e824f7198b4f6e325b8c1608ffec90a50f9b7cd720a335de9e26360ba020f000

Analysis

max time kernel
39s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e57f413518cd934a2faac427530d7b3f.exe
Size

1.2MB
MD5

e57f413518cd934a2faac427530d7b3f
SHA1

802b40d790bfc00b91d8e40457491d6e96bb483c
SHA256

e824f7198b4f6e325b8c1608ffec90a50f9b7cd720a335de9e26360ba020f000
SHA512

bedd7f891e8327454d1931f1f56b92731d5a51af79392fffced3a42e18c85a0c5964fde138acb1a964de062794d6cce281311d700cab376bcf769379109723be
SSDEEP

24576:g2DQ8v7kGPDgBdK3aLZd7aZEMGxfKNiXDehQCNd7omRo2N81P:ND3/Ic3aLT2wfWw2Qcc4IP

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.e57f413518cd934a2faac427530d7b3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.e57f413518cd934a2faac427530d7b3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.e57f413518cd934a2faac427530d7b3f.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2852-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2852-1-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2852-4-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2852-5-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/5048-6-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3580-7-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/5104-8-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/312-10-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1936-9-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3568-11-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3560-13-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4260-12-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2184-14-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4652-15-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1560-16-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1328-17-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3052-19-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4852-20-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2376-21-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/5052-22-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4924-23-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4456-25-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/5104-24-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2392-26-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3452-27-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/files/0x0007000000022ce0-33.dat	upx
behavioral2/memory/2492-34-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2852-32-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4848-36-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1588-43-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3932-48-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3840-49-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1740-51-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3052-53-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/5052-56-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1180-60-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2792-61-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2824-65-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/1332-67-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/2852-68-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/776-66-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	NEAS.e57f413518cd934a2faac427530d7b3f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\Q:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\S:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\T:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\Z:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\B:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\H:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\I:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\U:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\A:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\G:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\P:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\R:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\V:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\W:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\X:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\E:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\J:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\K:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\L:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\N:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\O:	NEAS.e57f413518cd934a2faac427530d7b3f.exe
File opened (read-only)	\??\Y:	NEAS.e57f413518cd934a2faac427530d7b3f.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\xxx lingerie lesbian balls .mpeg.exe	NEAS.e57f413518cd934a2faac427530d7b3f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	NEAS.e57f413518cd934a2faac427530d7b3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe
5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
3580	NEAS.e57f413518cd934a2faac427530d7b3f.exe
3580	NEAS.e57f413518cd934a2faac427530d7b3f.exe
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe
312	NEAS.e57f413518cd934a2faac427530d7b3f.exe
312	NEAS.e57f413518cd934a2faac427530d7b3f.exe
5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe
5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 5048	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	93
PID 2852 wrote to memory of 5048	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	93
PID 2852 wrote to memory of 5048	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	93
PID 2852 wrote to memory of 3580	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	94
PID 2852 wrote to memory of 3580	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	94
PID 2852 wrote to memory of 3580	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	94
PID 5048 wrote to memory of 312	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	95
PID 5048 wrote to memory of 312	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	95
PID 5048 wrote to memory of 312	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	95
PID 2852 wrote to memory of 4260	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	96
PID 2852 wrote to memory of 4260	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	96
PID 2852 wrote to memory of 4260	2852	NEAS.e57f413518cd934a2faac427530d7b3f.exe	96
PID 5048 wrote to memory of 2184	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	97
PID 5048 wrote to memory of 2184	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	97
PID 5048 wrote to memory of 2184	5048	NEAS.e57f413518cd934a2faac427530d7b3f.exe	97
PID 3580 wrote to memory of 4652	3580	NEAS.e57f413518cd934a2faac427530d7b3f.exe	98
PID 3580 wrote to memory of 4652	3580	NEAS.e57f413518cd934a2faac427530d7b3f.exe	98
PID 3580 wrote to memory of 4652	3580	NEAS.e57f413518cd934a2faac427530d7b3f.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:312
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:1740
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        7⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        7⤵
        
        PID:10624
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        7⤵
        
        PID:10524
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:9428
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:7556
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:9952
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:9472
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7012
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8916
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:7484
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:9900
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:11408
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6436
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8004
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10500
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6764
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8528
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7368
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8552
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8376
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5936
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10816
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6804
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3556
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3840
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:640
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6180
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:11124
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7732
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8356
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6916
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3088
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8944
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:11100
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:4036
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:776
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6456
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8076
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:10600
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6088
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10828
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7140
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:1872
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8936
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7348
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:10316
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:7860
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5688
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:8280
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:11152
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:5852
      - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        6⤵
        
        PID:10508
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7172
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:6876
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8628
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:11372
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:8644
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:11400
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5960
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10680
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8988
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5556
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10168
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8388
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7420
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6172
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:11092
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7716
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:9232
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7048
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:9420
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:6348
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:7996
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:10284
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:7208
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10756
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5652
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:9668
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8468
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:3484
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6912
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8780
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:6936
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:8812
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:11548
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:6340
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:11364
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:7868
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5224
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:1288
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
        5⤵
        
        PID:10672
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7492
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:9660
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:7648
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:10160
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:2084
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:6972
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:8820
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:11432
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
      4⤵
      PID:9464
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:6556
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:8240
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:10928
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:7568
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:9988
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:8804
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:11392
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
    3⤵
    PID:10772
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:7476
- C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e57f413518cd934a2faac427530d7b3f.exe"
  2⤵
  PID:9636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese lingerie hidden traffic (Sarah,Ashley).mpg.exe

Filesize
1.8MB

MD5
692a5bf9a6071ada907677a5411cdb48

SHA1
9d37c30815589c055c27a99e4c10099884f0f750

SHA256
93ba94e6e3f90bff3a4896991bfb586efcfb0aa62dd571c1894aae6da277bbae

SHA512
575f1c522efa479f2b615cfeec8b4d2d97d2eee1ab62e19967f3e2ec828b1075be1be9394af6a5f03754d80e30a22fe0b377504f02bd12cd9b4a74ece5d88c5b

Download Submit
memory/312-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/776-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1180-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1328-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1332-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1560-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1588-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1740-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1936-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2184-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2376-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2492-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2792-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2824-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2852-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3052-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3052-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3452-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3560-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3568-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3580-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3932-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4260-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4456-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4652-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4848-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4852-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4924-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5048-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5052-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5052-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download