Analysis
-
max time kernel
120s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system -
submitted
03-11-2023 10:16
Behavioral task
behavioral1
Sample
NEAS.9399f53943a362e0bca86efa9fc6b520.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.9399f53943a362e0bca86efa9fc6b520.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.9399f53943a362e0bca86efa9fc6b520.exe
-
Size
360KB
-
MD5
9399f53943a362e0bca86efa9fc6b520
-
SHA1
d4f564c73d1a31a0bc220e9ae7c8f45111e0c67c
-
SHA256
b093de41fa94b02a68b5ffbbcece3b4b83469072cb6e9314aaa4c636af2f14ee
-
SHA512
6920826b832ec853903238f6631613bc429684050011641fc84910d8ce97bb4a6c0dff7593863b8770feeeab04a9ebeb1c3f385c047d9f7e5d1aa899b75f9348
-
SSDEEP
6144:JjluyDM3Io5R4nM/40yJN/1BWX0g0bXxOO9uTfJ+5XJ6K0ZTYMcWTrQNf:JEyDMhqhFPWoTYHTfJ+18K3/WTrqf
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 34 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation NEAS.9399f53943a362e0bca86efa9fc6b520.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" NEAS.9399f53943a362e0bca86efa9fc6b520.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 17 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\mssrv.exe NEAS.9399f53943a362e0bca86efa9fc6b520.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵
- Checks computer location settings
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"7⤵PID:6496
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"7⤵PID:8336
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:6012
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:7280
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵
- Checks computer location settings
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:6232
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:8016
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:9440
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7196
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:9632
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵
- Checks computer location settings
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:6284
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:8088
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5740
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7240
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5296
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7548
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:8504
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:6692
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8564
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵
- Checks computer location settings
PID:900 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:6260
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:8096
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5980
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7272
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5392
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7556
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5656
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7108
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:9280
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:660 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:6380
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7208
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:9448
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5668
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:9552
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5972
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7264
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8520
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6640
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:8464
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵
- Checks computer location settings
PID:4012 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:6392
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:7348
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"6⤵PID:9716
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7248
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5796
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7564
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:9708
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7052
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:9032
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:6220
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7952
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:9544
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7068
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:9224
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:9300
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:6668
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8496
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8048
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6400
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:8320
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵
- Checks computer location settings
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:5948
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:7256
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:8296
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:6660
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8556
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:8512
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:6588
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8480
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
PID:5260 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7356
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6408
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:8472
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵
- Checks computer location settings
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"5⤵PID:8220
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:6648
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:8488
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7812
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6248
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:8080
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:820 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"4⤵PID:7876
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6432
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:8304
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵
- Checks computer location settings
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:6844
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"3⤵PID:9072
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵PID:6212
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9399f53943a362e0bca86efa9fc6b520.exe"2⤵PID:7736
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\black horse hidden .mpg.exe
Filesize 567KB
MD5 122baaa3f057f0b5fe56a50b5a6d90c9
SHA1 e49705b483d30b2a824c9edd520d9acfa9806689
SHA256 5dce754bb63a2bb80673aec85ae0227c88b894f0f9c4c6b7705fec5e300c4dd0
SHA512 275dcef966eede3fce1d24f2b80e74d274a8acfd16aee431969d85c230b368bd5ab1db85560875d12d28f146d4e02185b68ad54159c8438b8fa3d055826e7a3d