ce608faa350d14f5b46cac9ac71fa99df52482ef54b62bb5276e0de0e7266b81

Analysis

max time kernel
36s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Size

3.0MB
MD5

a6f9088da9f32404b2383e61dc3c5c70
SHA1

5cadab74b7f36f71dfad14ca682f2416e8968f83
SHA256

ce608faa350d14f5b46cac9ac71fa99df52482ef54b62bb5276e0de0e7266b81
SHA512

8798d936ee5ce6a1d35c725944e40cc6f41f09c8e93180bcc5e81965fc8f4bf9afb62d84b9c2870451d8d8015c61b8e469303dcab86366ad3e36ff23ea0ca947
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdj:jk5LhzACdLAlnE5co5nqqIP2Itdj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
3948	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
8	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
2528	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
3656	NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe
4056	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
3464	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
1944	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
4380	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
2028	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
2664	NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe
1372	NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2760	takeown.exe
5616	takeown.exe
5940	takeown.exe
4032	takeown.exe
2532	takeown.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
6816	taskkill.exe
1480	taskkill.exe
2400	taskkill.exe
5496	taskkill.exe
7148	taskkill.exe
1260	taskkill.exe
5792	taskkill.exe
4280	taskkill.exe
4816	taskkill.exe
4216	taskkill.exe
6092	taskkill.exe
6612	taskkill.exe
4028	taskkill.exe
3540	taskkill.exe
4952	taskkill.exe
6900	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeAssignPrimaryTokenPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeLockMemoryPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeIncreaseQuotaPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeMachineAccountPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeTcbPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSecurityPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeTakeOwnershipPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeLoadDriverPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemProfilePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemtimePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeProfSingleProcessPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeIncBasePriorityPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreatePagefilePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreatePermanentPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeBackupPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeRestorePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeShutdownPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeDebugPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeAuditPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemEnvironmentPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeChangeNotifyPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeRemoteShutdownPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeUndockPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSyncAgentPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeEnableDelegationPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeManageVolumePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeImpersonatePrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreateGlobalPrivilege	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 31	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 32	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 33	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 34	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 35	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreateTokenPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeAssignPrimaryTokenPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeLockMemoryPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeIncreaseQuotaPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeMachineAccountPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeTcbPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSecurityPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeTakeOwnershipPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeLoadDriverPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemProfilePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemtimePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeProfSingleProcessPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeIncBasePriorityPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreatePagefilePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreatePermanentPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeBackupPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeRestorePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeShutdownPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeDebugPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeAuditPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSystemEnvironmentPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeChangeNotifyPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeRemoteShutdownPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeUndockPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeSyncAgentPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeEnableDelegationPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeManageVolumePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeImpersonatePrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: SeCreateGlobalPrivilege	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
Token: 31	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1484	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	86
PID 4692 wrote to memory of 1484	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	86
PID 1484 wrote to memory of 952	1484	cmd.exe	87
PID 1484 wrote to memory of 952	1484	cmd.exe	87
PID 4692 wrote to memory of 1256	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	89
PID 4692 wrote to memory of 1256	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	89
PID 1256 wrote to memory of 2588	1256	cmd.exe	90
PID 1256 wrote to memory of 2588	1256	cmd.exe	90
PID 4692 wrote to memory of 2148	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	92
PID 4692 wrote to memory of 2148	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	92
PID 2148 wrote to memory of 1480	2148	cmd.exe	94
PID 2148 wrote to memory of 1480	2148	cmd.exe	94
PID 952 wrote to memory of 3648	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	93
PID 952 wrote to memory of 3648	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	93
PID 4692 wrote to memory of 680	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	96
PID 4692 wrote to memory of 680	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	96
PID 680 wrote to memory of 3220	680	cmd.exe	97
PID 680 wrote to memory of 3220	680	cmd.exe	97
PID 952 wrote to memory of 3332	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	99
PID 952 wrote to memory of 3332	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	99
PID 4692 wrote to memory of 4952	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	100
PID 4692 wrote to memory of 4952	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	100
PID 1480 wrote to memory of 2092	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	101
PID 1480 wrote to memory of 2092	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	101
PID 4952 wrote to memory of 2016	4952	cmd.exe	102
PID 4952 wrote to memory of 2016	4952	cmd.exe	102
PID 4692 wrote to memory of 436	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	104
PID 4692 wrote to memory of 436	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	104
PID 436 wrote to memory of 1088	436	cmd.exe	106
PID 436 wrote to memory of 1088	436	cmd.exe	106
PID 4692 wrote to memory of 64	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	108
PID 4692 wrote to memory of 64	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	108
PID 1480 wrote to memory of 4204	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	109
PID 1480 wrote to memory of 4204	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	109
PID 2016 wrote to memory of 4836	2016	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	111
PID 2016 wrote to memory of 4836	2016	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	111
PID 3332 wrote to memory of 3948	3332	cmd.exe	110
PID 3332 wrote to memory of 3948	3332	cmd.exe	110
PID 952 wrote to memory of 4104	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	113
PID 952 wrote to memory of 4104	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	113
PID 64 wrote to memory of 2248	64	cmd.exe	114
PID 64 wrote to memory of 2248	64	cmd.exe	114
PID 4204 wrote to memory of 8	4204	cmd.exe	115
PID 4204 wrote to memory of 8	4204	cmd.exe	115
PID 3948 wrote to memory of 4988	3948	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe	117
PID 3948 wrote to memory of 4988	3948	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe	117
PID 952 wrote to memory of 1688	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	119
PID 952 wrote to memory of 1688	952	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	119
PID 8 wrote to memory of 3724	8	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe	120
PID 8 wrote to memory of 3724	8	NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe	120
PID 1480 wrote to memory of 4500	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	121
PID 1480 wrote to memory of 4500	1480	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	121
PID 4988 wrote to memory of 2528	4988	cmd.exe	126
PID 4988 wrote to memory of 2528	4988	cmd.exe	126
PID 2248 wrote to memory of 1080	2248	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	125
PID 2248 wrote to memory of 1080	2248	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	125
PID 4692 wrote to memory of 1264	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	122
PID 4692 wrote to memory of 1264	4692	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	122
PID 3948 wrote to memory of 2736	3948	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe	123
PID 3948 wrote to memory of 2736	3948	NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe	123
PID 1688 wrote to memory of 3656	1688	cmd.exe	127
PID 1688 wrote to memory of 3656	1688	cmd.exe	127
PID 2248 wrote to memory of 688	2248	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	129
PID 2248 wrote to memory of 688	2248	NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+130134.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
      4⤵
      PID:3648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe 1698012515
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe 1698012515
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+818862.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe
        8⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe 1698012515
        8⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe 1698012515
        9⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+91290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        8⤵
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe 1698012515
        8⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe 1698012515
        9⤵
        
        PID:5492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /autoup 1698012515
        10⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /autoup 1698012515
        11⤵
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /killwindows 1698012515
        10⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /killwindows 1698012515
        11⤵
        
        PID:5884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:5604
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /KillHardDisk 1698012515
        10⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /KillHardDisk 1698012515
        11⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:5952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /killMBR 1698012515
        10⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /killMBR 1698012515
        11⤵
        
        PID:6848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /protect 1698012515
        10⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /protect 1698012515
        11⤵
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe+926244.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70199.exe
        12⤵
        
        PID:6372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70199.exe 1698012515
        12⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70199.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70199.exe 1698012515
        13⤵
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:1080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:6900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe+132297.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70191.exe
        12⤵
        
        PID:6404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70191.exe 1698012515
        12⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70191.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70191.exe 1698012515
        13⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:2300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:6816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /autoup 1698012515
        10⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe /autoup 1698012515
        11⤵
        
        PID:4572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:5720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /save 1698012515
        6⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /save 1698012515
        7⤵
        Executes dropped EXE
        
        PID:3464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:2244
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:1480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:5612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        6⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        7⤵
        
        PID:4228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:5936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        6⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        7⤵
        
        PID:5244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:3908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        6⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        7⤵
        
        PID:5732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        6⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        7⤵
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+927290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe
        8⤵
        
        PID:1440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:4748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:6804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        6⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        7⤵
        
        PID:212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:6764
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:5616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        6⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        7⤵
        
        PID:6508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:3156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        6⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        7⤵
        
        PID:7164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        6⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        7⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+042.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7010.exe
        8⤵
        
        PID:5332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7010.exe 1698012515
        8⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7010.exe 1698012515
        9⤵
        
        PID:5708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+132161.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7011.exe
        8⤵
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7011.exe 1698012515
        8⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7011.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7011.exe 1698012515
        9⤵
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:1692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:1260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:6304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:6200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:4964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        6⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        7⤵
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:3904
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:5940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:3696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        6⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        7⤵
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:5628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        6⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        7⤵
        
        PID:5128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        6⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /protect 1698012515
        7⤵
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe+617880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7016.exe
        8⤵
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7016.exe 1698012515
        8⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7016.exe 1698012515
        9⤵
        
        PID:2212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:5252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:4140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        6⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /autoup 1698012515
        7⤵
        
        PID:2772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        6⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killwindows 1698012515
        7⤵
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:2284
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:2532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        6⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /KillHardDisk 1698012515
        7⤵
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:7112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        6⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe /killMBR 1698012515
        7⤵
        
        PID:7040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+826205.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe
      4⤵
      PID:4104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe 1698012515
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe 1698012515
        5⤵
        Executes dropped EXE
        
        PID:3656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+58114.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
      4⤵
      PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe /protect 1698012515
        6⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe /protect 1698012515
        7⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe+026474.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe
        8⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe 1698012515
        8⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe 1698012515
        9⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:5496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe+810362.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe
        8⤵
        
        PID:5612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe 1698012515
        8⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe 1698012515
        9⤵
        
        PID:4548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe /save 1698012515
        6⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe /save 1698012515
        7⤵
        Executes dropped EXE
        
        PID:2028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:2584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+530131.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
      4⤵
      PID:4500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
      4⤵
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
        5⤵
        Executes dropped EXE
        
        PID:4380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
    3⤵
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+58114.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
      4⤵
      PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+58114.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
      4⤵
      PID:1080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
      4⤵
      PID:688
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe 1698012515
        5⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+530131.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe
      4⤵
      PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
  2⤵
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /save 1698012515
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:5788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
  2⤵
  PID:6288
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
    3⤵
    PID:5904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:6284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
    3⤵
    PID:6152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
  2⤵
  PID:7128
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  PID:5304
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    PID:5968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+615496.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c706.exe
      4⤵
      PID:5896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c706.exe 1698012515
      4⤵
      PID:7096
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c706.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c706.exe 1698012515
        5⤵
        
        PID:3772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+628370.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c706.exe
      4⤵
      PID:6564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:5520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:5340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
  2⤵
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
    3⤵
    PID:6128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:6592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
    3⤵
    PID:5676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:5980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
    3⤵
    PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    PID:7132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+031765.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c700.exe
      4⤵
      PID:6132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c700.exe 1698012515
      4⤵
      PID:6644
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c700.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c700.exe 1698012515
        5⤵
        
        PID:872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+322953.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c703.exe
      4⤵
      PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c703.exe 1698012515
      4⤵
      PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c703.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c703.exe 1698012515
        5⤵
        
        PID:5180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:6108
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:5912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:5160
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
  2⤵
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killwindows 1698012515
    3⤵
    PID:6252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:6484
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
      4⤵
      PID:6080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
  2⤵
  PID:6832
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /KillHardDisk 1698012515
    3⤵
    PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /killMBR 1698012515
    3⤵
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /protect 1698012515
    3⤵
    PID:5756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe+26086.txt C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c702.exe
      4⤵
      PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c70.exe /autoup 1698012515
  2⤵
  PID:6164

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CloseShow.ADT"
1⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc758246f8,0x7ffc75824708,0x7ffc75824718
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8941869103096277925,204088639365272367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8941869103096277925,204088639365272367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc758246f8,0x7ffc75824708,0x7ffc75824718
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:7056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:7044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:6616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,12804675220246587206,8121344154659644410,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc74569758,0x7ffc74569768,0x7ffc74569778
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1988 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:6296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:2
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4956 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5072 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:6672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5480 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5868 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=2204,i,14372178718370665872,13993397751814106025,131072 /prefetch:8
  2⤵
  PID:3116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.0.1150997386\339940319" -parentBuildID 20221007134813 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49cf11fb-400f-4691-a067-a0050d4296ac} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 1936 1baffcf7d58 gpu
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.1.1707536654\1653710637" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e9d8d8-5d9e-4673-a4eb-1e79dbd05d37} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 2324 1baff7e3558 socket
    3⤵
    PID:3136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.2.1277244753\1052485791" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de721f8-3610-49e3-b78a-255a4b050e29} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3244 1ba88bc8358 tab
    3⤵
    PID:6804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4420.3.1428432066\460396747" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1016 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d2e8827-7145-4919-b00e-0e75ef480452} 4420 "\\.\pipe\gecko-crash-server-pipe.4420" 3568 1ba88cd5558 tab
    3⤵
    PID:7064

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:5728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:6612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2672

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
8520e19e78a7c12caee60fff43e94ff8

SHA1
a68ade052afc5d7efd92fc62ffeb768719a801a9

SHA256
6876267b76e2be4abb1e82e99340c94d9036517df113ab17f56adabf50d9c1f1

SHA512
8200e7838efd582c9533ea3252f8c6645887f68989628bac42e729f0c6ab4f129cb09d311e8031664b4c6f365c55615192d2a023a441de34a6c432a1f8b98e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f62218ed8dd3fc19f438b118445b5d92

SHA1
85d8eac633ee6043247ab5da38af2fd46715f606

SHA256
9b50b163037ef393f772ea7a8306be38aaabd61c747ca478ce7b4215ba49ff15

SHA512
3bb838164b7592d7f241d5ed9a1fcbc7dd03510f548fafb9f39de0d70ed53aa45a1bc50225034b5c63ca1c05149f991e745ad22ddf106a9711fe5154c0a81881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d54e7caee55104f24fe7faaa24a8fa94

SHA1
3b700687ad309690d93dc5092786b04e1fd8b6b1

SHA256
a1a3dd4c0f962a2d4229497288e196ed48272d2ecf84399978316cd3323d490d

SHA512
df90e345c8470ebad6c97b77bd16e80aba8935e7b4f75b70314e5e1196bf5d6a5990fb012333a4bacf5766e11ee64c916238e53470c942f4ee8243c22e62c9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3dcc003a3fbbc72918848b932f274ada

SHA1
816a3dd8240235d250c6ae2db14c8f8fa251267b

SHA256
d8736ae978e2f311bc64aad15545622330e5713711e6ab44b976c8ee85068e13

SHA512
b79809de2627f6827785ffc8396ec913512757d3855c78bdb442bcd911f18e11b37915f950c91cd1a44bc879defa58792b9a5334ac24d2fd330cafebb75ed4ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a111ff5748717d909676db9cc784c5c6

SHA1
93e5b23a1a1a3d86c3680f2d6f32c3e34580f953

SHA256
dc540fadadbfb236efd8e636c9679a0fb5dfe87feaae1cf9f69c149d2842bcdf

SHA512
140a92c4c5d1c6b3edeacb5f76d730c2fe866ed4582aa36b0e189b997893c8e46d167f5976671c758778a594ee68359f2bf2944b223ee999658e8c8dcc40dced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6290bb420beb2492e506d54f3f9c91f9

SHA1
5feed060715907d725bb9cea98bbfd162a23cacd

SHA256
873aaed15b781a69dfa1ea3ba9a25ecee29bce9e695844e219d0cbdd577fb400

SHA512
84245d89bf91e6a0d4b79fe22f1844510e42154817af1ebfa1900310c5dceac7dc14facb84817b749e6ad7a95903875cda677fa0a0838e40716fb1f3b44074d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
6d03d6e3f7f0839f991f5feb331de0c1

SHA1
2fc7b9d58b6f661990788e0d1d629e1b7d07f98b

SHA256
0a9186dc206190965095f059cf644f3918e3c8ab2cdaf3539259d9454716c018

SHA512
28b00edb1d32c4b115d53b1739eb311b3f3fac53cb0121f8e75f4c95d4ae03e983164bf683a614b4ff76cfe354cd491d3014c3a6b5ba91254bc110797f2e0da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
d83b8330d338481dc1d7fac914353e66

SHA1
656f12e8d6ba00e205fcb287271f3cfdc3dff9a9

SHA256
fd58ea1ecb3cf85e1b22f635da091773d144d74b0ed4ae741d11acffd9d90c94

SHA512
c61f2bc194f9693c5b47017075e345c6321f97a8bd208f1591b32c8c5b4078f1eabf333008d6b5ec77095a84e703b510ed781a72183a3cd235766ddc9330a15b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
addec117e28d33bff729df0101bec942

SHA1
ecaf6d79e77751f9509d7c46b550f97c18981123

SHA256
8542d691e8cb47a7c7c0de27daef9c9e38d8245d2acf207bad9e80cdf854ae57

SHA512
6d7a8b37235097951765ae774fc91b1a78e78c1f2bd0459c0f3e797f47e3793c3f2ffd3a65ce14b3a848c52ad3f7e9349f96a2c806fa5604ee19e809a789206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f9bc20747520b37b3f22c169195824e

SHA1
de0472972d51b2d9419ff0d714706bef0c6f81d8

SHA256
a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0

SHA512
179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe1a370aaf52fc1b4eab2ea5bc89394a

SHA1
fcb66e74db397eae256f6a8cac292618d16c5e48

SHA256
329b4ffd500d1cd8eb06cb65a2c827e397d9722db9bc9397aee6df39a7287790

SHA512
3a844fd798325516bfcd38656dda129b5744071ff30b3c9bcf6ebcb3a582b8d1395a8f8607456d2a966155d8e89a9e6b6eec6adb88abc23584b9903f0f292788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ef6b285ca3c9634c30313fceba93908

SHA1
004be1bda62c374704209f5b5622db4a22f92095

SHA256
eb6cea3dd98575b19127bac29449515c548b97435c04799b40d7edf26a642fcc

SHA512
77a1f8dec76212f966c7b478c7a1409dfb55e353c028b4b9a0250b69f7120b7923716f116a1e24328903d318c618c8429074125dc61546a425b3aa133a8aad91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37e01f83907316f2219cb1afdbbfc02b

SHA1
8fa58d32d08b6c756ce2a9e8043a354c1303ff2e

SHA256
40bc063a2ddd6607eab714f6e230ed3c7e6e3ea900a019828abbacf10b19d8d1

SHA512
dffa0a80fb6dd6a811032f7995eef417b2e72270d66902832a7bb342e4c39e59bb42b83a01b8a07adbcb529b9e99622d98894e82680cbe954f405e5f0d983c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ce8573b53dfd7376021dd4b670c1a940

SHA1
b32e613af98c4f10881780bfc59a4452f966d669

SHA256
8a192ddfc3ccfe5fa1b812f4bf7b583626f2b38031e5a2cf0d681ff7a1c0be7a

SHA512
4c6270f37d114153ecc59403f892298c291edc574805c04901d3eeff3af9fcf1e3c8d3f65a614c0af94420bc61cbdb99c78877591a10eb05aec9c246c14868ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d0efe7c347e3d0d495b5a7ed531b306e

SHA1
74c4b68cc0623ff0fc60a6f35fb59d28e41c7c0d

SHA256
33dc2ddb66b8d0355e11098038c3dcf804d084557e5fda5d8be6640383d91b48

SHA512
3856a15cc7f1f71168f4e46ecf068375f6cb69ac4b964971217507853c6bd946974ebc0cc5a894ad039f0d098d3e75be4cd8b57ce027be15059db0ff3893a3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ce8573b53dfd7376021dd4b670c1a940

SHA1
b32e613af98c4f10881780bfc59a4452f966d669

SHA256
8a192ddfc3ccfe5fa1b812f4bf7b583626f2b38031e5a2cf0d681ff7a1c0be7a

SHA512
4c6270f37d114153ecc59403f892298c291edc574805c04901d3eeff3af9fcf1e3c8d3f65a614c0af94420bc61cbdb99c78877591a10eb05aec9c246c14868ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8357b5e24d2cf50fcb3dce50a6be90fa

SHA1
474c98a728ee7680c85edf211fe12bb766e29234

SHA256
b013cca6095141172b1dc727fbf8b6c2c14b858b2e280aaa2222a52b09b75f43

SHA512
85911518f41ac83ab32cc8be5ef4176055b723074a61ad9cd1f670580c1589de7a7d010e9f70311a3bf2fddd98671a4733803573a3c8d71907bbaa91c4f7995e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ebc1d957-c26e-4817-a048-5dd41b4c9d17.tmp

Filesize
10KB

MD5
b645f07d657714c5a5ce52055a0ed731

SHA1
ba8a1ecea46f36bb18db24a55884f23b8bf47374

SHA256
ec46a63e07cbc1bd16692391a222848a5bce2b01fdd1ef80217936019f0e0851

SHA512
33cb9764293d105d29211d1183aadd0a74214747bad24652faa9456fa06c280bfa8bc329dc3369f57b4cb5082716d08a9c77d7919bbf80d474f15a0c10d15f85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
f8bcdee8ba22ec8b07142c75d8341c1f

SHA1
0fb72964250ee7a7dc6cd02b4b1cf3a10da0cc89

SHA256
fb4abd3518aa519a59febfa04132595ba56d9b0fe8ff76f5c4a5ffab7571379a

SHA512
89a994dd009ffbdc9e798636e440dbcf32e3c087565e7b4a2edc5eded98b3b91b39bd601c2d0f7af10b2a84a03ff71e46cfc462c34e0a3a89bd2e09226148b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\026474.txt

Filesize
5B

MD5
432773124021b504983e853ed7588fa6

SHA1
681665ea8b72237d1677dfaf7339ef7a7ec40269

SHA256
6121f80ab40860b38267a2bbe1e3c41cf1d00ddb3efa549e74c2657521003ab8

SHA512
2dc8b745e80d9af73f161d6ede6f084115e41de1bb0906f3665d2b8c1f6ed6f8387b89ba0448372e2ff1f02128db162b9dac87d817405ced76095c2a4aa7c2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\107320.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\107320.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\130134.txt

Filesize
5B

MD5
5bb77e5c6d452aee283844d47756dc05

SHA1
cc4f9ebb3e9e968c2d2ca4b97f5b0d9554caa840

SHA256
2438cbc1eade910bac1e2da7bf8884b9ad0771c41f3c5ab2cb06a13490f8d82f

SHA512
a87aa838be7d301eb79616f6aa55a5ea5a6612554e637f7d91c2ac14d2f4fab13b37508082ec4dd9efcf33fce78249016974bcc12e59d9868b976a3d35b92d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\530131.txt

Filesize
4B

MD5
e5fc3b8d9510b02e42361c337597d9fa

SHA1
f475e3a0c34640b01830cafd12e1e2e58b70aa74

SHA256
bb76dc3c076cd8e06b6b727b1913eff38a71ffc30bd6a4916e52fd39798ec81f

SHA512
0c59f4c69cf0bf0ec4898139686e79cae596c68d7bdc338f9c916bffb470b8c950d61936b4af741607e8b6ace3f0d1176fbb81a68d98145433fd542ea38e12cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\58114.txt

Filesize
4B

MD5
5cbba2d075f0d1648e0851e1467ba79f

SHA1
b9abf4cce982fdb8d77daad3864eb4f65088e03a

SHA256
25b99b9c636ea2d7820f5409c19248e08e87e59d0fb42c5b44ce7695508f0408

SHA512
a1bfaa112abfd5581f93d82cbadb29807028218aed42bd5ff82a9fc6f18b141d542f99dfd6ab0a7b7bcbd18f4400c1dc5bc8cbbd4e10ae3a58671c0cafb6856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\58114.txt

Filesize
4B

MD5
5cbba2d075f0d1648e0851e1467ba79f

SHA1
b9abf4cce982fdb8d77daad3864eb4f65088e03a

SHA256
25b99b9c636ea2d7820f5409c19248e08e87e59d0fb42c5b44ce7695508f0408

SHA512
a1bfaa112abfd5581f93d82cbadb29807028218aed42bd5ff82a9fc6f18b141d542f99dfd6ab0a7b7bcbd18f4400c1dc5bc8cbbd4e10ae3a58671c0cafb6856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\810362.txt

Filesize
5B

MD5
e1517246f55a92dc53dd2133ebb12837

SHA1
c74a689eaf6e4b801ad29bf6b45ce05a2323b62b

SHA256
52fdb3be244a2dd6a54c4374f86c54d630680ce037e055b844279aa407145007

SHA512
06231a278fd2409e05aed931097302fc5703845b8b7ace6ffae5c00356e765850c807a5683e260e9090ae1de404994fa675a11ae2cf0eb985660da2a7c9816cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\818862.txt

Filesize
5B

MD5
bfbf094d7555f22ae3bd5056dfedfd56

SHA1
8d9458aeb7896cf71dbf18552647dfa8172735f4

SHA256
e7f51df90d0e768dc2785527f28a2c80a1660d069e46201833c7319a0e898651

SHA512
f446429b4e42d00ac5a696489b907a837a36eda92039025bb10b3921f9068cd5e73a4298f0c249e312848956536fc613e184d45d0e74fe50a8c0cb8ff7334a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\826205.txt

Filesize
5B

MD5
6cb993c8fa82ad11ff71fad64d213a72

SHA1
531163ca2711fcc13ff66f76a140d1eeca416610

SHA256
991d584e18d6d29f790ad2660f4760cb36203b2617d82f5a8ac21ab927b1fdc6

SHA512
a4cddd745e17302f1766dcf98b8362cf547326a7ea631e3adce9a37ff5b0a4b7b62297197384a37d8b4acde5b0e04882ee7b9e9297502427dd1c5236421d4904

Download Submit
C:\Users\Admin\AppData\Local\Temp\91290.txt

Filesize
4B

MD5
01daa090f0d5693d97c90755a54fa204

SHA1
033961dc9b8ec055edd3f0cce7718121774ad86c

SHA256
514c9ae59f601e841cb9fa4bf8562c0696ece53bdfe44af88f1967d5ec9cf6b0

SHA512
21c4685d29ba17691b0577571b1b03c57ed714e8785b8071283eaa54a756641d040751aacf82bee517f7a14010ac11611ea6b0e5ef708ddd11d3898f0c9c13fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\97725.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c701.exe

Filesize
3.0MB

MD5
fbbfde2693ebf8ea13f319f9f3a80adf

SHA1
c94dd394b7e631585e361bce74332439e2ed24a7

SHA256
962b2e806f86365025c284e49811501b2cd402afc5c37e2158e5757e8dced13d

SHA512
84714e75b1d30ade768d2c2bc372f63923e09cc294a3ca138d0c48fae93899d21f6af837ff67f01f946d674a356c440f07632610052d3f66ea987f8dc511979c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe

Filesize
3.0MB

MD5
238b06dfb327834fb0fdbab88c6eae4d

SHA1
f6c98764b5dc04363cbde29f5b4e8333de19391f

SHA256
97ad82073d8faa1dfb73bac79ee84cb30d3c1d8c01559e9aa5083d7be3cdd8b8

SHA512
2ad337ff2fb718cc31feaf36820723d528ba767ed6b4284a4c5089dcf7164da77285a2f25814d8ee026bf6b1425fe3ff9916b00502bb109c70b4a79866567f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7018.exe

Filesize
3.0MB

MD5
238b06dfb327834fb0fdbab88c6eae4d

SHA1
f6c98764b5dc04363cbde29f5b4e8333de19391f

SHA256
97ad82073d8faa1dfb73bac79ee84cb30d3c1d8c01559e9aa5083d7be3cdd8b8

SHA512
2ad337ff2fb718cc31feaf36820723d528ba767ed6b4284a4c5089dcf7164da77285a2f25814d8ee026bf6b1425fe3ff9916b00502bb109c70b4a79866567f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe

Filesize
3.0MB

MD5
7185e6045db4148c6824c84d1a595f11

SHA1
78eb1217f846bc629ffde45c186cf6000fceccbd

SHA256
bd5a3328db6e3d3dfc4cb1b9e91950d08b90d74b5b4eb057de1cfdd74d013b2b

SHA512
97d35009de498fc20a2ed913494d28ddccc42ea52c0c050c52d42128513fbc5eb376876d7cee7c04b0629a5bde894455509c619900dc4dbc23f9ad38e8b014eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe

Filesize
3.0MB

MD5
7185e6045db4148c6824c84d1a595f11

SHA1
78eb1217f846bc629ffde45c186cf6000fceccbd

SHA256
bd5a3328db6e3d3dfc4cb1b9e91950d08b90d74b5b4eb057de1cfdd74d013b2b

SHA512
97d35009de498fc20a2ed913494d28ddccc42ea52c0c050c52d42128513fbc5eb376876d7cee7c04b0629a5bde894455509c619900dc4dbc23f9ad38e8b014eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7019.exe

Filesize
3.0MB

MD5
7185e6045db4148c6824c84d1a595f11

SHA1
78eb1217f846bc629ffde45c186cf6000fceccbd

SHA256
bd5a3328db6e3d3dfc4cb1b9e91950d08b90d74b5b4eb057de1cfdd74d013b2b

SHA512
97d35009de498fc20a2ed913494d28ddccc42ea52c0c050c52d42128513fbc5eb376876d7cee7c04b0629a5bde894455509c619900dc4dbc23f9ad38e8b014eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c705.exe

Filesize
3.0MB

MD5
e3972d6afdf15bfd0883ed7f6c25635f

SHA1
568f756fec7097150b8873d60b54faa8d84c1fc1

SHA256
b15c90eb7bb4019b547722013473a9e7158c4e522563ab5618a73ee53e5025da

SHA512
180cccb24a74ac60b8d6d2314b60cf7f3c8b0d1ba2c298d9001d25fafd64cfecc950db8a2ed1c7cf739ee3078b80d6d9817a46eda94127f7a3b64d62f859e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe

Filesize
3.0MB

MD5
477c4e48b6eafeb5dbeb4612c3ee7a36

SHA1
7cd6b12ebe59d6bdfba18baf2d5ddfe3b217100f

SHA256
e34895d0ef298207d0e1102e0fbdaa751380c9355e35f6fa8ee56f49e5786b5a

SHA512
27bf9953533861e22ad9c11c7fe462772340abb4b233517d080191ff7889169fdf675c011d20317d905c86f321752c11c07800b75c1cac39153f5c211bde1d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7050.exe

Filesize
3.0MB

MD5
477c4e48b6eafeb5dbeb4612c3ee7a36

SHA1
7cd6b12ebe59d6bdfba18baf2d5ddfe3b217100f

SHA256
e34895d0ef298207d0e1102e0fbdaa751380c9355e35f6fa8ee56f49e5786b5a

SHA512
27bf9953533861e22ad9c11c7fe462772340abb4b233517d080191ff7889169fdf675c011d20317d905c86f321752c11c07800b75c1cac39153f5c211bde1d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe

Filesize
3.0MB

MD5
012545131ea89f2529c8e4f98c60e7e8

SHA1
5df3ba4aa753573cd7b80d55621b8ca87b430b9f

SHA256
ff9963860b9ca0a0f6141dd8be120695ffc0060309749225bc4c3f6901bb502f

SHA512
6cab810b04fbe04d12fe159e7140794fb6f9e3ddd8cef938aa3e5eb4d53792ae0c684df8aad05b81968fb1c143402da80755c94f8b01e250f3e51c2c6fc8e54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c7058.exe

Filesize
3.0MB

MD5
012545131ea89f2529c8e4f98c60e7e8

SHA1
5df3ba4aa753573cd7b80d55621b8ca87b430b9f

SHA256
ff9963860b9ca0a0f6141dd8be120695ffc0060309749225bc4c3f6901bb502f

SHA512
6cab810b04fbe04d12fe159e7140794fb6f9e3ddd8cef938aa3e5eb4d53792ae0c684df8aad05b81968fb1c143402da80755c94f8b01e250f3e51c2c6fc8e54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe

Filesize
3.0MB

MD5
bf6b695375884be1ec64bbee8aba12c1

SHA1
5e8be68cce9393c24f13286bea79b1445a85cdaa

SHA256
45ff164916e6fcef923ed60bbbe62a1fa5bef98f6d3883837a8a624e44abc415

SHA512
269cb078f269e9e6170ced23ab88ca6feffa33eacb174292d3c3ad8ea42ff778699eea9758a94c9f1764142dcb1a91301842a5428982d4fcb923d7ae7ffb1d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6f9088da9f32404b2383e61dc3c5c708.exe

Filesize
3.0MB

MD5
bf6b695375884be1ec64bbee8aba12c1

SHA1
5e8be68cce9393c24f13286bea79b1445a85cdaa

SHA256
45ff164916e6fcef923ed60bbbe62a1fa5bef98f6d3883837a8a624e44abc415

SHA512
269cb078f269e9e6170ced23ab88ca6feffa33eacb174292d3c3ad8ea42ff778699eea9758a94c9f1764142dcb1a91301842a5428982d4fcb923d7ae7ffb1d9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js

Filesize
6KB

MD5
57251ddb1c0ad5b7cfdd77b9f60ef4c9

SHA1
0e5c0d4c96756643dcbdd7ab5ef01fbacdf8f314

SHA256
967ad5d9c325a2a159e84405f32951799e77a9dae0e497461584cfa2b6a27128

SHA512
ab6998ad782af2a37553c7e58f2fefeca5cf4f8d9fe81961b64af28d886dc48174b2a7f8433e30d1af8943dd773c1863b8ad1df196928942c41a10a46817315f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js

Filesize
6KB

MD5
3a224af42678efacaa145b9b3933cbe2

SHA1
9345dc242449a3b2d86d4d74858e6bb2d54845c6

SHA256
9268edf7bc8485b605ff9cf2cccb9e2c953376ab447872d22a6cc966657c7c7c

SHA512
8d1eb9cc5ff9c0bebcf6e8d08706860125c08b964f83702ec45ad45b73c360fcc94b2ef8883c7e463341971b0af59e0be42375bdd6d89f42f59bd187bd792f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore.jsonlz4

Filesize
392B

MD5
adaa3416f1761de0078e552bb74774ea

SHA1
cd7a3aca6ddd9d631e4a94475c10dae20c47e325

SHA256
80e43360fa91f11f618a8e59e0df56a724d1efa03e7f4c957f5e4b62284b8518

SHA512
ded624daa05a554bf49f9d38192a252d532438284ab30d60a496039deb532846124432853c0de513155d10d41d9023ea33a8e3d6f138b54c62ca4712feaa9a37

Download Submit
memory/8-48-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/952-30-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1088-40-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1480-52-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1480-36-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1868-67-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1944-70-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1944-88-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2016-39-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2028-122-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2248-47-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2528-208-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2528-49-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2588-35-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3220-38-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3464-69-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3472-261-0x00007FFC7E910000-0x00007FFC7E921000-memory.dmp

Filesize
68KB

Download
memory/3472-279-0x00007FFC788C0000-0x00007FFC788D1000-memory.dmp

Filesize
68KB

Download
memory/3472-271-0x00007FFC788E0000-0x00007FFC7891F000-memory.dmp

Filesize
252KB

Download
memory/3472-209-0x00007FFC85660000-0x00007FFC85678000-memory.dmp

Filesize
96KB

Download
memory/3472-276-0x00007FFC78BC0000-0x00007FFC78BD8000-memory.dmp

Filesize
96KB

Download
memory/3472-202-0x00007FFC74A00000-0x00007FFC74CB4000-memory.dmp

Filesize
2.7MB

Download
memory/3472-250-0x00007FFC85220000-0x00007FFC85237000-memory.dmp

Filesize
92KB

Download
memory/3472-251-0x00007FFC7F590000-0x00007FFC7F5A1000-memory.dmp

Filesize
68KB

Download
memory/3472-121-0x00007FFC74A00000-0x00007FFC74CB4000-memory.dmp

Filesize
2.7MB

Download
memory/3472-102-0x00007FFC897E0000-0x00007FFC89814000-memory.dmp

Filesize
208KB

Download
memory/3472-92-0x00007FF717070000-0x00007FF717168000-memory.dmp

Filesize
992KB

Download
memory/3472-273-0x00007FFC7ACB0000-0x00007FFC7ACD1000-memory.dmp

Filesize
132KB

Download
memory/3472-244-0x00007FFC85240000-0x00007FFC85251000-memory.dmp

Filesize
68KB

Download
memory/3472-255-0x00007FFC7E930000-0x00007FFC7E94D000-memory.dmp

Filesize
116KB

Download
memory/3472-227-0x00007FFC85640000-0x00007FFC85657000-memory.dmp

Filesize
92KB

Download
memory/3472-265-0x00007FFC769C0000-0x00007FFC76BC0000-memory.dmp

Filesize
2.0MB

Download
memory/3656-50-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3948-41-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4056-68-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4380-63-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4692-27-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download