f3cf02ba401658b2142eb7e2e8bafd2986d56fbc6e5a931e626ce9df0ab77b8c

Analysis

max time kernel
47s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 05:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Size

152KB
MD5

2628bd36f2c7d83ce65557cb7825dcc0
SHA1

546df3918fb245e2f47ec98deed3527ce201dd9b
SHA256

f3cf02ba401658b2142eb7e2e8bafd2986d56fbc6e5a931e626ce9df0ab77b8c
SHA512

5be23ae7ce86da9225272cd82f3ccbb2fbe5c0aa7ff77bf40bd5cee3b6e974e089c3a9ad6aed251ac17105b3ada6fb54ca1b58de910bea656da47a0c653b30f9
SSDEEP

3072:0ljbLl/gvQoutmN6N0Tlq8OtVRRkeOMPGl:SjluQoSmN6qbqV5PE

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2272-1-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022e00-6.dat	upx
behavioral2/memory/3160-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3128-15-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1020-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4376-94-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3624-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4496-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5040-100-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3160-101-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1352-102-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3968-104-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1228-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3128-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2056-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3120-107-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1020-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/224-109-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4376-110-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2108-111-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3624-112-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/520-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4496-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5040-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1224-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1352-117-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3968-119-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1228-118-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3880-120-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1940-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4352-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2056-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3120-124-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/224-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2108-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2580-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/520-129-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1224-130-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2164-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2704-133-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3108-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3880-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4352-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3028-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2756-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4484-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4456-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2580-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4832-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2896-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3108-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1412-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4360-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4456-149-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3744-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4484-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5300-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5536-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5544-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5552-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5528-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5612-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5624-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\A:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\G:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\M:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\O:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\Z:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\E:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\K:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\L:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\S:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\V:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\W:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\X:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\Y:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\I:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\N:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\R:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\T:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\Q:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\B:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\H:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\J:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File opened (read-only)	\??\P:	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\fucking public hole hairy .zip.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\sperm several models hole upskirt (Liz).avi.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian kicking bukkake big .zip.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\lingerie lesbian ash .mpg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\xxx catfight feet .avi.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish handjob hardcore licking .avi.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese fucking girls .zip.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american horse trambling hot (!) .avi.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black nude gay hot (!) (Liz).mpg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Microsoft\Temp\beast hidden hotel (Sandy,Melissa).mpg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\root\Templates\indian cumshot hardcore sleeping glans shower (Curtney).mpg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\hardcore sleeping (Tatjana).rar.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Google\Temp\black handjob horse big glans pregnant (Karin).rar.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files (x86)\Google\Update\Download\indian action lingerie uncut (Tatjana).avi.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\black nude fucking [bangbus] hole redhair .mpeg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish gang bang bukkake [bangbus] cock .mpg.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\swedish gang bang bukkake licking 50+ .rar.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1352	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1352	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1228	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1228	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3968	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3968	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2056	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2056	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3120	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3120	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
224	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
224	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2108	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2108	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3160	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	94
PID 2272 wrote to memory of 3160	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	94
PID 2272 wrote to memory of 3160	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	94
PID 2272 wrote to memory of 3128	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	96
PID 2272 wrote to memory of 3128	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	96
PID 2272 wrote to memory of 3128	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	96
PID 3160 wrote to memory of 1020	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	97
PID 3160 wrote to memory of 1020	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	97
PID 3160 wrote to memory of 1020	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	97
PID 3128 wrote to memory of 4376	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	100
PID 3128 wrote to memory of 4376	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	100
PID 3128 wrote to memory of 4376	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	100
PID 2272 wrote to memory of 4496	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	102
PID 2272 wrote to memory of 4496	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	102
PID 2272 wrote to memory of 4496	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	102
PID 3160 wrote to memory of 3624	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	101
PID 3160 wrote to memory of 3624	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	101
PID 3160 wrote to memory of 3624	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	101
PID 1020 wrote to memory of 5040	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	103
PID 1020 wrote to memory of 5040	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	103
PID 1020 wrote to memory of 5040	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	103
PID 2272 wrote to memory of 1228	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	105
PID 2272 wrote to memory of 1228	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	105
PID 2272 wrote to memory of 1228	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	105
PID 3128 wrote to memory of 1352	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	104
PID 3128 wrote to memory of 1352	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	104
PID 3128 wrote to memory of 1352	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	104
PID 3160 wrote to memory of 3968	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	106
PID 3160 wrote to memory of 3968	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	106
PID 3160 wrote to memory of 3968	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	106
PID 4496 wrote to memory of 2056	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	107
PID 4496 wrote to memory of 2056	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	107
PID 4496 wrote to memory of 2056	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	107
PID 1020 wrote to memory of 3120	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	108
PID 1020 wrote to memory of 3120	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	108
PID 1020 wrote to memory of 3120	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	108
PID 3624 wrote to memory of 224	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	109
PID 3624 wrote to memory of 224	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	109
PID 3624 wrote to memory of 224	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	109
PID 4376 wrote to memory of 2108	4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	110
PID 4376 wrote to memory of 2108	4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	110
PID 4376 wrote to memory of 2108	4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	110
PID 5040 wrote to memory of 520	5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	111
PID 5040 wrote to memory of 520	5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	111
PID 5040 wrote to memory of 520	5040	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	111
PID 2272 wrote to memory of 1224	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	112
PID 2272 wrote to memory of 1224	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	112
PID 2272 wrote to memory of 1224	2272	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	112
PID 3128 wrote to memory of 2704	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	113
PID 3128 wrote to memory of 2704	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	113
PID 3128 wrote to memory of 2704	3128	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	113
PID 3160 wrote to memory of 3880	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	114
PID 3160 wrote to memory of 3880	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	114
PID 3160 wrote to memory of 3880	3160	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	114
PID 4496 wrote to memory of 1940	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	115
PID 4496 wrote to memory of 1940	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	115
PID 4496 wrote to memory of 1940	4496	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	115
PID 1020 wrote to memory of 4352	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	116
PID 1020 wrote to memory of 4352	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	116
PID 1020 wrote to memory of 4352	1020	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	116
PID 3624 wrote to memory of 3028	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	117
PID 3624 wrote to memory of 3028	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	117
PID 3624 wrote to memory of 3028	3624	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	117
PID 4376 wrote to memory of 2756	4376	NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe	118

C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:520
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9824
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13196
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9944
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        7⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13260
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8220
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:10032
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:12356
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:5660
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8984
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:11168
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6816
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:10536
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:11100
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13124
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9532
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        7⤵
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13156
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:5708
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        7⤵
        
        PID:16092
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9776
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13080
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:15628
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8692
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:14684
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:16076
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10016
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:920
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6712
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7328
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9800
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13204
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5544
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9968
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7172
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13276
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6688
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11228
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8616
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:11176
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9352
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8088
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:10056
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13308
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9976
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        7⤵
        
        PID:11120
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7860
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:16216
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9960
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13268
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9680
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8004
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:15708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13148
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8076
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9984
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:14140
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8228
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11036
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:15148
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7076
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11064
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:15376
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10068
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:232
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7980
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10964
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:5376
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5760
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9056
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11184
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:15492
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9832
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8160
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16004
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13220
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8320
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10948
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10172
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7760
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10324
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:14580
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10332
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:14568
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8204
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10984
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:8096
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:16032
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:10000
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:3204
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:9288
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:13072
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:8732
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:11024
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:15368
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:16048
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9992
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13632
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9692
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8020
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:15508
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13116
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7736
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10316
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:14152
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5624
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7324
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10376
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:14560
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:11220
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8068
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:15576
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9700
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13132
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8176
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13292
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5612
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10352
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:16028
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13236
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6804
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7828
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9880
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9768
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16116
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13172
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9816
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7944
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16044
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13212
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10956
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8184
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:4740
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:5908
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7192
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16100
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9760
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13252
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13048
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:9176
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:12040
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:8044
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:2040
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:11084
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:16180
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:7916
      - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        6⤵
        
        PID:7008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10024
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13108
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:8312
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:10360
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13668
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:9720
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9540
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8168
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16124
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13092
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9788
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13188
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7012
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:13056
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10048
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8152
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13140
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8212
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16060
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:10040
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13300
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:6368
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:15264
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:16064
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:9952
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:4272
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9808
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:8028
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
        5⤵
        
        PID:16020
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13244
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:9784
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:7996
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13164
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7056
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:3172
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:9840
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:8052
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:15996
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:13228
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:6700
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:13040
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:9752
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7956
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:16084
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:13180
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:6652
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:2396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7844
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:11016
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:9552
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:15500
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:13100
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:7680
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
      4⤵
      PID:16108
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:10368
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:14160
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:6936
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
    3⤵
    PID:13064
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:8740
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:11192
- C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2628bd36f2c7d83ce65557cb7825dcc0_JC.exe"
  2⤵
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish gang bang bukkake [bangbus] cock .mpg.exe

Filesize
1.0MB

MD5
31101771eea8e2f21ba8158f51da0844

SHA1
c6a5435ee28df3c5015e8650c2cdc45f3b502487

SHA256
071c3b323f7951d6735dc2b8e15325a2d295f7b9aa1a9e90925ae7d169cf08b7

SHA512
2ac5ae2ad022e2dc55827f361937449b3bdd6c98bb9541511d66551c04dd4f80d0ee882a0d8c04a74e6c24d2e1c616e208c7a719ee1dae73f204ade4215028b1

Download Submit
memory/224-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/224-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/520-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-118-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1412-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2056-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2056-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2164-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2704-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3028-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3108-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3108-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3128-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3128-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3624-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3624-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3744-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3880-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3880-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4360-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4376-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4496-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4496-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4832-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5040-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5040-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5300-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5528-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5536-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5544-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5552-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5612-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5624-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5660-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download