801d150139bb02b26b77d73fc60ca2b028bc81587b544e619d1e423fe81bd286

Analysis

max time kernel
16s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Size

1.7MB
MD5

8c8943122fead12e91f61b26e2e11ea0
SHA1

ffce2f5a61c0fc60b74e1d03f3f2625da78d441c
SHA256

801d150139bb02b26b77d73fc60ca2b028bc81587b544e619d1e423fe81bd286
SHA512

97e11e912cad77376a57f51dbbb97c0bf3a2152c8b868bc28ee50e76f5d9a4b8103fe04e438045b045c1d8fd4e0d28b4ab50a88deda0c44148605f9c67714c1f
SSDEEP

24576:JBbSX5pFeK/bJ5HClI+QtnKaKaLgFtjFTHdNowZPMpi1DkyEcCS1B4ZFelBSt2S:PbItz6Ia7aktJfowZPKgTCOCKlBScS

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3568-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-5.dat	upx
behavioral2/memory/364-64-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5020-156-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3384-181-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4396-182-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2312-183-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5056-184-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/396-185-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4288-187-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3568-186-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3116-188-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3616-190-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5020-189-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2744-191-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3384-192-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4396-193-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3568-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1012-196-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5044-195-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4304-197-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2528-198-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/396-199-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3956-201-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4288-200-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2620-203-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/8-204-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3188-205-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3116-202-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4604-206-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/636-208-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4268-207-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5200-209-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5044-210-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5268-212-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1012-211-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5312-214-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2528-213-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5352-216-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4680-215-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3956-220-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3764-221-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5408-223-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2620-222-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5528-229-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5200-231-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5520-228-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5128-227-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2868-226-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5440-225-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/8-224-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2416-230-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6272-241-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5312-240-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6156-239-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6148-238-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5592-237-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5268-236-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6348-244-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6472-247-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5408-246-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6364-245-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6324-243-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5352-242-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\V:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\U:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\W:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\Z:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\A:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\B:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\K:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\T:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\P:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\X:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\Y:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\E:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\H:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\M:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\N:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\Q:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\R:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\S:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\G:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\I:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\J:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File opened (read-only)	\??\O:	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\african xxx several models titts .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob lingerie uncut (Anniston).avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian gang bang beastiality voyeur vagina .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black bukkake beast public cock stockings .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish fucking nude public stockings .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\asian lingerie animal [milf] sm (Anniston).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish lesbian beast public (Sonja).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\IME\SHARED\porn lesbian shower .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american animal several models hole (Liz,Britney).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\System32\DriverStore\Temp\asian gay cumshot [free] ash .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SysWOW64\IME\SHARED\african horse sleeping .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\fetish uncut .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\american xxx several models vagina ash (Melissa).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\danish sperm public .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\japanese xxx trambling masturbation .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Google\Temp\horse full movie hole .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\german cumshot full movie boots .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\animal lesbian lesbian femdom .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\french horse hidden hairy .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cum gang bang public .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\gay beast lesbian .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish cumshot hot (!) glans .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\sperm [free] .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish porn licking nipples (Karin,Liz).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore voyeur hotel .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german nude action several models bondage (Sonja,Tatjana).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse hot (!) redhair .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\asian cum nude lesbian ash (Christine).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chinese fetish porn public .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\german hardcore girls .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\cumshot girls glans penetration .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\porn masturbation latex .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\french horse girls (Curtney).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\handjob beast sleeping titts .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\brasilian hardcore fucking [milf] glans sweet .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\sperm [milf] boobs .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\handjob handjob [bangbus] glans leather .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\norwegian hardcore cumshot big ash (Sandy).zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\french beastiality uncut boobs 50+ .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\asian kicking uncut .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\black gay hidden blondie (Sonja).mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\african gay fetish big gorgeoushorny (Curtney).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\kicking full movie .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\xxx animal several models .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\trambling girls .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\beastiality masturbation boobs pregnant .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\assembly\temp\hardcore [free] (Melissa).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\handjob porn sleeping .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\russian blowjob voyeur hotel (Ashley,Curtney).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\brasilian horse sleeping boobs mistress (Ashley).zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\gay hardcore public femdom (Christine,Sonja).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\cum blowjob lesbian wifey .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\xxx trambling uncut .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\canadian sperm big legs .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\british handjob cumshot several models (Jade,Ashley).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\beast big .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\hardcore several models titts traffic .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\french horse licking titts upskirt (Jade,Samantha).zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\spanish action gang bang masturbation .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\sperm hidden .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\cum public boobs 50+ .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\chinese kicking handjob big granny .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\lingerie hardcore full movie fishy .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\norwegian fetish nude public ash .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\black bukkake [milf] gorgeoushorny .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\british lesbian lesbian several models .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\japanese gay sleeping YEâPSè& (Kathrin,Christine).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\chinese trambling action [bangbus] legs mistress .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\animal licking girly .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\canadian porn animal lesbian vagina black hairunshaved .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\kicking public (Sarah).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\japanese animal xxx sleeping black hairunshaved .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\indian porn girls swallow .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\asian action beast catfight 50+ (Melissa,Karin).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\mssrv.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\indian blowjob hidden .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\asian hardcore porn catfight upskirt (Samantha,Sonja).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\malaysia cum lesbian mistress (Ashley).avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\security\templates\french handjob xxx girls vagina swallow (Melissa,Melissa).rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\chinese sperm action several models .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\asian xxx lesbian sleeping hotel .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\gang bang [bangbus] 50+ (Sonja).avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\hardcore several models .avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\asian nude hidden shoes (Janette).mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie horse [milf] redhair .mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\british xxx hot (!) latex .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\Downloaded Program Files\norwegian animal catfight lady (Britney).zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\british gang bang hot (!) glans fishy .rar.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\italian lesbian public (Melissa).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\swedish lesbian hardcore full movie mistress .mpg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\horse [milf] (Gina).avi.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\african fucking uncut legs (Jade).mpeg.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\action licking feet .zip.exe	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4304	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4304	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4288	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4288	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3116	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3116	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3616	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3616	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3188	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
3188	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4604	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4604	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4268	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
4268	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 364	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	88
PID 3568 wrote to memory of 364	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	88
PID 3568 wrote to memory of 364	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	88
PID 3568 wrote to memory of 5020	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	92
PID 3568 wrote to memory of 5020	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	92
PID 3568 wrote to memory of 5020	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	92
PID 364 wrote to memory of 2744	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	93
PID 364 wrote to memory of 2744	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	93
PID 364 wrote to memory of 2744	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	93
PID 5020 wrote to memory of 3384	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	95
PID 5020 wrote to memory of 3384	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	95
PID 5020 wrote to memory of 3384	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	95
PID 3568 wrote to memory of 4396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	96
PID 3568 wrote to memory of 4396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	96
PID 3568 wrote to memory of 4396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	96
PID 364 wrote to memory of 2312	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	97
PID 364 wrote to memory of 2312	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	97
PID 364 wrote to memory of 2312	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	97
PID 2744 wrote to memory of 5056	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	98
PID 2744 wrote to memory of 5056	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	98
PID 2744 wrote to memory of 5056	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	98
PID 5020 wrote to memory of 4304	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	100
PID 5020 wrote to memory of 4304	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	100
PID 5020 wrote to memory of 4304	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	100
PID 3568 wrote to memory of 396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	101
PID 3568 wrote to memory of 396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	101
PID 3568 wrote to memory of 396	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	101
PID 3384 wrote to memory of 4288	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	102
PID 3384 wrote to memory of 4288	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	102
PID 3384 wrote to memory of 4288	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	102
PID 2744 wrote to memory of 3116	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	103
PID 2744 wrote to memory of 3116	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	103
PID 2744 wrote to memory of 3116	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	103
PID 364 wrote to memory of 3616	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	104
PID 364 wrote to memory of 3616	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	104
PID 364 wrote to memory of 3616	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	104
PID 4396 wrote to memory of 3188	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	105
PID 4396 wrote to memory of 3188	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	105
PID 4396 wrote to memory of 3188	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	105
PID 2312 wrote to memory of 4604	2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	106
PID 2312 wrote to memory of 4604	2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	106
PID 2312 wrote to memory of 4604	2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	106
PID 5056 wrote to memory of 4268	5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	107
PID 5056 wrote to memory of 4268	5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	107
PID 5056 wrote to memory of 4268	5056	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	107
PID 5020 wrote to memory of 636	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	110
PID 5020 wrote to memory of 636	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	110
PID 5020 wrote to memory of 636	5020	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	110
PID 3568 wrote to memory of 1012	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	111
PID 3568 wrote to memory of 1012	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	111
PID 3568 wrote to memory of 1012	3568	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	111
PID 3384 wrote to memory of 5044	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	112
PID 3384 wrote to memory of 5044	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	112
PID 3384 wrote to memory of 5044	3384	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	112
PID 2744 wrote to memory of 2528	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	113
PID 2744 wrote to memory of 2528	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	113
PID 2744 wrote to memory of 2528	2744	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	113
PID 4396 wrote to memory of 4680	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	114
PID 4396 wrote to memory of 4680	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	114
PID 4396 wrote to memory of 4680	4396	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	114
PID 364 wrote to memory of 3764	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	115
PID 364 wrote to memory of 3764	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	115
PID 364 wrote to memory of 3764	364	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	115
PID 2312 wrote to memory of 3956	2312	8c8943122fead12e91f61b26e2e11ea0_NEAS.exe	116

C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        8⤵
        
        PID:10396
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        8⤵
        
        PID:13984
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        8⤵
        
        PID:14224
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:13920
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:8532
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:11148
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15208
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:12496
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9324
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:12580
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:13276
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:14664
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10124
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13036
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15864
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9980
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13524
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:11652
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9012
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12472
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:5200
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:11192
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15856
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15084
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13976
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10892
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15440
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6856
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:12400
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8256
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12448
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10388
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13996
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7828
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15888
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9996
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:732
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8704
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:11516
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15952
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6884
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12392
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9056
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12924
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        Checks computer location settings
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:9716
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:12212
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15164
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10208
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:14164
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:8696
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:11432
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15872
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13728
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8560
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12432
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9768
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13296
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:14488
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9988
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5504
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7688
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15076
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:10200
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:14040
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6900
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:11644
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9036
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12384
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:11156
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:11528
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:14604
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:10148
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:14596
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:14656
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9956
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:712
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6712
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12032
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:11352
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:15848
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6568
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15612
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15472
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:10804
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:14804
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:7500
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:14172
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9836
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12732
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:6908
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12416
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:8324
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:12456
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:11756
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:15960
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        7⤵
        
        PID:14672
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10164
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13612
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:8992
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:12040
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6748
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:12060
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8940
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:11932
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13304
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7788
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:14648
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9796
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8212
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15792
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:10856
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15192
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6864
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12088
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9044
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12376
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6472
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:10784
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15156
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15880
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:10760
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:14684
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8540
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12464
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6756
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12096
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:8968
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:11924
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6364
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9812
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12204
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:7820
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15448
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:10116
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:3516
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:8744
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:11344
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:15840
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:13844
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:9296
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:13064
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5312
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:6324
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:9844
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:13268
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        6⤵
        
        PID:15172
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:10132
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:13912
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:5424
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:8976
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:11940
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6916
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:12916
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:8576
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12440
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:9868
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:13284
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:7712
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:14720
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9932
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12740
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:9580
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12652
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:14780
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:12488
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6492
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:11200
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15484
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:6780
    - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
        5⤵
        
        PID:15008
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:10748
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:14612
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:5472
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:8984
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12048
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:12080
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:8960
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:11880
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:11844
  - - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
      4⤵
      PID:15968
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:10776
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:14796
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:8472
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:10556
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:14932
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
    3⤵
    PID:12104
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:8852
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:11888
- C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\8c8943122fead12e91f61b26e2e11ea0_NEAS.exe"
  2⤵
  PID:16164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german nude action several models bondage (Sonja,Tatjana).mpeg.exe

Filesize
1.0MB

MD5
25f51b3f59b96ee247333b672520c959

SHA1
2c5226f9c190b2701ff7af9724ee33a69f28cfc0

SHA256
4c685cb61f38e5adac7a08f378935330a4e3f17ee0ccde2421fefbe27ef55483

SHA512
b704b90bac28faacc819f5a52143b9109ae00b982205805a73a197abf0abbf5b63bca6267218ec4fa7eba5c54d54d92b31435283806a55d2eb713b13fb8ae832

Download Submit
memory/8-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/8-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/364-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/396-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/396-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/636-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1012-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1012-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2312-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-230-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2528-213-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2528-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-203-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2744-191-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2868-226-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3116-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3116-202-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3188-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3384-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3384-181-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-453-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-295-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3616-190-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3764-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3956-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3956-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4268-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4288-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4288-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4304-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4396-193-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4396-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4604-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4680-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5020-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5020-156-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5044-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5044-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5056-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5128-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5200-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5200-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5268-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5268-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5312-214-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5312-240-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5352-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5352-242-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5408-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5408-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5424-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5440-249-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5440-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5448-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5456-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5464-254-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5472-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5480-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5488-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5496-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5512-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5520-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5520-228-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5528-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5528-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5536-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5544-263-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5592-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5592-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6148-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6148-238-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6156-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6156-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6272-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6272-241-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6284-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6324-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6348-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6364-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6472-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6492-252-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6544-251-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6568-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6720-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6748-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6756-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6836-268-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6856-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6864-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6892-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6900-272-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6908-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6916-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7052-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7156-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download