165c662a45b7461551e7507e8e807139b480dab5facd9b28e8784a89f3f49949

Analysis

max time kernel
27s
max time network
138s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.67850d6172128a8ebb00611f2c735490.exe
Size

3.0MB
MD5

67850d6172128a8ebb00611f2c735490
SHA1

a1a5057e87059fcfa52a1cdec04c25e8b0d2ccfc
SHA256

165c662a45b7461551e7507e8e807139b480dab5facd9b28e8784a89f3f49949
SHA512

6a1d391790c41627b3fba039a44c55d92e3d0943d595d33486427c686cf2ca0a0ff6976628f344d1aec31bd7eebae045accc3966491fb8bde253cfa59607d881
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2ItdQ:jk5LhzACdLAlnE5co5nqqIP2ItdQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2628	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2580	NEAS.67850d6172128a8ebb00611f2c7354907.exe
544	NEAS.67850d6172128a8ebb00611f2c7354902.exe
472	NEAS.67850d6172128a8ebb00611f2c7354900.exe
628	NEAS.67850d6172128a8ebb00611f2c7354900.exe
2828	NEAS.67850d6172128a8ebb00611f2c7354902.exe
2596	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1888	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1936	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1776	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1924	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1512	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2224	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1716	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2464	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2712	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2816	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2236	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2116	NEAS.67850d6172128a8ebb00611f2c7354903.exe
2808	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2852	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1668	NEAS.67850d6172128a8ebb00611f2c7354907.exe
564	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1276	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1572	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2312	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1868	NEAS.67850d6172128a8ebb00611f2c7354907.exe
852	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1676	cmd.exe
2228	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2536	NEAS.67850d6172128a8ebb00611f2c7354907.exe
784	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1708	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1900	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2992	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1040	NEAS.67850d6172128a8ebb00611f2c7354900.exe
2616	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3080	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3096	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3116	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3236	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3264	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3292	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3308	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3316	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3332	NEAS.67850d6172128a8ebb00611f2c7354908.exe
3400	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3440	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3536	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3568	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3616	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3636	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3648	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3656	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3704	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3836	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3880	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3920	NEAS.67850d6172128a8ebb00611f2c7354907.exe
3940	NEAS.67850d6172128a8ebb00611f2c7354900.exe
3952	NEAS.67850d6172128a8ebb00611f2c7354902.exe
3968	NEAS.67850d6172128a8ebb00611f2c7354907.exe
4000	NEAS.67850d6172128a8ebb00611f2c7354900.exe
4032	NEAS.67850d6172128a8ebb00611f2c7354908.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2544	cmd.exe
2816	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2544	cmd.exe
2676	Process not Found
1508	Process not Found
2136	cmd.exe
1980	cmd.exe
1980	cmd.exe
2136	cmd.exe
328	cmd.exe
328	cmd.exe
1100	conhost.exe
1100	conhost.exe
3004	cmd.exe
3004	cmd.exe
2604	cmd.exe
2604	cmd.exe
1376	Process not Found
1900	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1016	Process not Found
2740	Process not Found
2900	Process not Found
1900	NEAS.67850d6172128a8ebb00611f2c7354907.exe
1904	cmd.exe
1904	cmd.exe
1528	Process not Found
2256	Process not Found
940	conhost.exe
2232	Process not Found
940	conhost.exe
1944	Process not Found
1384	cmd.exe
1384	cmd.exe
696	Process not Found
1724	cmd.exe
1724	cmd.exe
2160	Process not Found
1676	cmd.exe
1676	cmd.exe
2948	Process not Found
2420	cmd.exe
2420	cmd.exe
1220	Process not Found
1580	cmd.exe
1580	cmd.exe
2228	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2228	NEAS.67850d6172128a8ebb00611f2c7354907.exe
2360	cmd.exe
2360	cmd.exe
2076	Process not Found
2704	Process not Found
832	cmd.exe
832	cmd.exe
3036	cmd.exe
3036	cmd.exe
1852	cmd.exe
1852	cmd.exe
2348	Process not Found
3024	Process not Found
1704	cmd.exe
1704	cmd.exe
2680	cmd.exe
2680	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
7776	taskkill.exe
7676	taskkill.exe
6504	taskkill.exe
5684	taskkill.exe
6704	taskkill.exe
7576	taskkill.exe
7768	taskkill.exe
6868	taskkill.exe
10132	taskkill.exe
10356	taskkill.exe
3612	taskkill.exe
3512	taskkill.exe
5212	taskkill.exe
7500	taskkill.exe
7684	taskkill.exe
7788	taskkill.exe
7508	taskkill.exe
9560	taskkill.exe
5408	taskkill.exe
7708	taskkill.exe
7692	taskkill.exe
10612	taskkill.exe
10788	taskkill.exe
7524	taskkill.exe
7760	taskkill.exe
7732	taskkill.exe
7740	taskkill.exe
7584	taskkill.exe
7428	taskkill.exe
9092	taskkill.exe
10604	taskkill.exe
2716	taskkill.exe
1708	taskkill.exe
12268	taskkill.exe
8640	taskkill.exe
7476	taskkill.exe
7592	taskkill.exe
7628	taskkill.exe
7668	taskkill.exe
7552	taskkill.exe
7716	taskkill.exe
7660	taskkill.exe
5152	taskkill.exe
5100	taskkill.exe
1784	taskkill.exe
7568	taskkill.exe
7612	taskkill.exe
7724	taskkill.exe
7644	taskkill.exe
6128	taskkill.exe
7460	taskkill.exe
8256	taskkill.exe
9236	taskkill.exe
5332	taskkill.exe
7468	taskkill.exe
11888	taskkill.exe
6140	taskkill.exe
7484	taskkill.exe
11904	taskkill.exe
7516	taskkill.exe
7700	taskkill.exe
8960	taskkill.exe
7392	taskkill.exe
7560	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeAssignPrimaryTokenPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeLockMemoryPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeIncreaseQuotaPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeMachineAccountPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeTcbPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSecurityPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeTakeOwnershipPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeLoadDriverPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemProfilePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemtimePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeProfSingleProcessPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeIncBasePriorityPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreatePagefilePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreatePermanentPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeBackupPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeRestorePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeShutdownPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeDebugPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeAuditPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemEnvironmentPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeChangeNotifyPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeRemoteShutdownPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeUndockPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSyncAgentPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeEnableDelegationPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeManageVolumePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeImpersonatePrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreateGlobalPrivilege	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 31	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 32	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 33	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 34	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 35	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreateTokenPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeAssignPrimaryTokenPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeLockMemoryPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeIncreaseQuotaPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeMachineAccountPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeTcbPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSecurityPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeTakeOwnershipPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeLoadDriverPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemProfilePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemtimePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeProfSingleProcessPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeIncBasePriorityPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreatePagefilePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreatePermanentPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeBackupPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeRestorePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeShutdownPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeDebugPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeAuditPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSystemEnvironmentPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeChangeNotifyPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeRemoteShutdownPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeUndockPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeSyncAgentPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeEnableDelegationPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeManageVolumePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeImpersonatePrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: SeCreateGlobalPrivilege	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe
Token: 31	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3048	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	29
PID 2448 wrote to memory of 3048	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	29
PID 2448 wrote to memory of 3048	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	29
PID 3048 wrote to memory of 3056	3048	cmd.exe	30
PID 3048 wrote to memory of 3056	3048	cmd.exe	30
PID 3048 wrote to memory of 3056	3048	cmd.exe	30
PID 2448 wrote to memory of 2476	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	31
PID 2448 wrote to memory of 2476	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	31
PID 2448 wrote to memory of 2476	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	31
PID 2476 wrote to memory of 2052	2476	cmd.exe	35
PID 2476 wrote to memory of 2052	2476	cmd.exe	35
PID 2476 wrote to memory of 2052	2476	cmd.exe	35
PID 2448 wrote to memory of 2904	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	33
PID 2448 wrote to memory of 2904	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	33
PID 2448 wrote to memory of 2904	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	33
PID 2904 wrote to memory of 2988	2904	cmd.exe	36
PID 2904 wrote to memory of 2988	2904	cmd.exe	36
PID 2904 wrote to memory of 2988	2904	cmd.exe	36
PID 2448 wrote to memory of 2804	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	37
PID 2448 wrote to memory of 2804	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	37
PID 2448 wrote to memory of 2804	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	37
PID 2804 wrote to memory of 2004	2804	cmd.exe	44
PID 2804 wrote to memory of 2004	2804	cmd.exe	44
PID 2804 wrote to memory of 2004	2804	cmd.exe	44
PID 2448 wrote to memory of 2600	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	43
PID 2448 wrote to memory of 2600	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	43
PID 2448 wrote to memory of 2600	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	43
PID 2600 wrote to memory of 2648	2600	cmd.exe	41
PID 2600 wrote to memory of 2648	2600	cmd.exe	41
PID 2600 wrote to memory of 2648	2600	cmd.exe	41
PID 3056 wrote to memory of 2656	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	40
PID 3056 wrote to memory of 2656	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	40
PID 3056 wrote to memory of 2656	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	40
PID 2448 wrote to memory of 2712	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	354
PID 2448 wrote to memory of 2712	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	354
PID 2448 wrote to memory of 2712	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	354
PID 2988 wrote to memory of 2632	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	46
PID 2988 wrote to memory of 2632	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	46
PID 2988 wrote to memory of 2632	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	46
PID 2712 wrote to memory of 2916	2712	NEAS.67850d6172128a8ebb00611f2c7354907.exe	57
PID 2712 wrote to memory of 2916	2712	NEAS.67850d6172128a8ebb00611f2c7354907.exe	57
PID 2712 wrote to memory of 2916	2712	NEAS.67850d6172128a8ebb00611f2c7354907.exe	57
PID 2448 wrote to memory of 2640	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	350
PID 2448 wrote to memory of 2640	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	350
PID 2448 wrote to memory of 2640	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	350
PID 3056 wrote to memory of 2816	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	348
PID 3056 wrote to memory of 2816	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	348
PID 3056 wrote to memory of 2816	3056	NEAS.67850d6172128a8ebb00611f2c735490.exe	348
PID 2988 wrote to memory of 2544	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	52
PID 2988 wrote to memory of 2544	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	52
PID 2988 wrote to memory of 2544	2988	NEAS.67850d6172128a8ebb00611f2c7354907.exe	52
PID 2640 wrote to memory of 2776	2640	conhost.exe	50
PID 2640 wrote to memory of 2776	2640	conhost.exe	50
PID 2640 wrote to memory of 2776	2640	conhost.exe	50
PID 2448 wrote to memory of 2536	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	295
PID 2448 wrote to memory of 2536	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	295
PID 2448 wrote to memory of 2536	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	295
PID 2536 wrote to memory of 3068	2536	NEAS.67850d6172128a8ebb00611f2c7354907.exe	53
PID 2536 wrote to memory of 3068	2536	NEAS.67850d6172128a8ebb00611f2c7354907.exe	53
PID 2536 wrote to memory of 3068	2536	NEAS.67850d6172128a8ebb00611f2c7354907.exe	53
PID 2448 wrote to memory of 2484	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	55
PID 2448 wrote to memory of 2484	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	55
PID 2448 wrote to memory of 2484	2448	NEAS.67850d6172128a8ebb00611f2c735490.exe	55
PID 2484 wrote to memory of 2512	2484	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+711248.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      4⤵
      PID:2656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
      4⤵
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:2628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        Loads dropped DLL
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+319657.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        8⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
        9⤵
        
        PID:3152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+918336.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
        10⤵
        
        PID:7140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
        10⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
        11⤵
        
        PID:4884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        12⤵
        
        PID:6680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        13⤵
        Kills process with taskkill
        
        PID:7428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+79095.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        10⤵
        
        PID:9084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        10⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        11⤵
        
        PID:11256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        8⤵
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+331699.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        8⤵
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        8⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        9⤵
        
        PID:740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5896
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7716
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Loads dropped DLL
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:1776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+020428.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
        8⤵
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
        8⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
        9⤵
        
        PID:4248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6148
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+427511.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe
        8⤵
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe 1698006230
        8⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe 1698006230
        9⤵
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:7612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        7⤵
        
        PID:3304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:2228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:2312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:3264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        8⤵
        
        PID:7256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        8⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        9⤵
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
        8⤵
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
        8⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
        9⤵
        
        PID:12208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:2008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:3376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:2288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:2524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:1860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:2692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Loads dropped DLL
        
        PID:1704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        Loads dropped DLL
        
        PID:3036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+918859.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
        7⤵
        
        PID:6876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
        7⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
        8⤵
        
        PID:9128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+130083.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        7⤵
        
        PID:6916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        7⤵
        
        PID:10432
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        8⤵
        
        PID:12076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        Loads dropped DLL
        
        PID:1724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Loads dropped DLL
        
        PID:1384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:4100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+56543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        8⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        8⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        9⤵
        
        PID:8428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+128729.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        8⤵
        
        PID:9140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        8⤵
        
        PID:10696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        9⤵
        
        PID:9472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:4548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+56020.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        8⤵
        
        PID:6924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        8⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        9⤵
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:5672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+77741.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        8⤵
        
        PID:10484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        8⤵
        
        PID:10304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        9⤵
        
        PID:12124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:4464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        8⤵
        
        PID:7428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        8⤵
        
        PID:10204
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        9⤵
        
        PID:10644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        8⤵
        
        PID:10768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        8⤵
        
        PID:10780
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        9⤵
        
        PID:9404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:5416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+221011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
      4⤵
      PID:1388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
      4⤵
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:2828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
        8⤵
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+229608.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        9⤵
        
        PID:7156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        9⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        10⤵
        
        PID:9168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        11⤵
        
        PID:6608
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        12⤵
        Kills process with taskkill
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+51242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
        9⤵
        
        PID:6556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
        9⤵
        
        PID:10568
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
        10⤵
        
        PID:11724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:3748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+917814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe
        8⤵
        
        PID:6760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe 1698006230
        8⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe 1698006230
        9⤵
        
        PID:8368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:6296
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:12268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+220876.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        8⤵
        
        PID:10220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        8⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        9⤵
        
        PID:12052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:3608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:3300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:3088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:4148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        8⤵
        
        PID:7340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        8⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        9⤵
        
        PID:10808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549027.exe
        8⤵
        
        PID:10912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549027.exe 1698006230
        8⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549027.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549027.exe 1698006230
        9⤵
        
        PID:8572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:5088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        8⤵
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        8⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
        9⤵
        
        PID:9496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:8804
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:11888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe /autoup 1698006230
        10⤵
        
        PID:9636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        8⤵
        
        PID:10392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        8⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        9⤵
        
        PID:12156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:4196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4824
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        6⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        7⤵
        
        PID:9208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /killwindows 1698006230
        6⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /killwindows 1698006230
        7⤵
        
        PID:9108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /KillHardDisk 1698006230
        6⤵
        
        PID:10772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /KillHardDisk 1698006230
        7⤵
        
        PID:12200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /killMBR 1698006230
        6⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /killMBR 1698006230
        7⤵
        
        PID:4456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:11528
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:10472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        6⤵
        
        PID:10596
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        7⤵
        
        PID:9552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:9896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        6⤵
        
        PID:12004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /autoup 1698006230
        7⤵
        
        PID:8732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /killwindows 1698006230
        6⤵
        
        PID:6308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:2988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+711248.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      4⤵
      PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
      4⤵
      Loads dropped DLL
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:2580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Loads dropped DLL
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:1868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:3920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        8⤵
        
        PID:7408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        8⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        9⤵
        
        PID:10864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:7340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        8⤵
        
        PID:11100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        8⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        9⤵
        
        PID:12068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:3456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:2492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:2688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:3912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:1052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:1588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:1280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:3008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        Loads dropped DLL
        
        PID:1852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Loads dropped DLL
        
        PID:2360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:1580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+917291.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
        8⤵
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
        8⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
        9⤵
        
        PID:8784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+832656.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        8⤵
        
        PID:8740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        8⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        9⤵
        
        PID:11844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:4572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:5036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+56543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        8⤵
        
        PID:6896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        8⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        9⤵
        
        PID:7216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:4796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:9560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+128729.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        8⤵
        
        PID:9420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        8⤵
        
        PID:10376
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        9⤵
        
        PID:12164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:4448
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        8⤵
        
        PID:7372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        8⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        9⤵
        
        PID:7172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:1268
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:11904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        8⤵
        
        PID:6844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        8⤵
        
        PID:10796
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        9⤵
        
        PID:1184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        7⤵
        
        PID:5368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+221011.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
      4⤵
      PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
      4⤵
      Loads dropped DLL
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        Executes dropped EXE
        
        PID:3952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
        8⤵
        
        PID:7284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
        8⤵
        
        PID:8632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
        8⤵
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
        8⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
        9⤵
        
        PID:4460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:3472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:3204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:2748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:1012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:4108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+917291.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe
        8⤵
        
        PID:6844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe 1698006230
        8⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549029.exe 1698006230
        9⤵
        
        PID:9008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9424
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:6140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+832656.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        8⤵
        
        PID:8696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        8⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        9⤵
        
        PID:12132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:4564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+56543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
        8⤵
        
        PID:6068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
        8⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
        9⤵
        
        PID:11228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+128729.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe
        8⤵
        
        PID:10804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe 1698006230
        8⤵
        
        PID:11740
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe 1698006230
        9⤵
        
        PID:2720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:4372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        6⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
        7⤵
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+816768.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        8⤵
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        8⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549028.exe 1698006230
        9⤵
        
        PID:5996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:9788
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:10612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+411668.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549024.exe
        8⤵
        
        PID:9092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549024.exe 1698006230
        8⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549024.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549024.exe 1698006230
        9⤵
        
        PID:10764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        6⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
        7⤵
        
        PID:5376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+77877.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      4⤵
      PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
      4⤵
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4272
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        6⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        7⤵
        
        PID:9148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killwindows 1698006230
        6⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killwindows 1698006230
        7⤵
        
        PID:10628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /KillHardDisk 1698006230
        6⤵
        
        PID:10528
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /KillHardDisk 1698006230
        7⤵
        
        PID:6684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killMBR 1698006230
        6⤵
        
        PID:11636
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killMBR 1698006230
        7⤵
        
        PID:900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        6⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        7⤵
        
        PID:3808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        6⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        7⤵
        
        PID:2076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe C:\windows\system32\taskmgr.exe
        6⤵
        
        PID:11072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        6⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /autoup 1698006230
        7⤵
        
        PID:11896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killwindows 1698006230
        6⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /killwindows 1698006230
        7⤵
        
        PID:852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /KillHardDisk 1698006230
        6⤵
        
        PID:5512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
      4⤵
      PID:832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+332222.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
      4⤵
      PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
      4⤵
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:1040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
      4⤵
      PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+815730.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
      4⤵
      PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+020950.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
      4⤵
      PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+815730.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
      4⤵
      PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
      4⤵
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
        5⤵
        Executes dropped EXE
        
        PID:4032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
      4⤵
      PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+020950.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
      4⤵
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
      4⤵
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
        5⤵
        
        PID:3460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354906.exe 1698006230
      4⤵
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354906.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354906.exe 1698006230
        5⤵
        
        PID:1120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:5888
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+923584.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
      4⤵
      PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
      4⤵
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
        5⤵
        
        PID:4920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6320
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+919382.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
      4⤵
      PID:5304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
      4⤵
      PID:7224
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
        5⤵
        
        PID:6520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+518303.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
      4⤵
      PID:9104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
      4⤵
      PID:10400
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
        5⤵
        
        PID:10428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
      4⤵
      PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:3428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+917814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
      4⤵
      PID:6424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
      4⤵
      PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
        5⤵
        
        PID:8600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+220876.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
      4⤵
      PID:10100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
      4⤵
      PID:10468
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        5⤵
        
        PID:11836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:4412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
      4⤵
      PID:7416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
      4⤵
      PID:8500
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
        5⤵
        
        PID:7832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      4⤵
      PID:9560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
      4⤵
      PID:10948
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
        5⤵
        
        PID:11852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+816768.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
      4⤵
      PID:7176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
      4⤵
      PID:6412
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
        5⤵
        
        PID:2852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:6504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+411668.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354904.exe
      4⤵
      PID:9568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354904.exe 1698006230
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354904.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354904.exe 1698006230
        5⤵
        
        PID:11748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
  2⤵
  PID:8200
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
    3⤵
    PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /killwindows 1698006230
  2⤵
  PID:9432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /killwindows 1698006230
    3⤵
    PID:9104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /KillHardDisk 1698006230
  2⤵
  PID:9140
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /KillHardDisk 1698006230
    3⤵
    PID:11452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /killMBR 1698006230
  2⤵
  PID:11644
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /killMBR 1698006230
    3⤵
    PID:10796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
  2⤵
  PID:9700
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
    3⤵
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
    3⤵
    PID:5268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe C:\windows\system32\taskmgr.exe
  2⤵
  PID:10928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /autoup 1698006230
    3⤵
    PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /killwindows 1698006230
  2⤵
  PID:5080

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+021996.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
  2⤵
  PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
  2⤵
  - Loads dropped DLL
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
    3⤵
    - Executes dropped EXE
    PID:472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        Executes dropped EXE
        
        PID:3316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+229085.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        6⤵
        
        PID:6672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        6⤵
        
        PID:7180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+113022.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe
        6⤵
        
        PID:8496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe 1698006230
        6⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe 1698006230
        7⤵
        
        PID:12188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      Loads dropped DLL
      PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        5⤵
        Executes dropped EXE
        
        PID:2464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+331176.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        6⤵
        Loads dropped DLL
        
        PID:1580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        6⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        7⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:6196
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:7576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+831437.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        6⤵
        
        PID:4732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        6⤵
        Loads dropped DLL
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        7⤵
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:6440
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:7660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:3484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:3532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        6⤵
        
        PID:7492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        6⤵
        
        PID:8616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
        6⤵
        
        PID:9412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
        6⤵
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
        7⤵
        
        PID:11708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:4532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+228039.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        6⤵
        
        PID:6740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        6⤵
        
        PID:10360
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        7⤵
        
        PID:10888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:6284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:2716
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+33814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549003.exe
        6⤵
        
        PID:10952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549003.exe 1698006230
        6⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549003.exe 1698006230
        7⤵
        
        PID:11608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:4740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+816768.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        6⤵
        
        PID:7212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        6⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        7⤵
        
        PID:2428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+411668.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe
        6⤵
        
        PID:10236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe 1698006230
        6⤵
        
        PID:10140
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe 1698006230
        7⤵
        
        PID:11968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+724938.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
  2⤵
  - Loads dropped DLL
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
    3⤵
    - Executes dropped EXE
    PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+69156.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
        6⤵
        
        PID:4840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
        6⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
        7⤵
        
        PID:4644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:6428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:7740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+52596.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        6⤵
        
        PID:4212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        6⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        7⤵
        
        PID:5348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:6660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:7584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:3792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        5⤵
        
        PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        5⤵
        
        PID:4156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        6⤵
        
        PID:7392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        6⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        7⤵
        
        PID:7196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:7412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:6868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        6⤵
        
        PID:8636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        6⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        7⤵
        
        PID:9124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        5⤵
        
        PID:4656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        5⤵
        
        PID:5096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+228039.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        6⤵
        
        PID:4732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        6⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        7⤵
        
        PID:1552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+33814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        6⤵
        
        PID:8952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        6⤵
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
        7⤵
        
        PID:11792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        5⤵
        
        PID:4636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
        5⤵
        
        PID:4316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        6⤵
        
        PID:7348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        6⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        7⤵
        
        PID:11028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:4108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:6128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        6⤵
        
        PID:11120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        6⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        7⤵
        
        PID:12116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
        5⤵
        
        PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7676

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+021996.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
  2⤵
  - Loads dropped DLL
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
    3⤵
    - Executes dropped EXE
    PID:628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        Executes dropped EXE
        
        PID:3096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+918336.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe
        6⤵
        
        PID:6732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe 1698006230
        6⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe 1698006230
        7⤵
        
        PID:7360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:11480
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:5684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+79095.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
        6⤵
        
        PID:8972
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
        6⤵
        
        PID:10928
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
        7⤵
        
        PID:12140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:3800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:3492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:3196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:4132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+917291.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe
        6⤵
        
        PID:6908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe 1698006230
        6⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549009.exe 1698006230
        7⤵
        
        PID:8716
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+832656.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        6⤵
        
        PID:6568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        6⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        7⤵
        
        PID:11280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:4312
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:5068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+816768.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        6⤵
        
        PID:7268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        6⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        7⤵
        
        PID:8032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+411668.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe
        6⤵
        
        PID:7416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe 1698006230
        6⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549004.exe 1698006230
        7⤵
        
        PID:11960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:892
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
      4⤵
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
        5⤵
        
        PID:4320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        6⤵
        
        PID:7440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        6⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
        7⤵
        
        PID:10936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        6⤵
        
        PID:10968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        6⤵
        
        PID:10932
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549008.exe 1698006230
        7⤵
        
        PID:11380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
      4⤵
      PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
        5⤵
        
        PID:5360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+724938.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
  2⤵
  PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7059758,0x7fef7059768,0x7fef7059778
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1228 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:2
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2544 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:2
  2⤵
  PID:7748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2880 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:8
  2⤵
  PID:7960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2600 --field-trial-handle=1296,i,7188005959585250874,7249060509159809780,131072 /prefetch:2
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+331176.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
  2⤵
  PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
  2⤵
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
    3⤵
    PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6340
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+831437.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
    3⤵
    PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7692

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+67588.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:6856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:8484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:7380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+05169.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
  2⤵
  PID:10468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
  2⤵
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
    3⤵
    PID:11656

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
1⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+229085.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
  2⤵
  PID:6696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
  2⤵
  PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+113022.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
  2⤵
  PID:9200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
  2⤵
  PID:11104
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
    3⤵
    PID:11296

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
  2⤵
  PID:7600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
  2⤵
  PID:10344
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
    3⤵
    PID:10684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        
        PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
  2⤵
  PID:10880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
  2⤵
  PID:10192
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
    3⤵
    PID:11272

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
  2⤵
  PID:7536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
  2⤵
  PID:9424
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549025.exe 1698006230
    3⤵
    PID:11244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
  2⤵
  PID:10704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
  2⤵
  PID:11780
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
    3⤵
    PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+69679.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354906.exe
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
  2⤵
  - Executes dropped EXE
  PID:3400

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+917814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:6768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:6436
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
    3⤵
    PID:8968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+220876.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
  2⤵
  PID:10300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
  2⤵
  PID:8740
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
    3⤵
    PID:12108

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
1⤵
PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
  2⤵
  PID:7364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
  2⤵
  PID:10136
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
    3⤵
    PID:10636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
  2⤵
  PID:10784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
  2⤵
  PID:10880
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549007.exe 1698006230
    3⤵
    PID:11716

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
1⤵
PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:2748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7524

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+917814.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:6868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
    3⤵
    PID:6928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:10568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:10132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+220876.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
  2⤵
  PID:10432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
  2⤵
  PID:10136
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
    3⤵
    PID:12084

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549073.exe 1698006230
1⤵
PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:5504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:4000

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3968

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549005.exe
  2⤵
  PID:7240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549005.exe 1698006230
  2⤵
  PID:7272
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549005.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549005.exe 1698006230
    3⤵
    PID:9808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549006.exe
  2⤵
  PID:10596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549006.exe 1698006230
  2⤵
  PID:10208
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549006.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549006.exe 1698006230
    3⤵
    PID:11152

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+331699.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
1⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+229085.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
  2⤵
  PID:5172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
  2⤵
  PID:5276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
    3⤵
    PID:9176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:3424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:9092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+113022.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354901.exe
  2⤵
  PID:9436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354901.exe 1698006230
  2⤵
  PID:9032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354901.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354901.exe 1698006230
    3⤵
    PID:4340

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+229085.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
  2⤵
  PID:6892
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549002.exe 1698006230
    3⤵
    PID:6760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe+113022.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe
  2⤵
  PID:9356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe 1698006230
  2⤵
  PID:11092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549001.exe 1698006230
    3⤵
    PID:11288

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
  2⤵
  PID:7544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
  2⤵
  PID:8744
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
    3⤵
    PID:6876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:11936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:9236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:9552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:11664

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3636

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+57065.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
  2⤵
  PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
  2⤵
  PID:8952
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
    3⤵
    PID:8772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+616949.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:8504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:9440
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:12092

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3536

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
1⤵
- Executes dropped EXE
PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7516

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
1⤵
- Executes dropped EXE
PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7700

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+229085.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
  2⤵
  PID:7192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
  2⤵
  PID:9120
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549022.exe 1698006230
    3⤵
    PID:9476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+113022.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe
  2⤵
  PID:10532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe 1698006230
  2⤵
  PID:11224
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549021.exe 1698006230
    3⤵
    PID:11860

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+67588.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
  2⤵
  PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
  2⤵
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549026.exe 1698006230
    3⤵
    PID:8672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:10008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe+05169.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549020.exe
  2⤵
  PID:8812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549020.exe 1698006230
  2⤵
  PID:8492
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549020.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549020.exe 1698006230
    3⤵
    PID:11476

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+67588.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:7436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:6704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+05169.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
  2⤵
  PID:8892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
  2⤵
  PID:10600
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
    3⤵
    PID:12100

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+67588.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:6132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:8680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+05169.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
  2⤵
  PID:10376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
  2⤵
  PID:9100
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
    3⤵
    PID:11596

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
1⤵
PID:2500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13120527421317391973-3070106411621722076-284255328-498945795-127160327-730406605"
1⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900
- C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe 1698006230
  2⤵
  - Executes dropped EXE
  PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
    3⤵
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:4164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+228562.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        5⤵
        
        PID:7324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        5⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
        6⤵
        
        PID:10652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+724802.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        5⤵
        
        PID:10800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        5⤵
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549077.exe 1698006230
        6⤵
        
        PID:12148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
    3⤵
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:5076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+56543.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        5⤵
        
        PID:5288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        5⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
        6⤵
        
        PID:8648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        7⤵
        
        PID:11952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:5100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+128729.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        5⤵
        
        PID:9364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        5⤵
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
        6⤵
        
        PID:11800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
    3⤵
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
    3⤵
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
      4⤵
      PID:4676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+816768.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        5⤵
        
        PID:4312
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        5⤵
        
        PID:6560
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549078.exe 1698006230
        6⤵
        
        PID:9184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+411668.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe
        5⤵
        
        PID:10228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe 1698006230
        5⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549074.exe 1698006230
        6⤵
        
        PID:11700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
    3⤵
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
      4⤵
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:6452
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:7708

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+229608.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
  2⤵
  PID:6848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
  2⤵
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe 1698006230
    3⤵
    PID:8944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+51242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
  2⤵
  PID:10416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
  2⤵
  PID:9356
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354905.exe 1698006230
    3⤵
    PID:11732

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+229608.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
  2⤵
  PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
  2⤵
  PID:9032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549072.exe 1698006230
    3⤵
    PID:10104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+51242.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
  2⤵
  PID:10712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
  2⤵
  PID:9412
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
    3⤵
    PID:12044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+319657.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
  2⤵
  PID:2540

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
  2⤵
  - Executes dropped EXE
  PID:1716

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+918859.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:6692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:8972
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
    3⤵
    PID:8780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:8412
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:10788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+130083.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
  2⤵
  PID:9312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
  2⤵
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
    3⤵
    PID:12060

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+68634.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
  2⤵
  PID:5564
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549076.exe 1698006230
    3⤵
    PID:4380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:7932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:8960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+114376.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
  2⤵
  PID:9924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549071.exe 1698006230
    3⤵
    PID:9112

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+919382.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:7360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+518303.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
  2⤵
  PID:9112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
  2⤵
  PID:10564
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549075.exe 1698006230
    3⤵
    PID:11036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1115357557-581216311024493441-13952589219133177441416703657-192544867-1280092894"
1⤵
- Loads dropped DLL
PID:1100

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-796838445-156240090-1534027356-5348774461862926020-361863190-309955268323600821"
1⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+019905.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
  2⤵
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe 1698006230
    3⤵
    PID:5184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+96523.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
  2⤵
  PID:5400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
  2⤵
  PID:7436
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354909.exe 1698006230
    3⤵
    PID:5176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:8528
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:8256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2200406541243289945-624900847-1166958451-1100550532654267204568847310-53351873"
1⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+019905.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
  2⤵
  PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
    3⤵
    PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6540
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+96523.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:5176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:1880

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /protect 1698006230
1⤵
- Executes dropped EXE
PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+019905.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549070.exe 1698006230
    3⤵
    PID:5136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe+96523.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe
  2⤵
  PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549079.exe 1698006230
  2⤵
  PID:1792

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
1⤵
- Executes dropped EXE
PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe /protect 1698006230
  2⤵
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe /protect 1698006230
    3⤵
    PID:4948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe+227517.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549032.exe
      4⤵
      PID:7380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549032.exe 1698006230
      4⤵
      PID:7620
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549032.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549032.exe 1698006230
        5⤵
        
        PID:10816
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        
        PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe+815595.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549038.exe
      4⤵
      PID:10928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549038.exe 1698006230
      4⤵
      PID:11240
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549038.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c73549038.exe 1698006230
        5⤵
        
        PID:11352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe /save 1698006230
  2⤵
  PID:5220
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe /save 1698006230
    3⤵
    PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8640

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3520059021147368383-1892275822-1645147032383336302-989892817-2056075671342242738"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+331176.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
  2⤵
  PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
  2⤵
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
    3⤵
    PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+831437.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
  2⤵
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
    3⤵
    PID:272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7644

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /save 1698006230
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe /protect 1698006230
1⤵
PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+331176.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
  2⤵
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
  2⤵
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354903.exe 1698006230
    3⤵
    PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:5544
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c735490.exe+831437.txt C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354908.exe 1698006230
    3⤵
    PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6488
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7760

C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe /save 1698006230
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "747646687-1581027540-1000821412-1476960415-392646830-661246234-1266497253-1066325880"
1⤵
PID:3792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3652106891709839143-1233819540-17167833391482949486-1154516773-1156372626-162009532"
1⤵
PID:3780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "690850327-1175995166-1671850454786155114804291540-803874613-1072161968-1451651799"
1⤵
PID:3844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209598453-1701556933-2170430069046252912010082301560496444-19413490521102465842"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1536984052-218630370-722234731-1621137871-115613807819753730001339266892-728423047"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-311753347192843123-879492498740561794-958896987-450582906786362163-1057205037"
1⤵
PID:3212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68160131418733189-1699458370-652712741-879177576-753274221837551266-678894676"
1⤵
PID:3196

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3011590432897937746871141517857076685041688-1386126555539414629-1623975523"
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-136065327-1133249570-1803589452-421931640197486535-1427148039-1373774720386541976"
1⤵
PID:3496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5275524545700961598016856061590328182-1253854873-482509131964145473-1601958717"
1⤵
PID:4540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137989744516448101141564861085-861049982-587698435-1328517268569111095806720871"
1⤵
PID:4772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1812972312478656206619584614-1294012368-717317960-929962120-732623871-1914207830"
1⤵
PID:4792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-540813572-2336620113636155941328300012-470235242-16300364381668397318-1054705026"
1⤵
PID:3492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2016760391828268800188728158-19212989691126504169-6042727641813308648-1298325857"
1⤵
PID:4396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-708489218-187249409821556144-639297719-1014874541683415710-2082339470-53028499"
1⤵
PID:4748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1247254248672680400-375329102821243642-68535259-53657892318148418881119648986"
1⤵
PID:4764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-164839701015048695801691500967914590210-11972681531349941714-20546632401283313813"
1⤵
PID:4828

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MergeGrant.MTS"
1⤵
PID:6724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ab942b7cc53216520940b75ae64b31e1

SHA1
ffe6952c07a169f52570410049dce9a806f4ff3d

SHA256
1df369943bafb8ca064352cc9cdd04559756a9c848647eea8e9b9db36201e7cd

SHA512
46510a7c68c3e17e6ce1e3a585def44edf27178d855484e390f783b3bbf2007e95f09f6ff13a1085856e52d19bd7250d4a291e3a0ffd47ffae0060e0ab9f97e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\021996.txt

Filesize
5B

MD5
a697ab0dcf803186970e7bb5ed0909fb

SHA1
e5c194dea076c0dd6caae400c9a6350e0cc6b9fc

SHA256
2d7d00c8ade60f7206469ec7082a306916cda14bb1d6026b9acdfb11169a0677

SHA512
e47abfce4fac6bc17b1d6954c1b3f062a89b0e9e87dc84af305ec6a0d8f60c3af54572cff4308998403688a9b3052e0a072ee0bb0764c9f13f187bb9df6f6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\021996.txt

Filesize
5B

MD5
a697ab0dcf803186970e7bb5ed0909fb

SHA1
e5c194dea076c0dd6caae400c9a6350e0cc6b9fc

SHA256
2d7d00c8ade60f7206469ec7082a306916cda14bb1d6026b9acdfb11169a0677

SHA512
e47abfce4fac6bc17b1d6954c1b3f062a89b0e9e87dc84af305ec6a0d8f60c3af54572cff4308998403688a9b3052e0a072ee0bb0764c9f13f187bb9df6f6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\10096.bat

Filesize
124B

MD5
d20c5de5d5a512fdc76873803344e4b2

SHA1
d95eb895127743a6cb2d8918993aac363f1cb5ad

SHA256
dbe87c298b7c513f3289a168ed9652745f020be0b3a007dd2ca9855644c74291

SHA512
2a06ddaaa5f1de87dadf7998f0f20c4559489584985ee9caa2633b155e9272679607c92f8822a2ca04be19245210a94dcf913bc4eac852ea48b98db101b70ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\113022.txt

Filesize
5B

MD5
6080b4a414292cce8d1c1b197708fefb

SHA1
ca1ceb4137e7f074047649a2b70ea9ab2e7de275

SHA256
1869d694223e57293181de73b0f7f41e7a85681ed8bd65f207a1aa6b74016b22

SHA512
c6de27dfa916d40a91aa3db4fd0fc23fbdc2a49ee34b1b4de7dc897e0a49243a398fae83e33ecf0f08d218d5539ec2bcf5b5d1024af1f6594b4ec8570e9d2e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\129870.bat

Filesize
123B

MD5
850fcd886991d75771525990bc84ac4a

SHA1
06e32ad88909bd12810df2d81f735643be70e3aa

SHA256
010ab34f78387f29c863468b384ac92d8fca26b1e232f871666cf346e0ebeda5

SHA512
cd453a6a06fa9d18c12f2c3050b7323a34b22631621f89fb7f1ebcbe484bbd0192fee5b4e5afa325ac03b6cb5204923e9329da54f875e2e323478ad12c96e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\142002.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\159616.bat

Filesize
124B

MD5
c73be4908f65ed510620fac64bace786

SHA1
4dfdaea3cd036796df1c0e2d8b2b7f29b8e354ef

SHA256
45f196ee48825e92b76944763bc5aa0401b1e5169bedcf29ff94337c44c8c18c

SHA512
0ef056dd7c2dd761672fd1771d22653e96efe16ef6a31cea3dc213208cf48d94207b3ce96ee5af8db4e000479dfcd8b46bd8b181fc15a07c22808250f89e8446

Download Submit
C:\Users\Admin\AppData\Local\Temp\16220.bat

Filesize
124B

MD5
1693815240176c841f841303d569cc50

SHA1
0c35bbdf940f4cb571ece822fc4d42e6b5c38ab0

SHA256
d32d08d8c1a8bd97a908d2af9bd65628b13e55304a961bea8bf3043c6f98f66b

SHA512
88e27e3a3598b821c23c6fcdbe523ad29f9229d4e7abd997a5bc1891758679e8846a5464944357e7ad933f6401f4a346d3cdee65ca01eab2c7a2c772067823ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\162526.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\174222.bat

Filesize
112B

MD5
2b4320b6fbc3725ea033df4b0706ce27

SHA1
89845a1a079c61b44f3b3c816270ad54bf0965a8

SHA256
bfce6d1f50a02e8ddd970be2c0a185643668b7d65c3b3d90760bc2051c040ef6

SHA512
7922d3695c6d6419003d1aa46ea1f883cf74bbf0f26660a48f790fa5fa95402c063a658b0d3941dacfc2548d3c229c41bb8d0eac66da535b349b1039a80d1b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\221011.txt

Filesize
5B

MD5
aae14bda33aa45a1d45d45011529b806

SHA1
1d46fdd649eee746a7ded71e599f64cb291d6dca

SHA256
900f9a803807c073b8665186e2eacd66f902ae2cf1b194ffe4ac5b5df78262b5

SHA512
60fc05010d9a5ac60364787d5ee3836b0531077b4a57703adefd064504b41313596a6cdce56329f5cdf1b73e047171a93b06c06bb79e53607b639abebbe3ab2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\221011.txt

Filesize
5B

MD5
aae14bda33aa45a1d45d45011529b806

SHA1
1d46fdd649eee746a7ded71e599f64cb291d6dca

SHA256
900f9a803807c073b8665186e2eacd66f902ae2cf1b194ffe4ac5b5df78262b5

SHA512
60fc05010d9a5ac60364787d5ee3836b0531077b4a57703adefd064504b41313596a6cdce56329f5cdf1b73e047171a93b06c06bb79e53607b639abebbe3ab2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\227517.txt

Filesize
5B

MD5
7c738d9871e7093863bb5786cd8168e8

SHA1
d01198fc78de764b29e66ff12de92f90d82fccfb

SHA256
516d03df33af3e723d2288fdaac53eee30c8da18e532ff9b7fbf9e0c2892df62

SHA512
cebe3c7d21b9ad9cca4de1adb4e4cdf6ffa350f17c875401b075eefb9afb891cea9fd50ff4cadca03f03bbcc37c143f705f0872d3de72cc2296d373575c9d3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\228562.txt

Filesize
4B

MD5
cc3d69ed781b16bce06687822ae56e6d

SHA1
868d2acc958777666a16632fd681871581822797

SHA256
47012d6a8e8c18e60526a997caabc66257cac6b3457b51186968fc68c9c48673

SHA512
2b31372ade5bd7eb0fb9267e6a57d3b4d20da20b2fea77c9a3208d8cc2167f144773ab810a542a9946e8b3d6a927af7c3d1578142460418cb634578259899cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\229085.txt

Filesize
5B

MD5
d61f3a760c9bcbc9bb75228deddd9379

SHA1
6033889b545d689f75401861c5de1f3b2b7095ee

SHA256
9f11f0b9f60090790647e17be5bab0e0aeb45f172726f8971ba0a6ff82685803

SHA512
94008c9d083b92a07db40335358db06d48bdfc3d39f7eeb52664b34d81b4c6fd165e3e55926bc629d4a3db419f3bdc5b6e54ff0f486d4535d4993a0e11b5a43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\34348.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\40108.bat

Filesize
112B

MD5
46fd4d1a39b7eb393bd6bc860ca9d7f6

SHA1
fd4217f0dfdd1d7f89afd4496642475aefd011cb

SHA256
22e53990f6761695ab3f4b2aedc6fa17549e22702f5ceb12d4235ce75f8f98ff

SHA512
4183446f59a7b9b86f3d87ef20f1e5cbc46a6cef6bff48b27e909e05746852b7f29ec990731a53795e82f9f89bdd23af67e3bf7204f03b334989e34b60b947e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\411668.txt

Filesize
4B

MD5
dd77279f7d325eec933f05b1672f6a1f

SHA1
259fe583ddd64df1efa6b2cbf7a1afae427cfa5d

SHA256
10e35e8e93e91e58b54af372922fe86028c587c7e32fa3f50c4a106eaa05e668

SHA512
ebd68efe4c5f40306b240d1a32b950fe240c31b12e1e8a5c7dc84d45fca0e9696fc0066b40f113c82647195db273c64583e3e241e6ab2f0512823fcab5f0199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57065.txt

Filesize
5B

MD5
b1ae293d97f4b7f67633115722c1009c

SHA1
b6aa214e6547285c12b7eba8714a68fc2d2b106b

SHA256
843a45abf8dde1e6df29282930565cb1a33657cbe6ceb1a20d06b4f940ab4a23

SHA512
24e125ac5611a79d2f12b64d7fcd92d8d28a03d4eaf3ed95d0113387e57e455cb83b8aad2200193db469fbc222e358f5e7dc6e3a41061efe67a0621052cbd765

Download Submit
C:\Users\Admin\AppData\Local\Temp\57870.bat

Filesize
124B

MD5
4035a3140f3cacc68887b5c40a18815a

SHA1
b6b6edf8e426fa14f5c9dbe4071473fc4140ea39

SHA256
c6f34255617439b0596de0effcd8e49c0728d5173bb5fa6a321de076e6c2ef66

SHA512
70017c78df3a97b935ba1a4722de08dbc416c038969da552dc4f94df92f7e30acd29fa3327b6e21e9b195a5b85726bc0c0f3102aadb8c19035417745394fafe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\616949.txt

Filesize
5B

MD5
ab64c7ef8d0578f7dd1acb6d064a61cd

SHA1
b582020b2c7884c4376dba550bd6025ee2bddb7c

SHA256
c0ab51aef50c001ee74a0c3d3db8ab4c2ed8e9a5e8b7089eaca7bc331fd43b16

SHA512
15e898ebae65e35e7c852ac8c006ea66594a5c68aeb02adb9b6fa7d710e5e8b03c61d15e676b14a75e2c5c1faa7ce8516151f0b82a145cb6b120145a316d5805

Download Submit
C:\Users\Admin\AppData\Local\Temp\711248.txt

Filesize
2B

MD5
d9d4f495e875a2e075a1a4a6e1b9770f

SHA1
fe2ef495a1152561572949784c16bf23abb28057

SHA256
25fc0e7096fc653718202dc30b0c580b8ab87eac11a700cba03a7c021bc35b0c

SHA512
9c3211509a9eee80f881f6b6666ab82df6bec222c84ba583c5bb636a0a0d811d850524e9adba61950e09fcd06ffacdd0ee164220ac09a2319b2f35db219fc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\711248.txt

Filesize
2B

MD5
d9d4f495e875a2e075a1a4a6e1b9770f

SHA1
fe2ef495a1152561572949784c16bf23abb28057

SHA256
25fc0e7096fc653718202dc30b0c580b8ab87eac11a700cba03a7c021bc35b0c

SHA512
9c3211509a9eee80f881f6b6666ab82df6bec222c84ba583c5bb636a0a0d811d850524e9adba61950e09fcd06ffacdd0ee164220ac09a2319b2f35db219fc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\724802.txt

Filesize
5B

MD5
507cefd45103934642e8584a58e5e10e

SHA1
8608246004ceeecfe33279897ae52b707afe5d74

SHA256
8ea8690abce0fa2207a5a8b06ad7913842b360765c0d0df682e54b2186ac0d51

SHA512
dbd4ac5e97dd7767368a3ff8a26942ab7cf2ad7bd4ce0cc471bac4a04b45a0f1ecd7dfb1f7e8c901b5214e6665f586dbcac2a534ee1949b46a24971c18440355

Download Submit
C:\Users\Admin\AppData\Local\Temp\724938.txt

Filesize
5B

MD5
3e2309f10cc986e761d11632be29f3ad

SHA1
d149add6e9d06301e76194b5028d6b17e93cd1cc

SHA256
1bc62363f5c000cca6616fdf5b897ff1a0309c6ff8c55bb6f6949960fa574c27

SHA512
af99dfe84a577fc1029f7772f18a013c9afe5fbdd0fec12f1c76ae9fe92f20b834adf35484b833fecac277d5da404abbd088555e27ac09e707d271b808f03256

Download Submit
C:\Users\Admin\AppData\Local\Temp\815595.txt

Filesize
5B

MD5
01ee2e65c1b26551bda7abb393ac860c

SHA1
b226ddc44162f1b553a836f69c98314d27b303cb

SHA256
80df70e6d5fd87c83a721a3771e5e4049f78db43654dfa13075710046d07c013

SHA512
7f88044df40e1666d1e7d0f7b95cc92bb87e50275a88b84901574dba7d75da2ca2096308f1c92fbfc84f04fa9bab1ef3b7ec30562ef2496ae769d84d012c4233

Download Submit
C:\Users\Admin\AppData\Local\Temp\816768.txt

Filesize
5B

MD5
53c6684db6a8f413504063163d94972b

SHA1
e0eba759a7cc0b453e086baea6aaa813bdd8fb12

SHA256
ab33bb0a9c7ea93d36f90d9a81da3d30da4a94c93aa5d649462e7dad4e869490

SHA512
b07091f01794f509ff0f4722238f295658f89d761b406b4b2db64da700699868bbd014e845a4dc0ad798c4bd247ec7ccb318b105c51d188c70dcf36dd2bbb16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354900.exe

Filesize
3.0MB

MD5
e77e5c1c711dfb2dfe55d738d028b93f

SHA1
1e6a2fc4283bc803606df71997f968a036fcfbbd

SHA256
611514ba7cc5e680bfb91b2c131853bc312504625eedbac2361c3bd26f37fddc

SHA512
2fb4ad60611f5e53f7d5213de398acad835d7995d56e1065e4b1f8ea774a67f22291ea9923a4795ae1f2efb5abb4ac29bceda3699da1b34002339a9d1b6a9e83

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354902.exe

Filesize
3.0MB

MD5
e885e031c2798db3f5a9a878a7861f02

SHA1
65b6792c7599e4bb6752fda75c45954ed0c6cd09

SHA256
2778938c34cbd414bd646c91b900a35f994d0525f6353dce13ada9d95ecc410e

SHA512
4d285d44c4d888d0a4f7d182b94d44b950367f2ab5c66e146af0ebc9a29e154b9410c168c076d900286956eca900f5ff05cec87c85f6089c3a22620ea6b477e1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.67850d6172128a8ebb00611f2c7354907.exe

Filesize
3.0MB

MD5
6c8a158bc0a49e877693dd9138712fcf

SHA1
07c8a45f70c79004f538d3a5ef7971a70a21253b

SHA256
1e0d2afa3eddf1d1bb76457d4c955c4879e78a3622ee12cfbe15460822fa7a1b

SHA512
fb9df82a9f70295c209744312e73503998a873d61092b562db11350811273d9ed84a94ecf09f5f945df24ad02f489917a230a52416ceec3de307df74396a5015

Download Submit
memory/472-140-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/544-141-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/628-142-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/748-139-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/888-144-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1128-129-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1512-175-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1576-156-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1628-100-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1668-188-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1716-177-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1752-164-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1776-163-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1888-124-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1924-149-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1936-162-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1968-105-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2004-112-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2020-176-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2052-111-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2116-183-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2224-166-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2236-181-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2252-178-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2416-186-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2448-110-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2464-157-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2512-91-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2540-182-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2580-115-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2596-161-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2612-158-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2628-117-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2648-69-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2684-126-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2712-187-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2712-179-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2776-70-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2808-184-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2816-180-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2828-153-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2852-185-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2916-113-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2932-160-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2988-50-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-54-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3068-114-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download