ae2ad2106b8c4bf65470eea28cfa812f3484aa4e49075bfe1ab09c277890a051

Analysis

max time kernel
84s
max time network
158s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df636e7945831c82dc6599250207f6a0.exe
Size

3.0MB
MD5

df636e7945831c82dc6599250207f6a0
SHA1

5077c9373e79473df081d35e67af8a73fbe1d673
SHA256

ae2ad2106b8c4bf65470eea28cfa812f3484aa4e49075bfe1ab09c277890a051
SHA512

b14a9e67be7f3dee1f37bca16d032f684a841780f6bd52d26cf307de68b0b629173c339de1ba4ed360a5c3ffcf3cc783cbdf6c38764d422d46dbbfc74be33322
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdy:jk5LhzACdLAlnE5co5nqqIP2Itdy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1352	NEAS.df636e7945831c82dc6599250207f6a02.exe
2140	NEAS.df636e7945831c82dc6599250207f6a02.exe
2412	NEAS.df636e7945831c82dc6599250207f6a02.exe
2400	NEAS.df636e7945831c82dc6599250207f6a02.exe
2012	NEAS.df636e7945831c82dc6599250207f6a02.exe
1052	NEAS.df636e7945831c82dc6599250207f6a00.exe
992	NEAS.df636e7945831c82dc6599250207f6a00.exe
632	NEAS.df636e7945831c82dc6599250207f6a00.exe
2100	NEAS.df636e7945831c82dc6599250207f6a00.exe
1572	NEAS.df636e7945831c82dc6599250207f6a02.exe
1212	NEAS.df636e7945831c82dc6599250207f6a02.exe
2388	NEAS.df636e7945831c82dc6599250207f6a02.exe
2704	NEAS.df636e7945831c82dc6599250207f6a02.exe
2428	NEAS.df636e7945831c82dc6599250207f6a02.exe
2580	NEAS.df636e7945831c82dc6599250207f6a02.exe
2716	NEAS.df636e7945831c82dc6599250207f6a06.exe
2880	NEAS.df636e7945831c82dc6599250207f6a02.exe
1868	NEAS.df636e7945831c82dc6599250207f6a02.exe
2668	NEAS.df636e7945831c82dc6599250207f6a02.exe
1952	NEAS.df636e7945831c82dc6599250207f6a02.exe
2536	NEAS.df636e7945831c82dc6599250207f6a02.exe
2500	NEAS.df636e7945831c82dc6599250207f6a02.exe
1664	cmd.exe
2792	cmd.exe
552	NEAS.df636e7945831c82dc6599250207f6a02.exe
2068	NEAS.df636e7945831c82dc6599250207f6a02.exe
2648	NEAS.df636e7945831c82dc6599250207f6a02.exe
568	NEAS.df636e7945831c82dc6599250207f6a02.exe
1932	cmd.exe
2492	cmd.exe
2804	NEAS.df636e7945831c82dc6599250207f6a00.exe
3124	NEAS.df636e7945831c82dc6599250207f6a00.exe
3140	NEAS.df636e7945831c82dc6599250207f6a02.exe
3096	NEAS.df636e7945831c82dc6599250207f6a02.exe
3132	NEAS.df636e7945831c82dc6599250207f6a02.exe
3148	NEAS.df636e7945831c82dc6599250207f6a02.exe
3300	NEAS.df636e7945831c82dc6599250207f6a00.exe
3324	NEAS.df636e7945831c82dc6599250207f6a02.exe
3344	NEAS.df636e7945831c82dc6599250207f6a00.exe
3584	NEAS.df636e7945831c82dc6599250207f6a00.exe
3500	NEAS.df636e7945831c82dc6599250207f6a05.exe
3576	NEAS.df636e7945831c82dc6599250207f6a02.exe
3736	NEAS.df636e7945831c82dc6599250207f6a02.exe
3728	NEAS.df636e7945831c82dc6599250207f6a02.exe
3604	NEAS.df636e7945831c82dc6599250207f6a02.exe
3704	NEAS.df636e7945831c82dc6599250207f6a00.exe
3996	NEAS.df636e7945831c82dc6599250207f6a00.exe
4016	NEAS.df636e7945831c82dc6599250207f6a02.exe
4024	NEAS.df636e7945831c82dc6599250207f6a00.exe
4040	NEAS.df636e7945831c82dc6599250207f6a02.exe
4084	NEAS.df636e7945831c82dc6599250207f6a06.exe
3200	NEAS.df636e7945831c82dc6599250207f6a00.exe
3192	NEAS.df636e7945831c82dc6599250207f6a02.exe
3456	NEAS.df636e7945831c82dc6599250207f6a02.exe
3076	NEAS.df636e7945831c82dc6599250207f6a02.exe
3612	NEAS.df636e7945831c82dc6599250207f6a00.exe
3848	NEAS.df636e7945831c82dc6599250207f6a09.exe
1276	NEAS.df636e7945831c82dc6599250207f6a09.exe
3716	NEAS.df636e7945831c82dc6599250207f6a02.exe
3224	NEAS.df636e7945831c82dc6599250207f6a09.exe
3864	NEAS.df636e7945831c82dc6599250207f6a02.exe
1820	cmd.exe
3596	cmd.exe
3872	NEAS.df636e7945831c82dc6599250207f6a00.exe

Loads dropped DLL 64 IoCs

pid	Process
2912	Process not Found
2912	Process not Found
2868	NEAS.df636e7945831c82dc6599250207f6a0.exe
2868	NEAS.df636e7945831c82dc6599250207f6a0.exe
2876	cmd.exe
2876	cmd.exe
2848	conhost.exe
2848	conhost.exe
1460	Process not Found
1208	Process not Found
2384	Process not Found
804	Process not Found
1312	cmd.exe
1312	cmd.exe
2304	cmd.exe
2428	NEAS.df636e7945831c82dc6599250207f6a02.exe
1008	cmd.exe
2304	cmd.exe
2428	NEAS.df636e7945831c82dc6599250207f6a02.exe
1008	cmd.exe
2056	Process not Found
1816	Process not Found
1932	cmd.exe
1056	Process not Found
1784	Process not Found
1932	cmd.exe
2148	Process not Found
2832	cmd.exe
2832	cmd.exe
2920	cmd.exe
2920	cmd.exe
1960	Process not Found
1380	cmd.exe
1380	cmd.exe
1468	cmd.exe
1468	cmd.exe
1940	Process not Found
1776	cmd.exe
1820	cmd.exe
1776	cmd.exe
1820	cmd.exe
524	cmd.exe
524	cmd.exe
768	cmd.exe
1600	cmd.exe
768	cmd.exe
1600	cmd.exe
828	cmd.exe
2968	conhost.exe
2420	cmd.exe
1020	cmd.exe
2420	cmd.exe
1020	cmd.exe
1932	cmd.exe
1932	cmd.exe
2492	cmd.exe
2492	cmd.exe
1104	Process not Found
3036	Process not Found
2628	Process not Found
3028	Process not Found
1680	Process not Found
2664	cmd.exe
1684	NEAS.df636e7945831c82dc6599250207f6a022.exe

Kills process with taskkill 47 IoCs

evasion

pid	Process
6828	taskkill.exe
7112	taskkill.exe
4200	taskkill.exe
7972	taskkill.exe
6752	taskkill.exe
2900	taskkill.exe
2496	taskkill.exe
6964	taskkill.exe
2320	taskkill.exe
2600	taskkill.exe
8872	taskkill.exe
9872	taskkill.exe
6776	taskkill.exe
6940	taskkill.exe
4948	taskkill.exe
6816	taskkill.exe
8004	taskkill.exe
4504	taskkill.exe
7052	taskkill.exe
6960	taskkill.exe
1708	taskkill.exe
5092	taskkill.exe
6300	taskkill.exe
5668	taskkill.exe
6932	taskkill.exe
6748	taskkill.exe
948	taskkill.exe
5016	taskkill.exe
5012	taskkill.exe
8012	taskkill.exe
7996	taskkill.exe
828	taskkill.exe
6484	taskkill.exe
6824	taskkill.exe
8020	taskkill.exe
6988	taskkill.exe
9636	taskkill.exe
4244	taskkill.exe
6888	taskkill.exe
6884	taskkill.exe
6864	taskkill.exe
2592	taskkill.exe
1924	taskkill.exe
1504	taskkill.exe
4176	taskkill.exe
1548	taskkill.exe
8704	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6376	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAssignPrimaryTokenPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLockMemoryPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncreaseQuotaPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeMachineAccountPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTcbPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSecurityPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTakeOwnershipPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLoadDriverPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemProfilePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemtimePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeProfSingleProcessPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncBasePriorityPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePagefilePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePermanentPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeBackupPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRestorePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeShutdownPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeDebugPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAuditPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemEnvironmentPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeChangeNotifyPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRemoteShutdownPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeUndockPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSyncAgentPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeEnableDelegationPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeManageVolumePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeImpersonatePrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateGlobalPrivilege	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 31	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 32	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 33	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 34	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 35	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateTokenPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAssignPrimaryTokenPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLockMemoryPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncreaseQuotaPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeMachineAccountPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTcbPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSecurityPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeTakeOwnershipPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeLoadDriverPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemProfilePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemtimePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeProfSingleProcessPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeIncBasePriorityPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePagefilePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreatePermanentPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeBackupPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRestorePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeShutdownPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeDebugPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeAuditPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSystemEnvironmentPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeChangeNotifyPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeRemoteShutdownPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeUndockPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeSyncAgentPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeEnableDelegationPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeManageVolumePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeImpersonatePrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: SeCreateGlobalPrivilege	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe
Token: 31	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
6376	explorer.exe
6376	explorer.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
6376	explorer.exe
6376	explorer.exe
6376	explorer.exe
6376	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2728	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	28
PID 2724 wrote to memory of 2728	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	28
PID 2724 wrote to memory of 2728	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	28
PID 2728 wrote to memory of 2716	2728	cmd.exe	29
PID 2728 wrote to memory of 2716	2728	cmd.exe	29
PID 2728 wrote to memory of 2716	2728	cmd.exe	29
PID 2724 wrote to memory of 2696	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	30
PID 2724 wrote to memory of 2696	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	30
PID 2724 wrote to memory of 2696	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	30
PID 2696 wrote to memory of 1048	2696	cmd.exe	33
PID 2696 wrote to memory of 1048	2696	cmd.exe	33
PID 2696 wrote to memory of 1048	2696	cmd.exe	33
PID 2724 wrote to memory of 1860	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	32
PID 2724 wrote to memory of 1860	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	32
PID 2724 wrote to memory of 1860	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	32
PID 1860 wrote to memory of 2556	1860	cmd.exe	35
PID 1860 wrote to memory of 2556	1860	cmd.exe	35
PID 1860 wrote to memory of 2556	1860	cmd.exe	35
PID 2724 wrote to memory of 1576	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	37
PID 2724 wrote to memory of 1576	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	37
PID 2724 wrote to memory of 1576	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	37
PID 2716 wrote to memory of 3048	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	38
PID 2716 wrote to memory of 3048	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	38
PID 2716 wrote to memory of 3048	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	38
PID 1576 wrote to memory of 3052	1576	cmd.exe	41
PID 1576 wrote to memory of 3052	1576	cmd.exe	41
PID 1576 wrote to memory of 3052	1576	cmd.exe	41
PID 2724 wrote to memory of 2432	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	39
PID 2724 wrote to memory of 2432	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	39
PID 2724 wrote to memory of 2432	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	39
PID 2432 wrote to memory of 2116	2432	cmd.exe	44
PID 2432 wrote to memory of 2116	2432	cmd.exe	44
PID 2432 wrote to memory of 2116	2432	cmd.exe	44
PID 2724 wrote to memory of 2132	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	43
PID 2724 wrote to memory of 2132	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	43
PID 2724 wrote to memory of 2132	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	43
PID 2132 wrote to memory of 1672	2132	cmd.exe	45
PID 2132 wrote to memory of 1672	2132	cmd.exe	45
PID 2132 wrote to memory of 1672	2132	cmd.exe	45
PID 2724 wrote to memory of 2924	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	47
PID 2724 wrote to memory of 2924	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	47
PID 2724 wrote to memory of 2924	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	47
PID 2716 wrote to memory of 2912	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	46
PID 2716 wrote to memory of 2912	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	46
PID 2716 wrote to memory of 2912	2716	NEAS.df636e7945831c82dc6599250207f6a0.exe	46
PID 2924 wrote to memory of 3032	2924	cmd.exe	403
PID 2924 wrote to memory of 3032	2924	cmd.exe	403
PID 2924 wrote to memory of 3032	2924	cmd.exe	403
PID 2724 wrote to memory of 1756	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	49
PID 2724 wrote to memory of 1756	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	49
PID 2724 wrote to memory of 1756	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	49
PID 2556 wrote to memory of 324	2556	NEAS.df636e7945831c82dc6599250207f6a0.exe	52
PID 2556 wrote to memory of 324	2556	NEAS.df636e7945831c82dc6599250207f6a0.exe	52
PID 2556 wrote to memory of 324	2556	NEAS.df636e7945831c82dc6599250207f6a0.exe	52
PID 1756 wrote to memory of 2108	1756	cmd.exe	53
PID 1756 wrote to memory of 2108	1756	cmd.exe	53
PID 1756 wrote to memory of 2108	1756	cmd.exe	53
PID 2724 wrote to memory of 2804	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	278
PID 2724 wrote to memory of 2804	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	278
PID 2724 wrote to memory of 2804	2724	NEAS.df636e7945831c82dc6599250207f6a0.exe	278
PID 2804 wrote to memory of 344	2804	NEAS.df636e7945831c82dc6599250207f6a00.exe	59
PID 2804 wrote to memory of 344	2804	NEAS.df636e7945831c82dc6599250207f6a00.exe	59
PID 2804 wrote to memory of 344	2804	NEAS.df636e7945831c82dc6599250207f6a00.exe	59
PID 3032 wrote to memory of 1964	3032	conhost.exe	57

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+215102.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:1352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        Executes dropped EXE
        
        PID:3456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
        8⤵
        
        PID:6952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
        8⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
        9⤵
        
        PID:9596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        8⤵
        
        PID:10348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        8⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        9⤵
        
        PID:10028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:2764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:2448
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        Loads dropped DLL
        
        PID:2664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        Loads dropped DLL
        
        PID:2420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        Loads dropped DLL
        
        PID:1776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        Loads dropped DLL
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:4724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:5884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:8888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:9540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:10568
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:11036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:2600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:6724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+95169.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
        8⤵
        
        PID:10872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
        8⤵
        
        PID:10336
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
        9⤵
        
        PID:9772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+74447.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a027.exe
        8⤵
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a027.exe 1698019120
        8⤵
        
        PID:10496
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a027.exe 1698019120
        9⤵
        
        PID:3376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:7468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+09999.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:1504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      PID:2968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
      4⤵
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
        5⤵
        
        PID:2188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
      4⤵
      PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+215102.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:2140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        Loads dropped DLL
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        8⤵
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        8⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        9⤵
        
        PID:4120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        8⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        8⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        9⤵
        Loads dropped DLL
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5892
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+524282.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        8⤵
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        8⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        9⤵
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:10088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+216499.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        8⤵
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        8⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        9⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
        7⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        8⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        9⤵
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        Executes dropped EXE
        
        PID:3728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:4156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:1544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
        7⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        8⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        9⤵
        
        PID:4668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        8⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        9⤵
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
        10⤵
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
        10⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
        11⤵
        
        PID:8800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
        10⤵
        
        PID:9380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
        10⤵
        
        PID:10816
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
        11⤵
        
        PID:11092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        8⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        9⤵
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        8⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        9⤵
        
        PID:7044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+71510.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe
        10⤵
        
        PID:9908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe 1698019120
        10⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe 1698019120
        11⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+721372.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe
        10⤵
        
        PID:10556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe 1698019120
        10⤵
        
        PID:10800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a007.exe 1698019120
        11⤵
        
        PID:6872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        8⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        9⤵
        
        PID:9212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:10076
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:5668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        Loads dropped DLL
        
        PID:1468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        Loads dropped DLL
        
        PID:2920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:8816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:9504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:11004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:4380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:2592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:6740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        
        PID:3168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        5⤵
        
        PID:3772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        5⤵
        
        PID:3620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+09999.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:1508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      Loads dropped DLL
      PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+215102.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:2792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:2400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:3260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:1700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:2976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:1684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        Loads dropped DLL
        
        PID:1020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        7⤵
        
        PID:5568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:1708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:7984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:7084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:9772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:10420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:4272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:5096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:1556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:2052
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+09999.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
        5⤵
        
        PID:612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        6⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        7⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:5908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:6776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        6⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        7⤵
        
        PID:4936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:6716
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+215102.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      Loads dropped DLL
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:2412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:6412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:7948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:8256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:10440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:4240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:6444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:8792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:10392
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:10892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        Loads dropped DLL
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:6708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1220
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+09999.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      PID:2428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        5⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        6⤵
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        7⤵
        
        PID:5316
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:1548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        5⤵
        
        PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+215102.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:368
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        
        PID:3596
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        Executes dropped EXE
        
        PID:4024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+09999.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        5⤵
        Executes dropped EXE
        
        PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      Loads dropped DLL
      PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214579.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      Loads dropped DLL
      PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:1572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
        8⤵
        
        PID:6980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
        8⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
        9⤵
        
        PID:9604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        8⤵
        
        PID:10364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        8⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        9⤵
        
        PID:9508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:3892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        6⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        7⤵
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        8⤵
        
        PID:6408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        8⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        9⤵
        
        PID:8100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        8⤵
        
        PID:6308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        8⤵
        
        PID:10632
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        9⤵
        
        PID:11116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        6⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        7⤵
        
        PID:6780
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019120
      4⤵
      Loads dropped DLL
      PID:524
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        5⤵
        
        PID:2288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+621780.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      4⤵
      Executes dropped EXE
      PID:2792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+92785.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
        5⤵
        
        PID:4576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
        5⤵
        
        PID:4004
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
        6⤵
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        7⤵
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:6748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+38645.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
        5⤵
        
        PID:4944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
        5⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
        6⤵
        
        PID:8168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+225706.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      4⤵
      PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:952
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        
        PID:688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe 1698019120
      4⤵
      PID:1736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+525327.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe
      4⤵
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:1052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        6⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        7⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
        8⤵
        
        PID:6988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
        8⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
        9⤵
        
        PID:8768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
        8⤵
        
        PID:9276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
        8⤵
        
        PID:10616
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
        9⤵
        
        PID:11252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:4332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        6⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        7⤵
        
        PID:5012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:6480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7028
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+729633.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
      4⤵
      PID:2988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
      4⤵
      PID:3892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+93308.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
      4⤵
      PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
      4⤵
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
        5⤵
        
        PID:4868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        
        PID:1580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
        5⤵
        
        PID:3564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
    3⤵
    - Executes dropped EXE
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:3720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe
      4⤵
      PID:7120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe 1698019120
      4⤵
      PID:7912
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe 1698019120
        5⤵
        
        PID:8880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
      4⤵
      PID:9460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
      4⤵
      PID:10552
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
        5⤵
        
        PID:10996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:4136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
      4⤵
      PID:7004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019120
      4⤵
      PID:7728
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019120
        5⤵
        
        PID:9000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe
      4⤵
      PID:9780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe 1698019120
      4⤵
      PID:10792
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe 1698019120
        5⤵
        
        PID:11124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
      4⤵
      PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
        5⤵
        
        PID:4892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
    3⤵
    - Executes dropped EXE
    PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
      4⤵
      PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        5⤵
        
        PID:2280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        6⤵
        
        PID:1348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        6⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
        7⤵
        
        PID:8728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        6⤵
        
        PID:9324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        6⤵
        
        PID:10584
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
        7⤵
        
        PID:11084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
      4⤵
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        5⤵
        
        PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
      4⤵
      PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
        5⤵
        
        PID:6996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
      4⤵
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
        5⤵
        
        PID:7412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:7880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:8872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
      4⤵
      PID:6468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019120
      4⤵
      PID:7576
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a08.exe 1698019120
        5⤵
        
        PID:6460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe
      4⤵
      PID:8288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe 1698019120
      4⤵
      PID:6448
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a01.exe 1698019120
        5⤵
        
        PID:10452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
    3⤵
    PID:7036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+732709.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
      4⤵
      PID:10504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
      4⤵
      PID:7536
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
        5⤵
        
        PID:10632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+423945.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
      4⤵
      PID:9088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019120
      4⤵
      PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a04.exe 1698019120
        5⤵
        
        PID:10808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
    3⤵
    PID:7600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:9872

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
1⤵
PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
    3⤵
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe 1698019120
        5⤵
        Executes dropped EXE
        
        PID:992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        6⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        7⤵
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
        8⤵
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
        8⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
        9⤵
        
        PID:9192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
        8⤵
        
        PID:10024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
        8⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
        9⤵
        
        PID:11212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:4744
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        6⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
        7⤵
        
        PID:6572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+012258.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
        8⤵
        
        PID:10848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
        8⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
        9⤵
        
        PID:9064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+225299.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe
        8⤵
        
        PID:10072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe 1698019120
        8⤵
        
        PID:10644
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a002.exe 1698019120
        9⤵
        
        PID:3356
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        6⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
        7⤵
        
        PID:7276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        5⤵
        
        PID:4328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        5⤵
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        6⤵
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        7⤵
        
        PID:5940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:4948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
    3⤵
    - Executes dropped EXE
    PID:3132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+213011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
      4⤵
      PID:6472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
      4⤵
      PID:7300
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
        5⤵
        
        PID:7592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+324352.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
      4⤵
      PID:6408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
      4⤵
      PID:7760
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
        5⤵
        
        PID:8292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+93308.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
  2⤵
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+729633.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
    3⤵
    PID:5020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7112

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1434286575-1391182771-6962225787915214842068128572-69438104611660263931626534786"
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:1644
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+213011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    3⤵
    PID:6400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
      4⤵
      PID:7356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+324352.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
    3⤵
    PID:7836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
    3⤵
    PID:8904
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
      4⤵
      PID:7084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
    3⤵
    PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
    3⤵
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
      4⤵
      PID:9476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
    3⤵
    PID:10084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
    3⤵
    PID:10988
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
      4⤵
      PID:6648

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+523759.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
  2⤵
  PID:6460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
  2⤵
  PID:7268
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+828279.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
  2⤵
  PID:8688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
  2⤵
  PID:10400
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
    3⤵
    PID:10928

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:3276
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
  2⤵
  - Executes dropped EXE
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
  2⤵
  - Executes dropped EXE
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+93308.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
1⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+93308.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
1⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a05.exe 1698019120
1⤵
- Executes dropped EXE
PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
  2⤵
  - Executes dropped EXE
  PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:5492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:6816

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
  2⤵
  PID:7140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
  2⤵
  PID:7928
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
    3⤵
    PID:8696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
  2⤵
  PID:9300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
  2⤵
  PID:10764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
    3⤵
    PID:11172

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
  2⤵
  PID:7720
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
    3⤵
    PID:8748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
  2⤵
  PID:7428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
  2⤵
  PID:10772
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
    3⤵
    PID:11156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
  2⤵
  - Executes dropped EXE
  PID:3872

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
  2⤵
  PID:7616
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
    3⤵
    PID:8528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
  2⤵
  PID:8920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
  2⤵
  PID:10824
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a000.exe 1698019120
    3⤵
    PID:11180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
  2⤵
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
  2⤵
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
    3⤵
    - Executes dropped EXE
    PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
      4⤵
      PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
      4⤵
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
        5⤵
        
        PID:9624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
      4⤵
      PID:10412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
      4⤵
      PID:11028
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
        5⤵
        
        PID:3132

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
1⤵
- Executes dropped EXE
PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
    3⤵
    PID:7128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
      4⤵
      PID:9352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
    3⤵
    PID:7892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
    3⤵
    PID:10624
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
      4⤵
      PID:11196
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
  2⤵
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+729633.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
1⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+729633.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
- Executes dropped EXE
PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2496

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5472
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1646504247408446150862556224-1318611265-1545028364-20466194471780074438-1957433037"
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
  2⤵
  PID:6968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
  2⤵
  PID:7768
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
    3⤵
    PID:8760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
  2⤵
  PID:9264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
  2⤵
  PID:10832
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
    3⤵
    PID:8440

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
    3⤵
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
    3⤵
    PID:7844
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
      4⤵
      PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe
    3⤵
    PID:10092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe 1698019120
    3⤵
    PID:10560
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a060.exe 1698019120
      4⤵
      PID:11052

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
  2⤵
  PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
    3⤵
    PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
    3⤵
    PID:7752
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a004.exe 1698019120
      4⤵
      PID:8928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
    3⤵
    PID:9652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
    3⤵
    PID:10608
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
      4⤵
      PID:11060

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
1⤵
- Executes dropped EXE
PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1504

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
  2⤵
  PID:6304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
  2⤵
  PID:7760
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
    3⤵
    PID:8944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
  2⤵
  PID:9668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
  2⤵
  PID:10800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
    3⤵
    PID:11148

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
1⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:5624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5016

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+111442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
  2⤵
  PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
  2⤵
  PID:7736
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a021.exe 1698019120
    3⤵
    PID:8740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+026925.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
  2⤵
  PID:8264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
  2⤵
  PID:10780
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a020.exe 1698019120
    3⤵
    PID:11164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
1⤵
PID:524
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe 1698019120
  2⤵
  - Executes dropped EXE
  PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
    3⤵
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
      4⤵
      PID:4676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe
        5⤵
        
        PID:6444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe 1698019120
        5⤵
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe 1698019120
        6⤵
        
        PID:8992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
        5⤵
        
        PID:9728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
        5⤵
        
        PID:10592
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
        6⤵
        
        PID:11204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
    3⤵
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /protect 1698019120
      4⤵
      PID:4972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe
        5⤵
        
        PID:4544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe 1698019120
        5⤵
        
        PID:7888
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a068.exe 1698019120
        6⤵
        
        PID:8984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
        5⤵
        
        PID:9712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
        5⤵
        
        PID:10808
      - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a061.exe 1698019120
        6⤵
        
        PID:11100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
    3⤵
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a06.exe /save 1698019120
      4⤵
      PID:6596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:7184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
1⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
1⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
1⤵
PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+422191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
  2⤵
  PID:7092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
  2⤵
  PID:7516
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a024.exe 1698019120
    3⤵
    PID:9588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+530851.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
  2⤵
  PID:8600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
  2⤵
  PID:10980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
    3⤵
    PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
1⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+214056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+523759.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
    3⤵
    PID:6252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+828279.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
  2⤵
  PID:7248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
  2⤵
  PID:8364
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
    3⤵
    PID:10044

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+523759.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
  2⤵
  PID:6700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
  2⤵
  PID:7320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
    3⤵
    PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+828279.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
  2⤵
  PID:8720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
  2⤵
  PID:10384
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
    3⤵
    PID:10900

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+213011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  2⤵
  PID:6388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:7404
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:7964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+324352.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
  2⤵
  PID:8280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
  2⤵
  PID:7784
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
    3⤵
    PID:10428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:5480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:2920
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
  2⤵
  - Executes dropped EXE
  PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
      4⤵
      PID:3060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:5932
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2600

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+523759.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
  2⤵
  PID:6416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
  2⤵
  PID:7396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a005.exe 1698019120
    3⤵
    PID:9388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+828279.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
  2⤵
  PID:9720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
  2⤵
  PID:10648
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
    3⤵
    PID:11244

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
  2⤵
  - Executes dropped EXE
  PID:2500

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
  2⤵
  - Executes dropped EXE
  PID:2536

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
1⤵
PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+213011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  2⤵
  PID:6436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
  2⤵
  PID:7388
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
    3⤵
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+324352.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
  2⤵
  PID:6696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019120
  2⤵
  PID:9536
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019120
    3⤵
    PID:10460

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+524282.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
  2⤵
  PID:7020
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
    3⤵
    PID:7200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+216499.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  2⤵
  PID:7704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:9284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:10484

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:3040

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+92785.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
  2⤵
  PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a029.exe 1698019120
    3⤵
    PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5996
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:6964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+38645.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
  2⤵
  PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
  2⤵
  PID:7424
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a023.exe 1698019120
    3⤵
    PID:8156

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
  2⤵
  - Loads dropped DLL
  PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
    3⤵
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
      4⤵
      PID:5028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:5900
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
1⤵
PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+92785.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
  2⤵
  PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a09.exe 1698019120
    3⤵
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+38645.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
  2⤵
  - Loads dropped DLL
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019120
  2⤵
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a03.exe 1698019120
    3⤵
    PID:6368

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:1952
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+524805.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a025.exe 1698019120
    3⤵
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5876
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+84719.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
  2⤵
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a028.exe 1698019120
    3⤵
    PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  2⤵
  PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:3620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:6824

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Loads dropped DLL
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2741459361291400384-430916543745288748422246897-91447931712024753911605234967"
1⤵
- Loads dropped DLL
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /protect 1698019120
  2⤵
  PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+8171.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
    3⤵
    PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a008.exe 1698019120
      4⤵
      PID:8960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe+12010.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
    3⤵
    PID:9684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
    3⤵
    PID:10600
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a001.exe 1698019120
      4⤵
      PID:11108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
1⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /save 1698019120
1⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe /protect 1698019120
1⤵
- Executes dropped EXE
PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe+2792.txt C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
  2⤵
  PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
  2⤵
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a022.exe 1698019120
    3⤵
    PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-490644216-1195605891-268720210-203000298233149046-404958685686874261-1534212009"
1⤵
- Loads dropped DLL
PID:2848

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1998748436-18521619181651709660-628314734611166884-9881907701434563677-2007712203"
1⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe /save 1698019120
  2⤵
  PID:4512

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
1⤵
PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe 1698019120
    3⤵
    PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2017870866-164320133-6099946191956604902-20793492891745762018-14839093341868674448"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /save 1698019120
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17833448399643529323509684932042817210819009700-237897510-100228470735022363"
1⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a0.exe /protect 1698019120
1⤵
PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
  2⤵
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a07.exe 1698019120
    3⤵
    PID:4860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1822620071413268246-133768846-361350190-770676496-363680716-1975502523-1060587747"
1⤵
PID:3844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1217781319966741761-469252665-975723401-18773114941870093204171884419646605524"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7057695831524204048-606576020779625273-198480399-533974664-19213227301256625189"
1⤵
PID:3264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "517801734-16336633092131835588-1318186059-21236399471386204930301874710-875278506"
1⤵
PID:3104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "567902157795000185978158465-14347672642930883331153819469-12851744051014851417"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1618265927-1314474302-1074444606-127370152-18526645154507074461362882890-1696094043"
1⤵
PID:1304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77687423-2104918333103868630-1008130614-4359553611413841861562346729-915880605"
1⤵
PID:4424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6597488479083891632102920831185286329160298750320787765719380129431808144874"
1⤵
PID:4384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1937733105-239751849-881741059526403434756662726-25487008882605192-727004631"
1⤵
PID:4404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19029574671849685082619876343178331881090784426496229957-8457920711663611050"
1⤵
PID:4412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17754551951253130656-542893568-33746355-16842383661924232526-2243377121056023926"
1⤵
PID:4304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1870512884-26235616210149218784295107811755209791-270414441-279487111-2102625303"
1⤵
PID:4480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "170933674010315043421346541974-33453002-1032746988766541452178034797736593542"
1⤵
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18146145271529401558-789339490-1227336977-15003680431896539484-1556295592300190995"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17921155514707445671449659790-175903336380378344-261195886-623960511-1125294002"
1⤵
PID:2456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-590772283-1909334274-66385416-36118674-358176968835181643907230555-1162536977"
1⤵
PID:3544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-662680061549538630899211825-8116630914589015088419972451332157221-775646018"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18972275201770492949-1289397585-206105125-99428096420130082202663624301639637684"
1⤵
PID:4544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7707256032714282618968923401780198857-13401208119142136471180348907583794516"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2043496122-14568305291680350016-103446643758194865912118679229982943092130548551"
1⤵
PID:6456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-330145129-1390376081-1855519712073247374-203115933316075544361231659788-1123945520"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17289766461621735588-1456261377-1576854061-14262365216518705443450015901811132610"
1⤵
PID:7920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
122B

MD5
8c3c9f2a80cfedc69d843e9d1d594912

SHA1
212516b0f49f83d0d02a69241a2a6eaa1aa5688a

SHA256
b7029ceb41bd59092992faaacac5f9fea1a5a212dfdaf555ecab27a4bef77810

SHA512
0222620f9488c482765c528ffd55076a6b814b15c57c0cb0722242cf0a22489b6c4255fdadd46cae40a51594dba2df87c2cbbda6b52255aef46a6d9ac5a4aaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
122B

MD5
8c3c9f2a80cfedc69d843e9d1d594912

SHA1
212516b0f49f83d0d02a69241a2a6eaa1aa5688a

SHA256
b7029ceb41bd59092992faaacac5f9fea1a5a212dfdaf555ecab27a4bef77810

SHA512
0222620f9488c482765c528ffd55076a6b814b15c57c0cb0722242cf0a22489b6c4255fdadd46cae40a51594dba2df87c2cbbda6b52255aef46a6d9ac5a4aaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
122B

MD5
9dc19d4bba08ebace25f48c4fbfeeb95

SHA1
bd6f87df50e3f49a9638e7f97febd092e47e70db

SHA256
89bd803485a00b904494468db594745f32b6c18de22944ac2c23d3a5b02bd0a0

SHA512
c6c418d78c85525a86d9accb7398e5a54317ae2f19c35be0c4cd5db12f307eb2627a80d3ff95cc0ea69ce8ab1cb53a94d9ec4a39c27b4e57ffc82ae057a891f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\026925.txt

Filesize
5B

MD5
beddf554eb637cbe8c079b879c79c29b

SHA1
8c0e6b21b8fed6b589a0e955bc3c28fe0eb9c5c0

SHA256
1c7ef3ecb922f6fe654c5f7473c84d9612d0e3cc6dd80db85022494feeb6b2bd

SHA512
93b1512fee740deeb66b3ef320f9c11c97f47737964df49e3b938b16ddfbd51bb234014a59407fca2112aaa01dcca76cac5727ff7841d4fb5fcd2018e1856bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\09999.txt

Filesize
4B

MD5
3d98b79ac6c8d1cef43d7bf1dadf8647

SHA1
cf5a215de88845db7d37eb39d63cad4cd309c714

SHA256
f1a5b03e2328be2276c0addf890e2cf6bf37bd90769fe9dc214bdddb040ad95b

SHA512
081a54cc1deb2f38277659a286d6c08f5fc849cc92c45d2ff3cd74f1ae08777526e1e35c71780d6079046a8a30b9a81ab501e1853a86be8330f2023e2c59e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\09999.txt

Filesize
4B

MD5
3d98b79ac6c8d1cef43d7bf1dadf8647

SHA1
cf5a215de88845db7d37eb39d63cad4cd309c714

SHA256
f1a5b03e2328be2276c0addf890e2cf6bf37bd90769fe9dc214bdddb040ad95b

SHA512
081a54cc1deb2f38277659a286d6c08f5fc849cc92c45d2ff3cd74f1ae08777526e1e35c71780d6079046a8a30b9a81ab501e1853a86be8330f2023e2c59e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\09999.txt

Filesize
4B

MD5
3d98b79ac6c8d1cef43d7bf1dadf8647

SHA1
cf5a215de88845db7d37eb39d63cad4cd309c714

SHA256
f1a5b03e2328be2276c0addf890e2cf6bf37bd90769fe9dc214bdddb040ad95b

SHA512
081a54cc1deb2f38277659a286d6c08f5fc849cc92c45d2ff3cd74f1ae08777526e1e35c71780d6079046a8a30b9a81ab501e1853a86be8330f2023e2c59e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\09999.txt

Filesize
4B

MD5
3d98b79ac6c8d1cef43d7bf1dadf8647

SHA1
cf5a215de88845db7d37eb39d63cad4cd309c714

SHA256
f1a5b03e2328be2276c0addf890e2cf6bf37bd90769fe9dc214bdddb040ad95b

SHA512
081a54cc1deb2f38277659a286d6c08f5fc849cc92c45d2ff3cd74f1ae08777526e1e35c71780d6079046a8a30b9a81ab501e1853a86be8330f2023e2c59e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\09999.txt

Filesize
4B

MD5
3d98b79ac6c8d1cef43d7bf1dadf8647

SHA1
cf5a215de88845db7d37eb39d63cad4cd309c714

SHA256
f1a5b03e2328be2276c0addf890e2cf6bf37bd90769fe9dc214bdddb040ad95b

SHA512
081a54cc1deb2f38277659a286d6c08f5fc849cc92c45d2ff3cd74f1ae08777526e1e35c71780d6079046a8a30b9a81ab501e1853a86be8330f2023e2c59e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\111442.txt

Filesize
4B

MD5
b9e4093f970251d5bcf888b76944a4bc

SHA1
5880e6cc3494ec99c12f5cf2e106b7e18ce5d0d2

SHA256
a36e5c3dbd6398cfab94a49482e0bfc539025d42725dbc38497108418d9886cb

SHA512
65193d2f7bb574087466f7f314af33689226b2c8f73df9f8b465d57ec7320caff9c0deb05e367237d65aa44ba3037645b3fb35a1d3819a571c802f3b3d53dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\12010.txt

Filesize
4B

MD5
07d2c6fd5472b9796184e152bd92a535

SHA1
80e5212754a824d3a4aed185ace4f9cac0f908bf

SHA256
762454f3d015bb2589000f93058f545c3837498ec4d24c27b8cef4d3abba5394

SHA512
7fa0fd43bee1c2859c3a9d1a1573755bbdd464dacf76d5930871ed39a427f5e64ed71bbd35475ba2a9a533460792a8112af5f3720d6ce1dbd789f08cfcd3e003

Download Submit
C:\Users\Admin\AppData\Local\Temp\125792.bat

Filesize
124B

MD5
647bf6e7d94089e0f0065bf6210d5908

SHA1
87f02f4f22aaa3f9d4258d11605fa0862d6abc22

SHA256
8860abdd152cdf03fcee46ab06e288621baad12c70a3b8ce497a5a42d6e0b899

SHA512
ea1de43b815236a90fc20636473075ba9b6a2371c317dc84e7bca61822face9899ea3d09bc0144d411a4100d0ce55139127e69d2a074afae38d8d91b681fb5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\132352.bat

Filesize
122B

MD5
00a4d29a32f87a8b2d7d0aa5569a0ba1

SHA1
36ddefccc3e5920a142b652aae6753a82830891a

SHA256
625d73bcf9a9fdb11722c8a75ea947715ce3650d272adbc13a46e71771d54805

SHA512
4425989455cec457ecd5c4cf09202b03cc2c4c6f61b48be0afc9e55226edd1c1540002d9ab9fe0ce993b9a9ded1f43f285aa61486f1a8b37e22ca97b51038071

Download Submit
C:\Users\Admin\AppData\Local\Temp\13584.bat

Filesize
124B

MD5
ad6ef76788448a72822d6f542f5299bd

SHA1
6cd9970b112823a2a65b5093a3fc3aa5e31d8cb9

SHA256
4992113fa8b80217694b7c2f0220f93bdf399f4d5381aec46312e12b6688af9f

SHA512
4e7fd0fd8747bdaeadd9dd78c3d6e9bb56d3ec495c81b19c689adce64c769b5901b7f494bf93b695aca8b1220241c6daea142603e996f737af1f0426a2d0fdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\15530.bat

Filesize
124B

MD5
497ea037b28d5253858779bab337a759

SHA1
fd0bb0b21a7ea5a02faa73f998575ae01b1b5a95

SHA256
fdab28fe51833636b0cc809d0c825877a8a90a8acd4ef982d4297dda4a6970bd

SHA512
50828c0f996c104de8ded9b9348860865f4ec466e801107c0e7cb1e3971c9d810b075d79ca3b7447a785b5f69d5e614aec759bb3c52c098b00af69ca6fe16543

Download Submit
C:\Users\Admin\AppData\Local\Temp\214056.txt

Filesize
4B

MD5
62326dc7c4f7b849d6f013ba46489d6c

SHA1
a73937942e8b4ef38ed774a431ab5c7c014c8a2b

SHA256
41ac9f4b6edb4de8be1a0542d145603d7f2dc2aa8d878691d750860653647eeb

SHA512
007069861c724d5980a5700dbf49dac3efda01fefa02db5be291246a445c553130419b730b881b4a40076854d5281f63ea115b5536638e1a6061488ba5d194e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\215102.txt

Filesize
5B

MD5
788292a2cdb9fa425ff5fb269688befd

SHA1
ac5ac04bbcf50e13bc3e4d4a15d550d0d20c07eb

SHA256
707e234730994afa1caeb0bdc1e69d763dd84e0838b75e81a443257261e9a202

SHA512
2ac7a06b4626e49e7b81ba2f158bab8b56df28b820eba5bce6ededa7599a83803e26a0190b5968fd4bbc4cf85d6c2bb356d6f3e7d58f56116accf560b28465d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\215102.txt

Filesize
5B

MD5
788292a2cdb9fa425ff5fb269688befd

SHA1
ac5ac04bbcf50e13bc3e4d4a15d550d0d20c07eb

SHA256
707e234730994afa1caeb0bdc1e69d763dd84e0838b75e81a443257261e9a202

SHA512
2ac7a06b4626e49e7b81ba2f158bab8b56df28b820eba5bce6ededa7599a83803e26a0190b5968fd4bbc4cf85d6c2bb356d6f3e7d58f56116accf560b28465d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\215102.txt

Filesize
5B

MD5
788292a2cdb9fa425ff5fb269688befd

SHA1
ac5ac04bbcf50e13bc3e4d4a15d550d0d20c07eb

SHA256
707e234730994afa1caeb0bdc1e69d763dd84e0838b75e81a443257261e9a202

SHA512
2ac7a06b4626e49e7b81ba2f158bab8b56df28b820eba5bce6ededa7599a83803e26a0190b5968fd4bbc4cf85d6c2bb356d6f3e7d58f56116accf560b28465d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\215102.txt

Filesize
5B

MD5
788292a2cdb9fa425ff5fb269688befd

SHA1
ac5ac04bbcf50e13bc3e4d4a15d550d0d20c07eb

SHA256
707e234730994afa1caeb0bdc1e69d763dd84e0838b75e81a443257261e9a202

SHA512
2ac7a06b4626e49e7b81ba2f158bab8b56df28b820eba5bce6ededa7599a83803e26a0190b5968fd4bbc4cf85d6c2bb356d6f3e7d58f56116accf560b28465d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\215102.txt

Filesize
5B

MD5
788292a2cdb9fa425ff5fb269688befd

SHA1
ac5ac04bbcf50e13bc3e4d4a15d550d0d20c07eb

SHA256
707e234730994afa1caeb0bdc1e69d763dd84e0838b75e81a443257261e9a202

SHA512
2ac7a06b4626e49e7b81ba2f158bab8b56df28b820eba5bce6ededa7599a83803e26a0190b5968fd4bbc4cf85d6c2bb356d6f3e7d58f56116accf560b28465d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2792.txt

Filesize
5B

MD5
8deb714d5a66d70cf8deac8cd3f79734

SHA1
21616251c0395a0ba35c1095a7a00e0d78d945d9

SHA256
d71ab378886c985f170e51cd8a166cfb33a6d49c9c8f4e3a60b5cb9ba7e60348

SHA512
efb7f9e1ba2f8bc79e7a820733e3d1c0772ad379b17b21f958a4b9e28bad290318cd16ab5ec1694b0bc12d17cd01d1cc2b781386cf38fab7c813eabfc37b3f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\33292.bat

Filesize
112B

MD5
3cfd168a409a2ee022f76c9e66eca266

SHA1
443eb282a3d2cd4389da5a0029e7510ef1bd9e90

SHA256
6674351e351725d0586199f62b0812f9d5bd9cfbbf68b8744be32e3cec45e213

SHA512
a674e6436b6755d779707b351fdfde89ad129662045f68d5611fd755dcc5b9027d0e3cb15ec9900bc36905f03dcd558306a4393578d20dce8f7c0f7f99e42d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\39418.bat

Filesize
111B

MD5
083a26ead94184e411ec10440210259b

SHA1
353e82d817ceb7e22679d3ceb6a6b254c4e33278

SHA256
20952accdec4a2552f842fa3e0314cbf8c12b88eb0de5ab513e83842b35e9f7a

SHA512
20e82487ae9b049e3be5eaf12bc67d55c440a6e9f49e387b2b0a0e267c1bc5f42b3d28325585ec94399f95a459bebb45bf1143d7b94000c5cfe907dbd7162f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\422191.txt

Filesize
5B

MD5
ad846fd1138e66a1cacd0fb4b8644671

SHA1
b0ce7f791df65570609bb4a9066606bf5c7dfc7b

SHA256
c04425f04bcad7856fbf89204a45b058a752b0e82091833da5283f2ee4266428

SHA512
664b21f2db5cc5fc320558c2d2d01c03e0631a43018b8b55cc5662950a7974c8bc9250220c8977af434a4cee3baa0fe5573e54a01dd576ee1ee69c5fbcea70a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\530851.txt

Filesize
5B

MD5
aba49b6369ec3a9497c9c54696f6a3fd

SHA1
ce13f746c2c1c6babc44e41271b32e41358d777e

SHA256
32dd352edda42e5cf389fc7317580bf049252c657e539a1bc1dbe75a4c6d133f

SHA512
a0b196603ec48f49a1567717b36121e14265a62fd5718d355eb48e93e86da026f557019ffab13f41338df66e6896ab390510271f821e55345164a15a0bf454be

Download Submit
C:\Users\Admin\AppData\Local\Temp\621780.txt

Filesize
3B

MD5
3df1d4b96d8976ff5986393e8767f5b2

SHA1
89f549b2a5341a05a7e4afeb364599158a03a47f

SHA256
aaf57ee8c549ef3df8a07abf3a0df0f028e402399ad27aaec710c17aa78d408f

SHA512
c7e58751b4f409ab4840f876d53cc123d97780efdca5a816fbf6bd7d7c2ce568dbb9d2d2876e353458a8f8b1bad1dc14c8039419e4fe5d9c8814eab5b1607352

Download Submit
C:\Users\Admin\AppData\Local\Temp\63304.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\63304.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\63304.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\63304.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\8171.txt

Filesize
5B

MD5
220ef58ed3dc5807d767593835583c5f

SHA1
a191e5f1a90eb7b4aad1acb1328fa54e26bc0df8

SHA256
683ef5ecd42af7de468b39f2b45ba24223b502d351352137f5172fd82832a70a

SHA512
96fffad9e00f54dd4a68760215e2511871621fe04fff99ff6e97a03fb1b816cebc80595275343fd946eaa2dcc68e5738cf483d4e2bbc05c588fc81a20cfe8f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a00.exe

Filesize
3.0MB

MD5
b515246edbde99ddd970cdc64ad63f8d

SHA1
2fedc809858daaa6890f2cec14798b727d847599

SHA256
aa953fda8e819a6fa4b1b38d8d8c1df2c052c3f640573142f1ae1daee5aa2aa5

SHA512
db7bbba5d08c541a12937cb8bffaa95110c646d9ec5b29866593d281dd2b54efc60de67ea485082a41ff10b2aba3a3fa554c129644f5a76f8fe43255b96ad2eb

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.df636e7945831c82dc6599250207f6a02.exe

Filesize
3.0MB

MD5
ce54d5f4f56e05f5564d5a04c9c95d9a

SHA1
4cb3185211c55d884a616dc3304cdf6a48c88501

SHA256
0c37c981fe471bcad5745dde1f94432d6df36dba52227939c795167e9961af8e

SHA512
aad9b418b12676e7d13bba6d35f09d2c075e917d6fdd0d55492049506ed649e4ae2a4e53e775e036d3b5a9c04ed6e36e65903d7982ad6cbe5f68af003e4fe7ae

Download Submit
memory/344-80-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/612-175-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/632-205-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/788-215-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/844-213-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/944-210-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/992-204-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1048-82-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1052-203-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1212-177-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1352-195-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1572-214-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1588-169-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1604-163-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1660-201-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1672-192-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1732-96-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1860-211-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1868-176-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1952-220-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2000-209-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2012-202-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2020-206-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2088-168-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2100-207-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2108-193-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2116-71-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2132-212-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2140-197-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2212-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2276-164-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2296-166-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2336-208-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2388-179-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2400-200-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2412-198-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2428-180-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2456-174-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2556-70-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2580-217-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2668-221-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2704-216-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2716-55-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2716-218-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2724-190-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2756-171-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2780-196-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2844-194-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2868-167-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2880-178-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3032-72-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3040-219-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3044-173-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3052-191-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3064-199-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads