0a282a1eb954e0c3bca719072d5dee81a939f260642d32ba96bf375f6c7da34d

Analysis

max time kernel
20s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.17d4d31580768282ff68a3b744546d10.exe
Size

3.0MB
MD5

17d4d31580768282ff68a3b744546d10
SHA1

4213197eb61313407de0c17a6d1cd0867a925181
SHA256

0a282a1eb954e0c3bca719072d5dee81a939f260642d32ba96bf375f6c7da34d
SHA512

71a45ccc3208027ae900a31a9330ba2bd1e808d1f8f5cf6124ebcaf649ea987f713419453dd3a4ebbd8579b23be8643d59a6b0adf80bb03d8f4c9dd54dfb2c29
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdx:jk5LhzACdLAlnE5co5nqqIP2Itdx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3552	NEAS.17d4d31580768282ff68a3b744546d106.exe
1592	NEAS.17d4d31580768282ff68a3b744546d109.exe
3036	NEAS.17d4d31580768282ff68a3b744546d109.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5896	takeown.exe
10296	takeown.exe
5540	takeown.exe
10052	takeown.exe
7336	takeown.exe
8868	takeown.exe
3224	takeown.exe
6660	takeown.exe
10424	takeown.exe
10696	takeown.exe
8628	takeown.exe
7184	takeown.exe
3320	takeown.exe
11024	takeown.exe
10672	takeown.exe

Kills process with taskkill 32 IoCs

evasion

pid	Process
4164	taskkill.exe
7024	taskkill.exe
7452	taskkill.exe
7596	taskkill.exe
7484	taskkill.exe
7404	taskkill.exe
7576	taskkill.exe
1156	taskkill.exe
6136	taskkill.exe
2364	taskkill.exe
4812	taskkill.exe
5304	taskkill.exe
7724	taskkill.exe
2092	taskkill.exe
3248	taskkill.exe
7436	taskkill.exe
6892	taskkill.exe
7988	taskkill.exe
7312	taskkill.exe
7644	taskkill.exe
7752	taskkill.exe
7888	taskkill.exe
7728	taskkill.exe
5412	taskkill.exe
6444	taskkill.exe
4404	taskkill.exe
7516	taskkill.exe
4316	taskkill.exe
3948	taskkill.exe
2432	taskkill.exe
5308	taskkill.exe
6140	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeAssignPrimaryTokenPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeLockMemoryPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeIncreaseQuotaPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeMachineAccountPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeTcbPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSecurityPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeTakeOwnershipPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeLoadDriverPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemProfilePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemtimePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeProfSingleProcessPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeIncBasePriorityPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreatePagefilePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreatePermanentPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeBackupPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeRestorePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeShutdownPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeDebugPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeAuditPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemEnvironmentPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeChangeNotifyPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeRemoteShutdownPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeUndockPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSyncAgentPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeEnableDelegationPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeManageVolumePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeImpersonatePrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreateGlobalPrivilege	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 31	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 32	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 33	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 34	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 35	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreateTokenPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeAssignPrimaryTokenPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeLockMemoryPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeIncreaseQuotaPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeMachineAccountPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeTcbPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSecurityPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeTakeOwnershipPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeLoadDriverPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemProfilePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemtimePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeProfSingleProcessPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeIncBasePriorityPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreatePagefilePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreatePermanentPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeBackupPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeRestorePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeShutdownPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeDebugPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeAuditPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSystemEnvironmentPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeChangeNotifyPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeRemoteShutdownPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeUndockPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeSyncAgentPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeEnableDelegationPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeManageVolumePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeImpersonatePrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: SeCreateGlobalPrivilege	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe
Token: 31	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 4704	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	89
PID 3904 wrote to memory of 4704	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	89
PID 4704 wrote to memory of 3128	4704	cmd.exe	90
PID 4704 wrote to memory of 3128	4704	cmd.exe	90
PID 3904 wrote to memory of 4760	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	92
PID 3904 wrote to memory of 4760	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	92
PID 4760 wrote to memory of 3648	4760	cmd.exe	93
PID 4760 wrote to memory of 3648	4760	cmd.exe	93
PID 3904 wrote to memory of 1548	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	95
PID 3904 wrote to memory of 1548	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	95
PID 3128 wrote to memory of 2180	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe	96
PID 3128 wrote to memory of 2180	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe	96
PID 1548 wrote to memory of 3996	1548	cmd.exe	97
PID 1548 wrote to memory of 3996	1548	cmd.exe	97
PID 3904 wrote to memory of 2520	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	99
PID 3904 wrote to memory of 2520	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	99
PID 2520 wrote to memory of 3152	2520	cmd.exe	101
PID 2520 wrote to memory of 3152	2520	cmd.exe	101
PID 3904 wrote to memory of 1160	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	103
PID 3904 wrote to memory of 1160	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	103
PID 1160 wrote to memory of 4600	1160	cmd.exe	104
PID 1160 wrote to memory of 4600	1160	cmd.exe	104
PID 3904 wrote to memory of 3976	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	106
PID 3904 wrote to memory of 3976	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	106
PID 3976 wrote to memory of 4584	3976	cmd.exe	107
PID 3976 wrote to memory of 4584	3976	cmd.exe	107
PID 3904 wrote to memory of 3868	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	109
PID 3904 wrote to memory of 3868	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	109
PID 3128 wrote to memory of 384	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe	110
PID 3128 wrote to memory of 384	3128	NEAS.17d4d31580768282ff68a3b744546d10.exe	110
PID 3868 wrote to memory of 2692	3868	cmd.exe	111
PID 3868 wrote to memory of 2692	3868	cmd.exe	111
PID 3904 wrote to memory of 1284	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	113
PID 3904 wrote to memory of 1284	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	113
PID 3996 wrote to memory of 2288	3996	NEAS.17d4d31580768282ff68a3b744546d10.exe	114
PID 3996 wrote to memory of 2288	3996	NEAS.17d4d31580768282ff68a3b744546d10.exe	114
PID 2692 wrote to memory of 3584	2692	NEAS.17d4d31580768282ff68a3b744546d10.exe	223
PID 2692 wrote to memory of 3584	2692	NEAS.17d4d31580768282ff68a3b744546d10.exe	223
PID 4600 wrote to memory of 3536	4600	NEAS.17d4d31580768282ff68a3b744546d10.exe	116
PID 4600 wrote to memory of 3536	4600	NEAS.17d4d31580768282ff68a3b744546d10.exe	116
PID 1284 wrote to memory of 3076	1284	cmd.exe	117
PID 1284 wrote to memory of 3076	1284	cmd.exe	117
PID 3904 wrote to memory of 4296	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	169
PID 3904 wrote to memory of 4296	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	169
PID 4296 wrote to memory of 3088	4296	cmd.exe	120
PID 4296 wrote to memory of 3088	4296	cmd.exe	120
PID 3904 wrote to memory of 4032	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	172
PID 3904 wrote to memory of 4032	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	172
PID 3996 wrote to memory of 1464	3996	NEAS.17d4d31580768282ff68a3b744546d10.exe	123
PID 3996 wrote to memory of 1464	3996	NEAS.17d4d31580768282ff68a3b744546d10.exe	123
PID 4600 wrote to memory of 1880	4600	NEAS.17d4d31580768282ff68a3b744546d10.exe	124
PID 4600 wrote to memory of 1880	4600	NEAS.17d4d31580768282ff68a3b744546d10.exe	124
PID 4032 wrote to memory of 4320	4032	cmd.exe	127
PID 4032 wrote to memory of 4320	4032	cmd.exe	127
PID 3904 wrote to memory of 3396	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	125
PID 3904 wrote to memory of 3396	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	125
PID 3396 wrote to memory of 448	3396	cmd.exe	128
PID 3396 wrote to memory of 448	3396	cmd.exe	128
PID 3904 wrote to memory of 3092	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	130
PID 3904 wrote to memory of 3092	3904	NEAS.17d4d31580768282ff68a3b744546d10.exe	130
PID 3092 wrote to memory of 4328	3092	cmd.exe	132
PID 3092 wrote to memory of 4328	3092	cmd.exe	132
PID 384 wrote to memory of 3552	384	Process not Found	136
PID 384 wrote to memory of 3552	384	Process not Found	136

C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+61810.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
      4⤵
      PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe 1698520198
      4⤵
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe 1698520198
        5⤵
        Executes dropped EXE
        
        PID:3552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /protect 1698520198
        6⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /protect 1698520198
        7⤵
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe+430396.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe
        8⤵
        
        PID:5948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe 1698520198
        8⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe 1698520198
        9⤵
        
        PID:5452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7856
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe+420487.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe
        8⤵
        
        PID:7540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe 1698520198
        8⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1064.exe 1698520198
        9⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:2364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /save 1698520198
        6⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /save 1698520198
        7⤵
        
        PID:7124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /autoup 1698520198
        6⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /autoup 1698520198
        7⤵
        
        PID:4492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /killwindows 1698520198
        6⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /killwindows 1698520198
        7⤵
        
        PID:8196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:8924
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:3224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /KillHardDisk 1698520198
        6⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /KillHardDisk 1698520198
        7⤵
        
        PID:5576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:2660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /killMBR 1698520198
        6⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /killMBR 1698520198
        7⤵
        
        PID:7228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /protect 1698520198
        6⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /protect 1698520198
        7⤵
        
        PID:8864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe+916803.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1069.exe
        8⤵
        
        PID:10180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1069.exe 1698520198
        8⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1069.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1069.exe 1698520198
        9⤵
        
        PID:11332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /autoup 1698520198
        6⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe /autoup 1698520198
        7⤵
        
        PID:7640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:10072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+124550.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
      4⤵
      PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe 1698520198
      4⤵
      PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe 1698520198
        5⤵
        
        PID:2108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe /protect 1698520198
        6⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe /protect 1698520198
        7⤵
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe+430396.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        8⤵
        
        PID:3840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe 1698520198
        8⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe 1698520198
        9⤵
        
        PID:6252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /autoup 1698520198
        10⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /autoup 1698520198
        11⤵
        
        PID:8256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /killwindows 1698520198
        10⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /killwindows 1698520198
        11⤵
        
        PID:8552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:6488
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:10672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /KillHardDisk 1698520198
        10⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /KillHardDisk 1698520198
        11⤵
        
        PID:9644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:10852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /killMBR 1698520198
        10⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /killMBR 1698520198
        11⤵
        
        PID:6552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /protect 1698520198
        10⤵
        
        PID:10908
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /protect 1698520198
        11⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe+125461.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10141.exe
        12⤵
        
        PID:11336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe /autoup 1698520198
        10⤵
        
        PID:9064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe+420487.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1014.exe
        8⤵
        
        PID:1908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe /save 1698520198
        6⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe /save 1698520198
        7⤵
        
        PID:6216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+912558.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
      4⤵
      PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
      4⤵
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
        6⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
        7⤵
        
        PID:4212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe+119647.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1091.exe
        8⤵
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1091.exe 1698520198
        8⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1091.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1091.exe 1698520198
        9⤵
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe+016561.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1090.exe
        8⤵
        
        PID:7396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1090.exe 1698520198
        8⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1090.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1090.exe 1698520198
        9⤵
        
        PID:5468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7928
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /save 1698520198
        6⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /save 1698520198
        7⤵
        
        PID:6532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+528476.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:1544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:3992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:5908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+78376.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        8⤵
        
        PID:6200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe 1698520198
        8⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe 1698520198
        9⤵
        
        PID:6188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /autoup 1698520198
        10⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /autoup 1698520198
        11⤵
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /killwindows 1698520198
        10⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /killwindows 1698520198
        11⤵
        
        PID:8016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:9664
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:6660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /KillHardDisk 1698520198
        10⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /KillHardDisk 1698520198
        11⤵
        
        PID:9544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:10712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /killMBR 1698520198
        10⤵
        
        PID:10036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /killMBR 1698520198
        11⤵
        
        PID:5552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /protect 1698520198
        10⤵
        
        PID:10884
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /protect 1698520198
        11⤵
        
        PID:9636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe+125461.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10571.exe
        12⤵
        
        PID:11324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /autoup 1698520198
        10⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1057.exe /autoup 1698520198
        11⤵
        
        PID:12236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+124414.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        8⤵
        
        PID:7276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe 1698520198
        8⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe 1698520198
        9⤵
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /autoup 1698520198
        10⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /autoup 1698520198
        11⤵
        
        PID:6984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /killwindows 1698520198
        10⤵
        
        PID:9964
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /killwindows 1698520198
        11⤵
        
        PID:7680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:10140
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:10296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /KillHardDisk 1698520198
        10⤵
        
        PID:10520
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /KillHardDisk 1698520198
        11⤵
        
        PID:9984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:7704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /killMBR 1698520198
        10⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe /killMBR 1698520198
        11⤵
        
        PID:11596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /save 1698520198
        6⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /save 1698520198
        7⤵
        
        PID:6904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6308
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+912558.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
      4⤵
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
        5⤵
        Executes dropped EXE
        
        PID:1592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
        6⤵
        
        PID:5468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /save 1698520198
        6⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /save 1698520198
        7⤵
        
        PID:7092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /autoup 1698520198
        6⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /autoup 1698520198
        7⤵
        
        PID:5632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /killwindows 1698520198
        6⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /killwindows 1698520198
        7⤵
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:8752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:8628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:10020
        
        C:\Windows\system32\cacls.exe
        
        Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        9⤵
        
        PID:10276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /KillHardDisk 1698520198
        6⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /KillHardDisk 1698520198
        7⤵
        
        PID:8480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:3540
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:11788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /killMBR 1698520198
        6⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /killMBR 1698520198
        7⤵
        
        PID:5264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
        6⤵
        
        PID:10068
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
        7⤵
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe+227552.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1092.exe
        8⤵
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1092.exe 1698520198
        8⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1092.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1092.exe 1698520198
        9⤵
        
        PID:10388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /autoup 1698520198
        6⤵
        
        PID:10972
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /autoup 1698520198
        7⤵
        
        PID:11216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:10888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+528476.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+912558.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
      4⤵
      PID:3584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
      4⤵
      PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+528476.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+811513.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:3908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:6368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:920
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+719269.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
      4⤵
      PID:6816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe 1698520198
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe 1698520198
        5⤵
        
        PID:7796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:3248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /autoup 1698520198
        6⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /autoup 1698520198
        7⤵
        
        PID:9188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /killwindows 1698520198
        6⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /killwindows 1698520198
        7⤵
        
        PID:8628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10816
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:10424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /KillHardDisk 1698520198
        6⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /KillHardDisk 1698520198
        7⤵
        
        PID:7568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:11100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:9608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /killMBR 1698520198
        6⤵
        
        PID:10608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /killMBR 1698520198
        7⤵
        
        PID:4104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d107.exe /protect 1698520198
        6⤵
        
        PID:10988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+222261.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
      4⤵
      PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe 1698520198
      4⤵
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe 1698520198
        5⤵
        
        PID:6360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /autoup 1698520198
        6⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /autoup 1698520198
        7⤵
        
        PID:7088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /killwindows 1698520198
        6⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /killwindows 1698520198
        7⤵
        
        PID:8916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:5868
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:10052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:10900
        
        C:\Windows\system32\cacls.exe
        
        Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        9⤵
        
        PID:10252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /KillHardDisk 1698520198
        6⤵
        
        PID:9212
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /KillHardDisk 1698520198
        7⤵
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:4452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /killMBR 1698520198
        6⤵
        
        PID:9112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /killMBR 1698520198
        7⤵
        
        PID:10172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /protect 1698520198
        6⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /protect 1698520198
        7⤵
        
        PID:10948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe+227029.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1022.exe
        8⤵
        
        PID:7864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1022.exe 1698520198
        8⤵
        
        PID:11912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /autoup 1698520198
        6⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe /autoup 1698520198
        7⤵
        
        PID:3560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:11548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+123196.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
      4⤵
      PID:6800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe 1698520198
      4⤵
      PID:7036
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe 1698520198
        5⤵
        
        PID:7628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6356
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:5388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:6388
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:7732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:1156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /autoup 1698520198
        6⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /autoup 1698520198
        7⤵
        
        PID:9168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /killwindows 1698520198
        6⤵
        
        PID:8396
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /killwindows 1698520198
        7⤵
        
        PID:8844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10832
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:12200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /KillHardDisk 1698520198
        6⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /KillHardDisk 1698520198
        7⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:2984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /killMBR 1698520198
        6⤵
        
        PID:10260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /killMBR 1698520198
        7⤵
        
        PID:7656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /protect 1698520198
        6⤵
        
        PID:8604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /protect 1698520198
        7⤵
        
        PID:11300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe+123892.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1081.exe
        8⤵
        
        PID:12220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe /autoup 1698520198
        6⤵
        
        PID:11880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:4268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5032
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:8348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        6⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        7⤵
        
        PID:5536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:7336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:11656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        6⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        7⤵
        
        PID:9560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:4628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        6⤵
        
        PID:9920
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        7⤵
        
        PID:6736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:10512
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+125461.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        8⤵
        
        PID:11348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:10984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:11604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:6964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:7056
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:7772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6212
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:2400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        6⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        7⤵
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:2344
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:11468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        6⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        7⤵
        
        PID:9212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:8604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:4260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        6⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        7⤵
        
        PID:6652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:10128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+124938.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        8⤵
        
        PID:11504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:11616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:5916
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:5584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:1304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:7540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        6⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        7⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:8908
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:5540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        6⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        7⤵
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:5664
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:11796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        6⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        7⤵
        
        PID:5668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+55532.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1055.exe
        8⤵
        
        PID:7512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1055.exe 1698520198
        8⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1055.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1055.exe 1698520198
        9⤵
        
        PID:11364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:10420
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:7236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:6628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:7660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5464
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:1232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:5664
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4264
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:8368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        6⤵
        
        PID:9036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        7⤵
        
        PID:8496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10652
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:11024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        6⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        7⤵
        
        PID:9652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        6⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        7⤵
        
        PID:8632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:10936
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:10684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+814190.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1058.exe
        8⤵
        
        PID:11440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:12228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:5572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:7812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:180
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
      4⤵
      PID:5584
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe 1698520198
        5⤵
        
        PID:6448
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7112
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:3980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        6⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killwindows 1698520198
        7⤵
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10964
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:10696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        6⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /KillHardDisk 1698520198
        7⤵
        
        PID:9008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        6⤵
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /killMBR 1698520198
        7⤵
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        6⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /protect 1698520198
        7⤵
        
        PID:10396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe+125461.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1051.exe
        8⤵
        
        PID:11316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        6⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe /autoup 1698520198
        7⤵
        
        PID:11476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+827122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
      4⤵
      PID:6908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
      4⤵
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe 1698520198
        5⤵
        
        PID:8100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:4588
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:4216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+5242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe
      4⤵
      PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /save 1698520198
    3⤵
    PID:6088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /autoup 1698520198
  2⤵
  PID:7956
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /autoup 1698520198
    3⤵
    PID:7944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /killwindows 1698520198
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /killwindows 1698520198
    3⤵
    PID:7060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:7328
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:8868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /KillHardDisk 1698520198
  2⤵
  PID:6568
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /KillHardDisk 1698520198
    3⤵
    PID:8416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:5476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /killMBR 1698520198
  2⤵
  PID:9076
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /killMBR 1698520198
    3⤵
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
  2⤵
  PID:5688
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /protect 1698520198
    3⤵
    PID:10008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe+917849.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
      4⤵
      PID:10484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /autoup 1698520198
  2⤵
  PID:9636
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /autoup 1698520198
    3⤵
    PID:10780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10.exe /autoup 1698520198
  2⤵
  PID:11448

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\FindTrace.mpeg"
1⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xd0,0x128,0x7ffeaf9c9758,0x7ffeaf9c9768,0x7ffeaf9c9778
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1924,i,4828143463424006605,11003090468512746006,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1924,i,4828143463424006605,11003090468512746006,131072 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1924,i,4828143463424006605,11003090468512746006,131072 /prefetch:2
  2⤵
  PID:6940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1924,i,4828143463424006605,11003090468512746006,131072 /prefetch:1
  2⤵
  PID:7548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1924,i,4828143463424006605,11003090468512746006,131072 /prefetch:1
  2⤵
  PID:4524

C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe 1698520198
1⤵
PID:5320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6444

C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe /protect 1698520198
1⤵
PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe+430396.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
  2⤵
  PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe 1698520198
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe 1698520198
    3⤵
    PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:7480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /autoup 1698520198
      4⤵
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /autoup 1698520198
        5⤵
        
        PID:8272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /killwindows 1698520198
      4⤵
      PID:9024
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /killwindows 1698520198
        5⤵
        
        PID:5736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:10472
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        7⤵
        Modifies file permissions
        
        PID:3320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /KillHardDisk 1698520198
      4⤵
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /KillHardDisk 1698520198
        5⤵
        
        PID:9704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        6⤵
        
        PID:8832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        6⤵
        
        PID:3580
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        7⤵
        
        PID:11584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /killMBR 1698520198
      4⤵
      PID:10132
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /killMBR 1698520198
        5⤵
        
        PID:2480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /protect 1698520198
      4⤵
      PID:10868
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /protect 1698520198
        5⤵
        
        PID:10116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe+125461.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d10941.exe
        6⤵
        
        PID:11292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /autoup 1698520198
      4⤵
      PID:7248
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe /autoup 1698520198
        5⤵
        
        PID:11624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe+420487.txt C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
  2⤵
  PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe 1698520198
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d1094.exe 1698520198
    3⤵
    PID:7456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:3820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2432

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 9zGtUvccrEmdGO7PxHh5Fw.0.1
1⤵
PID:3584

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
PID:7080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
PID:6916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f9e9c6711060d4bfe6238eed4c469828

SHA1
bbff7088a4d1a90467ab70c327e71bf0c3173cf3

SHA256
5e681a4a3e241c9988bd74df2a3f2e54188e15e804897d9f44e03c56d3945b66

SHA512
cd1e3c5cc9bf5d6125ea59c81a1501ec184b6671624652a78bb3440be1dee02e9f53cdb74416910cfa41cc321aea6bb634ccdacc82e07e82467579927775905d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7271e36d22054ada5ae1767d653df58a

SHA1
9daa16b08be70f80513283de778b5cb176932624

SHA256
c647bfdd52fc38055101fdf0b12cd60cefefef1db1d2888bbe626ee55be1ae22

SHA512
52a4a884e597c2f1a2dea1c78c5944574b091991fea2f2a84894ac8158ec88ac4e722743a675a2a03778ab2e074154a87e665613275e02a973e1df64522cc7c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2dd8b10153407020c2fd6a9c15f08702

SHA1
6a7d244508d406a3bb934560c17695840f5dea00

SHA256
bd80a900df15246d2266bcf29f8861f64ca60a20a2750c3df5ccb3d3fa92fd05

SHA512
e7a5977e52a0016a4de6b15dc9debd0753c719e1316b7ba16caca62f794d1720c29f2d4cf1b090e37231b525113383d75aade61028b35d8e1843d61d4357e59d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
216KB

MD5
576a34b0b9df9da5d390f2d511a28a9c

SHA1
e2c3476e1240078ef60502631648ac7c997e3cd3

SHA256
4f0c3e9f75a3a23ab98509023240c4d7fa33941dd3ca90e1f29853c30575ebe6

SHA512
6773749ce7a00f0884381ebdf1f6e4075851203a44030df1b5613cb5a49ac35ddc7b8d66960a6c4cc934a11a084171b0ddf8729c72ea434fa01da2994ee5a92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
358ad7e584ff2c58f3ccdfa7635ab34f

SHA1
db5c4384c23f77d8b5ee2253f58879d8f44810d3

SHA256
13689283cad34c0768762b3e42af1e31efbfecfabe295fe5d2da8a66e3e49ee0

SHA512
079cca6dd72d4e31aeef70ddb97930f342b1b5219d0c11e8ad7f6f5cab8c289a58f50a197c2bbff01e781ae1c9984e1c654a4128189a1a03b1adaad03278afcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\110601.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\110601.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\113120.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\113120.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\118048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\118048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\119647.txt

Filesize
4B

MD5
b67fb3360ae5597d85a005153451dd4e

SHA1
173e2ece985756384fc13564303c66ad5a6e7e96

SHA256
09a0dcb0bb26cd0c32ac0bb6b0d76dc68e7c3df0edd9a8093019d1ddc54113ab

SHA512
e32f41e7c13b018758e62222133d966bb7adf78ba1b7c7d50353645bfedc04bbd76151b2d80b202f4db1ee1420d58a6e332b28f6fcea15d0c0b3a6863837f08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\119796.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\119796.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
111B

MD5
65b9c1f216bbb1ff340b1a2bc0133a85

SHA1
0bccfd47a894a196b866cae2fea4511d9bfd0f6c

SHA256
72c18413be104593acb7f3eb52988b4b876acd399f93a9349369b7fab4f676f0

SHA512
1a768bdc18b183352e6df489c7b2920f04a705958f3e3a80f7c799e5a8dcd70e83319c595dd82c54f273536ff7d44e767ccab2812393c97dbc81475adc016d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\120650.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\124550.txt

Filesize
4B

MD5
507373ba57e072aa06e7d4299ea6386d

SHA1
eeb1057ac8044e8292f0fb97a96e78c575447c95

SHA256
7f9a4b41bf305e9a5c50a7616324296bcd720e8d3c0dc6abbd70a7ccb91dbadb

SHA512
623172d82e4d2bd4b64e411e884c0d607b731d7b7c181f1e248abd1490d8dad31e05573c4ec228df6483db4bb740dfa2dbceafead32f9a8fa45db826cb48fdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\125461.txt

Filesize
5B

MD5
4cdd31af4e1036bd1d21858cbae5fbe5

SHA1
3d8aa1e91d2400df033765da8178708ae7195b0f

SHA256
872665d2d4a010450b8f3047d550bfdd1d2f981d33b963bba65d272441c2f92c

SHA512
b23877082f5c13c17a82d96a74a736b76a27ee1f084c5294bb67040233b6a5ef59f41b422ba301aba056edcb6bfcbb3e79556994117a05829384573c301b76ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\17189.bat

Filesize
85B

MD5
23aa50ae407e2a2c93a5592eef8a5307

SHA1
85a3e243211c8c2d051c5d11d702f6a7175c3301

SHA256
9bb0c7011dee4025d973e3fa41b00a7f0ad9f43b3d2ebccff6e14019378ae3fa

SHA512
8fb1058c45bce2090d69ec13aa7229c8ec327485a8756506db7ae0b0c6f20f1a0fd4566bd1c98050533f4155b3a8e94b982c7754473547f6b22a488a835bd4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\222261.txt

Filesize
4B

MD5
d60678e8f2ba9c540798ebbde31177e8

SHA1
9a7cc1dd44ff5ed66a3ad5eb47b9503c62bd3372

SHA256
77f1eef97df6f4e1652c65c9396783635527a076d7059680c0d9d5771286aece

SHA512
2078bb8200a76887ff4aed35d7da1dade2b05a5588b47efd557589754ea5fd966571385a9654e5693920b033373fa0cea3aefaf71864d7b0ebffc188ea7e8b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\430396.txt

Filesize
5B

MD5
214846ab5ca61bd83f438070a4ef7e34

SHA1
2d7380dc61491bfbed25a7dec47184311e58885b

SHA256
1253e99cb2b18060cd89b20b5a12f0dda64a50f46f320623a04deeee86289283

SHA512
9d3205618631c3ba3e2c0f526300c365c92cb55d8107b8cecc4a16ce60f68c3cd328ba64980e8f010878ca478bcd63cfaf9dfe024217b38c9d964e506737e515

Download Submit
C:\Users\Admin\AppData\Local\Temp\430396.txt

Filesize
5B

MD5
214846ab5ca61bd83f438070a4ef7e34

SHA1
2d7380dc61491bfbed25a7dec47184311e58885b

SHA256
1253e99cb2b18060cd89b20b5a12f0dda64a50f46f320623a04deeee86289283

SHA512
9d3205618631c3ba3e2c0f526300c365c92cb55d8107b8cecc4a16ce60f68c3cd328ba64980e8f010878ca478bcd63cfaf9dfe024217b38c9d964e506737e515

Download Submit
C:\Users\Admin\AppData\Local\Temp\430396.txt

Filesize
5B

MD5
214846ab5ca61bd83f438070a4ef7e34

SHA1
2d7380dc61491bfbed25a7dec47184311e58885b

SHA256
1253e99cb2b18060cd89b20b5a12f0dda64a50f46f320623a04deeee86289283

SHA512
9d3205618631c3ba3e2c0f526300c365c92cb55d8107b8cecc4a16ce60f68c3cd328ba64980e8f010878ca478bcd63cfaf9dfe024217b38c9d964e506737e515

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5242.txt

Filesize
5B

MD5
29d750e5ac458ca572dfe267436a847f

SHA1
30b0b2d544bdf1d9a3f760607e6f563b6aaebe2b

SHA256
54822f632d88fa8d66b0f2a2f7b5810561e18bbd67b996b5debbb95db304e235

SHA512
ea3ad5dcd87a268bbaf61a2f1ecb871a9d97dd170841605c2b22445641acb04144fa9477a29b90a8d8e29b0baeef2b644caf2295dcaafc6de41766bc1c928fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\528476.txt

Filesize
4B

MD5
45c68484c6fc509cb25bdfca881e5cd8

SHA1
2ed8277474bdc61e4dd9ab78a9a846ac94a14c4b

SHA256
dcbff8f66de95d7c6148b3fbb3a9934d226ffb6dfd405c8394ae5454dc87d348

SHA512
5bd29cd0c9879a7679ed3601d885f6effe12122b6d03b55b51c7a503f6d3bd8a12d4e76ca50a87d98b469fb94bd41d95d7023693a3573206dfcf77ad8f81d8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\528476.txt

Filesize
4B

MD5
45c68484c6fc509cb25bdfca881e5cd8

SHA1
2ed8277474bdc61e4dd9ab78a9a846ac94a14c4b

SHA256
dcbff8f66de95d7c6148b3fbb3a9934d226ffb6dfd405c8394ae5454dc87d348

SHA512
5bd29cd0c9879a7679ed3601d885f6effe12122b6d03b55b51c7a503f6d3bd8a12d4e76ca50a87d98b469fb94bd41d95d7023693a3573206dfcf77ad8f81d8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\61810.txt

Filesize
4B

MD5
89c86ad4bb118af4b7d49925b1b319e1

SHA1
37b434ee07a45af9523f0b59aa3cf673cbceffde

SHA256
19dc1c2e10e78610594dd7b574b7166e298b1fd7b0f73cdba9fe8e91eb10ecee

SHA512
1bd0d85df992bde5171c1379ef0eb805ede506939d9b3c580459ca27872b80ccbd396c005bf878e72773cf463e612bda361c02569c0584d8ba9484aa33457547

Download Submit
C:\Users\Admin\AppData\Local\Temp\811513.txt

Filesize
5B

MD5
51a60f841b871cbc4d3cd33a0fbe59e7

SHA1
d6b013de6e8c99b5fdd25534c6a0bbb5fa7bfa06

SHA256
66975971f341222124019838f0c409f2a94660f268ac2b79846565aa6e205ed4

SHA512
805f9619d41fc839c1463e595d1130e9c08c1e2998584bc1450295c5272ea23a1b350baf489f0906ffba4b25b38cb64b382841b57a09be1d788ad001bac5ccec

Download Submit
C:\Users\Admin\AppData\Local\Temp\827122.txt

Filesize
5B

MD5
c4d2b56920cedd39cf578dcbc2ba960a

SHA1
2c493a73d0bf9a711b921795fa661cd6628a5339

SHA256
426cafad1c4f7f925004736a68eb1ce047fe32d418440f24c775fa67b5fbf2f3

SHA512
b636b036efda22394aa70dd4c1fc68244fc3c96566b705d295e2a4626a14dd3a67beab4df17a82200cb26697602ddee0ef12bc71640a54b61d564d40d191e04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\827122.txt

Filesize
5B

MD5
c4d2b56920cedd39cf578dcbc2ba960a

SHA1
2c493a73d0bf9a711b921795fa661cd6628a5339

SHA256
426cafad1c4f7f925004736a68eb1ce047fe32d418440f24c775fa67b5fbf2f3

SHA512
b636b036efda22394aa70dd4c1fc68244fc3c96566b705d295e2a4626a14dd3a67beab4df17a82200cb26697602ddee0ef12bc71640a54b61d564d40d191e04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\827122.txt

Filesize
5B

MD5
c4d2b56920cedd39cf578dcbc2ba960a

SHA1
2c493a73d0bf9a711b921795fa661cd6628a5339

SHA256
426cafad1c4f7f925004736a68eb1ce047fe32d418440f24c775fa67b5fbf2f3

SHA512
b636b036efda22394aa70dd4c1fc68244fc3c96566b705d295e2a4626a14dd3a67beab4df17a82200cb26697602ddee0ef12bc71640a54b61d564d40d191e04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\912558.txt

Filesize
5B

MD5
4b0cb9685dd1da13cd7d85b3e4de824f

SHA1
9250dd96550c0cbb221cf19251d0096644676cd6

SHA256
d3109358c740513fcda796709ffc47aca519594c50e0eeb686beab35d9e77361

SHA512
3615b75583b1bd787bc378f8e6c0c271f28763b968b52a2a671be9267c6fa00680c92358cc51240572b5f79b42f05ffaa48b16881d767088fe502c18fcc79f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\912558.txt

Filesize
5B

MD5
4b0cb9685dd1da13cd7d85b3e4de824f

SHA1
9250dd96550c0cbb221cf19251d0096644676cd6

SHA256
d3109358c740513fcda796709ffc47aca519594c50e0eeb686beab35d9e77361

SHA512
3615b75583b1bd787bc378f8e6c0c271f28763b968b52a2a671be9267c6fa00680c92358cc51240572b5f79b42f05ffaa48b16881d767088fe502c18fcc79f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\912558.txt

Filesize
5B

MD5
4b0cb9685dd1da13cd7d85b3e4de824f

SHA1
9250dd96550c0cbb221cf19251d0096644676cd6

SHA256
d3109358c740513fcda796709ffc47aca519594c50e0eeb686beab35d9e77361

SHA512
3615b75583b1bd787bc378f8e6c0c271f28763b968b52a2a671be9267c6fa00680c92358cc51240572b5f79b42f05ffaa48b16881d767088fe502c18fcc79f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\917372.txt

Filesize
5B

MD5
5cfcbafd768519bce51371aae5cac8fb

SHA1
9f13277d6e074cf5419c7ffd1be122ceb6c850b1

SHA256
4ca3d61cc31f9dbf58b05d62bbbc890ac262443bda4fe1dc96ddaaec7b178585

SHA512
556bd068704e8e52a70db7b6369152a2b95d5ad8264c125f5114d3f277cdb61114d965436ca86c53c9121f18ad15ba93e17b419497ea3fc0000ca0def512859d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe

Filesize
3.0MB

MD5
f3ba26b293ac9ac63b1c671650d65639

SHA1
2ba37e6875cae2863265bb2fbc3fb5885a3f7aca

SHA256
b4c2ce73aaaaa78b0993cfd9083c516b228299e21134ca65f342aae2aedb2d3a

SHA512
cd17621a496cb19a14983144797cc408893a056f89d387c5074d030d87a220cc59e5bb59ddfa937a73b2a251827678d1948939ba01d0fa1787c6ae8078b0ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe

Filesize
3.0MB

MD5
f3ba26b293ac9ac63b1c671650d65639

SHA1
2ba37e6875cae2863265bb2fbc3fb5885a3f7aca

SHA256
b4c2ce73aaaaa78b0993cfd9083c516b228299e21134ca65f342aae2aedb2d3a

SHA512
cd17621a496cb19a14983144797cc408893a056f89d387c5074d030d87a220cc59e5bb59ddfa937a73b2a251827678d1948939ba01d0fa1787c6ae8078b0ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe

Filesize
3.0MB

MD5
f3ba26b293ac9ac63b1c671650d65639

SHA1
2ba37e6875cae2863265bb2fbc3fb5885a3f7aca

SHA256
b4c2ce73aaaaa78b0993cfd9083c516b228299e21134ca65f342aae2aedb2d3a

SHA512
cd17621a496cb19a14983144797cc408893a056f89d387c5074d030d87a220cc59e5bb59ddfa937a73b2a251827678d1948939ba01d0fa1787c6ae8078b0ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d101.exe

Filesize
3.0MB

MD5
f3ba26b293ac9ac63b1c671650d65639

SHA1
2ba37e6875cae2863265bb2fbc3fb5885a3f7aca

SHA256
b4c2ce73aaaaa78b0993cfd9083c516b228299e21134ca65f342aae2aedb2d3a

SHA512
cd17621a496cb19a14983144797cc408893a056f89d387c5074d030d87a220cc59e5bb59ddfa937a73b2a251827678d1948939ba01d0fa1787c6ae8078b0ff65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d102.exe

Filesize
3.0MB

MD5
652062d5d9d31f565b2ec1b06ee2de5b

SHA1
96abe2502195738c84e29669d1155c8ffe0f7577

SHA256
b35c0c9c7f134c2bbad63523b2d5b4c36a99fc41713378caec5781bd373c7e3b

SHA512
43c3c4e336d7fb7297257408a94a7f3c39daea988f9e1706d74655cdb9a439d9eb7c3dc43db680a1fa18f427e653cf51928635f77cefb859a55884f663a53cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d105.exe

Filesize
3.0MB

MD5
1d1d54717785e709a85964f0b60f386d

SHA1
6d0318c64b2307300662bf010d27bdb7d36fdb32

SHA256
5540bda0d03e5c4b0439746d3c8e12ecf99f2594cb200f156491119383357661

SHA512
2f20871a123bb9cd42c07b1b25fc903bc1e1d8417faa01adc4e35cb66ba7910f8c6cc04f1118a133e2078ab494ec1b9fb1a29a6de8f5080a963fcf64b8c89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe

Filesize
3.0MB

MD5
d3b32639ba26659d6b4de5e33144ec83

SHA1
ca7c11711f448b60c8f5017ab92298cedcd14412

SHA256
8da4227408a3f3354b828d2652b208e6b27bf03161463b2a6433c3400f5e82d2

SHA512
297770989f832a1f9c06caf17b3f423f9b694663afeb0bdc8ac6a12e6ed110f9cf6d05b5f3042adce130e39fc7a9b8d563cde2344941e601ffc73866a4ed6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe

Filesize
3.0MB

MD5
d3b32639ba26659d6b4de5e33144ec83

SHA1
ca7c11711f448b60c8f5017ab92298cedcd14412

SHA256
8da4227408a3f3354b828d2652b208e6b27bf03161463b2a6433c3400f5e82d2

SHA512
297770989f832a1f9c06caf17b3f423f9b694663afeb0bdc8ac6a12e6ed110f9cf6d05b5f3042adce130e39fc7a9b8d563cde2344941e601ffc73866a4ed6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d106.exe

Filesize
3.0MB

MD5
d3b32639ba26659d6b4de5e33144ec83

SHA1
ca7c11711f448b60c8f5017ab92298cedcd14412

SHA256
8da4227408a3f3354b828d2652b208e6b27bf03161463b2a6433c3400f5e82d2

SHA512
297770989f832a1f9c06caf17b3f423f9b694663afeb0bdc8ac6a12e6ed110f9cf6d05b5f3042adce130e39fc7a9b8d563cde2344941e601ffc73866a4ed6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d108.exe

Filesize
3.0MB

MD5
96d0bd80f9fea01431f53d12fde798c3

SHA1
aacf58f7becebe00b1cc0e9236ef4b2cbc03c597

SHA256
f218aea5b9d83574331739a54390bf822828f567fa2c3e2390d54ca6b0b26ca0

SHA512
fc69d5191e38b2899a4734da5d18af8271be550e4b4fb6c1abb20037db3ffba8e7f26c5ca23366da22498daadd5d6649b5b7bbec4d55c79b13a6cb8219233e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17d4d31580768282ff68a3b744546d109.exe

Filesize
3.0MB

MD5
809defa32cdf07bc0b8cb2096b97e4e2

SHA1
066f324b087c015d6622e7f677274b43ee382bf3

SHA256
8f1b05a16ca943867dda735341bcc0b2edec0bb67f2ebbacc4562f213e0b0e53

SHA512
ea3e81f0715f7f4b706d8c40bf1152f08fcd0e90227e0536c89d56064e4e949a6ccc6b03fc1313bd86bd74b4df335cf73146bba6e2b7c9c8f286731f14df348c

Download Submit
memory/448-82-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1232-98-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1280-100-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1304-97-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1368-194-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1592-86-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1924-74-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2692-73-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3020-102-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3036-91-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3076-75-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3088-76-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3112-85-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3128-63-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3152-68-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3356-99-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3552-84-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3648-67-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3896-94-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3904-62-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3996-65-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4020-101-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4216-193-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4232-95-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4268-93-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4272-64-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4320-77-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4328-83-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4584-72-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4588-192-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4600-70-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4756-120-0x00007FF691BA0000-0x00007FF691C98000-memory.dmp

Filesize
992KB

Download
memory/4756-128-0x00007FFEC0360000-0x00007FFEC0394000-memory.dmp

Filesize
208KB

Download
memory/4756-131-0x00007FFEAF5E0000-0x00007FFEAF894000-memory.dmp

Filesize
2.7MB

Download
memory/4816-92-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4940-96-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download