286345e515b19cb0369f74903bf6e370ae5206ff5371c38ba14bf766a1462b7c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
Size

118KB
MD5

19f47f9c7ec34d46c0b12bbe2cab9480
SHA1

1bb83d48db3da4f939186fd4a6792d193466b269
SHA256

286345e515b19cb0369f74903bf6e370ae5206ff5371c38ba14bf766a1462b7c
SHA512

c761545e0034a99935fd7d3f97638ed56e8a79b60ede0c49d09ceca5a336e8f30b35e7ca6d84606fe372f2c8f1fe904c69ea6a73f2919eb2c368048464a5397b
SSDEEP

1536:lugZl+NXHI7ATu3h49/DEaUOJ6cI5VxFNEVSRsfyD75hIj6Kl6wnhdVuMJZL0HVq:Yw0XHuQDEayffhImKlnrzH2V6nR

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	IwMIkcMQ.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	IwMIkcMQ.exe
972	MigsEAsc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwMIkcMQ.exe = "C:\\Users\\Admin\\gQQwUkkE\\IwMIkcMQ.exe"	IwMIkcMQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwMIkcMQ.exe = "C:\\Users\\Admin\\gQQwUkkE\\IwMIkcMQ.exe"	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MigsEAsc.exe = "C:\\ProgramData\\ooAYoAkc\\MigsEAsc.exe"	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MigsEAsc.exe = "C:\\ProgramData\\ooAYoAkc\\MigsEAsc.exe"	MigsEAsc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	MigsEAsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3192	reg.exe
3600	reg.exe
3512	reg.exe
4584	reg.exe
3240	reg.exe
2324	reg.exe
1520	reg.exe
4288	reg.exe
2204	reg.exe
3624	reg.exe
4592	reg.exe
2660	reg.exe
1304	reg.exe
3360	reg.exe
1600	reg.exe
456	reg.exe
2280	reg.exe
3500	reg.exe
2544	reg.exe
456	reg.exe
4328	reg.exe
2256	reg.exe
4212	reg.exe
4744	reg.exe
4824	reg.exe
4996	reg.exe
3228	reg.exe
2892	reg.exe
1824	reg.exe
2988	reg.exe
3096	reg.exe
4492	reg.exe
3044	reg.exe
3960	reg.exe
4172	reg.exe
1328	reg.exe
3956	reg.exe
2980	reg.exe
64	reg.exe
1148	reg.exe
1816	reg.exe
116	reg.exe
4904	reg.exe
3460	reg.exe
3396	reg.exe
4420	reg.exe
4376	reg.exe
4172	reg.exe
708	reg.exe
3224	reg.exe
2820	reg.exe
1212	reg.exe
452	reg.exe
4252	reg.exe
4384	reg.exe
1288	reg.exe
2820	reg.exe
4036	reg.exe
3504	reg.exe
3232	reg.exe
4696	reg.exe
1288	reg.exe
2476	reg.exe
2732	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4036	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4036	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4036	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4036	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2136	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2136	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2136	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2136	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2288	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2288	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2288	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2288	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
548	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
548	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
548	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
548	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4888	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4888	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4888	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4888	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4708	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4708	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4708	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4708	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2180	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2180	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2180	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2180	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3980	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3980	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3980	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3980	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3668	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3668	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3668	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
3668	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2380	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2380	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2380	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2380	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2692	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2692	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2692	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
2692	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4460	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4460	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4460	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
4460	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4828	IwMIkcMQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe
4828	IwMIkcMQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4828	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	84
PID 2196 wrote to memory of 4828	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	84
PID 2196 wrote to memory of 4828	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	84
PID 2196 wrote to memory of 972	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	85
PID 2196 wrote to memory of 972	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	85
PID 2196 wrote to memory of 972	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	85
PID 2196 wrote to memory of 548	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	86
PID 2196 wrote to memory of 548	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	86
PID 2196 wrote to memory of 548	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	86
PID 548 wrote to memory of 3652	548	cmd.exe	89
PID 548 wrote to memory of 3652	548	cmd.exe	89
PID 548 wrote to memory of 3652	548	cmd.exe	89
PID 2196 wrote to memory of 3932	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	90
PID 2196 wrote to memory of 3932	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	90
PID 2196 wrote to memory of 3932	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	90
PID 2196 wrote to memory of 2552	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	91
PID 2196 wrote to memory of 2552	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	91
PID 2196 wrote to memory of 2552	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	91
PID 2196 wrote to memory of 4684	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	92
PID 2196 wrote to memory of 4684	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	92
PID 2196 wrote to memory of 4684	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	92
PID 2196 wrote to memory of 4352	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	93
PID 2196 wrote to memory of 4352	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	93
PID 2196 wrote to memory of 4352	2196	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	93
PID 4352 wrote to memory of 4944	4352	cmd.exe	98
PID 4352 wrote to memory of 4944	4352	cmd.exe	98
PID 4352 wrote to memory of 4944	4352	cmd.exe	98
PID 3652 wrote to memory of 1100	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	99
PID 3652 wrote to memory of 1100	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	99
PID 3652 wrote to memory of 1100	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	99
PID 1100 wrote to memory of 4968	1100	cmd.exe	101
PID 1100 wrote to memory of 4968	1100	cmd.exe	101
PID 1100 wrote to memory of 4968	1100	cmd.exe	101
PID 3652 wrote to memory of 5000	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	102
PID 3652 wrote to memory of 5000	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	102
PID 3652 wrote to memory of 5000	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	102
PID 3652 wrote to memory of 4752	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	103
PID 3652 wrote to memory of 4752	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	103
PID 3652 wrote to memory of 4752	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	103
PID 3652 wrote to memory of 3900	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	104
PID 3652 wrote to memory of 3900	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	104
PID 3652 wrote to memory of 3900	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	104
PID 3652 wrote to memory of 3872	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	105
PID 3652 wrote to memory of 3872	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	105
PID 3652 wrote to memory of 3872	3652	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	105
PID 3872 wrote to memory of 4188	3872	cmd.exe	110
PID 3872 wrote to memory of 4188	3872	cmd.exe	110
PID 3872 wrote to memory of 4188	3872	cmd.exe	110
PID 4968 wrote to memory of 3504	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	112
PID 4968 wrote to memory of 3504	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	112
PID 4968 wrote to memory of 3504	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	112
PID 3504 wrote to memory of 4036	3504	cmd.exe	114
PID 3504 wrote to memory of 4036	3504	cmd.exe	114
PID 3504 wrote to memory of 4036	3504	cmd.exe	114
PID 4968 wrote to memory of 1312	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	115
PID 4968 wrote to memory of 1312	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	115
PID 4968 wrote to memory of 1312	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	115
PID 4968 wrote to memory of 2128	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	116
PID 4968 wrote to memory of 2128	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	116
PID 4968 wrote to memory of 2128	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	116
PID 4968 wrote to memory of 2476	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	117
PID 4968 wrote to memory of 2476	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	117
PID 4968 wrote to memory of 2476	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	117
PID 4968 wrote to memory of 2568	4968	19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe	118

C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\gQQwUkkE\IwMIkcMQ.exe
  "C:\Users\Admin\gQQwUkkE\IwMIkcMQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4828
- C:\ProgramData\ooAYoAkc\MigsEAsc.exe
  "C:\ProgramData\ooAYoAkc\MigsEAsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
    C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        10⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        12⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        14⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        16⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        18⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        20⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        22⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        24⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        26⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        28⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        30⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        32⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        33⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        34⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        35⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        36⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        37⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        38⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        39⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        40⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        41⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        42⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        43⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        44⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        45⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        46⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        47⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        48⤵
        
        PID:528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        49⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        50⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        51⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        52⤵
        
        PID:3844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        53⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        54⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        55⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        56⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        57⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        58⤵
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        59⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        60⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        61⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        62⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        63⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        64⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        65⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        66⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        67⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        68⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        69⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        70⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        71⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        72⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        73⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        74⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        75⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        76⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        77⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        78⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        79⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        80⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        81⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        82⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        83⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        84⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        85⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        86⤵
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        87⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        88⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        89⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        90⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        91⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        92⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        93⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        94⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        95⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        96⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        97⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        98⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        99⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        100⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        101⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        102⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        103⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        104⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        105⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        106⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        107⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        108⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        109⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        110⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        111⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        112⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        113⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        114⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        115⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        116⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        117⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        118⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        119⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        120⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        121⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        122⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        123⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        124⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        125⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        126⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        127⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        128⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        129⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        130⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        131⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        132⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        133⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        134⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        135⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        136⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        137⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        138⤵
        
        PID:528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        139⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        140⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        141⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        142⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        143⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        144⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        145⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        146⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        147⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        148⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        149⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        150⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        151⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        152⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        153⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        154⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        155⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        156⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        157⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        158⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        159⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        160⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        161⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        162⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        163⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        164⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        165⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        166⤵
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        167⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        168⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        169⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        170⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        171⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        172⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        173⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        174⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        175⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        176⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        177⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        178⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        179⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        180⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        181⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        182⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        183⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        184⤵
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        185⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        186⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        187⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI"
        188⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe
        
        C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI
        189⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSkQwosg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        188⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwkQsckM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        186⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuIAsYgI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        184⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqgcsQwI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        182⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoEAEMog.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        180⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAosAkQs.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        178⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmoIgMAM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        176⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WokEEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        174⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeAQYYMI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        172⤵
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwsUkcYM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        170⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkMUYQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        168⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RykwsYsg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        166⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQEcMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        164⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aooAcQQc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        162⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKAgwAoc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        160⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smkgcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        158⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMgMkswE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        156⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pusYEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        154⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuMIUsAs.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        152⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqcwUYAU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        150⤵
        
        PID:2696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msIQIIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        148⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYcMkAoo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        146⤵
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuUIMcAg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        144⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwcssEUo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        142⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuoIMkgE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        140⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqgQoIUc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        138⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oskgoIcU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        136⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOkUwMUw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        134⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMwIYwI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        132⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOkowUYg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        130⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCAAAQAg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        128⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zywkQwsE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        126⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUggMwM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        124⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkswIMoE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        122⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyUwocEU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        120⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoEAowEM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        118⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feocckcw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        116⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAwQUAsw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        114⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GygMAsok.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        112⤵
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYYQUEEI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        110⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKIIEgIc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        108⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuQgEgoE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        106⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOEIYYUE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        104⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaUEcggE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        102⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZokMMcAw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        100⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqQIsMsc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        98⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kucMgMMk.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        96⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsYIMkck.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        94⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgsUQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        92⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSMgwYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        90⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAwoMosA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        88⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgMMkgAY.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        86⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQwAMIM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        84⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csAkMEAM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        82⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cicYIoMw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        80⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUMMAsYU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        78⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkMUogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        76⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEwUsYYs.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        74⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMcocIEY.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        72⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGIAoAME.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        70⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsUkYgEA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        68⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ayscssws.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        66⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCcQkUcI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        64⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoocAQEw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        62⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSQIcgcA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        60⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQIsAUU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        58⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqEgswsM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        56⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWoYwkQU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        54⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSwEksck.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        52⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TskAIkYI.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        50⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMosEQoo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        48⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEMIUAUE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        46⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKskMsIs.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        44⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEgAYwQE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        42⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIgIkEgc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        40⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asYsgQkw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        38⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmskYUwo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        36⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgMAAAEE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        34⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSMkEkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        32⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regocQoo.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        30⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqEYoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        28⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciQkoUQw.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        26⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyYEcgMA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        24⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgkEcIAE.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        22⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYYEQwY.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        20⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOksYkEM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        18⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWckwgoU.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        16⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMwoEoYs.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        14⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYIoMYM.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        12⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emYAYoMk.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGQsQoww.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3760
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kekkUwcA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
        6⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeYIQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FysEkQwc.bat" "C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4944

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv FckLHZ9XPUiK2Z+dPTwDAg.0.2
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

Filesize
111KB

MD5
6ca3b6c1780341eedf6fbb117bb97f02

SHA1
500d7138fad3c065342daf6b79930d8b655c3f1e

SHA256
1bd2792f83343b88c0f0ae6703e1cbee53d30702b33c2dc9a8f2eaba03d88188

SHA512
7e093884451466d93f3b0da05495c28be0c36882cc6f3a75ae065a46d2a57b98ac2fbf8e1c8d748f575baa02b2f78856474c0ecec92157166386b789dfd20a62

Download Submit
C:\ProgramData\ooAYoAkc\MigsEAsc.exe

Filesize
110KB

MD5
5f98bcf3d3f32b196b3f34ef0aa86b6c

SHA1
a0b6866e9c041abecacd558ac7c042323d3f541f

SHA256
3d7a9bf99dfaab497d2d4dce843b3608ce6034501f6c72ec9e61cd2d81fc4755

SHA512
8905f834941dcebdc2dde638a2ca4e86c7f654a190a4cf56df3665d900aacb54780681a199f12feee60a06bfd085f9673a0eb5ed3ef25810fb1c1a5a8eac1fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
114KB

MD5
3e641bbbc16e12d648275456602e3bc4

SHA1
131c0d3c47e32805a4d2267cba8df4d0ba48975b

SHA256
23a9860b73fabae7f11430fce0bc753f1bf5a9b1f935dbf6863e67846837f474

SHA512
9ca218a256d295de01b76e38feb99cd13eec4472e61d0e38c79baaee87495fade628b5fe0536ff97e062e6aa8c212fd1ab46aebede4b86c0b003d35510757d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
114KB

MD5
b1dfa03474c716c5bd037b0c6060b2bc

SHA1
6ea17357bb4077574a1487ae3b7fa3d9054e5092

SHA256
c7ed0feea9e010efc00bcd49d0c625cdb3bcd899ba639022e29d2c8da1cc5ad6

SHA512
b52ffe054e4ef1b6ba207d311d78f28ef4deda53dd6728b7d3db5ce491a9e8be46b0315f4bf908b506ca095fdd550ae2609fcf5529c556c1c4ed01ae7ea216b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

Filesize
111KB

MD5
a1c39fae6593ec73a83c2f585ed0eabe

SHA1
c5c3e20294037c316434ef5a5c40bc20d7cd4a4a

SHA256
8bd88ea1f022e18bb36437c7fc16c3e659d458734c6bb7f3d401d5d6229f60c7

SHA512
6725c2d8c852fbf0b0de0bd10d952240c97457e7127c78ab4eddc8e4a6e6f7823ab7995ff7c17b987a5e967eab4e24d78689b855c32193a6852a9fefc993dcf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
111KB

MD5
c134918cfde4af64b1d38206eeaeabdf

SHA1
1a8d16c0154865fc720544c3aa8df95c3bdb513f

SHA256
1e575bdefd618a029d9ee5936695172062768a2d2267d23932b096907d8d9e8b

SHA512
808c3056c47f289f5e0dee53954ae461443bdb5a7fe3b66a5eb82aa25fbb1abd0a57f2236aee35839fd6944b46f2b68b784d8b4efbc1f092b60181be79be2d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
111KB

MD5
47006f820f8904970a8e186f5173a189

SHA1
a3ca16ca8c72b4b0c668dc2c9cec9e6acafbbc6e

SHA256
458d2a6142e2062cb54aa9ec2794c6598be5eab37897bf3ed66e5bd802be9170

SHA512
da02b8e090846702d0bf837a38c604b96f0d9cb82c084a1090d2d75f2bd8d44a2cb4e7998126b85e7f299b06451764465bd22b9b4e76aee11c0c79a7b7bb0540

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
113KB

MD5
dcd881ee75183f8675ce1f8de03e3fa3

SHA1
9406e3b6f23d9b2371bd87dffb4db499e7a9dfc0

SHA256
af4d6c5747563856ad474ac44d659e039f6b0841ee88a76950820b35e6e60cfc

SHA512
76e61ad04b81b2c49b2acd757addec0dbbbf84c2472d0a56e6521c4d41cc3ac98586437f80de37291c0b4e5f2eb7f0db0411de7f1ad836dc2331c6b76261fd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\19f47f9c7ec34d46c0b12bbe2cab9480_NEIKI

Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEgO.exe

Filesize
112KB

MD5
b1cb0c886279f062d0613f7edb6b509c

SHA1
ee602bed843240a9d50b5ddb99b8895e264ff625

SHA256
a298b6bfbf9039ce150096364b8ef11bf3d54e010e9e5764c6fcf46db7babcbf

SHA512
2ba2510bcaa2ce6791523d7add07ca0ed1edc7ea36f80a8bce847f798cae22708292398c854649439ab913100616eee83b7b29b62c3df284e31051dd24b27182

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUUA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsQK.exe

Filesize
110KB

MD5
e8e6401ab65d5f90f8439b169d456f96

SHA1
20d263e6da8cfa62eb9e13ebd68af7a15f493d12

SHA256
e256f3a9a2ea3589f0c56f9af638133b20486edbddc12cd6078102a613055ecd

SHA512
f26234514fb3f69ad81e373b104ab92ce2a779c97ca927ac4bc2680fb3f16b2140bcf24a14e9e8f0d400492961ee91f22754fc417c5f61bbe2f442c483c27551

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAcY.exe

Filesize
117KB

MD5
ff4ed6cf422192f74b5a36a0a45a930c

SHA1
a3d09787fbaf41ba5b963c342043c0e69e103348

SHA256
82d051f369066e709865e0564de1d6ed8e17f93ef85f6a346f77031b827c85e5

SHA512
bdc27816bdb2545c49141e3b82d4df880f4539edda83dd5033b01e961a698cc0f3fe8a5968ff9ea0bcbbf8b7f091032148994337993789df850c42f24e95bc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMe.exe

Filesize
138KB

MD5
84ef71d69913adb182fd6e95892e1b3b

SHA1
62472cadfe6f89fc9ae2fd8ac8da9dbf0fae9885

SHA256
6820d5d5ce346450c231f54418a36f5a10d1d288677d82b9029615e12046183d

SHA512
418019357b380ffa55b232375720ecbd7eadc729f52af0867893c5d2687229cf64f5b5ee0ed41cb5c4857adbf0121ff99c15f03fcbeb6012c27c7cb08689d991

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQAO.exe

Filesize
236KB

MD5
a6813c4d68b26572699006cb7367fd30

SHA1
c5ccbe95f5011063283772a2bfd06693bce6b01c

SHA256
a9439cb6d8a322a44869e3cbec1ab4a3a2988f8c513ff4d5540fc85ee2e35898

SHA512
3188986d16d0d0b28466697bde27b78b216892bd3cf038e761768ff7bce6a4b7de8d6243f21cf1acc5e9b8d6b82be2845daf194d0ead3dd52fd88ac4618ef1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgO.exe

Filesize
124KB

MD5
240c5f22475fde454bbd8270ad501b35

SHA1
f0d98e2063fb30d2622f47ca2c9c338958e1b340

SHA256
7a8e087018673a98f8e434886ee1b6b78f34190a28456ce1f87b18550a13d7dc

SHA512
4f6fef4f09e007ed55d3a183d04bb19439d62694208c3d042e95e1b752e008a649ae47b4ac025cb055792e18da631bdd2255cd0d8061232b79f48ce19ff9ec18

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMk.exe

Filesize
124KB

MD5
5259193e34a4b1c17237cf9f94ac8927

SHA1
1f515f9ae6645adb311956884788f6904d002967

SHA256
3211794ce899dc489a4917a71463f2d8753191fe108997917179e30c3f6c9257

SHA512
eb89d4a7b3cadeb3b63e9a99cdc28aff5469dbd9b231b8afd4f457c129c1f91e80abed38bab003d1b176a42ea9c44978c38781af70d01f9f5274ed446fdfc93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egsc.exe

Filesize
297KB

MD5
36e280b12edadd496142f2e3d99e3df8

SHA1
deb2c671d489b224d23d6ae3a23051b268afa98c

SHA256
f0b3a03cf1863aec4feeb429665b42f17b30248d5765f1665dc7b2d35b11eb3f

SHA512
80045957e25d9774c0bfc6f5f3b1d393140cf8328047c5c72d20bfea9e468c7536afbada4dd374993fa93f05dd5b7e17274095d1c67fee8ef911c17f92fc4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkkM.exe

Filesize
582KB

MD5
9c254d0d0fcdab5df4fb6d2d2aa1680a

SHA1
4852fcca3bb2abab4888f921871563570fafff90

SHA256
418d54e41a4b73177cba87dd579d736483a756932e5b918005d120aac9f21962

SHA512
ef4cdb9315b5802e69c94b964cc3028718e5d341e42fcb50301208b6261151fefd0f99ac0e2d562e2cfbba00a3ddfa8fbe48d3c38de27224329c4c6876f822d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FysEkQwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAYW.exe

Filesize
120KB

MD5
b3636633a294244423572f47f32cdd50

SHA1
933b1c60d25465e24901b3886e7dbce3ad4f50ff

SHA256
27963e8ab62507eece6b7fd129088a9f564615334472cf67ffcf043f453c5fe6

SHA512
74963d59bdf90465b6cfa09290279a07ec968baf775623808d2caa3380f2af0502b033a37a0d310a00d0b68c995110865f15188889a36e4adb39db2ea5b95450

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcq.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQsc.exe

Filesize
281KB

MD5
95e270dbff6969038c87998f889656c9

SHA1
f5a26ecb3e369c787207d68030ef8239e2d88590

SHA256
a505ef620dffe93171f957308849765e6bb0e3024044f7b317b2ee7e42b7d49f

SHA512
87648691e1a2867bf2a4d6b8edab7feb6b7850858702a816bc583415d36171658e387254679cc42d2fab11ec7b3cfebe5b36d827bda71c1d57fb6a79dcbfc0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwIW.exe

Filesize
119KB

MD5
1d222d72473b8e45525b6a451c95ee38

SHA1
96a0a7d7bec5dd311fdf6dc214c81d14796bb2ec

SHA256
6b3befa959c10f5d8b52c6ec42a8cac9a38f5ecdbeea276fd36472466735c35f

SHA512
ed73024c1b6b53d0b0beec3b9dcef9e078c9ee225b924db4436f978a70dfd500adb531dc3b222e58f4634e05a407de63d73c6c88c88784a5be9cd9e0ba52ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMi.exe

Filesize
111KB

MD5
f588f138fc33f5e7d8d652ccd7ee69c6

SHA1
0283b000646d84adc66a220c5221939a949602ec

SHA256
a5c1af64cd7d4829bbb0318d6afac100d1c903892b7f8f17ba1aa1be10d5b890

SHA512
412022a65adaafdc5e2a6cb6f6ab62a134fcf7700454b8334b8d0615c723105a7db77ab5fc1404b7d19e9619be44922027a648b26c8af609d1c834af35c2376f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isgq.exe

Filesize
113KB

MD5
301e5c03689a83f51c311b92b8b11877

SHA1
b73b38558d84ac71bb89c3213905f071966cebba

SHA256
6596445e38a994af5d5ed908d2da4f00304d5948d5fb4d7df25091be5643359e

SHA512
dbb0c3c55c5aa86f8f1be21f8fb87d41f0565ae0e8ac5eff9be0111a7ac90414b6547e4af10ed5dcf9c70b8e4a874a1aa89f370fbd74cf554fce800967a46b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iskg.exe

Filesize
109KB

MD5
976dd1d5e467b2a80420a56d1b7c7bc6

SHA1
090184f87efe754cda11595beb8c3f84deae3cd1

SHA256
3bef31d746c819360d2026557bab656066a55c91316e78f78f41dfd1aee56429

SHA512
232e8a57f0b9c4db67929d7f8b3465f5358d0af41fe4c2ccd499562bffcc9ddc0c9a030df6a0ab41cc806cfbf2c5c85699055f6af8dae3e5ac0c43754588119c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwko.exe

Filesize
110KB

MD5
2481efe3dcba7a16df17bb942eac01cc

SHA1
f03e321f97d2d20e706f6d7ff0ef3523f0fa20aa

SHA256
4490cb0120f9a1246b6d3411a68bacb450bb550f7cdac451fbd4338dd9a753c9

SHA512
c9f05b3251e942d42560b51fb2b2dc50f354a6811ecb454a6ccbbe5dfa21749ae939235a0223bcb82c888609c87131d63cd8db9b7f9386b41f827562e169575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQYm.exe

Filesize
638KB

MD5
e2b64a3eeb847709fca81a479c41c1e6

SHA1
c54d08bccda03807c0fefcc10f8936ea43fc9aec

SHA256
5e6b71385651bc4ebe6b067036d2694dceb4c9683e437a1b4fbca7dc7597de9a

SHA512
aa56a7ace2d80d9235694df86abfe4ddc5852f4230ebbefacc2a840546493541c4e83c64ae5c2d7356211013ca803de580910eb91060d2a2582d987db529489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkoG.exe

Filesize
150KB

MD5
612a9d51932025991bd9eb1d2f459414

SHA1
063b6a9d13952250a4a31e5f45488160b0932b93

SHA256
ad93ffc1b81f5a3b64eb60034b3f827d5acc97bebd2857164f05142053c18ce6

SHA512
7af208336bf6234e899470ef163554e1fe3619903e3218a581f312e85463d98ae2ec389e3e0b6a77af474a052df2e96419fe302b615526452590ec3ce69517ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwsy.exe

Filesize
359KB

MD5
0b4a200eee1411fcc3522e8d2eab4e06

SHA1
ca57ca7bb73b1743cf4c21feb136db06151fe005

SHA256
f6fb009979a9305269f86b9e65593f38c2cd1c4f5fb7a78eb9c6fe0a53cd168d

SHA512
5425ef26f2892d9988dd86990a9a64e08da80d204063b461f21fe5ce498d4b6902f9c2e9e216f1703e17ec388c9a0075526b00f6bdeb70caaf81650104ead587

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMkI.exe

Filesize
116KB

MD5
6d75d59f5f2105a021f4262fe7e9c901

SHA1
0ad9ec513073f25a28d3f99de3ae62c635a474d8

SHA256
ae8b69b52af1e360ddd9e2e2bc1257e7316eb0ad43f6f5dd6ca53d859ee6567e

SHA512
afa38b77ddc6c1e438edce9d7cfeb31c3816e054220f9fcb5cc0717a644f2b7c451b25f8cdd64b484e499d28f2ed3b3ef4c1984b6376ecc874560ff06588827d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MksW.exe

Filesize
492KB

MD5
b683532fdbc20756d3c58de588176dfc

SHA1
446da3777b1dc2c8185749d53753c83a5a8e1c1a

SHA256
c33634af92baba5032397c87d11c883fa4a66ab199e9a599390b7a4536e5d582

SHA512
d0a10eb3b613e4767fe075e9ab1150184ece3a608bc8811ed03a37c2b56eee1116bed5d758fde0c0e7a4ba353b6f2634227c22649a1469267e9001de74fb884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQa.exe

Filesize
112KB

MD5
8a418fa90cdc97c61ad13443a6ee1c9f

SHA1
1f4270bc156e72c9985f8e7017bf761f41bf948c

SHA256
e1b6c0ba1850040442da2bce8bf5efc5d426fed6328bf8c1d5dd17f88aa5fe1e

SHA512
dee4ea4404064e504ec9044be2c6bc35542d74a2b3d1e319a1a5307ac5fbaf180980e32d256a5d5ccf0608d3d9933054771acfcd8d5eb6c0dc749a59fd4562a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEAg.exe

Filesize
112KB

MD5
981426726f96706851da8a75dc99a162

SHA1
d6fef81187e820d9b455e9142bf7b4c2268049cd

SHA256
bd76c28c3d100b7dba1822a76f19fcc3c8fbf1d10fc2a48dbff1c6d49aba1456

SHA512
c82d88789d5add103f41835e122e4057fee59d27df2920ec43c78469390724d50e5397595fd53b9d963c7f1df41d8b8f50ca01d71ad51a389a97fd55c8c7339a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIYy.exe

Filesize
348KB

MD5
29f00351cf383ce5e00ffc5f6754f9d5

SHA1
6a5ac44a8bd084e05297997a19f9013be1b4fc2e

SHA256
2c40ac3ccd791e3a01355e57235b03fface06a4cba938f2f5023803e4575663a

SHA512
739d2ab420faac09a69fd6a616738ced948c7189a287e9a066b0fc12944592930e270d309ebc635d4647fa565f96ac0c527cb8d2363cc8ef26342fe29732ce3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQkq.exe

Filesize
114KB

MD5
4b3b600ecc56ea1e6a7781ea94caf668

SHA1
4e257cf569f82a377db304f08a467910f87a127c

SHA256
9606f6e0162edbee71fb6f01518f25d59d161c082c26bcac4da0e0b1b0ee2b40

SHA512
47037693f4bb8874e192f1f216a958f3efdf422e23699b2b394c404e69c87ece54d67c98a5e2254ffa666b748b8f85a6e1656152755e19562aa4f2c90e0f6b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgMo.exe

Filesize
743KB

MD5
8e7299597ebe9489880f7c3b2bb8a119

SHA1
17ba1ede4d7d1e7d9b5da4daac5faadcd8650214

SHA256
2ea848349cc3fb4e3f24d6fa34c45bca4994517cad25a937e6f6548884dd7ee7

SHA512
2e0aea5571c42cae2a9fe3765231105f772057d4c0eefc96e67fc69fcb4093f606b71146ff924ac29c3e0a36958221f44c344f6b405371955c35ab15377ff276

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIY.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEy.exe

Filesize
697KB

MD5
c75d4662f4ea79b3521c1370e5e32b80

SHA1
2a8a87610459527155e8a968566d115a2730cebe

SHA256
3303b467935e6418103a858189e184be30585ddc235b9e80085aaa71c123fdfa

SHA512
a4f61fe0f8ced4cc86d757c88c4329804bf954a8aae142efb7c3ce4fff9da9d677fc524fdd949f786f190e23a4cbbe1bab710f2a10b64bc848f4fd66e467c8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkwa.exe

Filesize
111KB

MD5
07d4f2c8f333d1faf6ff32fb626ae98a

SHA1
c45f798c77d07c029c077554b93d4e869e1a498a

SHA256
8b4a46b613cece7e6db1962a71fe7388df77e068abef6c05253e1e130796f6fe

SHA512
9946e028a9cd1aff07dc40a820b62c9a4a172f27fe366cabe1cba574952b400320d9eadb4f051cbe7ec73db20c1e90012a808f6bf467c9a78bf294ff9b1a33bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qscw.exe

Filesize
152KB

MD5
efd321172c4ae72f68aa9a5a58d38e40

SHA1
c57a1edfa254456bee7ae57affbe6ac1f31ceb07

SHA256
d0d449bcd9b4e38657c684d1177fc0a42fcf369ba3a5ca139156d7fa68a0cba5

SHA512
ac477a1b89384d71970179b0748060d3ded0bd1faddcdc9a1fb4371f0ae52b87915e6a5d26c9e8c44a8c7b75513b1a3c5c6cf2e9e3acb82a23e3c596bfbed8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwYG.exe

Filesize
111KB

MD5
4c84743739c0bb5272a177df5e21c02e

SHA1
6952cee0ecdebaae41d94e7a70aeb3eb53711748

SHA256
82cef73f403182845a01a4692b3a67377eb074a33ca7266a19d126f7e53012f0

SHA512
aa2783ee85e978ab6ddc6c490c8c94de42c097718016ddaaf550804e2caa4ddd9ffce4f2eb235e275c8ccadd342fbd0ce2ceff3916362292c3432fe731465cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUsE.exe

Filesize
117KB

MD5
f5bd1593c8d9d2e277bbe83523db9756

SHA1
98d6767c2c3e51538833b6514fcdf5290a589f76

SHA256
4c642ed44a39b69d8dcdcb87feb8f99eea2a95fd6dada2e50ed5164a5aa685b5

SHA512
606f554a7bf9b9bf6cce7a0ec039335057fa6bcfc9d3ba48c07bc1023fc5d6d4347697c249f297b900eca75fe5000adfa971cc6271c96dead908ace42926cbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYYS.exe

Filesize
117KB

MD5
8c28828ed0ab5eca0d4c67187d520e23

SHA1
8fa8bcd1ac45cd3549e89b97b139ca32f0af0428

SHA256
91223eb80aeb861c7e5c1ba0ff7a1496d95ade85962dc6e76078e404b00679f2

SHA512
221414768d4c4f55454e4fd91409b826127efd3d44e9d6598137c88b61157bca3e17e49585c1d7d6ffd1abc0909f36b51b6218a981fde397b50bc19f0f42e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sckc.exe

Filesize
114KB

MD5
67e7b068a556916e9aa1bce10233ccb7

SHA1
dd2a385f75772e46bb3e070c8f0215614f2c1992

SHA256
9b65af73b68b0fcaa66d210de76488b351c0715b2561ff90d9c8e3e1b9677dce

SHA512
6d3696a3fbcb472013a363ab3becc6f7577a496eb37162c62b359a646c37596c74fd2ba852765b9054dc0b4bceace75e6a809b06107f5e9d4cb8ef323a01e34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgwq.exe

Filesize
484KB

MD5
3212a272fb17d0a7fdf7e8300a45624e

SHA1
ab743c2cc253b9eeb78661869d9926224fa5ff10

SHA256
c9213ad009d576eaedc5e4cc57e6c14ca1e72832f533c790ae819c524da3a4ad

SHA512
6463eb5926c48b04435be44efb7c2c2ee2a65a047908abab40b9fba34bae31263da7622e53816bc49a7c80d1e9d18e6678f656620309c4f0bec83dc912c3a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\SogE.exe

Filesize
139KB

MD5
f5c2b7698e0af7d48a352bc28ea23f66

SHA1
80b2f2fd0edeadec72c876f701d5829987b766c4

SHA256
299d1aad059e3ddc2da04991015d5a3e7438463e674afe925d82f4a9e2c73086

SHA512
a889ef5e577b958b317584d60a63fd08caa539436a8d1ae0ecb8e578d947fcb11365b5e72579c4255ca2ba56edcbfa6c4b6c24d7fc08129c4f0c658d1b80ab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwEc.exe

Filesize
368KB

MD5
710c5479b0d1f9d1d1d59501b96f217d

SHA1
09675887cccb16e95762b575089ada62dd292cb9

SHA256
1b9c0c600df0be606c607e4dd904340a6419322177ce28f2559e6e8c0ab3dac2

SHA512
d223f108159363d31fe6ea3125909dddb71b72ba6906146cb2e06a79e19ad98d97dbb884cdda9365936087822c4ea29fbf26ce5341fbfccc3d22d33435c98b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEEi.exe

Filesize
112KB

MD5
4a31ca8cb15e1872cbdf40f950ea56e8

SHA1
0cb8e801a3f6b6fc94261fc2864d625ed759b468

SHA256
8a0d98ed6317f215dfe8b01ebf9e97872c041e5bad790fb3b14e1214ac18623d

SHA512
6d51252d2d84fdf35cf68961cbe82327148c0e7c3c9ad5bb91f332fd30556db5574e45021ac502b7694345e2a9e44da7d0e2825546846722fda8c5e6a18f0842

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgwS.exe

Filesize
722KB

MD5
abb2949ea6a72a312ca09f8bba9725c6

SHA1
8f18027b650e3e7c812c10ae8b2dbf44236690da

SHA256
0a4e31fc6e122108e2a91c6741c5230cb91f6d9eef0ac39ea7d51fd0b32140c0

SHA512
c51cbeba2903468a99258a4a96c85f7dd0e83bf9775b12ea5487fd9cd00cbb0fcd4eb9a0b537a7ae9bf683462394bdf885a453ef41feb1a61cd869081eebafb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uksy.exe

Filesize
114KB

MD5
299bab728e7419f0abf4dc6ff304409a

SHA1
637eb9c069cfc326952e73e47976a851bb24dea6

SHA256
fd1a2e7ea1466c6568df89d80e098f908d60534b2779c6bbe8d533f5b04a134b

SHA512
2f98e901ffb9f0e27f985cbcea089f0f90f810c9a4c4d2da51a584cdc680f36c0fadbb5ca220df8789bb606b65c7f258a70de0702d718a7ebde63d7ee5422d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwgq.exe

Filesize
5.8MB

MD5
cd26f20e072860f535511f410cb90fc8

SHA1
e2ba2595ace4fc07b5d4dc44053fb019ce5e8544

SHA256
a71df20fdd90919d624550d78a8d4a890a034873ef3d4a5556def9d177242645

SHA512
e646de0b9ecd68b604f3ec26a0373bb8f02a1ae1401a23a5e1ec6dd1ed0be8652e8c3c2ce5d39892b3d7ab10f955acded7b317b80f7b5b73bfb3102f09587314

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIe.exe

Filesize
566KB

MD5
5fc8d1902a79e84cd4923e0e1797ac1d

SHA1
3001f89b09a197ca7e7dc9fd7f93d28626cb503e

SHA256
51172bbb19bf7c01eb5394d4ddcc1828bead6f2d105ad8b1cca4475e942df36a

SHA512
2bf4b7c4b0e74ea0f03ec7eaf53854c144f342301fb6016f510288fa89d4e8ec435d44b80ca5c104bedd21d3b2873458e65729708838c4d6e1aa7f47bd47808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAcq.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAgs.exe

Filesize
110KB

MD5
53c9cdf1d3164655b4f473ce4631ea2e

SHA1
5db812b3be659fd8acf50a7b13d52ee8462820fa

SHA256
175abadaa0515aa440a0f9a04eafe058a97e927a2007e9735e75ab7aa426ebea

SHA512
85e13d797debee9ad2a0233ed61626584fc8bf66e4df5738847f22d1b0065e9dbbbbaedfcb3701ff16bb801d3997668260c8e842e237cdeb39ec4adbbbbd3b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUUu.exe

Filesize
260KB

MD5
496079493f4d1bf9964dd1ca5841e9c5

SHA1
deeae77cfdfcc2c5d9a73d710ec83c5887f24095

SHA256
76823f95181ac70a1b1e5757d1394ba4b0dfa7c9dfa5dc157c9868a006740065

SHA512
a9f3694d0dc5607b663a8171d0a00caddd57514c3c0fd7246c7a16671359de599e4955f1d8c1469bd0d986a4bfa6808a2a174c2c0a4f4044470a24555cb453c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYK.exe

Filesize
908KB

MD5
ff03a8ec2cd5e8afcefc1949b1fe99a0

SHA1
6fa22507c15ebc5f3704a6f8d3d420361eb31ac0

SHA256
65fb1dceab7f1af2458836e6a59b7660a5bf4fc39a5e5ca9f8b01464fec4b284

SHA512
62afb3453021644ad003ee294c5d14fe5b59d6402a1f840d86627e42badc34a66c99d53a11f910447011d2577e3368d6451774b7964deb547576b48c991c2724

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoMG.exe

Filesize
384KB

MD5
98701cf42fc1611dba350f61a16a464b

SHA1
2982c5662bfa92e0655dbf05c89b0a7bc5a1d23f

SHA256
7dc9904a1578a13aa00e3da0276300cbcd1685a159b71cfae1bdf210ed025e20

SHA512
ec4acaa1befe5175ce80524a2a53862b54f7cc355b616ed298f4c2ab7d6a7c64d4d493d5f9387d5e6da1d29d3be0c14dd41331a5dbc554062fd81a9c987b79ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEgi.exe

Filesize
113KB

MD5
980ad479c5b84f743d7e4177d13c4050

SHA1
970a24ccb2e2364e0b69cf11ffb6034bdb52bad6

SHA256
8deeac201375488973c09e4ce501c8f538d4835b916d320d57ffa757b3141dc5

SHA512
b71b1289dfb52608f0ce7499b38a730a07d23d7207e83bf9cc20021694ed753636bcb2a628ccbe4ad17f44eeed8a2a2cc94de7d182b2241b730cb81d6084017a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEkO.exe

Filesize
113KB

MD5
c7fb37e5ce11c39384079fb81b07b446

SHA1
3b18a44703a14745aa0f7746d754b054d6dc9aef

SHA256
8d9d23a2503946ba301c6646d56abcb9e3494a0e409e4bbd7254d31e9e96b172

SHA512
4f88a98cede8e3f90222fef2f544df5810ff0005ce49917d472d06c10533f4503f0083101b78f01350258461dbd70232554b8e1ea127dcb817b79e239e7775f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIgC.exe

Filesize
115KB

MD5
8beaa97d40ab99f7b13335f5e0259242

SHA1
f73682456582db135f62de0e49a2c275c42a81b2

SHA256
5621ed374c5a128c5d7846ed9e19bea12fe663edba1bc4afd11aa598b66dde0d

SHA512
560aa6ce61d0a15b708d187d038eb2ee5019fd22a9d7215cf20adc4eb2d126e8998dc72a34038f4870a25ddd690851a619c0033fae00efa98bb43d12e08493dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgs.exe

Filesize
555KB

MD5
cbbb1b81b276d02b820ef7be90036056

SHA1
19ff6eb51aac67e0812111b5f6939a5c2646baee

SHA256
fab607d022fac6a6c1d96f1005e434a1844f2ba9440b0cd58518a0c79177b69b

SHA512
69fe95efde9e9439f395adb99cdefad8ccfd2a9d239f69e5ce643cdc5c47afa5c2e8ce18beab0f67e6339e9e173b6a9501d8b451a52cdbc361d2e6f4f34d2ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUwI.exe

Filesize
1.7MB

MD5
374484c4d9d4c8ed099fcadda1e917de

SHA1
753a6d6a573def94cc09e8dd8e3047c96ce9118e

SHA256
dae51443db473d6c03b03c5cb785c0a019b1d3edc66271f01f43d01e93fb3e4a

SHA512
69fbb6a3991ffe7ec308e7c601b06cfcddb3e8ee0bc73ffb2b4d367b5458c0f499f43f4a5bfa26541e4fe21df0c50005148d449edca1e896e8ac3bc2ac0f9138

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcoO.exe

Filesize
112KB

MD5
72ff0e0a5188df5bd7663440948a7c89

SHA1
719294c2d95aea7492dcebfc24cdaf203bfad527

SHA256
a3b5cc76c482cd1fb8398c16d61f64aa0a5cdd29510316ae451761cf3fcf2266

SHA512
834bf1e446a02e50da2bd1b743554327631742e05a5d20d08ed7fe55da27f8d2228b1e33fe7f91221c69706db1d6053530652ff0742c700f3ed288490726ea6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkYY.exe

Filesize
154KB

MD5
7c2099a88b6c482113b09c7f1b3bda45

SHA1
80b11deb8929bef97a83134bd8490be10b6e81d1

SHA256
c76f82e2d969bffca7967d53cba2b991c69212a03f604d09da330efee8190039

SHA512
f5cc4e06b4eb62122b09ab018bb5cdc315645b793a173078ddb6fb21e59bcf88f0a219d106b22f3dbb9450ee4dec1cf220c2affd432cf4c60e1390fd10258ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUm.exe

Filesize
111KB

MD5
beebb8c845e4b428ee6b497ef24ba362

SHA1
96e1db2bdc5471b76994279edb93e74a2a604288

SHA256
a127893c5cef1bb926a16c68254e07e153560eea5ebc30134c14b5505647eee2

SHA512
5f9952dfb442f5d8496b0bd6e6261f109440495bda00d301af7c08144b9868e27e239f2eb26d121111159e324df9fcdee7f31f0fa9ebcb8d3b1756a11084fc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwAg.exe

Filesize
120KB

MD5
b6bd3089877663156a598eeca5fc1ccf

SHA1
e6a6fc0ca4b54367d7f51b9672896dadd077098f

SHA256
b3bb1a1674833599c52c8d3fc143efcdd9d1869886ed5ce3f0bb23cfa076780e

SHA512
b10e70d1fdcda9dd730279fd2e54ab1fd0ab946a937e33fffd80ffc946a69c6c4e97d2973a6c02e542b7f21377620ed017b2362cc6ccb66eb6143ee56a74fa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMs.exe

Filesize
698KB

MD5
997e5c9cf3c55501ca0547e6eea95e92

SHA1
33bcf9acba183b520ac33ef6e4c2acc639764b00

SHA256
34acc3615ad60eddbf03ebdf9dc648186b385b83477a5f92fd1f489a5a38cf10

SHA512
ea8590767273785b574c0176013f7896de691eb5d41e86ff5c8f5d8a5badb14b9309fb1ae76f32f0447936a5f772fb68aad8d4cfb02c37d724178d34f9c08348

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQS.exe

Filesize
721KB

MD5
df9c3e2b0092541b1a5f04bf8b0882b7

SHA1
a29a7c133422f395601feff296bf55b55083d13c

SHA256
d23c3f009bcaa3df846d1c437a6c2a65e0f383c6e0e3dd962c176cc6ec763ad0

SHA512
8bdf43bc65d689411c12e5e49f48f4f3c187428159a8a2daf9889bb6939a1d39c5d46fb8559a83d85d70fc5111cd11509241e555b2cb159ef86d77eceaa6d346

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUok.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\acwY.exe

Filesize
112KB

MD5
dd790039bed271d5cbf0950a0164e3c7

SHA1
fe65cd142f0d2c22d4c5f78fe16b40d6db71bc07

SHA256
afce6aaac4a728910268c48d5ab1bf4d69e3b968c1bd0ddd852f00b83c8e8d64

SHA512
bf50a9cd2fa8edf6d4345cf24e67f2450188ee85f8fce10a5b1c4fe78f364d127ffc0b8546014e6e995531b1d626b399824dd762e1c0bcd27dceee5c2980eeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMw.exe

Filesize
564KB

MD5
16883fc38aed1ea16e999edfbbc7a8ca

SHA1
8b4e6ccb6ca56a79feb3efd7057772008e7eb258

SHA256
1cb0aed14625032732b7f96b260c2d5c25a40c75b21f716034611e5b724e3a90

SHA512
bab73c7853a800872f248fdf7fad650315811c3c8858291bfab7c2d0c30f9146a1614a73e10c5735d7fb292472f2e6279dbc3c18ac1c69fcf2bea5d5cd27cfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUwS.exe

Filesize
119KB

MD5
dd479e31111ac90c2715630bc2392e88

SHA1
9ca2d85c1986d808681f012fef9f525570858d67

SHA256
ed46c6dfea7507119f7c3ee63fd18327eaa5202aa7cdb88460a8913d4ab982e8

SHA512
70127bc700e95cbe48d0351ddbf6d795b032d5ad120b0b815946ffed79b0de21c16a17e05d675d69d0861a71ab3152abc1632399cbbf38a6d1542ca89546dec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccYk.exe

Filesize
116KB

MD5
399523021676d8b89002d51dfe887978

SHA1
ed7ab7417bea227d5c1b214a355bb95c61eae40d

SHA256
3ff4724591219ba0e62cdf37420506c4ea02dcbe6b96dbd09499883e0053da62

SHA512
c1bc9abc9b0b4708b7e204c6ac51267fdc74ea819b0d54e9722df6dfc783898d0b3d814fd4c5bddde949d1f3515b1a6c95bcfb6315f109017615001905b7d714

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwK.exe

Filesize
112KB

MD5
2ee96bd547322880de3180e717ad69d0

SHA1
1360f76f90d1a807568bc3529085da8d8843f3d0

SHA256
a06bd1a0e3f78ceb452454c3f089fbff0024ee631c7ae1409ce9ad20844da78e

SHA512
43e97e881fd61e96944bf5394329c8fa12a2fa43a2a846d26768e07c0b231e9669ce1a1e49354c228caa2d03641662e0260f4474a08dec6a637af7a526db7adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocC.exe

Filesize
110KB

MD5
e31c8e32b72e6c7275b6eecf23ea6900

SHA1
fd91814d398904de49ebed27c5be73338b227bb8

SHA256
ee44c12b707a2966dcd389bf69a87e98fef21e4a745a856c3897d508abacb732

SHA512
57ade7114dd465c540a1bd298f211319fa746a0e4d7e085d1b29a7204c0d79db8400785da3838aeca35a664477f010daae155c31107024445fd1372b0a40697d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMq.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAAW.exe

Filesize
227KB

MD5
eeae22e400b9618b829790f769cbc021

SHA1
ec4a7a76355492fe9d252f95bf1ea66b55d5108c

SHA256
8d71a0555ed944fa758246b7a6cb36c54c12c3e4753a1f3e04fc92c55692180e

SHA512
86ef4339dac55787be67f1357c5c305a09836c99318f69fb4d333e9986dd831a3dc4908011a3fcfa24d89b7be023efd709b1d8fd0e511957cb33bafbc9d79911

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAUs.exe

Filesize
138KB

MD5
e20330bddf19ea5a03e58ffcaf77cc32

SHA1
fe6f10ce8d1a841a15bb910fbde9c59ec3e811ca

SHA256
981bf25eb3d7594815e94920c1cf06eaa1e89aa2c7c293ac358e5b187a6ae9ed

SHA512
9f87b5cc9f50bce16f92cfb0401f6c7d7d93003712f88fd39276a0f4d8f479c4ec89e168290aa55e7cec56b5644079b379ad13075c54511681614ff779e64019

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEc.exe

Filesize
116KB

MD5
2f61e1da00de96a64f66826e6a731678

SHA1
7da3498ba0a20ae5c486628ced2018614a895855

SHA256
0e26fae9ae2728b384cceb73e94189811dea4ba20bad13870adb93796202a5c1

SHA512
4e838cf77b095b88a762ee5f14dac7b01c051ec1ce8fa68ba0ab4759e803bfc6fbc7acfd24303d87726b4a29567b9cbece513bb99ad1f3e4690a649a555b668f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkMk.exe

Filesize
110KB

MD5
68d9109636d74ec681f6e7aa893b5224

SHA1
9d0d0ef5e2e81d352769a66f20cbc8a20678b3a1

SHA256
3f93a2c3d701c796cf50d7c4cdbb7be8c19cf99c1359b99a0ad626053532ec85

SHA512
92d5b391f97db177fd78ac719dd7cafc1934e60a7d6a673b99c0ca8899d60e841828523b9237ef11c76119b250ccdab4d67fd83ad99697b517f6d54803229fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAa.exe

Filesize
114KB

MD5
340ca9dd51b6d653c1e42ce25c0320e9

SHA1
64899a1822ca4d33b4e777b3d69799c96fd29760

SHA256
0b8992a8bfc3e5fee0b39351d955d49cfc2a3a4b75d836d5c46fbd487b63f17d

SHA512
d743089cd866616e58e16b330f16af764cc4e704769d5dd3640713e71b006c72ffa6caac9198153e9c1d35aed84dc66980da910487e54120c08faab6e8192189

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssm.exe

Filesize
620KB

MD5
76e8a0eb405d83299b4f91201b518fe5

SHA1
01628298582f873494e296bffaf5e679b003a25d

SHA256
42c1f0d341d190f6111a8fe1153d992167df6c54ca2a0ec36048558a7482759a

SHA512
def157abc47df3ea1785b88a901a17a291a79895d6041dcbcd3b41c196431bd941e8d9eafc006f260c3f0e55b8ffae4e7f652ba93fefc0b9a2881b5427108565

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQEs.exe

Filesize
117KB

MD5
c8951ce005ee638f62e95051935277cc

SHA1
1e722714230a620d0f03704d2108b4d63a061e50

SHA256
b72638b360f033b65d9bb214ba9858b5a90878e2350d6737915a8ac42074d705

SHA512
a704d4a1457171c195c2c19aaf852390fe05b89c240bc71da684ca125bbf99e46ee25bd2cca881d29cb60a131219b584630f05d43ecd5c751e1fc93c0514a310

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQoG.exe

Filesize
110KB

MD5
5e72d3a8f9e47ddb42cf31298ae3a745

SHA1
499543178965720c61ccef3ace3a27e4b0d3ace7

SHA256
3d7cbda5151ff8f7d5da86ce11be2f5f02937556660ad35c9598b94ce42ba3e3

SHA512
698352af771c1310d8c73320c6fc9863b7284dafc7ddc7d5e1e2cd95922ac24eb1c16b4b70f4757da46bcc2f3164c5971f855c6abc30800c06415ec92dbe1483

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYcO.exe

Filesize
111KB

MD5
96f04e681fa63b5ec170b5d2d329ec63

SHA1
a04b05bad1bb10652476ac300694bc858d406264

SHA256
26fe278b67c378e1ff87d74647b934c53632e9d37f9ceb05ada5ae3e39d28ca8

SHA512
ae556045086acce325dfb2eb8ddbb59b520d70c12efdd8c0db76de1b3e18fad09273f891ec2ee141e3328d53b54538bb1ecaf77828856278af38e73d6d977537

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQce.exe

Filesize
344KB

MD5
f4616a950d285336527d6c2566d31d96

SHA1
47a03836ce18604364515f61889c3dde5f266d67

SHA256
2c618e62ac5b700ac1861057b66f9c911298fdd89bae9527261a469853568a15

SHA512
9ade32e815797e15aefbfcfbf98054a8434b63241b8fa880dbb43ae9da8c14f345b1b40bdb5a93a727eaba8869e64f526f7dd2b67fb4a696a2209bf8574d9cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMW.exe

Filesize
485KB

MD5
7b4108cb62b816a768bc14808d7a81ca

SHA1
b877da6121cad04b1aee6d866085138ff5991974

SHA256
d0adae914f19719c7d9eb01ff4bf84385809ceba753a1fee663b457b46b36914

SHA512
72ac003b85d4f31b2bad38e43e8dcbedc544fec9c07e95020a32169ce2d59806ec38991aeca8148a9b3e2114531e211a9ea2441ef4076b115841f5194c0e5351

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgI.exe

Filesize
112KB

MD5
e0158c0964923e94422a5c6e04ee33d2

SHA1
fcea8058703e66f6259ea08f31ec40c834976428

SHA256
d084aebcdbb813cdafc78aea79a90b07acfdc52aff7d7bd25d428e5ae3a0f766

SHA512
c76b3b977959c903f1242702bf3434b48e8022e36c3c78b2f73cd5f550c1e27011686039b0b079e00395fa5d0ce3254e4aeb63f7caa513d8ba7904b4bbd4f337

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkYs.exe

Filesize
946KB

MD5
8097a517c9174f1fb343736c2e530eb1

SHA1
0a6f53d449868ef1feaca3a0d11730a4fb719121

SHA256
75554cb0f827076cee88174c4b73f1dbe69d42c2da4ee5ba244d814c494651bf

SHA512
86e47ad80e43ce07b87920f01e00765831f85aa04f034a3a24c850605abc7fdf3ebdc42ba815f3eb05ec90857248ee56a248ca9ffa2179ac78ad6c27cb8b1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\moEO.exe

Filesize
238KB

MD5
da7c570bd60f63020a0987c4df224cde

SHA1
6b3b1490fc7c07e715e31be1710ddae0d38b3678

SHA256
4885105aa344bf38f5b4da6a479be1acbf21ce21aef5b2cd390f0b525ffc2c57

SHA512
0c87c0e1076490dd3ed0dd715e52b2c0d3b839e797c25b8b50b3ea6d2ef584ba12e405d74f3c17b96169c3331823a0d68e8646c4f07f00fda2ebd5e5e3ef46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUU.exe

Filesize
1.0MB

MD5
44108e275a1dccf49f347bc74775042d

SHA1
f5b981f2b8da3d8f35894cbdb908924705f50d9e

SHA256
d4e263cc65c2cfcf34e9df16c453065873022e17b95edd5c1fe94675869c1a01

SHA512
828b501ec5d2523e9f422945be1d489c164897c346ffd4b1a7d72a79e2d1b7a99464ba67c58859b903dc526f8891ac1a564fa61eec82e80ea6572934ea404f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwgW.exe

Filesize
554KB

MD5
3ab1976b5b6f756c9d985e01aacbaf3e

SHA1
61edd4bac6905d772ed7fdf2c8a89aff7314fd52

SHA256
0c072de0e3759775a2e3111eaf89eae282c1979078f9fec60f23b7321f956cc6

SHA512
86ce2991d23f260a60e152f7ffb446a57fe8481a7a9cf4d26fe72b49ff2ccd44898f216be55db27f4f1c67753b24f5b5c2fe643bc6c3b68cf19ae2f9007e47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUE.exe

Filesize
139KB

MD5
0a9ad02c0dd3368752c54ee6015df346

SHA1
b33ad8fa02e9e144902d28a49cf6d7c6ca0d683d

SHA256
52574fd04ad67b0497f2bec97c3f61f30ab805393e449a5912fd3b1ad28de209

SHA512
9c814e7d308db4a98b15e3ea6fe16e2985e542c567e36d28c85d86bd2a38c6bb81b241f6f1bfb90818f206f4b952c6dfa5f59a0f41ee9e46e73e9fcd19013de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIIW.exe

Filesize
117KB

MD5
df9dace6e04722e4462500cf0398eebd

SHA1
55152d0ca1b647e915c2c6c29d4b22d7282f3e17

SHA256
f6279d53b6a75059b98777f479d762720600c80a13512aa6904ccea1fc6d0b9e

SHA512
a3b4977a43297f9efc8040ba060e91b5bda6879fb152fca08b39e1cea52964a03de847f195e21a646b1aea2877177d0cfe1904f564a6f931c128ca6c12000c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQQS.exe

Filesize
748KB

MD5
69af0abbfb6961ba2a22ba05307b5142

SHA1
7d385261ff3f9e464dad08e550d58b88718dd982

SHA256
d3b07258849893d3b5c301647b05e335abfbde7437cb3754ffaf220516cefe6e

SHA512
54959f40bdded97cf432ef0982e37359fe5577d713499beaf7f44efab73ddb941603a369f9e7546316b81ff0ac9d496926d0c0217655f4c1b001e314da04f6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMy.exe

Filesize
236KB

MD5
a1ebba81c52628689af80e85a9f73650

SHA1
9e907b24e5e1ea350f2a5dcd516d1e41c6e4ba6b

SHA256
da648ddf843766d61a4115676a2371dad9204fdc48b07d2fe050ce8baf09177b

SHA512
ecfd48c5c5c8afdfe3fa3de89a5fd3071827457e3a9b6a713233fbc30004818e7ae7fe8f945d93e48b8b27824487ccac76dbee079fd2018af7c06822c3ff9ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMg.exe

Filesize
112KB

MD5
51041b1d9098e8aafcfba4de1fa5fb3c

SHA1
4173cab4f8ddbe03ea4e9674fc190ff2f9ed2f8a

SHA256
3849d5b30f68ce177fb02943c170e581396b967f2369d06bdc08c1f01e97b067

SHA512
1d740bbee06cefc0738d0e208b7551930396edc5397fb0bb7cac3a5c6f814f28d99fd253ac5819371636b0ff376be8a5f42726c0eed3637d22809b4722790e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcs.exe

Filesize
112KB

MD5
66b66bafc3d81c37cb40a3d8f211e787

SHA1
99d7e6e895c59821a00b65246c54734d08ed83b9

SHA256
7dd3253abdd031ab41396edec844ce2d181878f23bea5f59a237230387b82a01

SHA512
c43ca5bbcfbf1afc3fded40ea8c568cc90c1a396ea47c178257016294cd13e3495bd3c06b82cb80d606eca1a43312a88c100364806b19098ad00bee2220c5f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQsi.exe

Filesize
111KB

MD5
80ea5cbc3431fa9ee9f362d0712f197d

SHA1
f0e5a12e8ddbd9cc3afeeb1bf8c4f469ad146584

SHA256
8a2dcabc8122d319aeff539bc0d1a7e37e84335413a2fc5b395ac0f744227101

SHA512
fc2e5f553c01662efd0ff75a79350bf0f5c6d82ab21a0116f4e328d9286961bea9d1b2404c1bd00138d0b94601c5c7955a35e85075c5187249135b71a449756e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcoM.exe

Filesize
111KB

MD5
2e250df4bc0e42edbbb8e069c7ea5dab

SHA1
c2cafbc3ea8970e2e814cdffd0b437de456ac22e

SHA256
36ac3bd73340e8ef8f571b1ce81da6595ae3570b7abc812bbaa7a08ed9966eae

SHA512
681cb2e437935bd2ead722c9328f6ab8e22eac6f41bd39c45232372b00650de97c2d843ee33ef84d2c392379438b41c4b9c891f8b6e76f110434954af7489c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEw.exe

Filesize
132KB

MD5
b2bda45022cf0676ff2d4b90958dd98a

SHA1
34bf735496f89b6941683ba55eeb5a7d529cf5f9

SHA256
659912f365544f154368099a94912b13e5b4125799080db2153ae974ec6a0971

SHA512
2388734bd9a9eb72e13bf176dcffad7c7328d35e3a303b75f17c76d6ba97b3bbbb22866c0f1d621e821b6579726f04cb0dfe988cb02cede995ae7e1c50a885af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAg.exe

Filesize
111KB

MD5
e2ae3afdc9a204ed5f8988aad4dfff4d

SHA1
03dfd2f3cf238c91072bf76e59aa4f4c5741416e

SHA256
d462e4cca677d1b38fcf6db5ab8579cfcbee3149eb948f0db72efa39ebfc1715

SHA512
a5c7cb725b07c3a7fcef7e7a6ac8c2e69bec7666a07c5ebf54b3ff3ccb76b205a79daf006e010eeaa7b77ba87486db0b49b47753feb344a96ec0683cc979bd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\qscQ.exe

Filesize
720KB

MD5
9a9d218b9ce24c3d6430cfca271eef2e

SHA1
72f6049b7741868cb01fe894ba7cc826a0cd54f8

SHA256
e179da2da1845981e17511fa7b82ecba3a1e8c1544191806243113109a7d2a7b

SHA512
492d06703f6d5736f96e99968149620ade58d390c9b629637223638d4499503852a5e93aa7f80c13145642be6a35d2d5d78fe657c9786e33a50622b5ecdb9890

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskY.exe

Filesize
150KB

MD5
572b92e093ef9c50e59792a694499db4

SHA1
7d34342cb7f9037e5a6ab8a9c54aaa13cde70227

SHA256
40dad8cc6a8b1f6233c6a37c107803134f685a4e95379fe397f1892c38d79815

SHA512
a818fcf53dca462061534f142b16a2aca4073d2b1ca678e7b35c32c5205fcbb291b922f2f8f031fc7f7f2760ddeea86ca4974a5609685363e24c9d6a610c75d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIoU.exe

Filesize
112KB

MD5
14484464eac348f3b996a80a7e5a6429

SHA1
d6faec25bc822cb23578a7788b024db0eb9c9f5f

SHA256
b52ec7eb57f90f9f1159c80129e7566f8a23ce1e61230a917c9f36ed996b8980

SHA512
1b89f37a5d137765a377fd4cebaaf3471eacc2636b82240018e5d67263d653c6509b75bef6f5f4cae5735c4113a06e1a5ee310cc2cc9fe711d40128512c1d985

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYcA.exe

Filesize
236KB

MD5
bf9af6bef04d8c18e5c2e9eb42d08fd0

SHA1
0afce484617ab832ea1fab77d9716f0de5ff165a

SHA256
b3c104875acea6036a6164ac22551237c108df77069ef17ac11b6a58ac7e1a5b

SHA512
99fe1db0cf6751d8e0af68aad1491dfb6dc642397d045d1af0fc1f4423a7a70003b9ab64dea9d3f70bcff074dcb4f95732db49063329623d1dcca9ef90f27135

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEw.exe

Filesize
115KB

MD5
53755505feb4fb478a1a0f49dece8f9d

SHA1
6bc9acf4d85e039bd7cb61a36741241fc0de3455

SHA256
7e86f09f23dc48f4efa1eeb907abbe6326611289e1e7bafdb627f5784db93669

SHA512
607817237844e29cac0b580b9354746329474e859b877db5441c5e52e253a5320eb5168268d6027c899c65244a4f2d206e5049bf38e7916f599ff2827156d9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsE.exe

Filesize
114KB

MD5
53da15d59b2ff35874d1e00ac264327e

SHA1
19e0a7c1971d0dbe5bef15a862a8ea2c77c39d07

SHA256
80c5092cb99da80e98c9964a7670c20d958e1943b23ea7b3f09660f9ed350e27

SHA512
df4cbc4934d6e652c68e46564d37d233ee741fd5b52dd92283465eb68dd114ee6ed6256ab394e27a2717e6f41ef34c5c86563ef18deace5e6495a18d4723d661

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQG.exe

Filesize
118KB

MD5
f1c5fc674ae774c500c66436923824db

SHA1
e32518de7cafa7a69ad2b919f01b83f9c2b81f25

SHA256
07e0b8d1c361ba29c76979836d0b22aaa4f47cd4daaa8cd0dd50b9579f8b74c4

SHA512
db5971d7272c4b14850f3feef760707a454138802f56617bc0b6cbabafb6278a0b32f2d087681b06f21df39321f1f12c3f49641362c0defce5a5c8d5a3769834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucQg.exe

Filesize
115KB

MD5
395cc0af448c04688b58b4ff3fcc6d2a

SHA1
f42b6c90e176d84bbe279506b13de95b0dcf7f81

SHA256
4863eb5fe6023753176312c041fde49bbf021814f6c67af8e061db39283aec94

SHA512
70561b514d2bab980a804b90e235cd472cf2fa507d6afef7a535324c4337869b4bb25413fb1147fd92024e1a26fcb141f17ded0ab9a53aca155e40ef45e62f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEEG.exe

Filesize
111KB

MD5
9a1fadd1088f6067c50cc261266af2e6

SHA1
751112c2b2f1d91487bde9f9703704ab80de3f8c

SHA256
818dd0325588a99d676b36daa85a15e491b41e087f980d88b51ffb146b84e560

SHA512
2b135d2e1f289e5c34b99ec59160f8fc6f9a95b9fe29d571e39283f65fa44d4d6a4be9553f65b372e7ec88f6dc68271f345c8f8e4245220146bd6cfdccd26923

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcK.exe

Filesize
119KB

MD5
fc95aa17a6a737b08c31998dffc37836

SHA1
4cf75c7cc0cf38315d82a2fcfef10a4bb25962eb

SHA256
02bc4d71a292aea4cf1ded24ddd3a9780a90599ee3309084aed288179c7cf219

SHA512
609019f98dcc0fe8f3742cf4056bb80c785a82a06ebc01307b227bc3ff07fbeae17d27bfbb4a88cb4e1fc899474a520e32a5f86b873384e66a3a453a35d1195d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUMi.exe

Filesize
775KB

MD5
880e6e8087b90fbd7fb8f77cb34f2336

SHA1
c25279d47cd692b865eafaff4233bcfb9d043d85

SHA256
6d4fff68418440edf6d6eb7efc642af846dab9f6f60bd77b948354841330b633

SHA512
029bd14b98ba0d12cedd3d2193900bfbc32357a3a5f8387b32d684c70476f3c3e21747fd125ae7f929a0e5492c90f32500112ca29f159c65fca00a91ce225583

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogm.exe

Filesize
111KB

MD5
8d1bd38458b9db81a475771ba062b79e

SHA1
ca82d880e077cee950929c9f5fc19dee6f60bf65

SHA256
d9d0ce015b11eb0b3ad59462d5f475216b18edbe1d42a8472ed9832ed5e60a09

SHA512
126a38855f23ee5caaf1c9387dcc4d713da63bb140674b3a3c7e7aba66c06f4724c383f9879508b048ae13cdf8caef05956e2d305fe3d06ca94cbf64cd49407c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQm.exe

Filesize
115KB

MD5
d27b51665528286ab9882a59a28495d9

SHA1
c8b02bbf56c800669c180f7c3be9a02c492f5dd7

SHA256
ff1fce1b0d4c518d73efb35d5a2820a3442a8438256a7d1c8853c6a957ecd531

SHA512
b7452e7a590b1bc85fb615e1eb025c8c9673a346c33048ee5cb280560905ffcbbe57030ad3a8a8c5e1e7c83bb1dde9201d857b27ea1d4e29fdb7056b7c16e0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycsw.exe

Filesize
566KB

MD5
13fa1c1d41e76a9781023acde37f7403

SHA1
4356d0ae7f14404aae48e6a869b1cdbd71ea2db0

SHA256
8d12f14499510c7212ba095d67c3cafb04056811015b437e8a4605fdf7c944a4

SHA512
ab677a87487ea5e6afc34cbb3a0e1b59411acd2724af6185ef7756c93f6607438f93cae68343be647c782af6e70ca70578cacd24b9f926435fb70cfdc0f7909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywkM.exe

Filesize
431KB

MD5
d794e963f31bfea9b05a4873900cc46c

SHA1
9aa3e682f866b422c453645db2bef247146b3b68

SHA256
93187a39d3f455a71110a414a953d08ff6197352d713bc77433a6e20192ca0ca

SHA512
a8dad38921c36432471516f4f7d60a9de2c874939cf77df51b123cf78a4b4940dd8fb159ced6f085eee495f733e62322c186cf279c25023f69b985805fb16636

Download Submit
C:\Users\Admin\gQQwUkkE\IwMIkcMQ.exe

Filesize
110KB

MD5
fa504bbc3b87b7a0f2078dc66bbc8b48

SHA1
d352205a8d48cf4b0ab739455e9ddad6bf0cf8b2

SHA256
985eefd6caa0421e013b02cca044056c6d243459d2e0af546364f33da0d3eace

SHA512
e31fe40d8c6628552eadf643cfa2d389d1f85aff5b5f3e4bf185253bb9555b227dfb924a81d2c5af91199244a9faa3eb51dfd57cdf98643a3ee5cc62888f4275

Download Submit
memory/396-440-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/396-431-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/548-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/548-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-449-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/892-255-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/892-239-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/952-490-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/952-503-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/972-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1216-528-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-264-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-251-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-361-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1600-432-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1600-423-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1680-422-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1680-414-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-481-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1728-494-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-377-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-307-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1948-295-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-308-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2136-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2136-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2180-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2180-125-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2184-299-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2184-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2196-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2196-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2208-332-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2208-343-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2288-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2288-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2380-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-184-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-475-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-485-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-386-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-378-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3036-392-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3036-405-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3376-260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3376-272-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3652-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3652-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3668-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3668-160-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3688-231-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3688-243-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3740-413-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3740-404-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3872-519-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3916-369-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3916-358-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3980-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4036-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4036-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4172-499-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4172-511-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4196-230-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4196-219-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4212-396-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4212-387-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4388-351-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4404-467-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4404-476-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4428-525-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4460-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4480-281-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4496-317-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4496-326-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-218-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4528-204-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4660-458-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4660-450-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4708-126-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4764-207-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4824-278-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4824-290-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4828-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4888-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4888-114-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4944-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4944-335-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4948-466-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4968-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4968-103-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4968-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download