19f356e2b80cd6d8a6a8bf9228ddaf7a94948271deb16f53efde6ef5df8fdd8f

Analysis

max time kernel
46s
max time network
132s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Size

3.0MB
MD5

bb17eadad40e2b3ec213e6d061ffa4f0
SHA1

c17f37e2079b15cc25797b1cf25b43ab62d42852
SHA256

19f356e2b80cd6d8a6a8bf9228ddaf7a94948271deb16f53efde6ef5df8fdd8f
SHA512

009f86e71c0f29e7b6dda9fd1bf5b43f3eba462522272bdd7737a1486ba0fde6f6b8c491c42035ab4c830e3526aba325a9f66140609fdf02562fd536211ada8b
SSDEEP

49152:j495UciMmq/NhjX5p3JOCdLAweZnE5c965nqqIP2Itd6:jk5LhzACdLAlnE5co5nqqIP2Itd6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1560	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
2628	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
560	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
568	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2512	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
1292	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2300	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
1052	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2984	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
1212	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2068	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
1628	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
1720	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2888	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
3016	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2772	NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
1780	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
1900	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
1672	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2324	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
1148	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2356	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2780	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
2284	cmd.exe
2428	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
944	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
2956	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
608	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2232	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
2336	cmd.exe
2648	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
1436	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2860	cmd.exe
1244	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2804	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
2044	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
840	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2408	NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
2480	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
2752	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
2964	cmd.exe
1812	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2540	cmd.exe
2792	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
1992	NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
2768	cmd.exe
1652	cmd.exe
2292	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
2924	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
3088	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
3148	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
3204	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
3212	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
3228	NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
3276	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
3324	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
3376	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
3368	NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
3448	NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
3488	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
3528	NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
3556	NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
3548	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
3608	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Loads dropped DLL 64 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe
2496	conhost.exe
2496	conhost.exe
2848	Process not Found
1312	Process not Found
1672	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
1672	NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
1800	cmd.exe
1800	cmd.exe
2240	cmd.exe
2240	cmd.exe
1636	cmd.exe
1636	cmd.exe
528	Process not Found
2476	cmd.exe
2476	cmd.exe
1524	Process not Found
2508	Process not Found
1108	Process not Found
2664	Process not Found
2268	cmd.exe
2268	cmd.exe
3064	Process not Found
948	cmd.exe
948	cmd.exe
792	cmd.exe
792	cmd.exe
1996	cmd.exe
1996	cmd.exe
1676	Process not Found
1504	cmd.exe
2336	cmd.exe
1504	cmd.exe
2336	cmd.exe
880	cmd.exe
2064	cmd.exe
1924	Process not Found
2064	cmd.exe
2768	cmd.exe
2768	cmd.exe
880	cmd.exe
2524	Process not Found
2108	Process not Found
2724	Process not Found
2596	cmd.exe
2596	cmd.exe
2860	cmd.exe
1452	cmd.exe
2860	cmd.exe
1452	cmd.exe
2680	Process not Found
3024	conhost.exe
1432	conhost.exe
1432	conhost.exe
2872	Process not Found
2696	cmd.exe
2696	cmd.exe
2716	conhost.exe
2716	conhost.exe
1456	Process not Found
1068	Process not Found
1928	Process not Found
2344	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 27 IoCs

evasion

pid	Process
8640	taskkill.exe
7376	taskkill.exe
11596	taskkill.exe
1620	taskkill.exe
8592	taskkill.exe
7248	taskkill.exe
8632	taskkill.exe
11580	taskkill.exe
10228	Process not Found
8172	taskkill.exe
9668	taskkill.exe
10076	taskkill.exe
10044	taskkill.exe
10052	taskkill.exe
7224	taskkill.exe
7700	taskkill.exe
8624	taskkill.exe
8648	taskkill.exe
10084	taskkill.exe
11588	taskkill.exe
7416	Process not Found
7440	taskkill.exe
8552	taskkill.exe
10116	taskkill.exe
10092	taskkill.exe
7588	taskkill.exe
8608	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeAssignPrimaryTokenPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeLockMemoryPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeIncreaseQuotaPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeMachineAccountPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeTcbPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeSecurityPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeTakeOwnershipPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeLoadDriverPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeSystemProfilePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeSystemtimePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeProfSingleProcessPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeIncBasePriorityPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeCreatePagefilePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeCreatePermanentPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeBackupPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeRestorePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeShutdownPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeDebugPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeAuditPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeSystemEnvironmentPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeChangeNotifyPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeRemoteShutdownPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeUndockPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeSyncAgentPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeEnableDelegationPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeManageVolumePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeImpersonatePrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeCreateGlobalPrivilege	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: 31	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: 32	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: 33	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: 34	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: 35	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
Token: SeCreateTokenPrivilege	2036	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	2036	cmd.exe
Token: SeLockMemoryPrivilege	2036	cmd.exe
Token: SeIncreaseQuotaPrivilege	2036	cmd.exe
Token: SeMachineAccountPrivilege	2036	cmd.exe
Token: SeTcbPrivilege	2036	cmd.exe
Token: SeSecurityPrivilege	2036	cmd.exe
Token: SeTakeOwnershipPrivilege	2036	cmd.exe
Token: SeLoadDriverPrivilege	2036	cmd.exe
Token: SeSystemProfilePrivilege	2036	cmd.exe
Token: SeSystemtimePrivilege	2036	cmd.exe
Token: SeProfSingleProcessPrivilege	2036	cmd.exe
Token: SeIncBasePriorityPrivilege	2036	cmd.exe
Token: SeCreatePagefilePrivilege	2036	cmd.exe
Token: SeCreatePermanentPrivilege	2036	cmd.exe
Token: SeBackupPrivilege	2036	cmd.exe
Token: SeRestorePrivilege	2036	cmd.exe
Token: SeShutdownPrivilege	2036	cmd.exe
Token: SeDebugPrivilege	2036	cmd.exe
Token: SeAuditPrivilege	2036	cmd.exe
Token: SeSystemEnvironmentPrivilege	2036	cmd.exe
Token: SeChangeNotifyPrivilege	2036	cmd.exe
Token: SeRemoteShutdownPrivilege	2036	cmd.exe
Token: SeUndockPrivilege	2036	cmd.exe
Token: SeSyncAgentPrivilege	2036	cmd.exe
Token: SeEnableDelegationPrivilege	2036	cmd.exe
Token: SeManageVolumePrivilege	2036	cmd.exe
Token: SeImpersonatePrivilege	2036	cmd.exe
Token: SeCreateGlobalPrivilege	2036	cmd.exe
Token: 31	2036	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2920	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	29
PID 1732 wrote to memory of 2920	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	29
PID 1732 wrote to memory of 2920	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	29
PID 2920 wrote to memory of 2036	2920	cmd.exe	30
PID 2920 wrote to memory of 2036	2920	cmd.exe	30
PID 2920 wrote to memory of 2036	2920	cmd.exe	30
PID 1732 wrote to memory of 2752	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	32
PID 1732 wrote to memory of 2752	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	32
PID 1732 wrote to memory of 2752	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	32
PID 2752 wrote to memory of 2660	2752	cmd.exe	33
PID 2752 wrote to memory of 2660	2752	cmd.exe	33
PID 2752 wrote to memory of 2660	2752	cmd.exe	33
PID 1732 wrote to memory of 2108	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	34
PID 1732 wrote to memory of 2108	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	34
PID 1732 wrote to memory of 2108	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	34
PID 2108 wrote to memory of 2712	2108	Process not Found	36
PID 2108 wrote to memory of 2712	2108	Process not Found	36
PID 2108 wrote to memory of 2712	2108	Process not Found	36
PID 1732 wrote to memory of 2676	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	166
PID 1732 wrote to memory of 2676	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	166
PID 1732 wrote to memory of 2676	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	166
PID 2036 wrote to memory of 2800	2036	cmd.exe	39
PID 2036 wrote to memory of 2800	2036	cmd.exe	39
PID 2036 wrote to memory of 2800	2036	cmd.exe	39
PID 2676 wrote to memory of 2808	2676	conhost.exe	40
PID 2676 wrote to memory of 2808	2676	conhost.exe	40
PID 2676 wrote to memory of 2808	2676	conhost.exe	40
PID 1732 wrote to memory of 2720	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	197
PID 1732 wrote to memory of 2720	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	197
PID 1732 wrote to memory of 2720	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	197
PID 2036 wrote to memory of 2936	2036	cmd.exe	43
PID 2036 wrote to memory of 2936	2036	cmd.exe	43
PID 2036 wrote to memory of 2936	2036	cmd.exe	43
PID 2720 wrote to memory of 2780	2720	cmd.exe	622
PID 2720 wrote to memory of 2780	2720	cmd.exe	622
PID 2720 wrote to memory of 2780	2720	cmd.exe	622
PID 1732 wrote to memory of 2076	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	45
PID 1732 wrote to memory of 2076	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	45
PID 1732 wrote to memory of 2076	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	45
PID 2076 wrote to memory of 2684	2076	cmd.exe	47
PID 2076 wrote to memory of 2684	2076	cmd.exe	47
PID 2076 wrote to memory of 2684	2076	cmd.exe	47
PID 1732 wrote to memory of 2592	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	49
PID 1732 wrote to memory of 2592	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	49
PID 1732 wrote to memory of 2592	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	49
PID 2712 wrote to memory of 2588	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	50
PID 2712 wrote to memory of 2588	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	50
PID 2712 wrote to memory of 2588	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	50
PID 2592 wrote to memory of 3048	2592	cmd.exe	266
PID 2592 wrote to memory of 3048	2592	cmd.exe	266
PID 2592 wrote to memory of 3048	2592	cmd.exe	266
PID 1732 wrote to memory of 2732	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	51
PID 1732 wrote to memory of 2732	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	51
PID 1732 wrote to memory of 2732	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	51
PID 2712 wrote to memory of 2496	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	169
PID 2712 wrote to memory of 2496	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	169
PID 2712 wrote to memory of 2496	2712	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	169
PID 2732 wrote to memory of 2560	2732	cmd.exe	58
PID 2732 wrote to memory of 2560	2732	cmd.exe	58
PID 2732 wrote to memory of 2560	2732	cmd.exe	58
PID 1732 wrote to memory of 2596	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	628
PID 1732 wrote to memory of 2596	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	628
PID 1732 wrote to memory of 2596	1732	NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe	628
PID 2596 wrote to memory of 2632	2596	cmd.exe	597

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+714346.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      4⤵
      PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:1560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
        8⤵
        
        PID:6624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
        8⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
        9⤵
        
        PID:6436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
        8⤵
        
        PID:7256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
        8⤵
        
        PID:11128
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
        9⤵
        
        PID:7280
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        Loads dropped DLL
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
        8⤵
        Loads dropped DLL
        
        PID:2476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        
        PID:2860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
        8⤵
        
        PID:7532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
        8⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
        9⤵
        
        PID:9944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f077.exe
        8⤵
        
        PID:11256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f077.exe 1699026771
        8⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f077.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f077.exe 1699026771
        9⤵
        
        PID:12076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:3196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        8⤵
        
        PID:3728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        9⤵
        
        PID:7508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        9⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        10⤵
        
        PID:9936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        9⤵
        
        PID:11176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        9⤵
        
        PID:10980
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        10⤵
        
        PID:5648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        7⤵
        
        PID:2608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        7⤵
        
        PID:4624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
        8⤵
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
        8⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
        9⤵
        
        PID:9708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
        8⤵
        
        PID:11032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
        8⤵
        
        PID:9376
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
        9⤵
        
        PID:5960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        7⤵
        
        PID:4316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
        8⤵
        
        PID:6992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
        8⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
        9⤵
        
        PID:8512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
        8⤵
        
        PID:9404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
        8⤵
        
        PID:11984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
        9⤵
        
        PID:10188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        7⤵
        
        PID:5360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:3776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:3896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:3536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        
        PID:112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        
        PID:1916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        Loads dropped DLL
        
        PID:2064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
        6⤵
        Loads dropped DLL
        
        PID:1996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        6⤵
        Loads dropped DLL
        
        PID:948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+614515.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
      4⤵
      PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:2512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe
        8⤵
        
        PID:6408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe 1699026771
        8⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe 1699026771
        9⤵
        
        PID:8576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
        8⤵
        
        PID:9532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
        8⤵
        
        PID:11960
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
        9⤵
        
        PID:9456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
        8⤵
        
        PID:7556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
        8⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
        9⤵
        
        PID:9764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe
        8⤵
        
        PID:11204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe 1699026771
        8⤵
        
        PID:12260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe 1699026771
        9⤵
        
        PID:11996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        7⤵
        
        PID:4056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        7⤵
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
        8⤵
        
        PID:7200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
        8⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
        9⤵
        
        PID:9836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
        8⤵
        
        PID:11148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
        8⤵
        
        PID:10296
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
        9⤵
        
        PID:9068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        7⤵
        
        PID:4616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        7⤵
        
        PID:4600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        7⤵
        
        PID:6924
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:4528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:4168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:3252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:3956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
        6⤵
        
        PID:3628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        7⤵
        
        PID:7288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        7⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        8⤵
        
        PID:10068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        7⤵
        
        PID:11048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        7⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        8⤵
        
        PID:11636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        6⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        8⤵
        
        PID:6400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        8⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        9⤵
        
        PID:8456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        8⤵
        
        PID:9580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:12044
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        9⤵
        
        PID:9436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
      4⤵
      Executes dropped EXE
      PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+025095.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
      4⤵
      PID:2588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
      4⤵
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:2628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        Loads dropped DLL
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+117088.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f001.exe
        8⤵
        
        PID:7108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f001.exe 1699026771
        8⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f001.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f001.exe 1699026771
        9⤵
        
        PID:8052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        8⤵
        
        PID:6324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        8⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        9⤵
        
        PID:8416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        8⤵
        
        PID:9568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:12000
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        9⤵
        
        PID:9440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        8⤵
        
        PID:6588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        8⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        9⤵
        
        PID:8380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        8⤵
        
        PID:8008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:12036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        9⤵
        
        PID:11816
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:2852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        8⤵
        
        PID:6876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        8⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        9⤵
        
        PID:8388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        8⤵
        
        PID:9524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        8⤵
        
        PID:12116
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        9⤵
        
        PID:10812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        8⤵
        
        PID:7036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        8⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        9⤵
        
        PID:8584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        8⤵
        
        PID:9468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        8⤵
        
        PID:12108
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        9⤵
        
        PID:10956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
        8⤵
        
        PID:3984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:4632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        8⤵
        
        PID:7320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        9⤵
        
        PID:7956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        8⤵
        
        PID:10844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:9596
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        9⤵
        
        PID:5752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:4364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        8⤵
        
        PID:6264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        8⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        9⤵
        
        PID:8328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        8⤵
        
        PID:9436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        8⤵
        
        PID:11952
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        9⤵
        
        PID:11796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:5332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        7⤵
        
        PID:3968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:1752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:2340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        Loads dropped DLL
        
        PID:1452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6476
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+118442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
      4⤵
      PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+025095.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
      4⤵
      PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
      4⤵
      PID:1672
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        Executes dropped EXE
        
        PID:2480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        8⤵
        Executes dropped EXE
        
        PID:1812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:1564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        8⤵
        
        PID:7072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        8⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        9⤵
        
        PID:8368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        8⤵
        
        PID:9448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        8⤵
        
        PID:12052
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
        9⤵
        
        PID:9568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:3892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:4440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        8⤵
        
        PID:7348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        9⤵
        
        PID:9788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        8⤵
        
        PID:11132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:10876
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        9⤵
        
        PID:5928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        8⤵
        
        PID:2640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        8⤵
        
        PID:6280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        8⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        9⤵
        
        PID:7508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        8⤵
        
        PID:8964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        8⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        9⤵
        
        PID:12264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:5168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:6664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
        7⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        8⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        9⤵
        
        PID:6812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        8⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        9⤵
        
        PID:8184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        8⤵
        
        PID:7048
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:8624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        7⤵
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        7⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:9896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        7⤵
        
        PID:11240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        7⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:4024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:1056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:7612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7924
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+118442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
      4⤵
      PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+025095.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
      4⤵
      PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:1292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        8⤵
        
        PID:7500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        8⤵
        
        PID:8664
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        9⤵
        
        PID:10108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
        8⤵
        
        PID:10976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
        8⤵
        
        PID:12232
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
        9⤵
        
        PID:2268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        8⤵
        
        PID:7304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        8⤵
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        9⤵
        
        PID:6056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        8⤵
        
        PID:11100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        9⤵
        
        PID:2056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:4608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        8⤵
        
        PID:7156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        8⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        9⤵
        
        PID:6996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        8⤵
        
        PID:7960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        8⤵
        
        PID:10668
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        9⤵
        
        PID:12224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:6640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:4180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:4048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        
        PID:3648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        6⤵
        
        PID:3288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
        8⤵
        
        PID:7116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        8⤵
        
        PID:8008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        8⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
        9⤵
        
        PID:9844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+118442.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
      4⤵
      PID:2088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:1052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        6⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        7⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        8⤵
        
        PID:7540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        8⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        9⤵
        
        PID:9724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        8⤵
        
        PID:11016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        8⤵
        
        PID:10272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        9⤵
        
        PID:12016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        7⤵
        
        PID:4036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        6⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        7⤵
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f019.exe
        8⤵
        
        PID:6172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f019.exe 1699026771
        8⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f019.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f019.exe 1699026771
        9⤵
        
        PID:8320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f014.exe
        8⤵
        
        PID:9496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f014.exe 1699026771
        8⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f014.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f014.exe 1699026771
        9⤵
        
        PID:10696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        6⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        7⤵
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        8⤵
        
        PID:7232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        8⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        9⤵
        
        PID:10060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        8⤵
        
        PID:10880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        8⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        9⤵
        
        PID:11604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        7⤵
        
        PID:4640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        6⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        7⤵
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        8⤵
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        8⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        9⤵
        
        PID:9740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        8⤵
        
        PID:11004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        8⤵
        
        PID:10288
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        9⤵
        
        PID:10212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        7⤵
        
        PID:4472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        6⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        7⤵
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        8⤵
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        8⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        9⤵
        
        PID:8568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
        8⤵
        
        PID:9380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
        8⤵
        
        PID:12100
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
        9⤵
        
        PID:11008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        7⤵
        
        PID:5400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
        7⤵
        
        PID:3928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:6468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+024572.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
      4⤵
      PID:2988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+630222.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
      4⤵
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
      4⤵
      PID:7192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
      4⤵
      PID:7032
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        5⤵
        
        PID:9876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
      4⤵
      PID:11208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
      4⤵
      PID:11068
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        5⤵
        
        PID:10728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
      4⤵
      Loads dropped DLL
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
        5⤵
        Executes dropped EXE
        
        PID:2772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        6⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        7⤵
        
        PID:6124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        6⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        7⤵
        
        PID:8476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:7200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:11588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
      4⤵
      PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+11381.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
      4⤵
      PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+29234.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
      4⤵
      PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
      4⤵
      PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
      4⤵
      PID:1420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+924049.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
      4⤵
      Executes dropped EXE
      PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+32030.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
      4⤵
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
        5⤵
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
        6⤵
        
        PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+713161.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      4⤵
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
    3⤵
    - Executes dropped EXE
    PID:608
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
      4⤵
      PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+32030.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
      4⤵
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
        5⤵
        
        PID:3704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        6⤵
        
        PID:2436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        6⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        7⤵
        
        PID:8528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        6⤵
        
        PID:9392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        6⤵
        
        PID:11944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        7⤵
        
        PID:10984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
      4⤵
      PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
        5⤵
        
        PID:4136
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        6⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        7⤵
        
        PID:6688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        6⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        7⤵
        
        PID:6876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+713161.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      4⤵
      PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
      4⤵
      PID:6648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
      4⤵
      PID:8112
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
        5⤵
        
        PID:8060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
      4⤵
      PID:7284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
      4⤵
      PID:12084
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        5⤵
        
        PID:10924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
      4⤵
      PID:6616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
      4⤵
      PID:5864
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
        5⤵
        
        PID:8536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
      4⤵
      PID:7744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
      4⤵
      PID:11928
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        5⤵
        
        PID:11260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
      4⤵
      PID:2520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        5⤵
        
        PID:6452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
        5⤵
        
        PID:7408
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
        6⤵
        
        PID:8600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        5⤵
        
        PID:9616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        5⤵
        
        PID:12144
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        6⤵
        
        PID:10704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
      4⤵
      PID:7524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
      4⤵
      PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
        5⤵
        
        PID:9748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      4⤵
      PID:8220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
      4⤵
      PID:11112
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
        5⤵
        
        PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+32552.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
      4⤵
      PID:7516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
      4⤵
      PID:8344
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
        5⤵
        
        PID:10024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      4⤵
      PID:8356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
      4⤵
      PID:9584
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
        5⤵
        
        PID:8096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
      4⤵
      PID:7400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
      4⤵
      PID:8240
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        5⤵
        
        PID:10100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
      4⤵
      PID:10960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
      4⤵
      PID:11228
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        5⤵
        
        PID:9128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
    3⤵
    - Executes dropped EXE
    PID:3608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
      4⤵
      PID:7548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
      4⤵
      PID:8288
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
        5⤵
        
        PID:9652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
      4⤵
      PID:10920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
      4⤵
      PID:9468
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
        5⤵
        
        PID:12096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
      4⤵
      PID:7384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
      4⤵
      PID:8296
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        5⤵
        
        PID:10016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
      4⤵
      PID:11056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
      4⤵
      PID:9620
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        5⤵
        
        PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
    3⤵
    PID:5212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
    3⤵
    PID:6904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1620

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
1⤵
- Executes dropped EXE
PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    - Executes dropped EXE
    PID:2924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
      4⤵
      PID:7484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
      4⤵
      PID:8264
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        5⤵
        
        PID:9868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
      4⤵
      PID:10872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
      4⤵
      PID:9540
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        5⤵
        
        PID:8116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    - Executes dropped EXE
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
      4⤵
      Executes dropped EXE
      PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:3664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
      4⤵
      PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
      4⤵
      PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        5⤵
        
        PID:7900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
      4⤵
      PID:10824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
      4⤵
      PID:12272
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        5⤵
        
        PID:12052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:6960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
    3⤵
    PID:7208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
    3⤵
    PID:7472
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
      4⤵
      PID:9344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
    3⤵
    PID:10968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
    3⤵
    PID:10196
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
      4⤵
      PID:11088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  - Executes dropped EXE
  PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
    3⤵
    PID:7476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
    3⤵
    PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
      4⤵
      PID:10036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
    3⤵
    PID:7340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
    3⤵
    PID:9532
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
      4⤵
      PID:8972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:7420
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:6404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10052

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
1⤵
PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
  2⤵
  PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+29234.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
  2⤵
  PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+924049.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
  2⤵
  PID:1768

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
1⤵
- Executes dropped EXE
PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    - Executes dropped EXE
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
      4⤵
      Executes dropped EXE
      PID:2956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        5⤵
        
        PID:6320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        5⤵
        
        PID:8000
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
        6⤵
        
        PID:8440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        5⤵
        
        PID:9596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        5⤵
        
        PID:12068
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
        6⤵
        
        PID:10712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
      4⤵
      PID:6848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
      4⤵
      PID:7732
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        5⤵
        
        PID:8616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
      4⤵
      PID:9364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
      4⤵
      PID:11992
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f017.exe 1699026771
        5⤵
        
        PID:10840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    - Executes dropped EXE
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:4224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
      4⤵
      PID:5212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
      4⤵
      PID:8076
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        5⤵
        
        PID:9624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
      4⤵
      PID:10808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
      4⤵
      PID:9404
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        5⤵
        
        PID:12064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:4888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
      4⤵
      PID:7336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
      4⤵
      PID:7040
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
        5⤵
        
        PID:9732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
      4⤵
      PID:10936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
      4⤵
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
        5⤵
        
        PID:11660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
      4⤵
      PID:3812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
        5⤵
        
        PID:7080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
        5⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
        6⤵
        
        PID:8544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f074.exe
        5⤵
        
        PID:9456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f074.exe 1699026771
        5⤵
        
        PID:11936
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f074.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f074.exe 1699026771
        6⤵
        
        PID:10372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
      4⤵
      PID:268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        5⤵
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        5⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
        6⤵
        
        PID:9860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        5⤵
        
        PID:11192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        5⤵
        
        PID:9432
      - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f08.exe 1699026771
        6⤵
        
        PID:11932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
      4⤵
      PID:7064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
      4⤵
      PID:8128
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f016.exe 1699026771
        5⤵
        
        PID:8408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
      4⤵
      PID:9416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
      4⤵
      PID:12008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
        5⤵
        
        PID:11840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:5260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:6632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+029863.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f010.exe
      4⤵
      PID:10204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
    3⤵
    PID:7264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
    3⤵
    PID:8216
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
      4⤵
      PID:9884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
    3⤵
    PID:11224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
    3⤵
    PID:10304
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
      4⤵
      PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:6936
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:7636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8648

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
1⤵
PID:2536

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ClearAdd.temp
1⤵
- Modifies registry class
PID:108

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
1⤵
PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
  2⤵
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe 1699026771
    3⤵
    PID:3172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
      4⤵
      PID:5920
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /protect 1699026771
        5⤵
        
        PID:6704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
      4⤵
      PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe /save 1699026771
        5⤵
        
        PID:7828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:6312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:8552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+713161.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+32030.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe
  2⤵
  PID:3676

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+923527.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
  2⤵
  PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
  2⤵
  PID:5204
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f079.exe 1699026771
    3⤵
    PID:6696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+821015.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
  2⤵
  PID:7360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
  2⤵
  PID:7656
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
    3⤵
    PID:7504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-547062904-173710779262388942-38802635-1837680199-1701276877-2070452137-1130547433"
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
1⤵
- Executes dropped EXE
PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
    3⤵
    PID:6656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+031431.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f060.exe
      4⤵
      PID:9352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
  2⤵
  PID:6884
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
    3⤵
    PID:7628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8640

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
1⤵
- Executes dropped EXE
PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
  2⤵
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
    3⤵
    PID:7132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
  2⤵
  PID:7840
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
    3⤵
    PID:8484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:11596

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2468770214769536-132673952110129302641890878414132140360858341054-1295585428"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
  2⤵
  PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1392359866-10501051329985784996431510133769285287538845392763587-1640189242"
1⤵
- Loads dropped DLL
PID:2496

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
  2⤵
  PID:6344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
  2⤵
  PID:6316
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
    3⤵
    PID:8448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
  2⤵
  PID:9552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
  2⤵
  PID:12028
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
    3⤵
    PID:10940

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
  2⤵
  PID:6416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
  2⤵
  PID:8092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
    3⤵
    PID:8432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
  2⤵
  PID:9588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
  2⤵
  PID:12076
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:11048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20375009461976065359804624532315755571-891431281252066770-1124903906-1984465637"
1⤵
- Loads dropped DLL
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-580442646-206620400429629715-55316984913184439621851509631-2050259534495802743"
1⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
  2⤵
  PID:6424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
  2⤵
  PID:5140
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f013.exe 1699026771
    3⤵
    PID:8560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
  2⤵
  PID:9604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
  2⤵
  PID:12060
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
    3⤵
    PID:10832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12318238198272173441633883836-4358247971664283760-1683435696194408811-637529096"
1⤵
PID:2852
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
  2⤵
  PID:2284

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
1⤵
- Executes dropped EXE
PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /protect 1699026771
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /protect 1699026771
    3⤵
    PID:6680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /save 1699026771
  2⤵
  PID:7280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /save 1699026771
    3⤵
    PID:8152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10084

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
  2⤵
  PID:7412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
  2⤵
  PID:6416
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
    3⤵
    PID:10000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
  2⤵
  PID:10568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
  2⤵
  PID:11244
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f007.exe 1699026771
    3⤵
    PID:9092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-121146714787734610-1209249466531383747786303633-16671303261204845565-1465373705"
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
1⤵
- Executes dropped EXE
PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /protect 1699026771
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /protect 1699026771
    3⤵
    PID:6820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /save 1699026771
  2⤵
  PID:7312
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /save 1699026771
    3⤵
    PID:8036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10116

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
1⤵
PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+612255.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
  2⤵
  PID:7492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
  2⤵
  PID:7392
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
    3⤵
    PID:9756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+728868.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe
  2⤵
  PID:11236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe 1699026771
  2⤵
  PID:6356
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f067.exe 1699026771
    3⤵
    PID:5520

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
1⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
1⤵
PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
  2⤵
  PID:6968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
  2⤵
  PID:8100
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
    3⤵
    PID:7336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f04.exe
  2⤵
  PID:7300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f04.exe 1699026771
  2⤵
  PID:12016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f04.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f04.exe 1699026771
    3⤵
    PID:7420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12486403971972485774-92703302634517589510995868836067901521658012086-1557954816"
1⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:1452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "51043860320662232222672521871969985485-560976077-2141484044713545908-1375140353"
1⤵
PID:1564
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
  2⤵
  - Executes dropped EXE
  PID:3276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15199648821001185182-878233562-189815223969847384-1462276292-2035765632-1629140069"
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
  2⤵
  PID:2768

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
1⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
  2⤵
  PID:7176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
  2⤵
  PID:7432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:9700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
  2⤵
  PID:10952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
  2⤵
  PID:9508
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
    3⤵
    PID:10764

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
1⤵
PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
    3⤵
    PID:7140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
  2⤵
  PID:7744
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
    3⤵
    PID:7036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:8336
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10076

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /protect 1699026771
1⤵
PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
  2⤵
  PID:7216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
  2⤵
  PID:7156
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f062.exe 1699026771
    3⤵
    PID:9852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
  2⤵
  PID:10840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
  2⤵
  PID:9496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f068.exe 1699026771
    3⤵
    PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+612778.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
  2⤵
  PID:7368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
  2⤵
  PID:8256
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:9644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
  2⤵
  PID:11060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
  2⤵
  PID:10228
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
    3⤵
    PID:7720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
1⤵
PID:4772
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe 1699026771
  2⤵
  PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe /protect 1699026771
    3⤵
    PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe /protect 1699026771
      4⤵
      PID:6672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe+410457.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0764.exe
        5⤵
        
        PID:1076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0764.exe 1699026771
        5⤵
        
        PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe /save 1699026771
    3⤵
    PID:7148
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f076.exe /save 1699026771
      4⤵
      PID:7620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:7944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:8608

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
1⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
1⤵
PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
  2⤵
  PID:7240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
  2⤵
  PID:8208
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
    3⤵
    PID:9772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
  2⤵
  PID:11116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
  2⤵
  PID:9444
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
    3⤵
    PID:10588

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
1⤵
PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
    3⤵
    PID:7164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
  2⤵
  PID:7884
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
    3⤵
    PID:8504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:11580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
  2⤵
  PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    3⤵
    PID:7296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:8304
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
      4⤵
      PID:9632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
    3⤵
    PID:10888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
    3⤵
    PID:9380
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
      4⤵
      PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+612778.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
1⤵
PID:3600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1039519519205980276319893038101753850327-13488003441535974540222289011170926562"
1⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
  2⤵
  PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
  2⤵
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
    3⤵
    - Executes dropped EXE
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+117088.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f071.exe
1⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
  2⤵
  PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:6156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:7224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2112871096192643612132767176315401999291478209731783225385830369711002772077"
1⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
  2⤵
  PID:5376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
    3⤵
    PID:6368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
    3⤵
    PID:8068
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe 1699026771
      4⤵
      PID:7480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
    3⤵
    PID:9428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
    3⤵
    PID:12156
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
      4⤵
      PID:10236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f071.exe 1699026771
1⤵
PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
  2⤵
  PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+611733.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
    3⤵
    PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
    3⤵
    PID:8016
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f066.exe 1699026771
      4⤵
      PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe+37880.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe
    3⤵
    PID:10904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe 1699026771
    3⤵
    PID:9524
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f063.exe 1699026771
      4⤵
      PID:12108
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f071.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f071.exe 1699026771
  2⤵
  PID:6560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
    3⤵
    PID:11316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe+117088.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
1⤵
PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+612778.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f006.exe
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /save 1699026771
1⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
  2⤵
  PID:7392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
  2⤵
  PID:8032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:9716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
  2⤵
  PID:6968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
  2⤵
  PID:10360
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f008.exe 1699026771
    3⤵
    PID:2604

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
1⤵
PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
  2⤵
  PID:7272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
    3⤵
    PID:9324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
  2⤵
  PID:10856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
  2⤵
  PID:10872
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f078.exe 1699026771
    3⤵
    PID:7736

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
1⤵
PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+2984.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
  2⤵
  PID:7256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
  2⤵
  PID:7556
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f012.exe 1699026771
    3⤵
    PID:10008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe+83954.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
  2⤵
  PID:11096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
  2⤵
  PID:10280
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f018.exe 1699026771
    3⤵
    PID:12084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /protect 1699026771
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /protect 1699026771
  2⤵
  PID:6804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3066100551260420578-507838425-613086299536028883-1979881018198445062-231488016"
1⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe /protect 1699026771
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
  2⤵
  - Executes dropped EXE
  PID:3528

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe 1699026771
1⤵
PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
  2⤵
  PID:5904
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
    3⤵
    PID:7088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
  2⤵
  PID:7432
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
    3⤵
    PID:7788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:6168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:10092

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe /save 1699026771
1⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
1⤵
PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+923004.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
  2⤵
  PID:6868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
  2⤵
  PID:7968
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f009.exe 1699026771
    3⤵
    PID:8396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+427.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
  2⤵
  PID:9508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
  2⤵
  PID:12092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f004.exe 1699026771
    3⤵
    PID:10892

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
1⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /protect 1699026771
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /protect 1699026771
  2⤵
  PID:6188

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe 1699026771
1⤵
- Executes dropped EXE
PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /save 1699026771
  2⤵
  PID:7960
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f02.exe /save 1699026771
    3⤵
    PID:7708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:9668

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "433694242-18155965671244059779-1704344214-324931453-125512344211442918441102165058"
1⤵
PID:2908
- C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /protect 1699026771
  2⤵
  - Executes dropped EXE
  PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
    3⤵
    PID:6388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
    3⤵
    PID:6236
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f003.exe 1699026771
      4⤵
      PID:8424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
    3⤵
    PID:9544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
    3⤵
    PID:11976
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f002.exe 1699026771
      4⤵
      PID:11808

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe 1699026771
1⤵
- Executes dropped EXE
PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /save 1699026771
  2⤵
  PID:6464
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f09.exe /save 1699026771
    3⤵
    PID:8164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7664
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:8632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158071701011616278-4771216602095796552312174415-385390750426140265378395626"
1⤵
- Loads dropped DLL
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-807681089-881911101-104924821-1070944284-169478247012382414522087336328-1622374810"
1⤵
PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe 1699026771
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
    3⤵
    PID:6432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
    3⤵
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
      4⤵
      PID:7840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
    3⤵
    PID:10984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
    3⤵
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
      4⤵
      PID:11936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
  2⤵
  - Loads dropped DLL
  PID:1504

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /protect 1699026771
1⤵
- Executes dropped EXE
PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+31507.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
  2⤵
  PID:6444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
  2⤵
  PID:6844
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f073.exe 1699026771
    3⤵
    PID:7532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe+224941.txt C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
  2⤵
  PID:11072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
  2⤵
  PID:9476
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f072.exe 1699026771
    3⤵
    PID:11608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "112160384-683508353874460047-2031076494-666141355-6548231611429269682826636806"
1⤵
- Loads dropped DLL
PID:3024

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe 1699026771
1⤵
- Executes dropped EXE
PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
  2⤵
  PID:6576
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe /save 1699026771
    3⤵
    PID:6800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:7976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7700

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /protect 1699026771
1⤵
PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
  2⤵
  PID:6912
- - C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe 1699026771
    3⤵
    PID:7644

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe /save 1699026771
1⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f0.exe /save 1699026771
1⤵
PID:2012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ClearAdd.temp
1⤵
- Modifies registry class
PID:6180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ClearAdd.temp
1⤵
- Modifies registry class
PID:6192

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DebugUninstall.kix
1⤵
- Modifies registry class
PID:6228

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DebugUninstall.kix
1⤵
- Modifies registry class
PID:6240

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExitUnregister.mid"
1⤵
PID:6360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1866495608-1941384454127514965115703771224985143352183956831567225324-2104853766"
1⤵
PID:6368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1901458200-1179604975-1587212657-176014456-1721946741-561052905-873047816-1292978541"
1⤵
PID:6624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13047683241052867483-1539947097-88628513-19469965147131966661947455785-100686494"
1⤵
PID:7232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1120034169505924800842682851-246397204-188216858611968479364254326131688761320"
1⤵
PID:7360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1139504180667609419-1439562901422528166820717599-10618318821987483827-504751665"
1⤵
PID:9544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3849480805107171201274881203559617990-52233858599301570-1928053371466814625"
1⤵
PID:10668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "86916119820563516081579152327-14432201412127574593-100424822-1129022893-29471953"
1⤵
PID:11116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-189131883813058836761741399763-149301282-2057280472589639437-1937244557-276373750"
1⤵
PID:6968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1310129490-201083371-1589490308-656108632-2034021033-928016421130329598608777868"
1⤵
PID:10976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "368573955-60344718713356337773339682051475980667-1114104630-44730008870842380"
1⤵
PID:11056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "448230961202211336-1139510262-1356228961-13224779151559385875746682671342882859"
1⤵
PID:11240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "377691023667089852852378970-1215554034-315875806-774326511-6047396062048192028"
1⤵
PID:8356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "167066681114763256519842467981801202477-1584550493-2000914397611980209323563572"
1⤵
PID:11208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1954671250-19564501561318344419-257545131951660723-1153110511149071611-1842471116"
1⤵
PID:12092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\025095.txt

Filesize
4B

MD5
3ff31b21755de79edf5668a07bd37f81

SHA1
25b04cb8e702c2fb0e7d9d530e5e42ba1a2c1cbb

SHA256
b59593174a9ed010ad25fe0e143ae7790cf63c4bd7aa2a654ab80d1016da8265

SHA512
8a1b59ac4247935bafaf4927421fd642c1fd8b46da992e6188a98a1225443a170c3ab2942e531b0949c08dd533dbf559e63297bce6093bf2511ce35bb56a1c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\025095.txt

Filesize
4B

MD5
3ff31b21755de79edf5668a07bd37f81

SHA1
25b04cb8e702c2fb0e7d9d530e5e42ba1a2c1cbb

SHA256
b59593174a9ed010ad25fe0e143ae7790cf63c4bd7aa2a654ab80d1016da8265

SHA512
8a1b59ac4247935bafaf4927421fd642c1fd8b46da992e6188a98a1225443a170c3ab2942e531b0949c08dd533dbf559e63297bce6093bf2511ce35bb56a1c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\118442.txt

Filesize
5B

MD5
9a1d8e7dcd9cc4fd0e9806ea87e3105f

SHA1
5086c3c4f721b3321069d5524463de68ef013bfd

SHA256
27991ee8d8a3187e84f20ac42c2e5df16c1918e9f634527c3791f93356fb4eb0

SHA512
bbdeaae66523afe94ff744bec8c0312d46844c183cd6e15897ec7e05d35fae385fc2ea56f1980476f326de5063f5e2cca9b4041a0309d27b37e9625b42a070f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\118442.txt

Filesize
5B

MD5
9a1d8e7dcd9cc4fd0e9806ea87e3105f

SHA1
5086c3c4f721b3321069d5524463de68ef013bfd

SHA256
27991ee8d8a3187e84f20ac42c2e5df16c1918e9f634527c3791f93356fb4eb0

SHA512
bbdeaae66523afe94ff744bec8c0312d46844c183cd6e15897ec7e05d35fae385fc2ea56f1980476f326de5063f5e2cca9b4041a0309d27b37e9625b42a070f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\119925.bat

Filesize
124B

MD5
b70a3eb5d8b21153f7cdf9179323a62d

SHA1
d302d18a1c63e35be7b746c99b6f69d99e9479bc

SHA256
a9954cee5fc31767d9e22efadb0de8de5d2409bc7761afdf81fc0a57f1ecaeda

SHA512
986ccb286f59bd9dd4f7b4ee53bb205f148be001da8cbddfb863f899e15fefec104dfa0b06ba9fe824891a64c2d9e6fe51aac0c88652e6a2d2d9a3e17015ed39

Download Submit
C:\Users\Admin\AppData\Local\Temp\224941.txt

Filesize
5B

MD5
58936a175470c7915a764a2e98ebacf3

SHA1
95d99e98683612dc9f242f34a960acc25db6b181

SHA256
813c8ef9f0fbbbb20ccc252aec1876131af947e1ed189d6c904cd85e0945c276

SHA512
536e40116a2895c0f3f8659bcee9bb92084331047f6c56a62b094ee7f4a4b1bfc2992523cb8f795bce0a98a4c8546e4f1dd2ec3a5be9b4c0eb466c8447158e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\227421.bat

Filesize
124B

MD5
bf6920518a8f3bf6bcac15b7f789cb01

SHA1
53badd3b2bbeabc8cacc0ed7c16dc172b3114a95

SHA256
3999077cc48674009d53e7ab486dbbe70577070759dfd860e9f5ba0b5f87343f

SHA512
01f7bb3ec825e8e95e6f557150051773591e44f8f21701519701c7b5cbaeccfe9a6e34b45179c61fd49a937e892c0194b9fb9f94b0b6e8d5027f9699026e0f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2984.txt

Filesize
5B

MD5
e1549f7b56377c935b1c29794a8da341

SHA1
720428798a2e1c2a8fb53b67ad630bb49838b462

SHA256
18e42726c9bbddf7d24a8f22fae61bb1d69c7d4cf9bdddd0fd26ceeaa99418e2

SHA512
454b8f4cfd4807d709f7306df988ecdf0c73896e190a166e4be7bacf9896a8bc23ce75d83d5dd70fd00dc2886e6cbac14e79fb40902953dbd4c6ca9d73ae8a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\31095.bat

Filesize
123B

MD5
24d550c5d3b33dc634af0d06b6d6f425

SHA1
c7c4b0a21d6203e2c405227bc20e05b9f5d73727

SHA256
26e535630803a78e1ff7613aa1e1f297dbe93dc0bb36fd47e8fdb18424579b15

SHA512
06fdb3197cadcc2db8b4e8186d9751c676d412a36319f91a4abbdb2518bdeac00bd3e1b0b0b4d3d36bfe2a74938fdfaaf9599d3cb3f9b97e63bbbfb9afc58510

Download Submit
C:\Users\Admin\AppData\Local\Temp\31507.txt

Filesize
5B

MD5
548c579b82d70ac53cf18c68c0f505e3

SHA1
3fa3a9d29d3b7030e1da713365f23fea664d9b8e

SHA256
8c4e4469a4377250af10a74afb02b5695606134390b233682cf1a75a6aeca903

SHA512
daf944f21892ec46d3eb895dc0a2e0d9de376773e1ccded041873f2f1009cc706f451da6b4d39566cf28f84bf190c0994724aa5739069c9131fc1d2a2e5cc655

Download Submit
C:\Users\Admin\AppData\Local\Temp\32552.txt

Filesize
4B

MD5
73e5080f0f3804cb9cf470a8ce895dac

SHA1
2145c3e7ce74ef291f7254708749ad33403111fc

SHA256
d7827558d408d7af184cf3ab50d6ad7886ee44b67c6a9d0d7beafe3d0c902c85

SHA512
72a77f6052930741de91a332ddc17524f51229d57bb04b07fb708da5236897d3e74e69a4eaa3c68c737bb5d7a9738fcb7b27b07d0e39935926fedf2a2c5d07fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\37880.txt

Filesize
4B

MD5
e46bc064f8e92ac2c404b9871b2a4ef2

SHA1
689a93dc62f20464ceb70cf30746f363ccf85ec9

SHA256
bdf27cc797d40a3b96e45913422ad961f80891145524b854ca2928ad1655efc4

SHA512
eab9e4954ca35a0d9bc758e8586e72516e8b0f55759e7f67c96c6336adc15de34f84047c46617e9d023bfa799f63a43605fdcb3a25f59ac2d12a97408e1c49dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\39996.bat

Filesize
111B

MD5
8efadb36efa378cfc883ec8fa1aae5f4

SHA1
e45576e435fe85bc9b01b4f7aae383a67e8d0bfd

SHA256
5b6be60a4f488bd66c74a67360dd9ed38b30d603b3125d597e40224ba5553256

SHA512
51b6a38e74a62b07253f488941b78cd33dfb3f9c403d56b3485434b9659f843e3ba6291469ca11b930ba5663cc2b0234900573652c19fe7723348b2a2424c069

Download Submit
C:\Users\Admin\AppData\Local\Temp\427.txt

Filesize
5B

MD5
7b8bc3700ce886e8627f41e799fe764f

SHA1
490a2b1a4a6e6fce7826947181ce3bb79926951f

SHA256
717795fa2f74a06676650aacd299b1d03a7b282c970959d35aa76c5744787812

SHA512
61fc810d838a6ce1145c9de7335268b878bcbe00a8e152e2e8c80a0630b71670ad243213dbb2cc382c41d876214b2ef199e2201ddaa019f1c5c1e0de6b4ca23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5298.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\5298.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\611733.txt

Filesize
5B

MD5
76fb6fb9cbea7011e49166d9d4ddbc48

SHA1
9560b02e6b27f41fc691e53b8bf6c47e0b81731f

SHA256
1ba131cd8a949bd1394be4d9b3a78b16abe47be31c3f13b457eef7f030eb1b9d

SHA512
080ea167066fbcca4e05bcce93e8be8c25ed248e4d2a0ef584418acddb1b1b947ef7d328feac68f31d38f8973a226c0b3943cd5eab19de795c671a18d000e5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\612255.txt

Filesize
4B

MD5
09eb27dec1a45d92f229228204ea7201

SHA1
55709846063e89f32a7274cc5744c0fdb17cf5bc

SHA256
bf0d3c01d1f27f0972799070f69e69d5a81777c7e28e25f355177306845fd5ff

SHA512
bc51f302d5805b6a3a2a818f97f6998c7e353a079837188c1a59e91d624b8f9eda79d3addb71135cc4b38232786336c72129f84e8e925da0925a492260ffb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\614515.txt

Filesize
5B

MD5
4e6934f77e86b8c41a52f986de47181f

SHA1
2d49a3e898c20f2e70575416c674ab3aa188241f

SHA256
5c219b05e6b594420c83c7a609905c8cc70d93554443079f42b9ca49d3a738c8

SHA512
9ff03eedb8f18fbb8b4a76ed4a992ffcc1b464401666f804cf4fce7dc5ee86c92bafd9205ce6f3bd1b5c59c1788e917727e609542cebe91d646f1c454ac75199

Download Submit
C:\Users\Admin\AppData\Local\Temp\62380.bat

Filesize
122B

MD5
239a010243af8e11133617b5bd6da2db

SHA1
e401c5a3e15ea7ddba21d9661aa0808f894e94e8

SHA256
4115e546697a7a8834443fb76b115cc7537e020b5ad2019616d4d81490a8bb46

SHA512
b5799b6a4e218da352cd13d71ac101ab7eb209fb9c3f382510476f7ac9f8613bc29173fb2e7cbbe83f158b1e41cdff7e28ff6580e3d12d3efb54ece4fb6c1445

Download Submit
C:\Users\Admin\AppData\Local\Temp\714346.txt

Filesize
5B

MD5
16dd8c942ad630be7e5a12b681b3f5c4

SHA1
7ceaa106b677f9a465f452ed7bee5100aa717173

SHA256
c577c5bd448343ea6ca9b737875e0c1ac860d747037a1c313dd9fd9ba5059af0

SHA512
e320abb6991a8b37deab7c657fbd313df6967dfbb76505a90c6bf39648598c45f149448365df1c193870ab1f7d7362e199ff57e26c440db889811f8738e8f15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\728868.txt

Filesize
5B

MD5
15e69232b3bfbcce60261950230e734b

SHA1
6d66b3591c4cb26ac8291f1176e18beb2a4b78e6

SHA256
0123729d5d90048f70e14c86cf5f6b153ed202a7c80ffa5bb215f1573ecc11b4

SHA512
d544f8112ab63d1ef285260a18e41d855dddc1aca4f4543f8037f26a7a5d33edfaf4c546964805ab5dd021f4ed0d60483c90f9c8e555710a61e98274fb06e33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\821015.txt

Filesize
5B

MD5
54bff62713e574c1097f56646402832a

SHA1
170f66dbc93feceb64ec762053b581141d26ff18

SHA256
05133844bff497e37fd1339314cfab5db8085849e76d743168884b9de2028a91

SHA512
265424498c3ab5b71a855f2251a978c8afd57c886b6c78a080ab99d9e858d8122444d56d25d072b5fb216179b925d2fd1f472d872be46d465e4c8337d87deda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\83954.txt

Filesize
4B

MD5
ea3aed2bce2d893088e71e188ebca823

SHA1
b449c1ba98846c62fa7ed0e90ad97c337be10b68

SHA256
6129bdf179bacd2c2b006843113f7ae74881dd2e28d922c673bc4ae2c09bee6e

SHA512
cde6f5ab7e1b556d8d0675c3d74a8542003c2d5fe4829884a7e2015047730f23eb46c0ca2524656d701b02d98f33bf9d59e187a26c5f97173f24157c3c9b727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\923004.txt

Filesize
5B

MD5
aebb462e657b9e288cbfe408fc1a9dd5

SHA1
5c733bb6042d839f65f6ee5f1a42231bc2d52f94

SHA256
4bc81052d59ac153d6720d370d614584ad8d3c946d25611e1c66919f667f7afb

SHA512
f92a15a42b337d31c78fb25255d7aa0bad1bbff6480b4c1688bc360c6e2e389e93ede619ac04132e78e4ee375cf63cc4535d957869200f5a546e3bcb61013bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\923527.txt

Filesize
5B

MD5
71bfbe458113bbc3b27576494be78972

SHA1
e602365d57471b1c57a2e7c0151090e7ef88e7d1

SHA256
3c78f6dac9f5b5cc26c96e8b2f7fe399156ce1f6a8234e16274191ce985d494f

SHA512
cff471beb0ff5b7394f86fcb8239406cb15f643ee1153e262a7614a8b9849eef50b6c951fc29ebda898f7c9a52b8199f21d7c2782c5e02d290ada96ba6831f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\97716.bat

Filesize
124B

MD5
dde50a02895e49b132fe2db7436da56d

SHA1
359a1ad5c586877d5cb467074de923886358aaa9

SHA256
a788682e7ea30b78f475b7af9b5ba72f50d70436d7ba345bfe42e41964812de1

SHA512
8533b488a33c0b34fce2631bee2acf658aa6dcf8a090dc1d1381cdd299340bcfcb417b622c8a1f447cbaf587fbd9d44f581ee87152937255355b1b5bb3786c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f03.exe

Filesize
3.0MB

MD5
4073a7448851d97591f89ef3b1ffccf0

SHA1
ec1a1091c4365b481810721fcf3c8eb15277bf6e

SHA256
d64d7155c8e2db78fbb1c684af66902e19076af034e5e80c2d2068ac0a6d28a4

SHA512
8c42f76dd4bc9edbbfa0d89760f1a983e932fba1362d0de2184abc04de996f5e4bbe4516b223e34405c42ff488fc87425a78539d90f76e182a13b8827cca448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe

Filesize
3.0MB

MD5
342521376fd56be455bd7b0e175a558b

SHA1
cd81f67f5962911466d4e00a44d8cfe7e218f2dd

SHA256
02ffb1b2037af61306c3898b2ce0db46f79e764511edf9c423d98cefe3d13678

SHA512
91295451656b46d894a97a67d96fc1fdab368376bf2009857d30a5cfe7258903fcbca4d189fb6ffbcec9bbfa68c32a10fb2e863ae32a55a0fd977e3fbe2fbdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe

Filesize
3.0MB

MD5
342521376fd56be455bd7b0e175a558b

SHA1
cd81f67f5962911466d4e00a44d8cfe7e218f2dd

SHA256
02ffb1b2037af61306c3898b2ce0db46f79e764511edf9c423d98cefe3d13678

SHA512
91295451656b46d894a97a67d96fc1fdab368376bf2009857d30a5cfe7258903fcbca4d189fb6ffbcec9bbfa68c32a10fb2e863ae32a55a0fd977e3fbe2fbdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f00.exe

Filesize
3.0MB

MD5
76ddb61db3351ba3c38f36420de949aa

SHA1
b1f2ad6223b738e69e207b803dc883ce0bbd5bbc

SHA256
2382ec5d9e05463b3df4b47d7062fb986d525b14ce2733306293705c841361e6

SHA512
f9c57db56402074c30d041c77c5cf43b24092a405ed983732eb78bbbe04652e8f10767b4aa6ba30d1c935a2e3facd68a89e7f973fb09be5c8f0517c4f220949d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f01.exe

Filesize
3.0MB

MD5
414f54768c56e0f2bb0752d0828229b5

SHA1
16e4a81887b7eaaafd1a880144c4d87485507746

SHA256
1ec890735ca27f0aa63412a70d7f344e7a6ef86a8fce622727cc716a8ef208fd

SHA512
798f166aef56deb04c0689ce115fff0b1f1aabb6bf08900b9fb5e595ea002a9f535292a9853727f185564eac756c909cb413d5adc392fcd64bb0f942414d4dc1

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe

Filesize
3.0MB

MD5
342521376fd56be455bd7b0e175a558b

SHA1
cd81f67f5962911466d4e00a44d8cfe7e218f2dd

SHA256
02ffb1b2037af61306c3898b2ce0db46f79e764511edf9c423d98cefe3d13678

SHA512
91295451656b46d894a97a67d96fc1fdab368376bf2009857d30a5cfe7258903fcbca4d189fb6ffbcec9bbfa68c32a10fb2e863ae32a55a0fd977e3fbe2fbdde

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe

Filesize
3.0MB

MD5
342521376fd56be455bd7b0e175a558b

SHA1
cd81f67f5962911466d4e00a44d8cfe7e218f2dd

SHA256
02ffb1b2037af61306c3898b2ce0db46f79e764511edf9c423d98cefe3d13678

SHA512
91295451656b46d894a97a67d96fc1fdab368376bf2009857d30a5cfe7258903fcbca4d189fb6ffbcec9bbfa68c32a10fb2e863ae32a55a0fd977e3fbe2fbdde

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f06.exe

Filesize
3.0MB

MD5
342521376fd56be455bd7b0e175a558b

SHA1
cd81f67f5962911466d4e00a44d8cfe7e218f2dd

SHA256
02ffb1b2037af61306c3898b2ce0db46f79e764511edf9c423d98cefe3d13678

SHA512
91295451656b46d894a97a67d96fc1fdab368376bf2009857d30a5cfe7258903fcbca4d189fb6ffbcec9bbfa68c32a10fb2e863ae32a55a0fd977e3fbe2fbdde

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bb17eadad40e2b3ec213e6d061ffa4f07.exe

Filesize
3.0MB

MD5
35d03e4b00ae6a2d0485b7f37c530482

SHA1
6c9f8a20dca19438307f5101f59f12c651cd9adb

SHA256
111aa77f0c3611c63431792910aa7c357acab35e7a66ef9f8aef55bffd70683d

SHA512
15e4b71eb282ca1056ece2972f142ec3ee336c6ae8118149ad7af629672715f74059dbdd8147402f503400e81c6c3517604dfc1aa87d37bef408ace1516c4d5a

Download Submit
memory/532-117-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/560-134-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/568-135-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/672-102-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/868-146-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/984-113-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1020-133-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1052-141-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1212-147-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1292-138-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1560-131-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1628-150-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1640-144-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1708-156-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1720-151-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1732-125-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1756-104-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/1932-143-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2012-136-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2036-48-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2068-148-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2280-130-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2300-139-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2332-109-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2512-137-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2536-140-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2548-92-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2560-129-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2628-132-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2632-91-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2660-126-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2684-128-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2712-39-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2740-154-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2772-152-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2780-57-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2808-127-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2888-153-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2940-149-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2984-145-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3016-155-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/3048-64-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/5224-142-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download