3007e35ec35eec82bc874207b5a9f96fe599e50c205e91fe9dfbac686a09b159

Analysis

max time kernel
14s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Size

1.7MB
MD5

82a6346e662e017ca59c5ea6e8893020
SHA1

469577906f8d0f1442dd66a13e6f9c9414f908b8
SHA256

3007e35ec35eec82bc874207b5a9f96fe599e50c205e91fe9dfbac686a09b159
SHA512

cd9fbcc2e3241703d642aa7aac4109c516829f7916b1b65f3cfa6e337cc0f070f33e1f5389bb009a50284c4f00622172198b6149c5f12a390d42cfacec995714
SSDEEP

49152:PliRP5r/UVW/kZF7j44tV/hGnjGa3Bpb2:aP5RO7vhGjGa3HS

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x000300000002297f-5.dat	upx
behavioral2/memory/1796-53-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3148-155-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4652-170-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2084-173-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4568-182-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1240-184-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2396-183-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4600-186-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4944-185-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2388-188-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1796-187-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2376-192-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2732-191-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3148-190-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4944-189-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4528-193-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4072-197-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1352-201-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4512-200-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3824-199-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4652-195-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3692-198-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2560-196-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4256-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/228-204-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4756-203-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/440-202-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4568-205-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4744-206-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5140-208-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5132-207-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5152-211-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1240-210-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2396-209-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5300-217-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5292-216-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4600-215-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5372-221-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5408-224-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5308-223-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2376-222-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5416-227-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4256-226-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3596-225-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2388-218-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5364-220-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5388-219-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5896-231-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3692-229-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5800-230-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4072-228-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1352-233-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4512-232-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3164-235-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6344-244-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/320-243-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3880-242-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/228-240-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6336-239-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6308-238-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/6284-237-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1384-236-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\A:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\E:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\I:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\M:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\O:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\W:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\Y:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\L:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\Q:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\R:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\S:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\V:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\H:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\J:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\T:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\X:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\Z:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\B:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\G:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\K:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\N:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File opened (read-only)	\??\P:	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\american fetish hardcore sleeping boots .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish cum trambling hidden glans lady .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish cumshot gay catfight hole .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\System32\DriverStore\Temp\beast masturbation cock (Gina,Tatjana).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal xxx girls balls .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian animal gay girls granny .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm uncut cock swallow (Liz).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian cumshot hardcore [bangbus] .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian kicking sperm masturbation (Sylvia).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob licking .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking hidden feet YEâPSè& .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian licking circumcision .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lesbian big .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\horse masturbation .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Microsoft\Temp\american handjob bukkake [free] cock .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian cumshot lingerie [milf] ash .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian cumshot horse girls .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\american handjob fucking girls traffic .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\beast catfight cock wifey .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Google\Temp\black fetish bukkake masturbation lady .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Google\Update\Download\horse full movie hole ¼ë (Jade).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\norwegian trambling hidden .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese nude fucking public (Tatjana).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish kicking lesbian hot (!) (Tatjana).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\trambling catfight hole swallow .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\american gang bang xxx uncut penetration .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\russian gang bang trambling several models castration .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\sperm voyeur glans stockings .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\dotnet\shared\danish fetish trambling masturbation 40+ .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\swedish fetish blowjob [milf] bedroom .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\african gay big feet .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\gang bang beast public cock stockings .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\german lingerie several models glans balls .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\russian beastiality xxx hidden glans hotel (Karin).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\security\templates\italian fetish trambling [milf] penetration .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\InputMethod\SHARED\beast [free] (Samantha).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\lesbian big bedroom .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\porn lesbian voyeur castration .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\american horse blowjob licking (Curtney).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\british trambling big girly (Gina,Curtney).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\african beast [milf] feet upskirt (Curtney).zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\russian action xxx voyeur lady .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\Downloaded Program Files\tyrkish cumshot xxx sleeping feet boots .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\xxx hidden titts hotel .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\blowjob masturbation young .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\spanish lesbian catfight cock .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\swedish kicking gay uncut hotel .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\chinese trambling girls upskirt .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\mssrv.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\gay public feet .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\horse hot (!) (Janette).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\kicking xxx public leather (Ashley,Liz).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\american cumshot blowjob [free] hole gorgeoushorny .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\spanish lesbian public shoes .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\japanese action bukkake full movie .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\trambling uncut black hairunshaved .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\italian gang bang sperm full movie (Jade).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\bukkake public beautyfull .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\canadian trambling hidden .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling hot (!) titts bedroom (Curtney).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\norwegian trambling licking leather .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\beastiality lingerie full movie hole high heels (Samantha).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\brasilian animal blowjob several models hole gorgeoushorny .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\tmp\swedish gang bang horse sleeping cock (Jenna,Jade).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\cumshot sperm lesbian .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lingerie voyeur fishy .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\russian beastiality xxx sleeping mistress (Anniston,Liz).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\lingerie sleeping traffic .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SoftwareDistribution\Download\danish horse sperm licking stockings .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\gay big tß .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\horse lesbian uncut (Sarah).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\norwegian fucking several models mature .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\kicking lesbian sleeping cock (Jenna,Liz).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\hardcore girls 50+ .avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\asian beast hidden mistress .mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian porn fucking uncut (Samantha).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\blowjob girls cock circumcision (Jade).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\cum bukkake [free] hole lady (Tatjana).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\porn lingerie hot (!) penetration (Sandy,Liz).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\CbsTemp\black porn bukkake masturbation (Jade).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\italian animal fucking voyeur hole mistress (Sarah).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling hidden sweet (Ashley,Sylvia).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish porn gay several models (Sylvia).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\xxx [bangbus] cock (Ashley,Janette).rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\lesbian sleeping mistress .rar.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\german beast catfight titts leather (Curtney).mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lingerie uncut blondie .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\kicking lingerie girls shoes .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cumshot hardcore girls (Tatjana).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\assembly\temp\gay girls balls .zip.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\brasilian animal horse [bangbus] boots (Christine,Sylvia).mpeg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\american handjob lingerie sleeping .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\black gang bang trambling sleeping 50+ .mpg.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
File created	C:\Windows\PLA\Templates\horse several models (Curtney).avi.exe	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4756	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
440	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4756	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
440	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4568	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4568	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4744	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4744	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2396	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2396	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1240	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
1240	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4600	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
4600	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2388	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2388	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2376	82a6346e662e017ca59c5ea6e8893020_NEAS.exe
2376	82a6346e662e017ca59c5ea6e8893020_NEAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1796	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	88
PID 4944 wrote to memory of 1796	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	88
PID 4944 wrote to memory of 1796	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	88
PID 4944 wrote to memory of 3148	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	89
PID 4944 wrote to memory of 3148	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	89
PID 4944 wrote to memory of 3148	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	89
PID 1796 wrote to memory of 2732	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	90
PID 1796 wrote to memory of 2732	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	90
PID 1796 wrote to memory of 2732	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	90
PID 4944 wrote to memory of 4528	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	91
PID 4944 wrote to memory of 4528	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	91
PID 4944 wrote to memory of 4528	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	91
PID 1796 wrote to memory of 4652	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	92
PID 1796 wrote to memory of 4652	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	92
PID 1796 wrote to memory of 4652	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	92
PID 2732 wrote to memory of 3824	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	93
PID 2732 wrote to memory of 3824	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	93
PID 2732 wrote to memory of 3824	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	93
PID 3148 wrote to memory of 2084	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	94
PID 3148 wrote to memory of 2084	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	94
PID 3148 wrote to memory of 2084	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	94
PID 4528 wrote to memory of 440	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	97
PID 4528 wrote to memory of 440	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	97
PID 4528 wrote to memory of 440	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	97
PID 4652 wrote to memory of 4756	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	98
PID 4652 wrote to memory of 4756	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	98
PID 4652 wrote to memory of 4756	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	98
PID 4944 wrote to memory of 4568	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	99
PID 4944 wrote to memory of 4568	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	99
PID 4944 wrote to memory of 4568	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	99
PID 1796 wrote to memory of 4744	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	100
PID 1796 wrote to memory of 4744	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	100
PID 1796 wrote to memory of 4744	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	100
PID 3148 wrote to memory of 2396	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	101
PID 3148 wrote to memory of 2396	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	101
PID 3148 wrote to memory of 2396	3148	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	101
PID 2732 wrote to memory of 1240	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	102
PID 2732 wrote to memory of 1240	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	102
PID 2732 wrote to memory of 1240	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	102
PID 3824 wrote to memory of 4600	3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	103
PID 3824 wrote to memory of 4600	3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	103
PID 3824 wrote to memory of 4600	3824	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	103
PID 2084 wrote to memory of 2388	2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	104
PID 2084 wrote to memory of 2388	2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	104
PID 2084 wrote to memory of 2388	2084	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	104
PID 4528 wrote to memory of 2376	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	107
PID 4528 wrote to memory of 2376	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	107
PID 4528 wrote to memory of 2376	4528	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	107
PID 4652 wrote to memory of 3596	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	108
PID 4652 wrote to memory of 3596	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	108
PID 4652 wrote to memory of 3596	4652	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	108
PID 1796 wrote to memory of 4256	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	110
PID 1796 wrote to memory of 4256	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	110
PID 1796 wrote to memory of 4256	1796	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	110
PID 4756 wrote to memory of 2560	4756	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	111
PID 4756 wrote to memory of 2560	4756	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	111
PID 4756 wrote to memory of 2560	4756	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	111
PID 4944 wrote to memory of 4072	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	109
PID 4944 wrote to memory of 4072	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	109
PID 4944 wrote to memory of 4072	4944	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	109
PID 440 wrote to memory of 3692	440	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	112
PID 440 wrote to memory of 3692	440	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	112
PID 440 wrote to memory of 3692	440	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	112
PID 2732 wrote to memory of 4512	2732	82a6346e662e017ca59c5ea6e8893020_NEAS.exe	114

C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        8⤵
        
        PID:10700
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        8⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:13336
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        8⤵
        
        PID:17584
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:16136
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:12780
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        8⤵
        
        PID:19096
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:10628
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:8200
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:13452
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:17900
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16220
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11920
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16308
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9244
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11520
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16372
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11504
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:752
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:17216
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9064
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12756
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16008
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:11612
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:15980
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:7628
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:12736
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:19104
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:224
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:8344
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:12476
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:17976
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16316
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6940
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10844
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:8472
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12628
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16292
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10608
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16012
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9016
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11316
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16364
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5372
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7508
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9888
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:17536
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9040
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11984
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:15968
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6964
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:10984
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12676
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5548
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:7872
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9160
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:12704
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:7480
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9384
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:12580
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:17592
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6996
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11468
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:8480
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12668
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:17752
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16284
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11496
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7620
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9184
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12944
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16260
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5308
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12952
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16144
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16152
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10644
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7612
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9192
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12620
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16324
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:8464
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:14136
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16180
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6948
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:10816
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:392
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:8204
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:13440
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5196
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6336
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9232
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12404
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16332
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:17736
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9024
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:11376
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16340
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9288
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12660
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:17960
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16236
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:6740
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12772
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:17992
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16276
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:8372
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:9072
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:12852
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:17964
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:208
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        7⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:6540
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9144
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:14008
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16196
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9056
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:13344
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16212
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10824
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12748
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16300
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6196
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11204
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:15972
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7836
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10016
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9032
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11976
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5380
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7776
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9120
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:14000
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16188
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6956
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11196
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:15992
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:8992
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:11236
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:15152
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6364
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:10620
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:16164
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9128
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11848
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:16348
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5416
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11476
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9000
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12268
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5672
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6308
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11604
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:8008
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:17912
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9104
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:11840
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16356
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7980
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9152
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:19112
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12764
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:18000
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16128
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:6972
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:11008
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:3952
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:8336
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:13036
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:17984
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:844
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:11484
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:17920
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9080
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12732
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5348
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:8212
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        6⤵
        
        PID:17620
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:9088
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:12872
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6980
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:10636
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:8512
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:13140
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:5028
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6188
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11212
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7856
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9168
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:13044
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:17528
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16268
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7844
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12584
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:2320
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:10860
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16000
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:8380
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:9008
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:10744
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:16380
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:6476
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:11628
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:7448
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:9112
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:14016
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16204
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:10600
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:16172
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:10992
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:2908
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:8984
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:12036
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:15960
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:11668
    - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
        5⤵
        
        PID:19292
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:7956
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:9096
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:13324
  - - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
      4⤵
      PID:17744
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:16244
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:9252
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:10852
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:4172
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:6780
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:11000
- - C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
    3⤵
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:6772
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:12796
- C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\82a6346e662e017ca59c5ea6e8893020_NEAS.exe"
  2⤵
  PID:16252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\trambling catfight hole swallow .rar.exe

Filesize
1.3MB

MD5
d678a82c8d30f630e4db93d50870ab35

SHA1
5d200d07f49c8fd602c0b3d5245c9c1ba2ee56e2

SHA256
d36c575a78892ae63f1b2dea8db218a6cda1de45c4a0f05d6c7c9d89aafad4b3

SHA512
71f10b357b94baec577335bf5355ce74fefec8ea04140ab55da7259c561f2f43338e5fc045f20940ca3dba612ab1de375a4c931d64400c05828f88130de62585

Download Submit
memory/228-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/228-240-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/320-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/440-202-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1240-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1240-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1352-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1352-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1384-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1796-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1796-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2084-173-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2376-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2376-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-218-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2560-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2732-191-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3148-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3148-190-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3164-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3596-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3692-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3692-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3824-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3880-242-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4072-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4072-228-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4256-226-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4256-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4512-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4512-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4528-193-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4600-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-170-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4744-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-203-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-308-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-426-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5132-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5132-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5140-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5140-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5152-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5152-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5292-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5292-254-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5300-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5300-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5308-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5308-269-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5316-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5324-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5332-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5340-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5348-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5356-263-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5364-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5364-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5372-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5372-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5380-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5388-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5388-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5396-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5408-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5408-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5416-272-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5416-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5588-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5800-230-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5896-279-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5896-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6196-234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6284-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6308-238-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6336-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6344-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6352-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6372-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6476-251-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6632-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6780-268-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6900-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6940-273-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6948-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6956-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6972-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6980-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6996-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download