ad41715251c9bbf8799f74c119ae36633c5503a24d810a330fbd3cc4cd28c00a

Analysis

max time kernel
95s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Size

3.0MB
MD5

0e3baa4a5958cfc6c75b731f2e8fd1d0
SHA1

3e21f79a280ff4dc048235794e737d7a32ebb6ea
SHA256

ad41715251c9bbf8799f74c119ae36633c5503a24d810a330fbd3cc4cd28c00a
SHA512

c3fd9a7cbaa4d9f90682cb15d51f9d9e5d776631bc9370d4fb0c3dba227f94e7bf619f037eb8b405d0b527f11d50f5cf26d70a2c2602218dc56a28116e55f30f
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdo:jk5LhzACdLAlnE5co5nqqIP2Itdo

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
860	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
536	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1796	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
884	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2304	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
704	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2172	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1524	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2220	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2512	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2240	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2212	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
2696	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1692	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
872	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
820	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1788	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1588	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
2960	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
936	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
616	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2552	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1848	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1488	cmd.exe
608	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1548	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
2564	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
2480	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2936	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
1660	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
792	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
1984	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
3004	cmd.exe
1960	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2128	cmd.exe
1492	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d011.exe
3496	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3548	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
3232	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3384	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3416	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3448	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3540	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3696	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3776	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3796	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3856	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3904	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3888	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
3944	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
2600	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1784	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
2856	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1144	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3260	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
800	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
3348	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
3560	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
3900	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
3304	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
3656	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
852	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
4024	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe

Loads dropped DLL 64 IoCs

pid	Process
2976	cmd.exe
2976	cmd.exe
1484	cmd.exe
1484	cmd.exe
1496	Process not Found
2680	Process not Found
1788	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1788	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
1352	cmd.exe
1352	cmd.exe
1752	Process not Found
2140	Process not Found
2352	cmd.exe
2352	cmd.exe
2936	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
2936	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
2128	cmd.exe
2128	cmd.exe
892	Process not Found
840	cmd.exe
840	cmd.exe
2316	cmd.exe
2316	cmd.exe
2116	Process not Found
2456	Process not Found
2280	cmd.exe
2280	cmd.exe
2272	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
2272	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
1792	Process not Found
2648	cmd.exe
900	cmd.exe
2648	cmd.exe
900	cmd.exe
1716	Process not Found
2244	cmd.exe
2652	cmd.exe
2244	cmd.exe
2652	cmd.exe
2800	cmd.exe
2704	Process not Found
2576	cmd.exe
2784	cmd.exe
1536	cmd.exe
2772	cmd.exe
1488	cmd.exe
2800	cmd.exe
2576	cmd.exe
2784	cmd.exe
1536	cmd.exe
2772	cmd.exe
1488	cmd.exe
2776	cmd.exe
2776	cmd.exe
740	Process not Found
2500	Process not Found
1092	Process not Found
2752	cmd.exe
2752	cmd.exe
1276	Process not Found
2732	Process not Found
1720	Process not Found
2248	cmd.exe
2248	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3604	takeown.exe
3228	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\19593 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe"	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Kills process with taskkill 36 IoCs

evasion

pid	Process
3124	taskkill.exe
5480	taskkill.exe
3092	taskkill.exe
4312	taskkill.exe
3116	taskkill.exe
2984	taskkill.exe
4244	taskkill.exe
4568	taskkill.exe
4632	taskkill.exe
4616	taskkill.exe
2236	taskkill.exe
4328	taskkill.exe
4684	taskkill.exe
4948	taskkill.exe
848	taskkill.exe
5556	taskkill.exe
4512	taskkill.exe
4648	taskkill.exe
4272	taskkill.exe
7764	taskkill.exe
3376	taskkill.exe
3768	taskkill.exe
4532	taskkill.exe
4332	taskkill.exe
5732	taskkill.exe
2144	taskkill.exe
2016	taskkill.exe
6220	taskkill.exe
5288	taskkill.exe
5740	taskkill.exe
2904	taskkill.exe
3536	taskkill.exe
4008	taskkill.exe
5300	taskkill.exe
5708	taskkill.exe
6828	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAssignPrimaryTokenPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLockMemoryPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncreaseQuotaPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeMachineAccountPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTcbPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSecurityPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTakeOwnershipPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLoadDriverPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemProfilePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemtimePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeProfSingleProcessPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncBasePriorityPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePagefilePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePermanentPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeBackupPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRestorePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeShutdownPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeDebugPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAuditPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemEnvironmentPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeChangeNotifyPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRemoteShutdownPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeUndockPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSyncAgentPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeEnableDelegationPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeManageVolumePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeImpersonatePrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateGlobalPrivilege	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 31	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 32	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 33	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 34	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 35	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateTokenPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAssignPrimaryTokenPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLockMemoryPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncreaseQuotaPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeMachineAccountPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTcbPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSecurityPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeTakeOwnershipPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeLoadDriverPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemProfilePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemtimePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeProfSingleProcessPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeIncBasePriorityPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePagefilePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreatePermanentPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeBackupPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRestorePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeShutdownPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeDebugPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeAuditPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSystemEnvironmentPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeChangeNotifyPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeRemoteShutdownPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeUndockPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeSyncAgentPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeEnableDelegationPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeManageVolumePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeImpersonatePrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: SeCreateGlobalPrivilege	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
Token: 31	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2280	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	29
PID 2568 wrote to memory of 2280	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	29
PID 2568 wrote to memory of 2280	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	29
PID 2280 wrote to memory of 2100	2280	cmd.exe	30
PID 2280 wrote to memory of 2100	2280	cmd.exe	30
PID 2280 wrote to memory of 2100	2280	cmd.exe	30
PID 2568 wrote to memory of 2272	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	31
PID 2568 wrote to memory of 2272	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	31
PID 2568 wrote to memory of 2272	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	31
PID 2272 wrote to memory of 2340	2272	cmd.exe	32
PID 2272 wrote to memory of 2340	2272	cmd.exe	32
PID 2272 wrote to memory of 2340	2272	cmd.exe	32
PID 2568 wrote to memory of 2636	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	34
PID 2568 wrote to memory of 2636	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	34
PID 2568 wrote to memory of 2636	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	34
PID 2636 wrote to memory of 2744	2636	cmd.exe	36
PID 2636 wrote to memory of 2744	2636	cmd.exe	36
PID 2636 wrote to memory of 2744	2636	cmd.exe	36
PID 2568 wrote to memory of 2756	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	37
PID 2568 wrote to memory of 2756	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	37
PID 2568 wrote to memory of 2756	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	37
PID 2756 wrote to memory of 2596	2756	cmd.exe	39
PID 2756 wrote to memory of 2596	2756	cmd.exe	39
PID 2756 wrote to memory of 2596	2756	cmd.exe	39
PID 2568 wrote to memory of 2416	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	40
PID 2568 wrote to memory of 2416	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	40
PID 2568 wrote to memory of 2416	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	40
PID 2416 wrote to memory of 2720	2416	cmd.exe	42
PID 2416 wrote to memory of 2720	2416	cmd.exe	42
PID 2416 wrote to memory of 2720	2416	cmd.exe	42
PID 2568 wrote to memory of 2716	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	53
PID 2568 wrote to memory of 2716	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	53
PID 2568 wrote to memory of 2716	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	53
PID 2100 wrote to memory of 2656	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	43
PID 2100 wrote to memory of 2656	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	43
PID 2100 wrote to memory of 2656	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	43
PID 2716 wrote to memory of 2872	2716	cmd.exe	52
PID 2716 wrote to memory of 2872	2716	cmd.exe	52
PID 2716 wrote to memory of 2872	2716	cmd.exe	52
PID 2568 wrote to memory of 2648	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	51
PID 2568 wrote to memory of 2648	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	51
PID 2568 wrote to memory of 2648	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	51
PID 2100 wrote to memory of 2976	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	48
PID 2100 wrote to memory of 2976	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	48
PID 2100 wrote to memory of 2976	2100	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	48
PID 2648 wrote to memory of 2600	2648	cmd.exe	47
PID 2648 wrote to memory of 2600	2648	cmd.exe	47
PID 2648 wrote to memory of 2600	2648	cmd.exe	47
PID 2744 wrote to memory of 2496	2744	Process not Found	192
PID 2744 wrote to memory of 2496	2744	Process not Found	192
PID 2744 wrote to memory of 2496	2744	Process not Found	192
PID 2568 wrote to memory of 2504	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	45
PID 2568 wrote to memory of 2504	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	45
PID 2568 wrote to memory of 2504	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	45
PID 2504 wrote to memory of 2608	2504	cmd.exe	54
PID 2504 wrote to memory of 2608	2504	cmd.exe	54
PID 2504 wrote to memory of 2608	2504	cmd.exe	54
PID 2568 wrote to memory of 2944	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	55
PID 2568 wrote to memory of 2944	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	55
PID 2568 wrote to memory of 2944	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	55
PID 2944 wrote to memory of 2216	2944	cmd.exe	62
PID 2944 wrote to memory of 2216	2944	cmd.exe	62
PID 2944 wrote to memory of 2216	2944	cmd.exe	62
PID 2568 wrote to memory of 2948	2568	NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe	60

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+120464.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:2656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
      4⤵
      Loads dropped DLL
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
        5⤵
        Executes dropped EXE
        
        PID:860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+66056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
        8⤵
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
        8⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
        9⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+631033.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
        8⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
        8⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
        9⤵
        
        PID:4212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:1340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        7⤵
        Executes dropped EXE
        
        PID:3944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3996
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:7084
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:8000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:6904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:6184
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:7912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:1844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+710009.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d017.exe
        8⤵
        
        PID:7676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:4440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:4492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:4960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        
        PID:4452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:5472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:5284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:2244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:6568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:6632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:7156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        
        PID:3672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:6188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:3960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:5988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:7260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:7752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+118034.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:1540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
      4⤵
      Loads dropped DLL
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
        5⤵
        Executes dropped EXE
        
        PID:884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3932
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:4008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:5872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        
        PID:2016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:3740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:7120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:7424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:7596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:2744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+120464.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
      4⤵
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
        5⤵
        Executes dropped EXE
        
        PID:536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        7⤵
        Executes dropped EXE
        
        PID:3232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996398
        7⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:3412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:3124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        
        PID:2300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        7⤵
        Executes dropped EXE
        
        PID:3904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:3424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        
        PID:3392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:3348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        Loads dropped DLL
        
        PID:2280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
        6⤵
        Loads dropped DLL
        
        PID:840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3988
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:6332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        
        PID:6696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:7056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:5992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:3472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:6540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:4044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:7904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+118034.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:2804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
      4⤵
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
        5⤵
        Executes dropped EXE
        
        PID:1796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3264
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:3768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        6⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /autoup 1697996398
        7⤵
        
        PID:2748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        6⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killwindows 1697996398
        7⤵
        
        PID:3404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        6⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /KillHardDisk 1697996398
        7⤵
        
        PID:3284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        6⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /killMBR 1697996398
        7⤵
        
        PID:5452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        6⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
        7⤵
        
        PID:7856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      4⤵
      PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
      4⤵
      PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
      4⤵
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
        5⤵
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      Loads dropped DLL
      PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
    3⤵
    - Executes dropped EXE
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:2216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
      4⤵
      PID:1540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
      4⤵
      PID:1784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:4524
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      4⤵
      PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
      4⤵
      PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
      4⤵
      PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      Loads dropped DLL
      PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      4⤵
      PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:2336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+66056.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
      4⤵
      PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
      4⤵
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
        5⤵
        Executes dropped EXE
        
        PID:4024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:1664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+631033.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
      4⤵
      PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
      4⤵
      PID:848
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
        5⤵
        
        PID:3120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+65011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
      4⤵
      PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
      4⤵
      PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
        5⤵
        
        PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+821825.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      4⤵
      PID:5016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
        5⤵
        
        PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+016805.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe
      4⤵
      PID:1032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe 1697996398
      4⤵
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe 1697996398
        5⤵
        
        PID:4280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+12191.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
      4⤵
      PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
      4⤵
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
        5⤵
        
        PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
      4⤵
      PID:1508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+326508.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
        5⤵
        
        PID:4968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
        5⤵
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
        6⤵
        
        PID:5772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+729678.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        5⤵
        
        PID:6092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
        5⤵
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
        6⤵
        
        PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+326508.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
    3⤵
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
    3⤵
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+729678.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
    3⤵
    PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
      4⤵
      PID:6244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:1588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:4236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:4164
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  - Loads dropped DLL
  PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
    3⤵
    PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
      4⤵
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    3⤵
    PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
    3⤵
    PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
    3⤵
    PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
      4⤵
      PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    3⤵
    PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
    3⤵
    PID:6416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996398
  2⤵
  PID:6476
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996398
    3⤵
    PID:6672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996398
  2⤵
  PID:6848
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996398
    3⤵
    PID:7012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996398
  2⤵
  PID:7108
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996398
    3⤵
    PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:6348
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:6112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
    3⤵
    PID:6436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
  2⤵
  PID:7128
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /autoup 1697996398
    3⤵
    PID:6256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996398
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killwindows 1697996398
    3⤵
    PID:3976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996398
  2⤵
  PID:7236
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /KillHardDisk 1697996398
    3⤵
    PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996398
  2⤵
  PID:7404
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /killMBR 1697996398
    3⤵
    PID:7684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:7716
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
    3⤵
    PID:8048

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+431213.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+721961.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:2352

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:5124
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+016282.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe 1697996398
    3⤵
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d00.exe 1697996398
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+713971.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
    3⤵
    PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
      4⤵
      PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  2⤵
  PID:1676

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5092
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
    3⤵
    PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
    3⤵
    PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
      4⤵
      PID:5700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
    3⤵
    PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
      4⤵
      PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  2⤵
  PID:2408

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  2⤵
  PID:1592

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+225887.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
  2⤵
  - Loads dropped DLL
  PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+89193.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  2⤵
  PID:2148

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+65534.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d016.exe 1697996398
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+210045.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
  2⤵
  PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
    3⤵
    PID:5180

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:608

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
- Executes dropped EXE
PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4328

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
    3⤵
    - Executes dropped EXE
    PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+915759.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
      4⤵
      PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
      4⤵
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
        5⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+225752.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
      4⤵
      PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
      4⤵
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
        5⤵
        
        PID:2784

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d011.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d011.exe 1697996398
1⤵
- Executes dropped EXE
PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5008
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4272

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
  2⤵
  PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
    3⤵
    PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:5972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:6132
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
    3⤵
    PID:6076

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  - Executes dropped EXE
  PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:5224
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5556

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
  2⤵
  PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
  2⤵
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
    3⤵
    PID:5268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
    3⤵
    PID:6288

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
    3⤵
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d09.exe 1697996398
      4⤵
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    3⤵
    PID:5492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    PID:6180
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
      4⤵
      PID:6440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-846266222188543220812977288-1678696851179971477415533798616118836971834605808"
1⤵
PID:1564
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
      4⤵
      PID:4052
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
        5⤵
        Executes dropped EXE
        
        PID:3348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:3320
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
      4⤵
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
        5⤵
        
        PID:6680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
      4⤵
      PID:6860
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
        5⤵
        
        PID:7020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
      4⤵
      PID:7116
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
        5⤵
        
        PID:6232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
      4⤵
      PID:6352
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
      4⤵
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
        5⤵
        
        PID:6476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
      4⤵
      PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
        5⤵
        
        PID:6532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe C:\windows\system32\taskmgr.exe
      4⤵
      PID:6636

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:2328
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
  2⤵
  PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+326508.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
    3⤵
    PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
    3⤵
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d03.exe 1697996398
      4⤵
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+729678.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
    3⤵
    PID:6124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
    3⤵
    PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
      4⤵
      PID:5088

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe
    3⤵
    PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe 1697996398
    3⤵
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe 1697996398
      4⤵
      PID:6120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
    3⤵
    PID:5920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
    3⤵
    PID:6340
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
      4⤵
      PID:2664

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+28826.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
1⤵
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1745805963-1588157048-179529998-510333520-1595067411-253192675813985631-1665839246"
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
    3⤵
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe 1697996398
      4⤵
      Executes dropped EXE
      PID:800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:4752
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4332

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
- Executes dropped EXE
PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4312

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
1⤵
- Executes dropped EXE
PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4532

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
1⤵
- Executes dropped EXE
PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d011.exe 1697996398
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+28826.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d012.exe
1⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe 1697996398
1⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
- Loads dropped DLL
PID:2272
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996398
    3⤵
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996398
      4⤵
      Executes dropped EXE
      PID:3260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:5216
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+83545.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
    3⤵
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
    3⤵
    PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
      4⤵
      Executes dropped EXE
      PID:3900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:5240
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+119419.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d011.exe
1⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+119419.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
1⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
    3⤵
    PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
    3⤵
    PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
      4⤵
      PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
    3⤵
    PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
    3⤵
    PID:5952
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
      4⤵
      PID:6792

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996398
1⤵
- Executes dropped EXE
PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5480

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe 1697996398
1⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996398
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe 1697996398
  2⤵
  - Executes dropped EXE
  PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:4180
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
  2⤵
  PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
    3⤵
    PID:5824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
  2⤵
  PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
    3⤵
    PID:6776

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
  2⤵
  PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
    3⤵
    PID:5692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:6000
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
    3⤵
    PID:6148

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
  2⤵
  PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
  2⤵
  PID:6004
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
  2⤵
  PID:5992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
  2⤵
  PID:6236
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
    3⤵
    PID:6592

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:3416

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
  2⤵
  PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
  2⤵
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d06.exe 1697996398
    3⤵
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
  2⤵
  PID:5276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe 1697996398
    3⤵
    PID:6308

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
  2⤵
  PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
  2⤵
  PID:5948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d019.exe 1697996398
    3⤵
    PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
  2⤵
  PID:5872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
  2⤵
  PID:6188
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
    3⤵
    PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+429122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
1⤵
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+429122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe
1⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+915237.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe
    3⤵
    PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe 1697996398
    3⤵
    PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d089.exe 1697996398
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+84764.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
    3⤵
    PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
    3⤵
    PID:6280
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
      4⤵
      PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+429122.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d014.exe
1⤵
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
PID:3288
- C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  - Executes dropped EXE
  PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+64488.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
    3⤵
    PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
    3⤵
    PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d086.exe 1697996398
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+2837.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
    3⤵
    PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
    3⤵
    PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d082.exe 1697996398
      4⤵
      PID:6784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
1⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe+83545.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
  2⤵
  PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d018.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:3560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5708

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
1⤵
- Executes dropped EXE
PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
    3⤵
    - Executes dropped EXE
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:3332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:6468
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:6648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:6764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:6980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:7100
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  PID:3216
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
    3⤵
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:6612
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:7148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:7944

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
1⤵
- Executes dropped EXE
PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
  2⤵
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
    3⤵
    - Executes dropped EXE
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:3408
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:6424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:6496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:6704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:6888
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
    3⤵
    PID:7028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
  2⤵
  PID:7124
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  PID:6380
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:6164
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:6548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:6468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:7228
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:8008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:8036

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4632

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d07.exe 1697996398
1⤵
- Executes dropped EXE
PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:4344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4568

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /protect 1697996398
1⤵
PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe+83545.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
    3⤵
    - Executes dropped EXE
    PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:4472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5288

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe 1697996398
1⤵
- Executes dropped EXE
PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /save 1697996398
    3⤵
    - Executes dropped EXE
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    - Executes dropped EXE
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:6848
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
    3⤵
    PID:1388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:7068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:6140
    - - C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        5⤵
        
        PID:7480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
    3⤵
    PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe+811577.txt C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
      4⤵
      PID:3756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
      4⤵
      PID:6896
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d088.exe 1697996398
        5⤵
        
        PID:7864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
    3⤵
    PID:5964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  PID:6224
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
    3⤵
    PID:6504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:6616
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:6816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:6900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
  2⤵
  PID:7164
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /autoup 1697996398
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
  2⤵
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killwindows 1697996398
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
  2⤵
  PID:6388
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /KillHardDisk 1697996398
    3⤵
    PID:6072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /killMBR 1697996398
    3⤵
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe /protect 1697996398
    3⤵
    PID:7928

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /protect 1697996398
1⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe /save 1697996398
1⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d0.exe /save 1697996398
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7770053885364668281174873516-101636446418329974402133636052-1871492051545760027"
1⤵
PID:1728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-635875208-1687501575-783026566-1180681457-12983310591140160476-11511791011998770340"
1⤵
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1076579463117425326834903051-985245240-2030202379-300616367-11037727971453944810"
1⤵
PID:3392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1553209527-2040060520-20043784361040601661193452200-871382366-1002579304-1560225434"
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\118034.txt

Filesize
4B

MD5
7c82fab8c8f89124e2ce92984e04fb40

SHA1
bbd10f0f88f298fe0ae1d706e0600149c59adb04

SHA256
587a490557627756d252bf50aab1c7c0faa45f5fe2f9160fa8fe0d5d55c5a679

SHA512
8d8f0be1b7986b2984514eb208e4a9e1d530fdf6ccd52041c33ba4dc639372f7048483c010f341867deef5de2b2d4ec175de429c67eac9c4cd42f476d39c43fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\120464.txt

Filesize
5B

MD5
35dcd930df68a3b6194ad8764644721d

SHA1
a9fd371590621bad9b385b1def0016b1b9dc6268

SHA256
d7108914ffad85d6edf0d9a4cb548a1fff0fd21061a92a49e36cbef3929275a5

SHA512
05e47306961af7b52eb0e03da2c58edddfd38a7837fa8cab7e71d8c542bb04c631c298a8d2a6591864abd93a1e8f5307be3be271225ef375d04d71ae8238c2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\143082.bat

Filesize
124B

MD5
d2b66fee2faf384243c1f73a2b158c2c

SHA1
f599c8eac319328d0fc7f5da962757c94ae94e74

SHA256
0180137c4a83f0bb4ad068bbec4f208a6a505900813a02db79bc716f5a5c86eb

SHA512
1db5aa5b4deb5e5c506c40942cd66576632fcc502ecdfc6ac127280cc27142bbb5da164292731ab2fbb871b8ebbf0feda6a555301ea5bf80aee6f06451c73de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\184812.bat

Filesize
123B

MD5
a3a71712ac8ac3ec335c22068bf940cb

SHA1
34ba89460e53fda10bd5bc1f88eb470bd077483d

SHA256
20bfe974211026307cdf3989b9e28d3c8a71f14b43564ad3c219fff64a4b892e

SHA512
36391a00c77b03a4e1d95cb066d10a78f87ec78ee1213edbf038d010751c0b98abaff4b3f727f8c77bc34a34b5abfdbf13f766f6c6f27565107cc9a8ad28b321

Download Submit
C:\Users\Admin\AppData\Local\Temp\225887.txt

Filesize
5B

MD5
6a4a16eb6b859220e4b55153a6e20730

SHA1
246fca6c9bb91b3dda253a4ada2103e7aaa3d551

SHA256
9232f0b58b03ce66387b60bd2b40d009ce2acbee7739efc74b185473a061e437

SHA512
222fb107912fac2280fa668245307b1b2d170725b15f1f6252123304d542cf802921f59155c83ba00b9f36b8275f4d510de756719e42254528db1ad99e58117c

Download Submit
C:\Users\Admin\AppData\Local\Temp\23980.bat

Filesize
111B

MD5
03e6389e68e2afbfe98dfeea3d283e82

SHA1
87031c905eac8a1074f975041d6f76dc713b34c3

SHA256
5bee79a028e4b784dd79bf17476e133f5f0475a6222056a780a3ec38da79a630

SHA512
de61c2e2d61fcf38d3422cfdcbf43b98ff03769ddaab0e645e27217de96fd02cb5320e611c2a10a804fb5a6873924f7952b6dc6c9a43183b1d69923092a47094

Download Submit
C:\Users\Admin\AppData\Local\Temp\2837.txt

Filesize
5B

MD5
8e28c44c7e1bb849ce85affc38d326bb

SHA1
973364005e23432bb9e7b14a334eef1dee9ce70f

SHA256
d1dadbec2b05bed5cafd27045ed637fde12f336c79dd4f041bfd7caab3ff8228

SHA512
452d2aedac9605f35aae84190227b2525851b71854936c19f907d26b766fbcdb97af810d8c10f6c03d1437bf3b7dc1c56daf5f313f38bb1fdd7d2894dc1d4dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4261.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\431213.txt

Filesize
4B

MD5
06d172404821f7d01060cc9629171b2e

SHA1
9314e7b09e3623e128a5496e88feb36bf42db087

SHA256
b69313a258e85ac7560303276a0ef84c639ab0c71139e51a8bb731cf39121ffa

SHA512
d71a50be20a7ab400608ced0ce28c2eb493c638e5e7ae745cce0c4ce473c31d741aadfb88b70bfa0769a07b4a8adb0813ad7d7ac02a467b5d8654590a173363c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
81c89513b3f9c350d0251fabf75dcd60

SHA1
d3c74c6ffd53d57b5c7e0827e9c9acab9502f507

SHA256
0a558d596d5b1732f5a75678f0964e3e6e1e772f7aa061dab6475882bb349373

SHA512
e9b5cd3c027bb2b2dd35e546161c54db67f06b7fa527ce08a8182dca37761136c9322903b2e20c1029773f511ab5a7c105bd9cbbc5e67c4453673552eca97467

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
81c89513b3f9c350d0251fabf75dcd60

SHA1
d3c74c6ffd53d57b5c7e0827e9c9acab9502f507

SHA256
0a558d596d5b1732f5a75678f0964e3e6e1e772f7aa061dab6475882bb349373

SHA512
e9b5cd3c027bb2b2dd35e546161c54db67f06b7fa527ce08a8182dca37761136c9322903b2e20c1029773f511ab5a7c105bd9cbbc5e67c4453673552eca97467

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
81c89513b3f9c350d0251fabf75dcd60

SHA1
d3c74c6ffd53d57b5c7e0827e9c9acab9502f507

SHA256
0a558d596d5b1732f5a75678f0964e3e6e1e772f7aa061dab6475882bb349373

SHA512
e9b5cd3c027bb2b2dd35e546161c54db67f06b7fa527ce08a8182dca37761136c9322903b2e20c1029773f511ab5a7c105bd9cbbc5e67c4453673552eca97467

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
81c89513b3f9c350d0251fabf75dcd60

SHA1
d3c74c6ffd53d57b5c7e0827e9c9acab9502f507

SHA256
0a558d596d5b1732f5a75678f0964e3e6e1e772f7aa061dab6475882bb349373

SHA512
e9b5cd3c027bb2b2dd35e546161c54db67f06b7fa527ce08a8182dca37761136c9322903b2e20c1029773f511ab5a7c105bd9cbbc5e67c4453673552eca97467

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
81c89513b3f9c350d0251fabf75dcd60

SHA1
d3c74c6ffd53d57b5c7e0827e9c9acab9502f507

SHA256
0a558d596d5b1732f5a75678f0964e3e6e1e772f7aa061dab6475882bb349373

SHA512
e9b5cd3c027bb2b2dd35e546161c54db67f06b7fa527ce08a8182dca37761136c9322903b2e20c1029773f511ab5a7c105bd9cbbc5e67c4453673552eca97467

Download Submit
C:\Users\Admin\AppData\Local\Temp\57768.bat

Filesize
122B

MD5
bff7a37bded5eeece5162d3701ea9db7

SHA1
d659c3cd9c795e550b513b37ad82682f711868b4

SHA256
98e53d161c70202f0fa2717b7739e772bf3434ddbca2c2cda2771239664705f4

SHA512
1a0a682a5fa148924a8596705fa7db07f099764562beaa360f66409ffd8bca2e9748ec35ff384294751c2ee887d12e726ff683582445810ca6d9c2eac72532e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\64488.txt

Filesize
5B

MD5
46235a3abdd04841af13c4d768f13c21

SHA1
dbda35397217dfd44665c7ca310ea778d182417b

SHA256
70539d738dd9af0c879fdb72ced472eb201ef5d453ebefb005db4706a841ddcf

SHA512
aa538166a9f86f2dcecdae946e4e81afd8d097d52e92b0e47406428549c2e86c7eeca877e512fa55721c7c024fe7feb9107550f809d6cbfcc71b2b0d76e11d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\721961.txt

Filesize
5B

MD5
5db16d02db25b9673ff2f72440366df0

SHA1
8cc0eb32a34b85df03123e432da9b37e50b9ffc5

SHA256
ad9bcf2fc04aec15d57797d707e72f5d810c37b5c4172cc6b24ad88415fa3351

SHA512
4f8887314fc7de06c6fab70b5be69c17c02be2f639b537b3195f233a517dca674e2a45a2b01c881de106a77e9cc7b65fd89becd5d1178d9d21847346aabb7498

Download Submit
C:\Users\Admin\AppData\Local\Temp\84764.txt

Filesize
5B

MD5
7d9d329731cad1688ade8b557b74c68c

SHA1
18b228c333df8a6411695fa511db84db563d9549

SHA256
3b297c8441c7b0ad82d81dc862137eda12162cc846d00056108a241772faf1b4

SHA512
93b599a629c30816d37d7c28d74215f4d5a57ef41aa4d1893a327b5fc14d2371cb2d8c847b2e2035c98f942e648fc5231830ded89bfcf0df4356ca6c1e88ee80

Download Submit
C:\Users\Admin\AppData\Local\Temp\89193.txt

Filesize
4B

MD5
884d79963bd8bc0ae9b13a1aa71add73

SHA1
dc1e5e97b303462f6c9a009994f17fb83d9f7624

SHA256
77523aa0395b6ee089984c28fd543755244df3ba6adba24be6b5b20f4fe5c6b3

SHA512
9d4a6e63e43a684483e1fe763ef9cddbeb1d2b3560e5cdc3c0b13f7da2308806c603b361d9991b9b22220ff38cef048d7cc5617e6b83a3bd02d0f8d73a65363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89193.txt

Filesize
4B

MD5
884d79963bd8bc0ae9b13a1aa71add73

SHA1
dc1e5e97b303462f6c9a009994f17fb83d9f7624

SHA256
77523aa0395b6ee089984c28fd543755244df3ba6adba24be6b5b20f4fe5c6b3

SHA512
9d4a6e63e43a684483e1fe763ef9cddbeb1d2b3560e5cdc3c0b13f7da2308806c603b361d9991b9b22220ff38cef048d7cc5617e6b83a3bd02d0f8d73a65363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89193.txt

Filesize
4B

MD5
884d79963bd8bc0ae9b13a1aa71add73

SHA1
dc1e5e97b303462f6c9a009994f17fb83d9f7624

SHA256
77523aa0395b6ee089984c28fd543755244df3ba6adba24be6b5b20f4fe5c6b3

SHA512
9d4a6e63e43a684483e1fe763ef9cddbeb1d2b3560e5cdc3c0b13f7da2308806c603b361d9991b9b22220ff38cef048d7cc5617e6b83a3bd02d0f8d73a65363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89193.txt

Filesize
4B

MD5
884d79963bd8bc0ae9b13a1aa71add73

SHA1
dc1e5e97b303462f6c9a009994f17fb83d9f7624

SHA256
77523aa0395b6ee089984c28fd543755244df3ba6adba24be6b5b20f4fe5c6b3

SHA512
9d4a6e63e43a684483e1fe763ef9cddbeb1d2b3560e5cdc3c0b13f7da2308806c603b361d9991b9b22220ff38cef048d7cc5617e6b83a3bd02d0f8d73a65363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\89193.txt

Filesize
4B

MD5
884d79963bd8bc0ae9b13a1aa71add73

SHA1
dc1e5e97b303462f6c9a009994f17fb83d9f7624

SHA256
77523aa0395b6ee089984c28fd543755244df3ba6adba24be6b5b20f4fe5c6b3

SHA512
9d4a6e63e43a684483e1fe763ef9cddbeb1d2b3560e5cdc3c0b13f7da2308806c603b361d9991b9b22220ff38cef048d7cc5617e6b83a3bd02d0f8d73a65363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\915237.txt

Filesize
5B

MD5
7cbf30c9b6104ef5c28e30c8569aa72e

SHA1
46519443e52f9750e066b776cede1d2a5066ae81

SHA256
7d636fe8bad811f02c720951d2b5daa405f87be80789b1b526a9660d543cdf09

SHA512
b2974fcaa3fb8ebddbe2e964f56dac03a361e40333008f9e4dce98a703d39f649915f560c1fcb45db25b8b98edc7667ccb5df722b74e81cd68ffb91e1afd8f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d02.exe

Filesize
3.0MB

MD5
858a15b90f161538115dd246b1045e11

SHA1
4e4f0e042c36830cb94a58003b64b5a40183052b

SHA256
986f5a5080fb8945a7e2036f2c6fdaeeeecbcf44ec459e56cc03fa06261f138c

SHA512
84fcd0df3975b92835f7ff40ec1036e5518bc4d567c74d28fe83b58370e8327dbe8f55d6b58b1d41806ceb27b5dd860158ed2a4b07d9e9f4e04e6f1004cfde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
fe1eb79bd986bf9d4d9fbde7f6b29b3a

SHA1
b8c52e4292afe6839acd658e1760617c1de766a2

SHA256
362d97d5967ecdfb8a7aadec44b99d4078f3e7a740481e409b45f54cfc1b0ccb

SHA512
377e175a90648e1472c8f0e817f09c342c7f689047dddaaf50412a31e8c3a688273e52810372b3ca659986da3b9077c68aa17b98ea497932f7af91ddc5bcf6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
fe1eb79bd986bf9d4d9fbde7f6b29b3a

SHA1
b8c52e4292afe6839acd658e1760617c1de766a2

SHA256
362d97d5967ecdfb8a7aadec44b99d4078f3e7a740481e409b45f54cfc1b0ccb

SHA512
377e175a90648e1472c8f0e817f09c342c7f689047dddaaf50412a31e8c3a688273e52810372b3ca659986da3b9077c68aa17b98ea497932f7af91ddc5bcf6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe

Filesize
3.0MB

MD5
5d7da340c3aa614c52f671dc447aeca5

SHA1
08bda5cac2408187c01878020e3c9b48865a543c

SHA256
10bd914f668c578abfe2ef03bf169cc1c373024ed876287e2b053b99aa2037a4

SHA512
603db84c90c7cf0f79bba60cf55e9dcb377052a882ad5dc4cf0e79680f2fb64b6a14884a9a3bb45ff445e88f58de3bb2f2f4a55507bbd2f86a492305dc83de68

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d01.exe

Filesize
3.0MB

MD5
0f14af2fb1bccc62dfbbd8163de70ed6

SHA1
931b2673cbd11e3c19fdc64a1d5d66f76ab7420d

SHA256
534850a0e40cca52a6ea96f449c4be6ec64515381a29de94ab0da1614519372b

SHA512
6280b273bfab9030e32ab79c8be8fc4d6087e895e1bfe10e2acabb1307f9d4bbe815f786e8b14e19b8e5f23f9a7e0cb343f98ae90508471af041c1028b6b96d4

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
fe1eb79bd986bf9d4d9fbde7f6b29b3a

SHA1
b8c52e4292afe6839acd658e1760617c1de766a2

SHA256
362d97d5967ecdfb8a7aadec44b99d4078f3e7a740481e409b45f54cfc1b0ccb

SHA512
377e175a90648e1472c8f0e817f09c342c7f689047dddaaf50412a31e8c3a688273e52810372b3ca659986da3b9077c68aa17b98ea497932f7af91ddc5bcf6b3

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
fe1eb79bd986bf9d4d9fbde7f6b29b3a

SHA1
b8c52e4292afe6839acd658e1760617c1de766a2

SHA256
362d97d5967ecdfb8a7aadec44b99d4078f3e7a740481e409b45f54cfc1b0ccb

SHA512
377e175a90648e1472c8f0e817f09c342c7f689047dddaaf50412a31e8c3a688273e52810372b3ca659986da3b9077c68aa17b98ea497932f7af91ddc5bcf6b3

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d04.exe

Filesize
3.0MB

MD5
fe1eb79bd986bf9d4d9fbde7f6b29b3a

SHA1
b8c52e4292afe6839acd658e1760617c1de766a2

SHA256
362d97d5967ecdfb8a7aadec44b99d4078f3e7a740481e409b45f54cfc1b0ccb

SHA512
377e175a90648e1472c8f0e817f09c342c7f689047dddaaf50412a31e8c3a688273e52810372b3ca659986da3b9077c68aa17b98ea497932f7af91ddc5bcf6b3

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe

Filesize
3.0MB

MD5
5d7da340c3aa614c52f671dc447aeca5

SHA1
08bda5cac2408187c01878020e3c9b48865a543c

SHA256
10bd914f668c578abfe2ef03bf169cc1c373024ed876287e2b053b99aa2037a4

SHA512
603db84c90c7cf0f79bba60cf55e9dcb377052a882ad5dc4cf0e79680f2fb64b6a14884a9a3bb45ff445e88f58de3bb2f2f4a55507bbd2f86a492305dc83de68

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0e3baa4a5958cfc6c75b731f2e8fd1d08.exe

Filesize
3.0MB

MD5
5d7da340c3aa614c52f671dc447aeca5

SHA1
08bda5cac2408187c01878020e3c9b48865a543c

SHA256
10bd914f668c578abfe2ef03bf169cc1c373024ed876287e2b053b99aa2037a4

SHA512
603db84c90c7cf0f79bba60cf55e9dcb377052a882ad5dc4cf0e79680f2fb64b6a14884a9a3bb45ff445e88f58de3bb2f2f4a55507bbd2f86a492305dc83de68

Download Submit
memory/536-132-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/616-164-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/704-163-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/704-145-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/796-129-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/820-165-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/860-128-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/884-191-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/964-120-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1028-133-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1116-118-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1472-197-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1524-146-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1608-134-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1632-127-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1640-116-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1796-190-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1840-117-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1944-141-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2012-154-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2012-162-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2044-140-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2100-28-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2152-142-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2172-195-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2208-143-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2212-150-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2216-119-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2220-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2304-196-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2336-192-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2340-122-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2388-144-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2512-166-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2512-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2568-121-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2596-123-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2600-89-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2608-126-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2696-155-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2720-124-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2744-24-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2848-113-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2872-125-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2952-149-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads