95314583180bf479

SHA512
0971bebe1b4bdf6a6a16bf882f81e9ff1d679d76a396797e4f7e17fa39f7e71cb117963fa09b16a8801678317cab107d922433f615afaf7539a08848628e0834

Download Submit
C:\Users\Admin\AppData\Local\Temp\314809.txt

Filesize
3B

MD5
89fcd07f20b6785b92134bd6c1d0fa42

SHA1
636fd04ebe81c6118b43c88dba88b3af34ba4c12

SHA256
ce7d916f3b5c6edb421222b8e3b4c69f21bcdd5c38bac9e8a2751f55d865b9dc

SHA512
4d775147270764ac5fa370c40f9fc1f77175d3e653daa876e34599e662db541e52318fc78cdd4b1acb73b4a9b4014a6f2fc669ccf8d082a84fe36830111a6edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\45824.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\47698.txt

Filesize
5B

MD5
39b7696525c15ab11f34386e3ae943ae

SHA1
6badb27b92ab05bcb48b6bf060150b4331bd44d9

SHA256
4795e984b650a142568ef686c047cee884468d817dba2ad6c8942500d90cd43d

SHA512
0e46fa50918de43066ab4ee7a6bfd279ce5797604a61aa136ca133000f0d3bc7f0fcf7b02b83fd44402f12e67288f99dbd9dcb2448635c6ca435433fedeff674

Download Submit
C:\Users\Admin\AppData\Local\Temp\50268.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\522421.txt

Filesize
5B

MD5
3a1d84f752947c47e87f7cfdc42a63b0

SHA1
a54124796ff806e374e4c5b95ec38bdc73bbfdd0

SHA256
d06e4394cd407f16440a65f7de0b1d42395ae963a773d6bb4429a120f76ddeb8

SHA512
ea63b9b2c9cc23f7c8ca73fde3f1cb29e96b119b7540aba7cb82fd0d2f8af851afddd4bca57a2ce4363b50f9dbb9b4a98fcd5d6124c38654798b2292824a99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\522421.txt

Filesize
5B

MD5
3a1d84f752947c47e87f7cfdc42a63b0

SHA1
a54124796ff806e374e4c5b95ec38bdc73bbfdd0

SHA256
d06e4394cd407f16440a65f7de0b1d42395ae963a773d6bb4429a120f76ddeb8

SHA512
ea63b9b2c9cc23f7c8ca73fde3f1cb29e96b119b7540aba7cb82fd0d2f8af851afddd4bca57a2ce4363b50f9dbb9b4a98fcd5d6124c38654798b2292824a99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\522421.txt

Filesize
5B

MD5
3a1d84f752947c47e87f7cfdc42a63b0

SHA1
a54124796ff806e374e4c5b95ec38bdc73bbfdd0

SHA256
d06e4394cd407f16440a65f7de0b1d42395ae963a773d6bb4429a120f76ddeb8

SHA512
ea63b9b2c9cc23f7c8ca73fde3f1cb29e96b119b7540aba7cb82fd0d2f8af851afddd4bca57a2ce4363b50f9dbb9b4a98fcd5d6124c38654798b2292824a99cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\57968.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\624512.txt

Filesize
4B

MD5
80f24ef493982c552b6943f1411f7e2c

SHA1
b8bc129977d38d110096beea8d3f79f6e381b6ea

SHA256
e9e556620469f46a4dc171aef71073f5286a288da35c5883cac760446b0ceb46

SHA512
1d3ae664965c9399257881c6d0bb772838944f15d5887577967dc63d7b9de6380a888046cae868e1e0c091374ec1d51c01d9b577f34ce98b9e9d1934bd8863fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\624512.txt

Filesize
4B

MD5
80f24ef493982c552b6943f1411f7e2c

SHA1
b8bc129977d38d110096beea8d3f79f6e381b6ea

SHA256
e9e556620469f46a4dc171aef71073f5286a288da35c5883cac760446b0ceb46

SHA512
1d3ae664965c9399257881c6d0bb772838944f15d5887577967dc63d7b9de6380a888046cae868e1e0c091374ec1d51c01d9b577f34ce98b9e9d1934bd8863fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\625557.txt

Filesize
5B

MD5
e12adf20632f7173b369b04f8e76a425

SHA1
d4eb05228ea58aff12cad893c088b191eb2d1106

SHA256
761065c74d5f26afccc5be40741f44093dba1dafa9775fc5e9316a0ee06b8a37

SHA512
bdcacaa1a100e805bbcd2d3429315aeecc6ad3d28b0599774f6edfd03fff7b7fde0f598a757f8a6cbeb102f21b7f9503b3712bbcbbf9b86967b6d625023112b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\625557.txt

Filesize
5B

MD5
e12adf20632f7173b369b04f8e76a425

SHA1
d4eb05228ea58aff12cad893c088b191eb2d1106

SHA256
761065c74d5f26afccc5be40741f44093dba1dafa9775fc5e9316a0ee06b8a37

SHA512
bdcacaa1a100e805bbcd2d3429315aeecc6ad3d28b0599774f6edfd03fff7b7fde0f598a757f8a6cbeb102f21b7f9503b3712bbcbbf9b86967b6d625023112b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\83772.txt

Filesize
5B

MD5
4496bd929399a73223322c2a9599ff1f

SHA1
ed57e7ea4e449d0f63f3f7d8285d288ef174e6ed

SHA256
8fc27533fb0a2b28f557f4b93c606acbd7e66b334c68072f8230e9a1d5e0d5dc

SHA512
a3ea20d878cec2010ad9dc37c47696000883001604880eddd3566b751cba5f100840e21c8396fd76045382e51d1969abecb6e0f6505d417c806720358dc54a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\83772.txt

Filesize
5B

MD5
4496bd929399a73223322c2a9599ff1f

SHA1
ed57e7ea4e449d0f63f3f7d8285d288ef174e6ed

SHA256
8fc27533fb0a2b28f557f4b93c606acbd7e66b334c68072f8230e9a1d5e0d5dc

SHA512
a3ea20d878cec2010ad9dc37c47696000883001604880eddd3566b751cba5f100840e21c8396fd76045382e51d1969abecb6e0f6505d417c806720358dc54a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\911625.txt

Filesize
5B

MD5
0c2c53e1f9d33713f16353b09a8bfbe6

SHA1
0da6ba5fc6b8ad2de2c1390fc0e0e49189e93764

SHA256
18667b982b1c774d3c096422e457906afb227cfc7f956d3f4fc1f9bc07b98862

SHA512
326afca5a1b0a770b3d7cd702b07eae5a011dd0e7295c6f869a6edaa087eece4eecc98320e7e3cae7808a895219b97ae6d72eb9238a7c1e3a3bbae995920d67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\927332.txt

Filesize
4B

MD5
b928fec5932bf2fddd2cc88c038b8ccb

SHA1
0ba4924a3a10de69787bbb7834cf7eb2f0657e87

SHA256
6a6a93367e7d0023a00c4020a01c8e317b38bb4ce988adeb099fdb08fff5f4d0

SHA512
5b60b66d2f07ec95d3c391b8c7d6f5ef86e412ad1fc0f7e807c7685defb19cef6ad3fde220bcc35cb2e8caade6f87e9e3d75b8218c2f6c4a7977edd116faf72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
98f5ebeee7997d2a161cd03da443462f

SHA1
2d003d37628561eac69ffa8c67a03e08a8b6b227

SHA256
2c83f16a8ea1d952f8f6ce98db7d56c67f7b7cf6c64aac7105af56ecf751dfa5

SHA512
5a1711c3cc9cfaf90547a251a5b656e8f44914b9b1326380e3f9e2c85eb3b9a49fb8870c9ddabe7244f9a5f0a09e311348988078de712af03cf776b961228590

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
98f5ebeee7997d2a161cd03da443462f

SHA1
2d003d37628561eac69ffa8c67a03e08a8b6b227

SHA256
2c83f16a8ea1d952f8f6ce98db7d56c67f7b7cf6c64aac7105af56ecf751dfa5

SHA512
5a1711c3cc9cfaf90547a251a5b656e8f44914b9b1326380e3f9e2c85eb3b9a49fb8870c9ddabe7244f9a5f0a09e311348988078de712af03cf776b961228590

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
98f5ebeee7997d2a161cd03da443462f

SHA1
2d003d37628561eac69ffa8c67a03e08a8b6b227

SHA256
2c83f16a8ea1d952f8f6ce98db7d56c67f7b7cf6c64aac7105af56ecf751dfa5

SHA512
5a1711c3cc9cfaf90547a251a5b656e8f44914b9b1326380e3f9e2c85eb3b9a49fb8870c9ddabe7244f9a5f0a09e311348988078de712af03cf776b961228590

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
98f5ebeee7997d2a161cd03da443462f

SHA1
2d003d37628561eac69ffa8c67a03e08a8b6b227

SHA256
2c83f16a8ea1d952f8f6ce98db7d56c67f7b7cf6c64aac7105af56ecf751dfa5

SHA512
5a1711c3cc9cfaf90547a251a5b656e8f44914b9b1326380e3f9e2c85eb3b9a49fb8870c9ddabe7244f9a5f0a09e311348988078de712af03cf776b961228590

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe

Filesize
3.0MB

MD5
1ec596ca602f053a99a597e71188a453

SHA1
f61c2bd937acd9e2a943af427e90332c82dac201

SHA256
88cf49eeee67675ded4f1960cd18f2ec5a5484325091b94a663def347111ca65

SHA512
87c8e2c55d3bfc1908afe358b940221e964aca61bb1997fb22e69fc7e3ce7fb8b0be326202627321e03ec8a8f7801f720ec240390dcbd38923019ee570d18cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a030.exe

Filesize
3.0MB

MD5
31d2a31289e71a18384f5673baa72720

SHA1
ae1a9ea107c6eb6c29a3bf398133d2aa78ff669a

SHA256
c5d16dc2905000d3600b8096637d3a136837f4e114287cffe92a08011b609441

SHA512
65ce0156d37336c61af3bb6d02d042ab11ae5d281e7feda7eac1ce9a0c0ceccc4e6661af724db6a8cbb628b311cac149bf8973b0f857462f87b27f1c3df47e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe

Filesize
3.0MB

MD5
63386c2eb6376ac4bc3adca526e7a4a4

SHA1
ec5ffc49daa3f841840165e4a5904e1da09f335b

SHA256
f3ea7852228b186f646ae34a545d17039be5d297af9c3b5c7f12bec8243d7f4b

SHA512
46fb2ad4fee2789b89a9f79138cc911508a487721769b4b0705f36de07c99a118f61593b346a58af64ee19c6eeb51b2034e65294945dd29844de3b8cdc12d4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a033.exe

Filesize
3.0MB

MD5
63386c2eb6376ac4bc3adca526e7a4a4

SHA1
ec5ffc49daa3f841840165e4a5904e1da09f335b

SHA256
f3ea7852228b186f646ae34a545d17039be5d297af9c3b5c7f12bec8243d7f4b

SHA512
46fb2ad4fee2789b89a9f79138cc911508a487721769b4b0705f36de07c99a118f61593b346a58af64ee19c6eeb51b2034e65294945dd29844de3b8cdc12d4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a035.exe

Filesize
3.0MB

MD5
90cf6c1e22d34edb592ce223eed49ff9

SHA1
81ad5eb4896b7f7709cf09c91ab645d49a5751dd

SHA256
99cfe5ba1aa06d21a469437fd22c0dd899c2788a05410ecf98389204f4115c8c

SHA512
63d7fe47ecd076e4c90ae8135d36eb193e415d30e2bf7864b57c3addd275af878095d4ccf71fdebede00d6acda92275518603a88db502a37537d46e26d200b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe

Filesize
3.0MB

MD5
b3ede454aa40fc9866aa8f580214ec15

SHA1
eaca4cf483208c47f139eef2fadc24d51564d6da

SHA256
b4f4435796dee1cde649f8134b645fe08f9c1f0bf38c1e072b0ebf72c521b731

SHA512
b174ed231c634f2317c833113218c659c1e3a693fe68c8093521d0f971a52048956f6c5f95e8816a5b2387dda7ea7550cd62a4b1c9acae530c1c50a7714aaf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe

Filesize
3.0MB

MD5
94765714cb604cb113b9f239169cab55

SHA1
34ffd2c433fbbbbb9b791aa7000f3535f565b349

SHA256
343db3f6b3402fac500761618b1a9138ad9d971933bae6a8452077a08318253d

SHA512
d2d042ba4087d81db8e1a3363093d624aea7b7d3ac7b1cadb17c96f6225171952445d12105c4e38592df29825f05e27bafd74903110b1a56b0edca4a1604d17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a063.exe

Filesize
3.0MB

MD5
f18608e7e03e67bceb04f0340c84adca

SHA1
7469f5908bb67b0f07c73c3363efe611a3e01122

SHA256
64c3aec7fc32b0f3d605d325736e471912d12e3681461878490f5b0155396560

SHA512
82df4aa32ba6014af51a32669ce5d83d0b1e82c6b6be41ec00bdd8f772b5d0bfe8166afd8d02d8d16b60e27e7e374c6438bd2f2b9239407aebefa24bca5e6d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a066.exe

Filesize
3.0MB

MD5
bb274e422a1ac68ede82bf2a3f7222bb

SHA1
1cbeecf1828df43d04efeaa31dba48b8b063cff9

SHA256
484667814abe86e16625ff6bf04b611eeafa1b1588ede8138d94d97ba05b6096

SHA512
789b37c360886afe2c32576c8728ef9cc56236957cacf7f0dab2957b2dad8f712f98a064e14a5557f0ba6f70b596ec34095a76bc9980c79806a4deaa8daa8c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe

Filesize
3.0MB

MD5
811ebfadee056fb4edbee591413643bd

SHA1
cfeac1831c3f30e7240dc6797272eed90d73fe3d

SHA256
0cdb6c78dce37e6fe682fe59c7512f0aaa77f652274cb20c94ff5e8530e0405e

SHA512
896b313c6f4c5646aedf899e96afd2b87c7cd72fb0d4c1b6f147c04ead474d7a37435122445c61dbe3095fa6732e69462baaa172020592ca3d45991585c5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a085.exe

Filesize
3.0MB

MD5
4deff06a21d10042cb7b43ddbe9ab413

SHA1
71f60e43510a08dfbfb9f072872186c6e2c1f9f5

SHA256
68c3f08ea3fd9842d0dd34586fe1ba5e1963c4461293679113c7ebce8c7627b8

SHA512
3df188035c7d8ff33d3d29ba4d4f08a6395ff69d48a28f807c0c9e3aebac6791fda1ff58adc9177db3c47320cd979b00dfe5e7eabad2c0457df80aa9857433db

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe

Filesize
3.0MB

MD5
1692c15f567d37b2fc2c4d49f3ce99dd

SHA1
4500a660a4f85d0661976377480e91f51d2f4ebe

SHA256
c47b9f5e6469184faac211cff1f52585f6b44a5aca78358c1a7c477d02b9e2b4

SHA512
8d749ec6813c73aae0e4bfcfbfd37aa96e63003e4b4ec6947f4e631c4cde55d5feff3def41d0c54d1d9151a4265d55e70efd4e2f5f631476891fa036c7ab1972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
6KB

MD5
70a2684cd6d9760117a5b5ea98b9c638

SHA1
53ce93693f3b8bbbc2f9d7edb24c388c25a0d0b8

SHA256
f368b41cd276f0d8c38002bb78990cf4e1341ce835ea0dfa007e059f4ada9d78

SHA512
e2dfc1d70e8afecb44ee3ff8c072f9c9da44ef1b92f718fb33432855ab190f58a7133d90725b9a17c870ece8845e3c98a918e2517c4d21870da3faf9deb4781e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
983B

MD5
e55b8dfbba732b009f3c9e6cba292722

SHA1
dcde3cb3c7e164cf31f60399e332df1d5c95819f

SHA256
31778ba7ea678f0fca8f1f1eb03e725face0f2117f892b9196c075173fd61024

SHA512
c196a7ff963b951f3b4aa11d048f817f769ab97f93a00630b7c7be0ea0f1b0e019e8d0a84d3dc51ad884a83666a0790c81a2cfe45514e25d5dcbff71cae75eee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore.jsonlz4

Filesize
857B

MD5
7144c99d192a938e778ea36035b3ed7f

SHA1
80415652a1a7e913c257f98452fb4a34f6f986a7

SHA256
057f3fa5de15bbc79d953163252ef541b898868739cc1c5caea0192d359de934

SHA512
2f9e640b2544b91ef304b2a7d8007638b4956c7a53948e78124291ac2b25a50124fa1f8c566793e8a7e7cdb6c9a5dad992f41b1bed04fce68b7c40ec613cac68

Download Submit
memory/388-76-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/460-71-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/840-75-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1076-67-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1084-81-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1640-70-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1648-65-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1936-77-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1972-73-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2632-142-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2640-20-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2880-78-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3064-146-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3112-61-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3304-143-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3332-63-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3640-74-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3684-69-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3856-66-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3968-68-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4348-82-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4564-79-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4852-91-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4980-80-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5040-72-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5132-145-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5248-144-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5260-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5484-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download