f3ba6b26825e1e992a4053f15d4629a71b83e35adb9b9b865ad1213b6d05ce8c

Analysis

max time kernel
11s
max time network
130s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5cb19c52551c16f1368ce8020a486e10.exe
Size

1.2MB
MD5

5cb19c52551c16f1368ce8020a486e10
SHA1

6f0380962db98fceffa120cb429917b352429c0d
SHA256

f3ba6b26825e1e992a4053f15d4629a71b83e35adb9b9b865ad1213b6d05ce8c
SHA512

608d737ad1b99beb251fd18e3e6666b29ed2528c145f19367cae46d42aee09f96edec8646f672c31c155fad924f7011ea66dec6762d1fcaab48b016cc5fa2dff
SSDEEP

24576:7r4gpoQC7QNOkRmnhY8Nb3SXm9+8+UTSMF/BAo5u1tU1oYf8NIV0Kg:/7+s0hqW9T9pF/BA/tU1Rf8NIW

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000015eba-5.dat	upx
behavioral1/memory/568-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2628-56-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2176-57-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2040-58-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1680-69-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1104-73-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/888-71-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/568-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1092-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2628-81-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1908-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1536-84-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2344-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-86-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2176-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2760-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1680-94-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2160-95-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/888-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1776-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2360-109-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2824-112-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2832-111-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2112-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1100-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1008-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/972-119-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1092-117-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/436-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1908-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-123-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1600-125-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1800-130-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2160-129-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1724-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2112-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1256-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/856-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1964-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1100-136-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1776-133-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2772-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2148-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1832-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	NEAS.5cb19c52551c16f1368ce8020a486e10.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\Q:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\S:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\W:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\A:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\B:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\E:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\G:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\H:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\M:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\R:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\X:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\I:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\P:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\U:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\V:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\Y:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\J:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\K:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\N:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\O:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\T:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File opened (read-only)	\??\Z:	NEAS.5cb19c52551c16f1368ce8020a486e10.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\horse [milf] .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\black horse girls cock .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american animal sperm [milf] ash .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\british kicking lingerie [milf] legs .avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Google\Temp\tyrkish gang bang full movie mature .avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\japanese action hardcore [free] .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\cumshot big glans blondie .rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish sperm lesbian pregnant .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files\Windows Journal\Templates\horse lesbian licking cock (Ashley).rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\norwegian lingerie gay hidden young (Kathrin,Melissa).mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gay gay voyeur ash (Anniston,Karin).mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files\Common Files\Microsoft Shared\indian lesbian several models .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files\DVD Maker\Shared\african xxx full movie (Janette).mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish sperm bukkake licking boobs .mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\tyrkish beast several models sm .rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Templates\indian cum beastiality [bangbus] titts redhair (Anniston,Liz).mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay big .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian kicking hidden ash boots (Sonja,Jade).mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\german beastiality horse several models (Melissa,Karin).avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese cumshot lesbian castration .avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\gay sperm several models .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\temp\german fetish full movie .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish animal lesbian hole .mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\brasilian xxx catfight glans boots (Christine,Jade).mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\handjob bukkake licking feet balls .mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\mssrv.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\chinese gang bang gang bang [milf] (Sarah).rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish animal [bangbus] sweet (Anniston,Ashley).rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\spanish beastiality [bangbus] hairy (Sandy).avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian hardcore [free] titts bedroom .mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\horse [milf] nipples leather (Gina).rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\tmp\japanese lingerie hot (!) upskirt (Liz,Jenna).avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\porn beast sleeping Ôë .rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\gang bang licking legs bondage .mpeg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\spanish cum full movie .mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fetish gay full movie hole ash (Sylvia).zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\Downloaded Program Files\american bukkake [milf] femdom .avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\gay action voyeur boobs femdom (Tatjana,Christine).mpg.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\security\templates\spanish fetish licking glans hairy .avi.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\lingerie horse several models penetration .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\lingerie [bangbus] .zip.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\african trambling nude masturbation 50+ .rar.exe	NEAS.5cb19c52551c16f1368ce8020a486e10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
1680	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
888	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
1104	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
1092	NEAS.5cb19c52551c16f1368ce8020a486e10.exe
2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 568	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	28
PID 2040 wrote to memory of 568	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	28
PID 2040 wrote to memory of 568	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	28
PID 2040 wrote to memory of 568	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	28
PID 2040 wrote to memory of 2176	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	30
PID 2040 wrote to memory of 2176	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	30
PID 2040 wrote to memory of 2176	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	30
PID 2040 wrote to memory of 2176	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	30
PID 568 wrote to memory of 2628	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	29
PID 568 wrote to memory of 2628	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	29
PID 568 wrote to memory of 2628	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	29
PID 568 wrote to memory of 2628	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	29
PID 2176 wrote to memory of 1680	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	31
PID 2176 wrote to memory of 1680	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	31
PID 2176 wrote to memory of 1680	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	31
PID 2176 wrote to memory of 1680	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	31
PID 2040 wrote to memory of 888	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	32
PID 2040 wrote to memory of 888	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	32
PID 2040 wrote to memory of 888	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	32
PID 2040 wrote to memory of 888	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	32
PID 568 wrote to memory of 1104	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	33
PID 568 wrote to memory of 1104	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	33
PID 568 wrote to memory of 1104	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	33
PID 568 wrote to memory of 1104	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	33
PID 2628 wrote to memory of 1092	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	34
PID 2628 wrote to memory of 1092	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	34
PID 2628 wrote to memory of 1092	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	34
PID 2628 wrote to memory of 1092	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	34
PID 1680 wrote to memory of 2760	1680	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	35
PID 1680 wrote to memory of 2760	1680	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	35
PID 1680 wrote to memory of 2760	1680	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	35
PID 1680 wrote to memory of 2760	1680	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	35
PID 568 wrote to memory of 1908	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	39
PID 568 wrote to memory of 1908	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	39
PID 568 wrote to memory of 1908	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	39
PID 568 wrote to memory of 1908	568	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	39
PID 888 wrote to memory of 1536	888	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	40
PID 888 wrote to memory of 1536	888	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	40
PID 888 wrote to memory of 1536	888	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	40
PID 888 wrote to memory of 1536	888	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	40
PID 2176 wrote to memory of 2344	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	38
PID 2176 wrote to memory of 2344	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	38
PID 2176 wrote to memory of 2344	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	38
PID 2176 wrote to memory of 2344	2176	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	38
PID 2040 wrote to memory of 1352	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	36
PID 2040 wrote to memory of 1352	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	36
PID 2040 wrote to memory of 1352	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	36
PID 2040 wrote to memory of 1352	2040	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	36
PID 1104 wrote to memory of 1600	1104	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	37
PID 1104 wrote to memory of 1600	1104	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	37
PID 1104 wrote to memory of 1600	1104	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	37
PID 1104 wrote to memory of 1600	1104	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	37
PID 2628 wrote to memory of 2160	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	41
PID 2628 wrote to memory of 2160	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	41
PID 2628 wrote to memory of 2160	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	41
PID 2628 wrote to memory of 2160	2628	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	41
PID 1092 wrote to memory of 1800	1092	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	42
PID 1092 wrote to memory of 1800	1092	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	42
PID 1092 wrote to memory of 1800	1092	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	42
PID 1092 wrote to memory of 1800	1092	NEAS.5cb19c52551c16f1368ce8020a486e10.exe	42

C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        8⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:5584
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:7252
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:3240
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:7228
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:3248
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:892
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5600
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4220
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:6172
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:7244
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:9224
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:7180
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:6328
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:9556
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:7196
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4372
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:7236
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:7284
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:6356
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:6188
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:9120
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5892
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:9788
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:8672
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5916
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:6196
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:9544
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:5340
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:7276
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2360
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        7⤵
        
        PID:6320
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:7220
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:8452
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5716
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:8460
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:7840
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:8660
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:436
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:5576
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:6268
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:7188
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:7212
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:8792
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5816
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:8648
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4752
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:8396
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:6536
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:5900
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:9532
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:6180
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:6572
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:6204
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        6⤵
        
        PID:9256
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:6212
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:6252
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:8640
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:9200
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:4424
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5700
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:4908
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
        5⤵
        
        PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5908
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:8632
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:4256
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:5480
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:9112
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:4188
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:3532
- - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
      4⤵
      PID:6552
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.5cb19c52551c16f1368ce8020a486e10.exe"
  2⤵
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\horse [milf] .mpg.exe

Filesize
149KB

MD5
e7facf2ded804362989ecf6e19974260

SHA1
41fb626a4f28d4c0f00361a48c6c3f5529c3ba7a

SHA256
9955cb3a65a460a68ecb21aa540dd93cbc0a0934849a7fd7e2b08676d7f8b81e

SHA512
c41db708c29eeb5a0957bf364b1d9aebc821e6b16daa10c0405d6637b9d4e9f9bc1447fa55e6155aa21dd7e30682f5a215d88b5366298f4258e2a64bfd70fcdc

Download Submit
memory/436-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-80-0x0000000004900000-0x000000000491F000-memory.dmp

Filesize
124KB

Download
memory/568-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-55-0x0000000004900000-0x000000000491F000-memory.dmp

Filesize
124KB

Download
memory/568-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-118-0x0000000004920000-0x000000000493F000-memory.dmp

Filesize
124KB

Download
memory/568-72-0x0000000004910000-0x000000000492F000-memory.dmp

Filesize
124KB

Download
memory/856-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-110-0x00000000044F0000-0x000000000450F000-memory.dmp

Filesize
124KB

Download
memory/972-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1008-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-135-0x0000000004910000-0x000000000492F000-memory.dmp

Filesize
124KB

Download
memory/1100-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1104-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-107-0x0000000004A20000-0x0000000004A3F000-memory.dmp

Filesize
124KB

Download
memory/1680-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-82-0x00000000044E0000-0x00000000044FF000-memory.dmp

Filesize
124KB

Download
memory/1680-121-0x00000000044E0000-0x00000000044FF000-memory.dmp

Filesize
124KB

Download
memory/1680-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-12-0x00000000045B0000-0x00000000045CF000-memory.dmp

Filesize
124KB

Download
memory/2040-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-54-0x0000000004B00000-0x0000000004B1F000-memory.dmp

Filesize
124KB

Download
memory/2040-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-78-0x0000000004B00000-0x0000000004B1F000-memory.dmp

Filesize
124KB

Download
memory/2040-74-0x00000000045B0000-0x00000000045CF000-memory.dmp

Filesize
124KB

Download
memory/2040-70-0x0000000004B00000-0x0000000004B1F000-memory.dmp

Filesize
124KB

Download
memory/2040-105-0x0000000004B00000-0x0000000004B1F000-memory.dmp

Filesize
124KB

Download
memory/2112-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2148-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-131-0x0000000004420000-0x000000000443F000-memory.dmp

Filesize
124KB

Download
memory/2176-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-92-0x00000000047C0000-0x00000000047DF000-memory.dmp

Filesize
124KB

Download
memory/2344-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-126-0x0000000004920000-0x000000000493F000-memory.dmp

Filesize
124KB

Download
memory/2628-90-0x0000000004920000-0x000000000493F000-memory.dmp

Filesize
124KB

Download
memory/2760-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2832-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download