30264b5993122c541fd30703046019ab0a050923b1d112dbe3adaa7486b1ba89

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
Size

203KB
MD5

7c371d13aefb5594f50c8d7a8bb03410
SHA1

b4e3647a35a520198a0c3c6594f9adfdb1339a9e
SHA256

30264b5993122c541fd30703046019ab0a050923b1d112dbe3adaa7486b1ba89
SHA512

f9e65ce5027840daa668336f2c8685fa7958cf09925d95c8354a90a20ba92d667a3226b810a40179c373ab71fc77d3b1f8eefd160864eb8fbe50d506d4b72694
SSDEEP

6144:u0waM/BuBVBFjBhjJ+jyZGjwHRwTvPjsD5dJjHZmN8je/eOLjpdjBIjBgBQ8ISAy:lzTWTSNlGx

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 4 IoCs

Processes:

flow pid process

36 2500
39 2500
42 2500
43 2500

flow	pid	process
36	2500
39	2500
42	2500
43	2500

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

KyMcUIwg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KyMcUIwg.exe

Executes dropped EXE 2 IoCs

Processes:

tyIsYYwM.exeKyMcUIwg.exe

pid process

3560 tyIsYYwM.exe
2848 KyMcUIwg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3560	tyIsYYwM.exe
2848	KyMcUIwg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exeKyMcUIwg.exetyIsYYwM.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tyIsYYwM.exe = "C:\\Users\\Admin\\nKAEsoMs\\tyIsYYwM.exe"	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KyMcUIwg.exe = "C:\\ProgramData\\UwcEEwsk\\KyMcUIwg.exe"	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KyMcUIwg.exe = "C:\\ProgramData\\UwcEEwsk\\KyMcUIwg.exe"	KyMcUIwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tyIsYYwM.exe = "C:\\Users\\Admin\\nKAEsoMs\\tyIsYYwM.exe"	tyIsYYwM.exe

Drops file in System32 directory 2 IoCs

Processes:

KyMcUIwg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	KyMcUIwg.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	KyMcUIwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
744	reg.exe
4952	reg.exe
3360	reg.exe
2688	reg.exe
5068	reg.exe
2488	reg.exe
5044	reg.exe
1828	reg.exe
4784	reg.exe
4704	reg.exe
4656	reg.exe
4332	reg.exe
1192	reg.exe
1416	reg.exe
1700	reg.exe
4348	reg.exe
3532	reg.exe
4496	reg.exe
4844
2760	reg.exe
688	reg.exe
1196	reg.exe
2252	reg.exe
1828	reg.exe
4928
3096	reg.exe
2460	reg.exe
2252	reg.exe
3652	reg.exe
1204
4668	reg.exe
1272	reg.exe
1328
2324	reg.exe
5044	reg.exe
1512	reg.exe
3864
548	reg.exe
4648	reg.exe
1440	reg.exe
3780
3780	reg.exe
1536	reg.exe
3908	reg.exe
1032	reg.exe
1412	reg.exe
3408	reg.exe
1536	reg.exe
3652
1832
2344	reg.exe
3048	reg.exe
2460	reg.exe
1872	reg.exe
3652	reg.exe
1296	reg.exe
4768	reg.exe
4548	reg.exe
2224	reg.exe
4452	reg.exe
1512	reg.exe
3192	reg.exe
4856	reg.exe
2724	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe

pid	process
4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
736	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
736	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
736	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
736	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3048	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3048	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3048	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3048	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4312	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4312	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4312	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4312	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1920	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1920	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1920	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1920	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1060	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1060	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1060	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1060	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3096	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3096	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3096	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3096	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1200	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1200	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1200	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
1200	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
5004	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
5004	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
5004	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
5004	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4992	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4992	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4992	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
4992	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2712	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2712	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2712	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2712	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3424	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3424	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3424	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3424	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3756	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3756	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3756	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
3756	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2136	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2136	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2136	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
2136	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KyMcUIwg.exe

pid process

2848 KyMcUIwg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

KyMcUIwg.exe

pid	process
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe
2848	KyMcUIwg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.execmd.execmd.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.execmd.execmd.exe7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 4868 wrote to memory of 3560	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	tyIsYYwM.exe
PID 4868 wrote to memory of 3560	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	tyIsYYwM.exe
PID 4868 wrote to memory of 3560	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	tyIsYYwM.exe
PID 4868 wrote to memory of 2848	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	KyMcUIwg.exe
PID 4868 wrote to memory of 2848	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	KyMcUIwg.exe
PID 4868 wrote to memory of 2848	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	KyMcUIwg.exe
PID 4868 wrote to memory of 4268	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 4268	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 4268	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 3044	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3044	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3044	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 4144	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 4144	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 4144	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3192	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3192	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3192	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 4868 wrote to memory of 3492	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 3492	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4868 wrote to memory of 3492	4868	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 4268 wrote to memory of 3404	4268	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 4268 wrote to memory of 3404	4268	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 4268 wrote to memory of 3404	4268	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 3492 wrote to memory of 4072	3492	cmd.exe	cscript.exe
PID 3492 wrote to memory of 4072	3492	cmd.exe	cscript.exe
PID 3492 wrote to memory of 4072	3492	cmd.exe	cscript.exe
PID 3404 wrote to memory of 3980	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3404 wrote to memory of 3980	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3404 wrote to memory of 3980	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3980 wrote to memory of 3684	3980	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 3980 wrote to memory of 3684	3980	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 3980 wrote to memory of 3684	3980	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 3404 wrote to memory of 548	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 548	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 548	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 2688	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 2688	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 2688	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 4924	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 4924	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 4924	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3404 wrote to memory of 1996	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3404 wrote to memory of 1996	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3404 wrote to memory of 1996	3404	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 1996 wrote to memory of 3012	1996	cmd.exe	cscript.exe
PID 1996 wrote to memory of 3012	1996	cmd.exe	cscript.exe
PID 1996 wrote to memory of 3012	1996	cmd.exe	cscript.exe
PID 3684 wrote to memory of 5104	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3684 wrote to memory of 5104	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 3684 wrote to memory of 5104	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 736	5104	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 5104 wrote to memory of 736	5104	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 5104 wrote to memory of 736	5104	cmd.exe	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
PID 3684 wrote to memory of 1256	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 1256	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 1256	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 2296	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 2296	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 2296	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 1156	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 1156	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 1156	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	reg.exe
PID 3684 wrote to memory of 4848	3684	7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\nKAEsoMs\tyIsYYwM.exe
"C:\Users\Admin\nKAEsoMs\tyIsYYwM.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3560

C:\ProgramData\UwcEEwsk\KyMcUIwg.exe
"C:\ProgramData\UwcEEwsk\KyMcUIwg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
8⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
10⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
12⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
14⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
16⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
18⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
20⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
22⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
24⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
26⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
28⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
30⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
32⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
33⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
34⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
35⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
36⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
37⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
38⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
39⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
40⤵
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
41⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
42⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
43⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
44⤵
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
45⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
46⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
47⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
48⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
49⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
50⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
51⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
52⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
53⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
54⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
55⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
56⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
57⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
58⤵
PID:924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
59⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
60⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
61⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
62⤵
PID:4580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
63⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
64⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
65⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
66⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
67⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
68⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
69⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
70⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
71⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
72⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
73⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
74⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
75⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
76⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
77⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
78⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
79⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
80⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
81⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
82⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
83⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
84⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
85⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
86⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
87⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
88⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
89⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
90⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
91⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
92⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
93⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
94⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
95⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
96⤵
PID:4060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
97⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
98⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
99⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
100⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
101⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
102⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
103⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
104⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
105⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
106⤵
PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
107⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
108⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
109⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
110⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
111⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
112⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
113⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
114⤵
PID:876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
115⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
116⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
117⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
118⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
119⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
120⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
121⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
122⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
123⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
124⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
125⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
126⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
127⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
128⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
129⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
130⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
131⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
132⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
133⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
134⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
135⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
136⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
137⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
138⤵
PID:1560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
139⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
140⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
141⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
142⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
143⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
144⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
145⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
146⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
147⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
148⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
149⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
150⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
151⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
152⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
153⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
154⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
155⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
156⤵
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
157⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
158⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
159⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
160⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
161⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
162⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
163⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
164⤵
PID:944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
165⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
166⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
167⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
168⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
169⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
170⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
171⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
172⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
173⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
174⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
175⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
176⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
177⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
178⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
179⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
180⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
181⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
182⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
183⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
184⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
185⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
186⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
187⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
188⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
189⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
190⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
191⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
192⤵
PID:5096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
193⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
194⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
195⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
196⤵
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
197⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
198⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
199⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
200⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
201⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
202⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
203⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
204⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
205⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
206⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
207⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
208⤵
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
209⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
210⤵
PID:2580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
211⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
212⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
213⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
214⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
215⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
216⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
217⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
218⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
219⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
220⤵
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
221⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
222⤵
PID:1284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
223⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
224⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
225⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
226⤵
PID:736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
227⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
228⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
229⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
230⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
231⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
232⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
233⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
234⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
235⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
236⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
237⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
238⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
239⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
240⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
241⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
242⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
243⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
244⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
245⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
246⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
247⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
248⤵
PID:2040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
249⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
250⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
251⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics"
252⤵
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:3080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiAsYAYM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
250⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOIMIocU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
248⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMYUckwU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
246⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMgsUQco.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
244⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuwIoUMg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
242⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKkoMMUU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
240⤵
PID:4840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:1536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIgIMAEU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
238⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsYsMocg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
236⤵
PID:2372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIMccsQw.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
234⤵
PID:1464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaAAIkAE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
232⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MksgAQkg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
230⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWMcQAoA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
228⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daYwskQA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
226⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWAcwAkE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
224⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:3044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqggIAMg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
222⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:3080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUsQAIE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
220⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwsMQcIo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
218⤵
PID:2680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:3360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQswIgwU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
216⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies registry key
PID:3192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMwkggYw.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
214⤵
PID:3876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAQkgUUY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
212⤵
PID:3540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEswUkYA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
210⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAoMYUUc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
208⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYogIEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
206⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEMIAEcI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
204⤵
PID:448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaEAQoUo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
202⤵
PID:2532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meYQkcAU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
200⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIgYoYwE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
198⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaowkckE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
196⤵
PID:4056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies registry key
PID:3652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:2136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYMEcMQM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
194⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCMwAIIo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
192⤵
PID:4652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkwwkIYg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
190⤵
PID:3216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmQMQUEM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
188⤵
PID:3700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuIsIIUk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
186⤵
PID:2904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqQAAIwo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
184⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwQgIwMA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
182⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIwkkAcE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
180⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKUMkwkk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
178⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
- Modifies registry key
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYUkgwAA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
176⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeEEoEkY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
174⤵
PID:4064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiQgYAcE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
172⤵
PID:1196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEkUYcEA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
170⤵
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSEokwUg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
168⤵
PID:924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkcowIk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
166⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- Modifies registry key
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWgoowkg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
164⤵
PID:3404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwkYcgs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
162⤵
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:3360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies registry key
PID:4548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:4536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyYswkgE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
160⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:1544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkIsskY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
158⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuwwcwcI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
156⤵
PID:1296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWgcIsEM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
154⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:1816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgoocUEg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
152⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PygYUgcU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
150⤵
PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAcIEAU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
148⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imYYcIws.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
146⤵
PID:1220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAoMgwwM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
144⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- UAC bypass
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wucIEgEU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
142⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcMAIcQw.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
140⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSkEcgUg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
138⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:4648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAgwUckI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
136⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIUwUAww.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
134⤵
PID:3424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
- Modifies registry key
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEIcQock.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
132⤵
PID:4692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:4952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaMMIIsU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
130⤵
PID:1560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUUAgYgg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
128⤵
PID:4652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYUEIQsg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
126⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
- Modifies registry key
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuwswkII.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
124⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyEQQogE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
122⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeoscgAw.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
120⤵
PID:1044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWwcsIck.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
118⤵
PID:3360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaoccgUc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
116⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUEIUAgk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
114⤵
PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEwMUgIA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
112⤵
PID:1588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEcAMYcc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
110⤵
PID:3488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReEogMoU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
108⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMYIQIkA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
106⤵
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIEoUgQM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
104⤵
PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQoYMYgE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
102⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyEwwQAo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
100⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
- Modifies registry key
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQMkIUoU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
98⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQQMoAMc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
96⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWMgkMgs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
94⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKsMQUoY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
92⤵
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEAcMAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
90⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKMUMcUs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
88⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReQMUcIs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
86⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIgoAsUE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
84⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeIAMgsg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
82⤵
PID:1088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoEQkAoI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
80⤵
PID:1192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIEUwQIA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
78⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsMYMEIY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
76⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meYQMsUE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
74⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyMAEggk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
72⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGsMQosI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
70⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
- Modifies registry key
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiYgYMMk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
68⤵
PID:4552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
PID:1952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymMgkQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
66⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgoQYQso.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
64⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMgkYQUI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
62⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGMYMkkg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
60⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQEogggY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
58⤵
PID:3020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQwwAwUs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
56⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkkIkUIo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
54⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsUYgUQE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
52⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkIAUkYM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
50⤵
PID:3192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:4804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAAEwcs.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
48⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKEAcMwI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
46⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKAQwQYI.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
44⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAAIgokM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
42⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqYsQsIc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
40⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQYQEUUw.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
38⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teEUYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
36⤵
PID:1516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:3096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwAMgwEY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
34⤵
PID:4896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqwocUkA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
32⤵
PID:1320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMIogIkg.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
30⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwAwMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
28⤵
PID:4308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuMcckAE.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
26⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsQswMwU.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
24⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boYUQcko.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
22⤵
PID:4188

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwkAMwEY.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
20⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cecIgkMc.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
18⤵
PID:4300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgUwEYkM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
16⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWEcwQAo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
14⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEIQwsUA.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
12⤵
PID:3144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmgsssIQ.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
10⤵
PID:4344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncUkosMM.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
8⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCUAkQEo.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
6⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIwQAYgk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAswEAkk.bat" "C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4072

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
234KB

MD5
917429fbfda3c94c451530c4e0e8c69b

SHA1
7eb0d5ac292cf5d77cd75a1f41e2faacc62a34e8

SHA256
48dc33256dd95706781aece6fb607bb25be23a4ea7b764a7e99da925e74b7835

SHA512
a0de5c2d11761ad890ab3083b1c506fc2c6f907ae7f2bed58a3914c9ac96e319c7e64daffedde0a1f22fa42681054b6062bb0776abe9c6edd89d94409f38d6e6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
235KB

MD5
b83bfad3efaecb125e5959b63ab62bc8

SHA1
3071eb6a9311c0c1f519018b2d7d3e780b6a91b3

SHA256
328c51b4f05cc53f5c82d2559826007f366173cb88b2d2788d8205021caddca2

SHA512
9cfd4d22ec4c26e6a87a0134ddd094ec42a32b8ea774f7993462dc1a561cd09ef336d46df20d304d1eb16e2b69bf967ba5eb33ddc524bf6329a9c3a2111c15c0

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
210KB

MD5
c1bc9992270bd67503a0e67002b38812

SHA1
431f494b97f07a054abfb903bc677dd15b378593

SHA256
30c443f2063a4fa3c0776c62189fb06f3eb6cc967d1b979ff942008688925455

SHA512
1ebbda9deea0eff0bcb1638b352bcc38eece9128a3ccf149e5c95922d6e3c96a66993620b28b959a7bda87e6fafb33dd477234624ea73fdbc303ade020a5f53e

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
652KB

MD5
4236c88c4afa1a56f39a1bd7cc97369a

SHA1
1286a61f81f9b834c1ebe3b335170dd8f08ad921

SHA256
fd71900d1bb6660788a40d2119bd23a81f09c9e5c0654fea629540b08bb9c67f

SHA512
8015781d09b8a2e07a8a378d10b5dc8f220620904096a06d3297b66ba68f81e612ebf15c239d23435500b7fedf87e3837e537978a28049e0afff8017b4eba4de

Download Submit
C:\ProgramData\UwcEEwsk\KyMcUIwg.exe
Filesize
185KB

MD5
3dee972a5b23e65ced3739e56b348b53

SHA1
e9a53bd805e9c1ccbbd86ae40b6477c7ac66d6e8

SHA256
99e559e516c51bc13a5170fc66455ad1813ba6d4c67f7ad4e85f29adb5a5441b

SHA512
e888c30c97d778f7e5d9b067457e95d2dd204837bbdeaf0c7f0d3a21cfe186c3101a2bc9fe8557d2bc045430c6f73ba66f28c915615d6f744256afe0453563d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
205KB

MD5
dd2230f1afa601dc538da636cc147071

SHA1
5df0e5eaa02a8d5dc2b74e6a758ef669e4507690

SHA256
6d409fdbdcbfa61c26fb9e04cdbb958938b9a1f89d3b5d8618cdfc351dea3b89

SHA512
c8415d01604fe4911e35ff75846142d2be76697d3806a6ec4230fbb73e99b2461e01f226820da3cf091b4afa73598c4fe0b14b306790f03a8e00988870076cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
201KB

MD5
5277131196534157a183ac2f6750311d

SHA1
fa1998f7b702528bc7f7aca43d1e2052da0aa8b8

SHA256
13988159c43686f7abab32e0e523e08cfa050e92285001e161e04977ca152889

SHA512
948303a66b8944d74e4bdbf136cc4642352184c68a52055a487f592c3c580a9c8f8b7cc915826ef3f0c0678c0d2d438205d09557b06cd547db330166bfccdc37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
Filesize
191KB

MD5
6eb8ef419054eccb485854dd8f57a520

SHA1
dd7a5f0fc8630c07a5306d111ee7615a8d4a1a85

SHA256
05b42b26c4fcc4a836837db1754ed79571eb677e27667c3ecc3f72a8cce4062e

SHA512
2c3e5ccd4e30b2371aed73ceaaf955be9012587372699966a30051663dd0a02bb3b852cd231bf438009fd65a98bc27589a7f01fd691618f627887ba821ae91cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe
Filesize
203KB

MD5
fd89ad8c4f3187e4ed87d4dd39ea40a6

SHA1
67a2c13558219f11491197126c182e33e70e4bf2

SHA256
312e44bf9bf212db01f055f78de29cce2afa68cf4feb5851d5be2fd3f7097b1b

SHA512
87acf2ab9220c8ee0e0f08cd44066dc95d41678d78bcede25764765a9467a62bfdd70cc14cb5baaa2ff0786350d224294bcac5b653e1634b7c6f40ef0b4ed958

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c371d13aefb5594f50c8d7a8bb03410_NeikiAnalytics
Filesize
6KB

MD5
588e8e645526676ae2f8644d4dd82f06

SHA1
607f0d19028f909a02b5a4b00ab7096dfb7f30d8

SHA256
46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c

SHA512
69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAIc.exe
Filesize
201KB

MD5
183b5e3fb049fd7a2ab7cecbf6d26980

SHA1
56acc9859eec89c5d9212339ef7e6a726898b241

SHA256
e40124b6263658431675305752f2a7f40678a1af270015b2d627a173397d3e8e

SHA512
430553589ee95bc56d4b1f446bf9c8a72dee0c5cc259912f027666299dd6ae2359c19026938b3f0bb0153768e4ebb4d9ee8fe9e5c55f9d473688a5151ccb3660

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAgS.exe
Filesize
191KB

MD5
8c6154eeebc1c3ea8fcd98a0f1d89221

SHA1
e9955321bb850d6ee112e79612dc888e3e931ef8

SHA256
03da46de2c4c8e02763c135f7ed0dd12f6f51aa8a9f7918a43adf44633a1fbbc

SHA512
5c6af419b15e86424863eb48ec679b18f526f8f9aafc4262f8101af09e60330b68520d22b46629f4fcdf554eb56419c8014e7cc62c9421d0ecb73c1f0f997ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEQc.exe
Filesize
311KB

MD5
fdeb426c208e49f58e89fc3a3450623a

SHA1
e0289c95a7eae66ad84c79c14a82e292d90a5832

SHA256
ddc75a113cbf6bc151a33308620b38dfa3ec5f6c8001e3519483c1cc5a809a26

SHA512
81a18b5ce1f5635e10fcd811cbb09dfbba3d7a0dadee78d9e107962a26c4da3799775069dbb3fa2ff14aced656df5d40c3095057bea8e6178f95dc69c040301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIQS.exe
Filesize
197KB

MD5
5c0d4e0dd8bb2991ee7bb81f9820898e

SHA1
3efdcf9af430857ca1dda83cbed1e4553c207c1f

SHA256
ea85cc4a683aa9752bcc4252b15ee0bead414b46afb472dbe146fdb04dbe6cf9

SHA512
9f9703fd96b07f1cb986ae34fbf6ef0b388e2f53f6261626411b0e727b773312c0fd88d94cb63dd062ad8299ee1149a7e9f4101e084a22eb680243a40ff42369

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYO.exe
Filesize
653KB

MD5
f715766f230f34ea243171a0ba432678

SHA1
48c08e30a00f15164d330eff6bc983ec28b4bf48

SHA256
3b82dcc99c1a7bba50d3530872c563d0bd16262a637b2a3cb05a0c95e2c33ba7

SHA512
a74cbd6e58c042ef0cd6b8450bc3f40afa15d0cfa81cc3969eeb8f79fda9175c12b711e22d6512af77b04db363baae60b3069b0cb03fc2ff00a6d39055c4797d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQc.exe
Filesize
188KB

MD5
843dacb795fd903849a557ecd0ba3049

SHA1
30419e0e98a0d147247b7c9bb8d2a4370e24a59a

SHA256
d177d05fcf699ca1a840c447077cace5e758556bd43087152d90f2ca524ae916

SHA512
2b9839d1ca7fbbae8f9c8513b686b3d5d1dd736d0afe9772df2896a9410a08b2705147f410bc9d574046f3263e667e837f8ccf207df236172d94e54c72f7e080

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIA.exe
Filesize
974KB

MD5
f9b46f4d337c533695ebde07e9333088

SHA1
359faaad78a99b212c8e2d163c1e681a092b68c9

SHA256
5e1c3092105b0248027793717cbdf8898438a4f63d9fa9af0dab7b3b7622dcc0

SHA512
1c0c99cadaeb757ba1181941e7fdc007fddf6c14fd0eaf035a35dfa82bca7591e699945dd2564635650782b2e5816b768782d13e08b02b5779d421f1dff9b982

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aggg.exe
Filesize
775KB

MD5
c3c56ff82ad89e5a49db8cfc33f3c3d8

SHA1
28b491d63047bd20d0958d09b6b775ade297ccf3

SHA256
96b789d9879c619bd0d5ad3e46a806be1784f78bcda0c7f6044c0c7a3f758222

SHA512
69af4cc52ae5df4a65a8c0ac074108c7bdbb00ad4977e527821d746ac7ffcdede42b784bd4b3d7d8b158766380c976f63d9f11f60f7ed8758cc2416354972caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAM.exe
Filesize
879KB

MD5
e7107c52055d523705d1f3a650b16f39

SHA1
2c13fc79340b9dc345bfc2f79d311d590b778c92

SHA256
d5e0590854b6adfef50406689e710f1b6f512939956c3b3bf338b1a332b094d2

SHA512
1146d5f109778620ff12fbabbb93c41090a6310a794b0401401e07f82180a96b197aa9cf8e754ffcd6e72e8a27d1e60767cdf67c643d9979ec854c162d28c851

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUu.exe
Filesize
186KB

MD5
92d455c1c57bac742d1175afc052d3c5

SHA1
5c2cd694487acd2f8e32143e901efd4f9bc79c9f

SHA256
37c98618e1f2f5a097935f9520f6c38600a4561300f8e4d3d1dd54caf879fee5

SHA512
8331ce87f9c2c319340d81ac39d192ee1ad3af7c23b81c3752a73940b3939b6064ac5ffe1fca936e2e88a8d10cf09346b9ed42bc3c04ba9536f8c1f5414f54b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUQo.exe
Filesize
200KB

MD5
08598dc973599f8f6c9074d87996df67

SHA1
cc99d3d76dbf8cded05fce7a30e1eb8913a56c1d

SHA256
3dbf1ad7a264fbbaeecca89535530b6c621fbc4e98a045ad7edb14199e286321

SHA512
88a7652cdb98366a121d2c92308770e9ab0850b5980f10287df017343d1f2541e1c13d9e752a8e04ae28983f7becd7ec2868f9ecaa666f1479322a170f37c437

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAoG.exe
Filesize
184KB

MD5
574bfc1c1fcd0bbf1356dce5c8364f96

SHA1
8c3490a566b38eb56b866a8b969721ce5b8e5363

SHA256
79749422aba82bd4083387717d1c2ec784ff64d9a1a78db0377e1dbddc0b55ec

SHA512
b0d8aa2b63e05a8759d5f3dc9276e638a4e056790a6ec5ed027e55d1fe2cbd2cd742f522a04f619d70b309743f6d74992da6b9933fc75a929026f868e0082ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYII.exe
Filesize
330KB

MD5
7f8ab1db488d3f721e6170f8295d78a6

SHA1
54ee387488569e1fdc2f85107bc6622465d29603

SHA256
28f2ff75d681a4669ae2423139dee9e14849cd0d1b9c061f21914bf6313742f1

SHA512
f5c2b97c146d81aa764c818f333336344d830df38aa6d89f3bf5ab052b34b7ee65bc43a72221797843c31f6009218ed56264582a79eaf663c537be8d0b14a9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYS.exe
Filesize
839KB

MD5
fc07180eb8f11b53bc4fe58db330ecc4

SHA1
a017d92bdf88c857356a447829c829621c03acec

SHA256
c5241703c60cf23d793961a3e9196b545794a58ca9798dc9c50b5aac4d7bb0e7

SHA512
b03f1e0a41797c29c4ccc4cd24280ba8b16b17cac8c9b3026839a3224730a7dd7819aeb8c09f4bc41b6c44a1fdabe85ae73bdadbb2d1828646e3218c66fa22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYe.exe
Filesize
1011KB

MD5
caac944c412d8837a2c33451c48a6049

SHA1
0d741d82b7f032739045a4e9a37c5bd5d6e2af0b

SHA256
50acaf29bd3e7a605718d8f12d3c31e9610eff9c7ee6f9add558ee210aeb1426

SHA512
2a378c164d5a7026408f539b7a58a5309d0cbf3c1c05ba18b883f08890b1a339fba340fd7a57c4e21e01f20cf8d6341fe8fc15130dfdc26f91b3c474a6407b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgW.exe
Filesize
201KB

MD5
997196e41a09724158b65151bc10401d

SHA1
a12ef84af9fd26d0e645e6f8e112483c7e0130fd

SHA256
86475c0274e4d785b82da11cebb7ad1f04c2fb124e5dd22a76c0c1ce95e51be8

SHA512
db95f1133d3483e2a1667cb254bc7ff62647dc43fd401979df0b0e23747816419bd5feb79fa446dc4d150cf762493deea76ecdb9886e500490f6401fadd9f89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUA.exe
Filesize
200KB

MD5
9eb5902756f63b464bb1b7ee8567f59d

SHA1
b70d835b5f718433cd8b71c669257652635abaf2

SHA256
481e0300c8291116f5ce2951a90a949c073071dcdb5b6a2ebe7ffc54f776c766

SHA512
e0a229560e2e41cd51d3e366b963fb2a4380a9f5793f5964a289318dd9b9ec88dd9801263c0e50cb4ecb1e353b264feb893d25e716f21ea3edb386a56cb1dff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcMc.exe
Filesize
200KB

MD5
88985a3df7192c95dd064602eebf7763

SHA1
828ea9ba982149e6a1291348352b3fba1724473f

SHA256
96648e447941a03f9c06453f0cf45c691d742a6a3146c7c764eec7291cd405a1

SHA512
95d93fdf15bf3cd0f9419aade7d13242fa8a1707c8b5bcfe63447a4a81a6e4e2fc42d0a82466c06eecbb1ea00c5266bb00cf5a95ea93a7355cef7189201235c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcke.exe
Filesize
199KB

MD5
69a2b4a2c2e1a7f4727b688cc8f525ac

SHA1
c588d0010d079c671dce568587956e18e414c0bf

SHA256
a16a57602214898c402030333b46ffd81f4aac7deec68bedc5ddcca0e8c94e7e

SHA512
bd4cc271b94fc53144421ca9899cb04158557c9530ebb5dd1e516d1043f4ae44a2491690e233ec34f3aadd6342bca84110b0f57e949346571d9be831181e12f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkw.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYoO.exe
Filesize
198KB

MD5
31aa78d9531df4514564f6119614630e

SHA1
8919adadf44e108bf9967ee4153fb13dd9d1c039

SHA256
211c95c0481b6f7247c4cf1f08540c8a15f052f74d4e27789c15f42f560a95ae

SHA512
9ce40cf3b8de53766008222d24c4bbb5bd8f1131e0d127775b0a79f5a7588aa010950a07c6d980a54cc49d58cde78177042feacf56e53ee8a7dc7e9f7d2ad4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkEO.exe
Filesize
185KB

MD5
7920b69f5274698c3dd0abd37b6cc602

SHA1
099f53a447cb08f5ba2559a141138831fc0f7ff7

SHA256
d6c9883ded73d931f65d56ef3a78b321f39936cbb3062e657d2b49413e76ee44

SHA512
14bc399ca9253bd9c4d73d041e51b256b56ecf2f1fc3c5908842c466f7737fa4731054439099317fd682761392a74122ee19072c6565c7f54e0996d0770c6bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAYE.exe
Filesize
639KB

MD5
faa201a10ef1de7fa2aa95131a5db888

SHA1
7e2aa962e5b48d24cfb4f5c819b4133e944b9b65

SHA256
3987ea168786d58ab224ec05194f223e89f48f88d46362d9bfe956485d31396b

SHA512
cba79bc02f64a4153686817f3f4c74ce4327141e07ebaea4164dc04be4d98e0712820e88e8ca82fd1dc76d18bb2c86eb97982ca3745b6b7f723b500244122126

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIge.exe
Filesize
198KB

MD5
90aaa49818e7c139c5d52c513d34c62e

SHA1
4f059efd0047bc59e7922be9eb0d0622df018424

SHA256
f983d8f5ddd8d403a7aa7c3aa82362336bd71bce00913d3824a3c1b80cdb5770

SHA512
ad43caf206b2d11a6038ff86b56bdc3ba6cefd54bfabfc6e6f8e695dd3b17652b290974d52c75809f4bacd297d187d049236a394f0ceb503fbb8af4cae52e3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYII.exe
Filesize
224KB

MD5
0574dd47ec55e3eb43457f6eeee4d412

SHA1
45cdbadf2d066b884254b89091f4a008ac883a43

SHA256
942643189a8741f164d19765f949da77038df0b3316630fe281c450e1023c4c2

SHA512
bf8147c5c767ccf86c8b8514a74ba05544b6aee77ff72acd0c22ceeaf848d407882477e7e1d92c58bb7ff0f05b8453378517ee8b6d3660426e2afbd50430c4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYwU.exe
Filesize
220KB

MD5
c4a8aeb10d15ba66a0df29be537ab13a

SHA1
c2cc59463e4b3851f2a7544dcad491d24c2b65ab

SHA256
9879be9ed215508768e3da4ac81bfd608c398ebd27c17ae043f599734f2a49b0

SHA512
d411e49046a3682b3c82e886e79a15a448889e6a5de657dbc78371872fa31d91b5080a5e7d6f0c62e44e63bb0ae9ca0a60c4a4d1638e5fba07dfea2cee911575

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwAA.exe
Filesize
197KB

MD5
b79ee51f89519494e2ae79328c988efc

SHA1
9f4e86b3f5c16f4a69342a1e2c7eceaf06dd3ba4

SHA256
522b370366a29868045e263e6f0bf5ea6f638640958435c08ea47619ef2f045f

SHA512
5598e4723105776617e048a88830b87eebdbbc5b41b7ada97c8eb68834127d45e747dbc0f37fbc68e1d9cbf2a3ab4fc63111905ac8e9042331fb0adc5b08d460

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUg.exe
Filesize
727KB

MD5
8bbbb537bffa01b8618abb4e7c441ec2

SHA1
021d6eb29b4f97cf432679a274af76d3bad693da

SHA256
02f4a594b2cd73bd26c8f9d0ab69b0d2b7fc54274729824012c69559a711d555

SHA512
3952ff4c0088d5e64a968ba5f207416c972c97567155efd154f8b5adcf8341fc2bcb2a443aff409e0544e4a227cdf1e123181fc1208c05180c1701379266f75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUke.exe
Filesize
188KB

MD5
2e082d70960cd10634d8c37f07e15f72

SHA1
63168f6f8b683b5043388cb9672175b11e296c69

SHA256
169625e2d05eae8a9576dbe695e328e5f830ade59109ecba91349c9267036925

SHA512
dde693d3ac8c00f7ef03b82fc2440e5612f8c569db895312a7058b99f458db0e293895032ab6175bd3f0da5016270d373b00acf73fa3be859a9b749c9c953e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mgsq.exe
Filesize
201KB

MD5
0a612ab16372360f2a1c88334df1b8bc

SHA1
88d530c0281dc0bc09741a8502559ede013db2f4

SHA256
4945b546b74b39d4b435f6839ae7014452c0f53e5dd87ed524a374255232d9df

SHA512
55d3fa43c5fc28685213547e64398e7267026ee4eb61c93e851ede3b58e8f376ed6b65ed1a369ebb33a73a36c26381dfd7a28267b3aa4411981f8a16972f6b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkkc.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwEy.exe
Filesize
810KB

MD5
91428eb628f935856d430cee246b14e7

SHA1
6c1822a746d24b68e67da305fca71e820017a909

SHA256
52b2fe65a502e62f7591b9b432c1e03372412c1340fd11c0dfe856c8f57ef9b5

SHA512
c1bba096e046bd76897f349bc91a4ab45cbf113323ce17dfc7f72fd908732a708c52effb3e6e353ad3bde9a6970df3c6fb14dcdca06f8a8491043327140b7b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoC.exe
Filesize
206KB

MD5
d2ec9450590e0e6d7ecd77b4544c9b01

SHA1
57fdda73b75eca710d2cbad92125cee028a40ac9

SHA256
0b610e939ab518e50748dafb6869f1e990bb6cfcdd6ec4c8b9f0f465e8cd6478

SHA512
8efbeed1ecd056f66c19c5deb727dd68529d1893fd32e724528db61f92469d6973e6180c6e9aefe98a8bc43564cf1dc44e031083bd31a05672e41636f807613f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIIg.exe
Filesize
5.9MB

MD5
ff95f79a00080923de353163c712e206

SHA1
dcd4712a7d8b374fa44c63cbeb9d6aa76258e9f2

SHA256
6c73670c6fe271765ab3c3c4ecf0951253be6e6b94d9d36bc1461ac73f0135fe

SHA512
815c792272aaac162518f77d3bd49cdf021c165e5d2d62c9d5e60cd882b6a307605d21108fecd6a1caa97ae658b1762fce7d771cd8a20c2eaa4cdc46c1dcf0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OokK.exe
Filesize
226KB

MD5
f3eac4ee12ec4325f3253473c46f0507

SHA1
71c86e22cd9331b662a009727007b5e9c8355a20

SHA256
5f60caf2cd44435b8c6eb7c7fd677642d7c4073d3079480aee8d4e598cec550d

SHA512
dfd3c8deb1291865d725cb1131c260839470807bfb296ce80d64d89dc512e6b9ce9e76455b3c608addae3f48f798d551735800cb776f2bb5ae4ed9a3b3fdfcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAsq.exe
Filesize
428KB

MD5
17b2ad30cb6ec426290d68ccfbef1a1c

SHA1
20ccd8eb6a864254b0e4d2a7a21517ceaf4d7758

SHA256
afe805f40d3b8f1cc711b4bb2ad8ddca4a57f3e9c26f0337d5bbaf8667aa358b

SHA512
b9ab64a045a12e6ebea171c4377a96df4447eb23711096c3163b260fe4df87e09de85a983e64edc7a38b2384c9c92148c58daac1ba869ef58c326a7d2df59bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgcC.exe
Filesize
661KB

MD5
3e45e7b4b29b9cde43b93c35dddf3594

SHA1
04920d9405a0ec82a056b4e71e8830536c53ab58

SHA256
1d084ca8aa40ec8b6f53dc4bbfc5caa6e26b7f14b158c6fe9d2dfb5e38e21d45

SHA512
ed9c62d660217cddacfd8b1f2fdf7b00dba024ee9ec77d9b1ac681d582c7f80c5d9e5100ad3e34d9a17cfcda92572aa15f439b6b633906b8395ae4a372c08cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswS.exe
Filesize
707KB

MD5
5a5ea3a06f855a3fef6a092f850a8c5b

SHA1
73edf3e8f59ebb22700a4b9124bd14914142e112

SHA256
9740cf7eed45cc77faef0bfac5171d3f9f373503ca6774e0297db696276302ad

SHA512
7d4e972ae8163b2658ac7c57bb6db084a70e5a0789ed1907636bc8990d6ead5df922a5a0dc1b0efe290b26e6d0bc188a6b860e557849b44a97c3887aef927570

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEwU.exe
Filesize
567KB

MD5
49c58677f3304eb72feb27f0dc4197bf

SHA1
b18c9acc3736404a04bac0a0a53e9b9549b5b4fa

SHA256
f5bc3d5eafd2a919b194487f006cbafb8099a677a96ead579c1b5a701e3a85df

SHA512
08a44c74339626ad329fb15037c13a76240d4675f513154a98626ea4e38d75656882e8085eda12caaf13c1ddaf4c624fbcf0f0ff1c51772d1b701a24b296d82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkIW.exe
Filesize
623KB

MD5
d411d94ceecea8ea9e839314a0930b06

SHA1
087d9696894e564b88dc553042d3fea63116b4f2

SHA256
2351f66bd7994240ca56378b5158a7b371e4ceabdcef6e1bd75539447451f9d8

SHA512
163ee21cda2eda3bf7e94690d39126103e4bf74bc8ba236cb96791167d12e8e8534a60c4c622ab79a04dd35f522c3a4d3ae91a55c20eb14c3cd52e5bfcd0b9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEks.exe
Filesize
202KB

MD5
9717b3d477d1bb6c38923bd74e9f9743

SHA1
2d1cc6410f216625430184e7a0c5f499cd3953a5

SHA256
9355523ba5204807863bf70ee211f53773df7ed0b3bea2ffe6c119baf778c611

SHA512
e6d0eb8a2b6c92804ebcdf1c008f940294915ba529360b24ca295f084dc756f83c87f51a1e7a4cbe5dee6ddb4c939df8353dec7643eb4c5ef51f1ceef0ffc033

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwQ.exe
Filesize
225KB

MD5
7e6db6e8c2a99ca5c16388500d32b3c5

SHA1
dba14c4220894dba0c87c9a66d090ab5b2e945e2

SHA256
93415622cb9491bc5359a30a83c1b827942f47318726356dde6f4ffc93be067c

SHA512
3b532ac0305d56b6cc04261cfa17b35c312859e68653ab350515deea3e885dd9af5525d29888b5c51715aea5364682a1c4b7600a72eefb58545124f5b6233922

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUA.exe
Filesize
199KB

MD5
f77c7997dc936cbba10bad94706c30db

SHA1
57c334877020fcfce84f0061e5b80098eae830ba

SHA256
1efe4de6c27c296043d2f2cf52394b397ff36461132ab4a5a59063a6ecdd86f7

SHA512
9994ac5560fa5a427d374372659279fafd00112246d1411c97c50cae5c254cb4374dce5275367dfbf83952cab5818d3f50dc22581b95ecad8c9b4eaa1d4c0be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIwM.exe
Filesize
832KB

MD5
93c9b1d617bf2c895e6bf5be84011586

SHA1
af0d99e91b1c7c80f8199ff01c7b72445fc8ee80

SHA256
c79d6a92bcf85b332871a399e25c095e4d110b383a0c10d9e19b13e2a61086ef

SHA512
df88815ea998a0e16636eafea9afeaa52f53fd3481899af2750b3bf552899411ab4c74f903bf4f81df7874d91612360f81640a9d8a4b1ebdd09044dea4245c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQwe.exe
Filesize
188KB

MD5
771d035f98a0e520df9c03715440cd06

SHA1
4079e92cc709f91e3ab75e94bbf100edb61f2163

SHA256
f01a44cd9deaf1796459b0a413c66c751d2ce5fb4d7b5e2bfc7f71afbc6d8d3b

SHA512
b7f61efcb8e09c625bb17b7984cd7f3c762f641ab0bcdc236cf74bc688bfecc79dd1134bd145a5103ff6a0c1cb74d5e165b331c0d5848de4311205052c84dbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQC.exe
Filesize
222KB

MD5
fb2f7a93ce7c004237ef924154173c83

SHA1
f88c334129c9abdbe7efa5869672de7b63f818bc

SHA256
16e1bdcc8c22012b3abc08d43768013a38967e85e3c93360ef3bb4c8b3556fa2

SHA512
812d131fd802f0393a69dcc72d0d2862c3d641a23033597477d8b6ca10de29f70a23249e422f83fa64a3b13e287f370ca22c40ffff5faca1d24fe60a0c0b2d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYoQ.exe
Filesize
185KB

MD5
1eb235097f2fb328243b706864210409

SHA1
66040cf12edd759ce7f61e891e0eac8b5913954e

SHA256
3c4c3ea3787219be04753c13a71fac4b6b9bcc56e4724f923accf3acb1053368

SHA512
8f5a97b037c2e931f2efb07a61a0468b3635d633de2b89e3b465ca12f797f6d8788f574c14724fa7101deac1a9bc67d5dcc326cb23f54c8108ea51f89c3ea4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yggm.exe
Filesize
185KB

MD5
50e1e5ab3276f9859d5bddab789501ae

SHA1
0fb0f8282fd7b1a60a5f90f88fe286e965c37141

SHA256
867db03a2b6d363690a02c679115a29409618a4e13249117c981487ffae46d8e

SHA512
7e41e3decd37f389370a4f6947d1955f83cbe666972866feda30c778ab0bb198189b8ff7160eb53a6ded99b8f8ffad00f9385eda37c67286d27985ec68101b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkES.exe
Filesize
192KB

MD5
fa82fd4fa1be00c78a193deb1d54b56f

SHA1
c1132b2fbeaaa90ee3042edd5927d9c6376b785d

SHA256
9d61448d45dbe109b3bf40850d9c0778d5270b18283060147f2f65db5f3e57ac

SHA512
482f64f7caa103acc3989a3ec08ed31a18c8128b2f21da818865c824bc590b06b4eea368e1a372a226ad361c9f06fbb9c6bfcfa0ddc84ebc6643eb49bb000b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywwy.exe
Filesize
1.9MB

MD5
b1a4c90237ee52310f0a715aabe016c6

SHA1
fd8d295a0365f2a3265e15813b51314c267c91fc

SHA256
ba8ac9bd50ea6599a49701d1081520eca3bf06764025b570283efc142d4e167a

SHA512
2be0222b257de9c1423d20ff2871798bbf2cb555079d02531fc810536abb5a2e97c6810ac85318eb658d0632970144db28d2e9b2faeb78bcef4bd8b66dd36269

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMgS.exe
Filesize
784KB

MD5
39a99a32d39cc858ec2cf6720c524174

SHA1
ff93c6bd02573fb7cf98c0db6d4fb44ce12c6e2e

SHA256
ec4af9dec66c1039434ee81ec2607f8052a31bcdfb7e78468f9f3fa9691cd635

SHA512
97c511adb0d2e648b04ebbea859cf0754667f41a4d05ff39cb2a8b6f870c9cf16c4abf047c4bbfc6868dda479bec6d9d8490bedbc22f69ceb8bb10bb34f4a443

Download Submit
C:\Users\Admin\AppData\Local\Temp\acom.exe
Filesize
789KB

MD5
62ac194af7d947bc6b5973d5eba31b9e

SHA1
ce53ff03e0ee81b1d78a21b664f1f4acd2ef3b67

SHA256
460ad083f8618f3876221261379ed155386a96fbcd46b167b619fde8fab3394d

SHA512
89652ca1ab6e5a0c8c48ec3535f7abe7dda2c30bfa34e9ae62040e1bc242fc0f069eb5a70abecd3ca62984071a9e37543dc6a52d717a6f022320c26daed3e368

Download Submit
C:\Users\Admin\AppData\Local\Temp\agES.exe
Filesize
188KB

MD5
fde92735f0d55f366d6de72d80b0428d

SHA1
cf3b3db8fb9cae5c99c3bc516eecc9e39c7c5ebe

SHA256
2730508deabd91bfba4c851d61d653a9e8b07e3f65c20f0f4c0679213554672d

SHA512
b1fe412056ab153abe214a23a087193be665cf64b09a1ca285e2239e3f0d379b86e3530dc88fe68d5b6f691110a148a19a0c836c10b52675ffaf52fb023b0472

Download Submit
C:\Users\Admin\AppData\Local\Temp\agoS.exe
Filesize
199KB

MD5
05f3a328605c4465af1899720a79179d

SHA1
8b98ed0bfc0c7822b0e0cb6aff124171208566c6

SHA256
e452aea18a30fa0c1bc07ef7bbc096535ab93c2ec53b7d4c02ef8c23753da361

SHA512
dc3d3dde3f7d1f9a9af57dca6220b1fb1a2cb69073110ce93fe875906e1476e0626249f5b53652043fd9e8c2d459091266304c89cf8d7c47e2569814f05eddcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAswEAkk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUMi.exe
Filesize
205KB

MD5
a71348303a6a63f1ec91e8b022fdb469

SHA1
34c1f1014dab665778406ba16bfe0115427fa837

SHA256
3364f930829056316e23fa463c3098b2178c5664fe96553bd1f14042f2291604

SHA512
6b3c37380740650b1ecf01666125080db61c70b48fc84e22276b8fec2a941b0bc0c16cf39732084dca13418d30c33f99281573a95be80adffcdcb507f5857af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUYg.exe
Filesize
202KB

MD5
d070564c4523dd1b393cb84b190e273a

SHA1
a0f2c1a4706641132b9a45a26e7d2657e08e31c5

SHA256
0d3adc6512d5317227f0d2e82c4068fc99ee54a85c78991cb5561262ea5297ea

SHA512
706938a99eebc5002cf5a01e5ae6115c899be909738491a1dd07e9b35d670a1bb1a482daae0f6bd671cfcf08e1653cfec4b766d9a274c387a88cd44fd8588a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUom.exe
Filesize
196KB

MD5
535630248f5353be6cccb50d9480a579

SHA1
18948a7a40e773192d228eb12e04cd0635e92b77

SHA256
c04174079cffe4f4f5d38838d3bc366fdd1badd0c04801c9d421cd1ba6b96078

SHA512
c66f0db35e2dd7fbfb475f134aa772578938333eb0a19b0964f3c0697672ec5ee11ea7ec1feaf9e437cc89e8dc59b85c9c17235bbe2ba61a763b05a0306ae4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\egUe.exe
Filesize
541KB

MD5
67dcb74b999db046f4195847a3413c85

SHA1
6203c742f6a4cabbfd11d501c1d3848c97987ee0

SHA256
c23a418bd31b4e52eb9a01bb169dd0f95feb010dac6bde29f8fc88a6d80231d4

SHA512
731d0ba589446fd9bb7c798cb61fd57f77e41fea934690aebed86a8ef97593181fb92511d2c44e1d323537f6deeab3acd75dc1cb1221f69c67f18707149b6b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwK.exe
Filesize
204KB

MD5
0282caa87e54f52ad35cc607d4e8a0ee

SHA1
23c3350ae00e322527a471c672a997064cb41fb5

SHA256
49542b003a349dbf145912d9a64ac99a671c2b03f166ef7d6f403957d3f7c07a

SHA512
a7d3ca9f35c62745d319f122af642e6aba0b42332d8479c3da3850d97e0f77510193b240fbf2ebcb413ec975d5db0cbd1b7805396417cbbc77f7eb67e6b48023

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAQ.exe
Filesize
244KB

MD5
41e47e1d32ddf45c9c369c003df388e5

SHA1
571532a3494645c20f419c298ddfab730f9ee51b

SHA256
5a03ea5ca2d38631b9034091a573c430222a715f793ec702643021c072e6f1c8

SHA512
96c1e319f911b7c9678081940f8b5a0014a364b5ab199232e32ad9fc77505589d7b9fb36ba555b9ea03bcac8fe9a8cc8716bc820ab844b818d4bd91167392461

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUy.exe
Filesize
181KB

MD5
fa9d768d3c9214e35197ac565f9b8da9

SHA1
7283ab195b4911bb14caf9328680b7e501c822b0

SHA256
b9cf8038dbbfae5082d7ad2d98ed8f17fb5dc8d63a391a7ff06ed3c321313db3

SHA512
26d45b3de5cffc3e1df95165591a67b7a651f1f7bf18f6d0e1ae13654871774b289bcf9f108454ba6f7a91fe7d6eb731f3080f943bba36b98c015dc21f73c7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMo.exe
Filesize
190KB

MD5
a70e76e678953ef3d444453aea5d384b

SHA1
02f3416d3d768c36226cf286116b2caeb8596e95

SHA256
fdd5a57da150067b1bc5da27253b5bcf5051dc03d3d518e364210189a45ab772

SHA512
07d4dddf1291338beae9d97748f2093d6de5cf24ebafd4097bcd2eec5f56872eab5bc97c394cdf295569ecd784a2e6c7a8275ac2289a1c33a154a36d6014dfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\goQM.exe
Filesize
187KB

MD5
92b3df8eef53fe54926e5199060334e4

SHA1
83083749744124ffc3f7bd1c10fd82478dce9f09

SHA256
86581a01e4a9d2019c41d87e576ff6bc40af750624d88f4611ab09cb8507be48

SHA512
8511b9d43950c96b23c8e74428659b15273344a73b8b2d62db761d36c75c9e7a578ba1ed3d204d9fcac11f7cb84f789ec17c3e1271d8a890f3a0c65f2803366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\goQu.exe
Filesize
897KB

MD5
56837ceef4f7ed5bee608cf9d3d36ff1

SHA1
b77e4158a8cbaca8094c37c7a8eb121c7b286765

SHA256
72e1acbe6fc1be3d8e027c9656bbcb16621183c5617ceb3675fd87f400592241

SHA512
1ef052eb474a9da5f2893a468373e8ddbb303849d4fcce84c8a20da0721a838788a0dff349a29753b2c31374a50ffd02577ce7df0eca638e21a194167670220a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsYq.exe
Filesize
634KB

MD5
b82281bc00e78629a5405099b33b8660

SHA1
17b9f7c5dc5fb836062095dab398482ee5cca0f2

SHA256
c1add19034f9df94a92ce8dc01e058168e117e87842442d8113d6618cf686dbe

SHA512
c9f928d0d61a39f02750539fc6902d19ebb17877a98cb619cfd43e28fcd8def2c1d002cd4a58ea36be9e4055aff54a6a2a0424fc7d12979d48cf2dd59cbf6056

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAEw.exe
Filesize
191KB

MD5
4704582b50bfff125617bde5833607fc

SHA1
bb58c593d00ced4e1747a9c374052371a3c67a94

SHA256
5f5fddb7e73943a9427476002dc0a605bfcb9d5f01f870c7d3562aa5e8ce71ec

SHA512
59dad4137092f17e540b551b7ed9345a0fbfc06fc20b73eaafbffd88671f443458b49800fbd0e9ed0f9c092b5244f0fa5957ade72f5dbbaa6cd6a01c265e4a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYoA.exe
Filesize
1.5MB

MD5
a7159e075a5c7a6b75cc7566a8da9963

SHA1
67d3ad50869b6530afab62bea78a1e8b33136517

SHA256
9a3650ec445f5eb0499ce047e856be92f50cde53c3bc4639e4d833ed68bb2a20

SHA512
0ce7c49b188c981bee0c02715f109274d4421147f521b59808c4b7c233bb8ea65b48e1e2bedc8883f7276c1a9004684795a31465a55ed07f674055d1bbc81fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIQ.exe
Filesize
5.9MB

MD5
2d853bd72b796110017b009b147538a9

SHA1
5b7456c948121f4fa48effc3f96efa534c301558

SHA256
15e24aa24e5555524faee82c48121adb6ed5743d15dc8a3acad32076e7079f99

SHA512
0f4308ff935e9802a68461c2f745805c8449ef265e08edc029605024e6d9cce519b8acfdc912de98de496a708a301eabf2adf86365f52d79434ef8e6440f0e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEsO.exe
Filesize
206KB

MD5
e04724998e5403f7f237380c6581ef8a

SHA1
20a10c22b4a79f0808a133654a8c0e916b5e7edb

SHA256
cd1d920e6bb5b6009322fcbe61140784db45ced696f13e9668dbf74955bf559e

SHA512
2cc425cb7545d4b881e3f94b7c5d6b6a1aaf04619cef04105f44f69f3cb648e1b323e3801625394ccde6e87e46830f4da0aa12e2f182f208771055542cde6c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIAM.exe
Filesize
184KB

MD5
44ba2941e0ee0e169dbae21a76880124

SHA1
06b4f4206b6bb874a5baa58d91072f57218afc20

SHA256
0fae16ac784d70e1b927a3526cee38d6108ddd1572a580c8efef490751323d12

SHA512
2f4d71c30cace4a725bc88b025aa5a95454ba93c8dc3d6bb553572e1d9ef8b1aba1a28d88c6203d9319d26b239f9e305091f9ed4b9fbc959ca2389c9db91ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUog.exe
Filesize
195KB

MD5
58699b9cc7800e1df9b9693607e053e5

SHA1
32ba4478b4f1fbcfe766f407dcc415bee570698c

SHA256
1be9089fa38212cb86c1820a66455de67fa397803b5dfe22e5e94f9a3b1fa5bb

SHA512
fdda93192d161f097fec58b7cf3b2626ae4db2113d23b2586f0fb6398600dc4e928b3914ec0e31dcb17dc7c4f9e2f0f4c71faa17a9414e24f36343569a92f3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwEY.exe
Filesize
184KB

MD5
a78a3c3be8027b896df56d3b35941134

SHA1
ba2fd7f2e734607e8cccbee3f914cd3837acc37f

SHA256
77108bb9efeed4a0d890f413ebf8535d431d4b3862ccdca161309d57158b2b35

SHA512
93f879a9fc143efaf97dfa5893a462c66cf545a76150821269ba743b978abf2bdaf0bf1d53a3051763fad2dc3428be9679d6ae77ee2e73a5fe57c68523843001

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMu.exe
Filesize
199KB

MD5
6aee7b83e12d5aa90cb9f73f78055907

SHA1
48ee680d1272f9af6e653e939de36f0a224bdd78

SHA256
8ce14e4afab22ac5932718c34b27a8b210e5924c59beb7a434a087ec48e7320b

SHA512
670dd1400494bcc339c5227b3a57e8c43fb2f6179f0376fabefe111f4271cb7fc92ddf90564f996df4829bff16a6ca20a60ce19f43ba83197c40203189da869d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsq.exe
Filesize
845KB

MD5
36e2e77426af1239992b1f61748f909d

SHA1
32760a6d4a8c857111bc2044d8404fd7caba99eb

SHA256
0b6dcf16e1120a35aa0061e9b006880018d0999e387451b38ce0e44da4c01096

SHA512
959a17a5b5c3bcc8a50e38acda9e75703fd87593098925be9d93c290e01c128bfa369fcee722545ad1d3630163658b24248f6074975803af21ca6800fb68255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEa.exe
Filesize
182KB

MD5
c6615b95e30fa4568173b4f761b91ba8

SHA1
3f78b5ac5d72d8bd7d42792222cb1b650b685976

SHA256
21c48f463f390f7eb17b1a4819bc273ae95eb2cceb4dd75b0b09981e47f83703

SHA512
622502fe4503adc7e2fae0ccd465c4d5eea96485ea83ea3b786d234f4196d3929028e26af6e237231a7be58ed7418d7e84dae47c141fa124eba212b8fbe3eb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkcK.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMy.exe
Filesize
1.8MB

MD5
9fda72bbc2dd3a56cee1b14f9d449968

SHA1
b299a6b17aef78a33d75861556d73462069a6815

SHA256
9db7dd977f2983e57709f101b8240d1056129a79b50bc79c5278c6d19ec3e902

SHA512
530119bc5d35b588cdfade15867741af830b5f06313cb1a326682d560dbf5bf9cdec2563489d0f949c3a6763b97a8397ae7453b676ac1de586e1a194191769a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMYO.exe
Filesize
197KB

MD5
868292ec7cd608c70fe6be3b635f7386

SHA1
559557512ad512196f32fde904bc45fc4aa7ab3a

SHA256
45912ff5e0787d092ff460caf7918753cd59732a8f5cf068dd77ae7f4d7c0751

SHA512
92b1685a5b0d0aaefb65ab05a97d4898f183ed020c91cb8a680f76957da0d2ce3b95a8e75304ae97ce7079b28b3bcf3d485cfd6b1354ce092bb3cf57e624c07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooIC.exe
Filesize
200KB

MD5
49f532d9cbe825ecaea39406fe5d5589

SHA1
65c3c1faaec0d13c833b79fe5abb028cd3c65ea1

SHA256
3a9d46c00f80016f38c7fa1e9ae96c94b22adb094ff75927af1f8cfe56bd11d8

SHA512
982fb74c37cc1878df02e67581d62deba04c5f24ea05883ed06e7c082bd5666fc0353e9a7e69258a56e013935a56479298986808f30308ca23fda85682b9e39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQMu.exe
Filesize
309KB

MD5
622579b33e0b4eac04ddfaa514c99b47

SHA1
69818aecce264023fe401d4a90135d1e0636cecc

SHA256
e12b12f3c6a5ea270b78eacf983c5a81fe5d236ef7db39d16d5ae777ea37adcb

SHA512
9c0fe8bd635db1c701b79029205e983cc868edf688c8e918d93d7fc6ba12f0775bf2b7393ac4024245187215c7f4d105f2264319985445be5e343500c657a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQQK.exe
Filesize
575KB

MD5
67bb9989ddb0382deacbed7fb3031222

SHA1
81d3a3772e9c99b860210be47ac414a5a13a5f97

SHA256
650edd32ba0557a74f476db2c284e5afffb11a06e992c79fb0a6d87b7ee99283

SHA512
2980562db0aff6033f9c773b240454f9ae33038769f3c751f70e7b5984fa3f5df417b34f6a4760d881563f9581c84652bad4a8546b34255a272c043791bff39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkYY.exe
Filesize
799KB

MD5
a5828e74cb9eb902c909bd2a62e184bf

SHA1
9b87b6c04213ec1c45c1ec9909a742983850336e

SHA256
f8a2e50e85032e5f1db798c35e26f3344f39c224aad170bcb1a3d754002e8e63

SHA512
9941574724eb3e3cc1163e357b999f8bc2ca4a8b5de0a1c1e6d49fdc4ec5f9767bd2c28bf92bf0e04f5c82eefff71aae8270cb31fb90d8ed22ef8b4e2592f13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qswy.exe
Filesize
191KB

MD5
625b8df5efc297b4e594590ee32f2f70

SHA1
b61693b7c0348cd27b6bd0986d4de88fa34cb975

SHA256
221bb3c9b002b29a9d1ad175a4689ea46faa30caf4916a25dfb1e209dee4b9e1

SHA512
358b32294da2488989e47dce54ae6f0d295d111c1749a7461252ed708c8c748bd74ee580203371b119b11191788b68a8eaac40197b3e7e53aa26798db28fdb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQK.exe
Filesize
813KB

MD5
a517f0a12d1495489c7b0f6369a5d3a3

SHA1
29da4f096fcaf1e3c1db82f21ea073938eb6ef63

SHA256
42241692f84f7c1ecdb62e7f47b51374484168a1a3618df154e9f7d450779844

SHA512
c7a1a1d73c5f55dcd11ded60c3de6c9bf4bdfe35f1eaf91a98a681826668f03be46b5a6aa74f8a468762515d1fc46a3198189c1e6bf24738c45739dca6432665

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQQ.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAsU.exe
Filesize
199KB

MD5
d950c5755346e57cb9b2f679dc064b48

SHA1
14b508cc764617a7efb30b42996241846d144a17

SHA256
40e531807c7e3e8683a095b30a4433a5cbb0340fbce556d270358f99c63b9f7c

SHA512
ac265662f44e2474d97cba39a4772fdb3f8b1826af377862b9f5131948638160539ff859f481d9c95cf82feb9025150e5473263bffff76000c0901075b4b4324

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEQq.exe
Filesize
199KB

MD5
2504a2cdb324294c08f7cd146207fe45

SHA1
049934937bd6fd5bc7e53545ff8dbf52d3460e50

SHA256
0c3854945161b9ceeeec9d8369c6dfa3fad29b03917d117e078b1d170ce07df1

SHA512
44851f9106c04decd2f94e3a1d8d7bb77d904b493e63a5f9febd9e51bdcd755e600289d10a09afe53e54261ef9b2b715a8cf03041f051c30957044344dc7139e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMoY.exe
Filesize
657KB

MD5
3fd87c0a7993e442416d8598e702f984

SHA1
03300ac719c52886ac6231bab748dff4610560a1

SHA256
7b17cb77be1dcd894187079b65a1d9cdf13ff17faaa3f1b4841b70488db25bd0

SHA512
2c85441392d2f97fba6cc8f5b882f04b58b9150dce089c2df671fe445990914f47550fd81dc3587ca7810011319f69fee653f4e0873306c96e9e25feaa1711db

Download Submit
C:\Users\Admin\AppData\Local\Temp\sggS.exe
Filesize
200KB

MD5
523f41955aeb8f9f57dfb1c643fc3bd7

SHA1
14e201a1c09b3efaa44de67bbd44688d90f39703

SHA256
096ed372eb841bd4f4fa9280cd58c0f411e732389d94ff3f9c20204f2eace346

SHA512
ddf488d866a260b931fa5257e39bb4b280012b8e44231c8c95ac2522ae498a004f5b9f2b2236c7f112e55bc4fea98e371187f8e5580dcf3671e750176e454ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\skEi.exe
Filesize
202KB

MD5
7ab36d5a119c66b4f37e4fa72aedae67

SHA1
7f0a2a4ab6060193fe8accd86cc54469012e5808

SHA256
54ddcae97d903ae41d317d1342fdf65a77628437e0d261e0ea3c706552d9aed4

SHA512
137540afe63685c75686fb6f84df8ffc6a414a78c7f6255c0260be2023493dcd1fa0779d72fb90249f05cc58b1fac56a61b5c8b4a9589374461efb819dcbaba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUQe.exe
Filesize
192KB

MD5
8b36287a116575a77899e55d1d29a434

SHA1
7ace283eb566a48b5a1e075013df5577ee16d205

SHA256
77eb804ded8ea4c1746e03d6b623dbf18cea25ce44c8d800c2e10e0da1c5b533

SHA512
fc3970206d31c96969e982483ae19576bc06e18383ad02f4eb22bccaac3d46a75e0bed770b3998876928d7077c41930366a7db86f449619d886be60520d444a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwkO.exe
Filesize
216KB

MD5
a1ede3864a9c370e3973f29b476489ff

SHA1
71af825e94c8536e22f7b0cfae36c8e7da584562

SHA256
9c133435ad100230f76b90065e47b6710d73c06dd16dc2e01cfe1aaa43857305

SHA512
a2d66ef7138ec611795260031f41eb71b7b3401f5a399ea9f56e04e77bbe895420063e79ac4466dca02c718c4630a68fc1c366f7a4e9e72b8cfaf0f9c395ecf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoY.exe
Filesize
254KB

MD5
f59f5eca7928669aee022b0621969775

SHA1
649ee297e123825bac8f7cca13f87342d419b0fb

SHA256
e25fc7a51b2b12d6d532bfc107eba1ef9e931cf867d26574a40361d2dbf40231

SHA512
b84e45f4fcfd6df42b23a83b165444ba518c3f34e82cd5ba5a1a7d769600dbbde22da541e60c79cb82e27105692b0621436c31d143b15a87ed36cca587ca8dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEu.exe
Filesize
309KB

MD5
8096ea9ada8fe822aeeb0c046a60d353

SHA1
7ee9aee794cff107810d28e3c9907daca627b184

SHA256
77a70cba0b6e70a56489a3bb8ef7a8227e0c9987d7ab17460e22c3711351e536

SHA512
dbdf6eab2c8754985bc3beabe5fdc7100a08a4831142beffc2bad97459a1015ead975ec5a63b0abd8468146e4d114fd98f5dd0b27ad8c9813b14d7f45d34a9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgUu.exe
Filesize
189KB

MD5
c4c4635cfd5f6bafd33c3ccb973dbed1

SHA1
14403569dfb963087ac493a707d2be1b7506d559

SHA256
ad9bbed019c4fbad7c9c9f003cc6ab75c5a65b0fb876e95a5fc8f882a98963ec

SHA512
bf48fb5c2c95fd1f4a0f5ae6b523f3912ff173a449561ea0fe2b2936082aba0fb04b05cbe0d79e6667ac07ba95be94c7c1ac075b53edeb0ed07602199b7bd8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwou.exe
Filesize
188KB

MD5
cbe2e6027dade787f096b2b1a1a70b2a

SHA1
ee357bd84595a046858bf3d1a06fe7015a54bba4

SHA256
8c62ea05437b716fa2ccea847a9a1ca4430d70d676d99140ee89aa24dc8d236c

SHA512
f934607ee70055133becdd4ccc3eccea057f92284579899a03d951ebe218b3bdbde772b8cf479c5ef12f2d31ff2da6395f89025d2d4fe69b360e351f3345cb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAkk.exe
Filesize
188KB

MD5
d694c663550503e228928345808eb15c

SHA1
7024b396d0f2842ec7f6d7ee3e1c9195b98617e1

SHA256
892f0e66e4804036d64135d06f744271d13cc74f7c1523ce9b48460f656ce118

SHA512
31f4d141aa400c3da5ea17ac02501a4466d5116d2cdb44ccf3243f852c1b985ccf6030a121f543f1fd9db8c1bd71ec2339c083c12ae77c3580f04da675903f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMc.exe
Filesize
813KB

MD5
1ee469f7c9c0f0aff18cf017e265a58d

SHA1
33105dc38921b61918c881f8cc430476f6413720

SHA256
453c2ebb59b9391cc79c2a1902daa4944025bd1c0858d9fa8035668db70759fe

SHA512
bbba2e7f6b84b0674c8f4cf7d33ffb64b14a1cc015ca0077d86e66e0f450530b2883ec1559a031dd4e27b0f834f09fc1a073963ba8917140db54a081d6f5dcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygYg.exe
Filesize
215KB

MD5
fec28dbd416e32e300d0a291b9c08baa

SHA1
d4f8f3920eab70fc5b1e03a39ada44dd74de9e1a

SHA256
e4e365aeb368b4761fe82e4124a0b8b908aee4bed00981ddf832f24f09b1f60d

SHA512
4b628f7b158648a7c3ac78baee315fc40ade2e39d5fdba4a8ce5d8dc342c974ed5b9356de8eb12a487cb52327888725852608f42b852c40f113f024119ea29e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yowS.exe
Filesize
209KB

MD5
9c3c09a79313e85e21efb138cd26d2bb

SHA1
7d862c6ba23ee2c7188ecb58095c83f661c12118

SHA256
496d4d8953251a67d6d42e0ec732e7b8125692eeeb7af56d52fa8e29964755e9

SHA512
bcde80a0dd3b5f79cb08bd0a9ef57de560820f486e6a57d1fb4e750ba670e7010ecf9a57a303fc5e8985ad19cf9956991f965ea0d4cf2ad3167e763b5aa92051

Download Submit
C:\Users\Admin\Documents\BackupLock.ppt.exe
Filesize
823KB

MD5
9b1b5fb3ad549e17725f3f156483cf44

SHA1
edc18f197bbd4c9a2a7cfc8a4df0f9f53e7fb7ec

SHA256
e2f1520a48ca9ce079345a145c8c83b854a90b0a5c1d6a61a0c5cc66673f146a

SHA512
503a83e8ee8104cefc473dc7475d8609026cf1059f67961fd8509b6abec67b4e5af9b2d93a89e13200c21df972cbd82a5d17401ef8172ee169e92cf66f8bb3dd

Download Submit
C:\Users\Admin\Music\AddLimit.ppt.exe
Filesize
852KB

MD5
18fbb1b044544058b809b6ca42b6c1c4

SHA1
97f548f4140106da41c4619d4b4db8990bab42c0

SHA256
f5c6b7e92779ed0072451fbf1ecd402a4b53bd06be1a2de541f284a8b4030130

SHA512
3d0d8fc2643924d59c88673c1c0fdfef8f19f85d70b19ff35a46f252100d40e0cefec2970ca9826ca0d5e3ea579cc34eed30aa93fd24585ef12973c7aa51a717

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
Filesize
224KB

MD5
6677424fca630b8f677494db4d1f052f

SHA1
25f00c69bde2bd0bd3fbe1ad09bf72e7fb354862

SHA256
e1343d451fdc3178820e5fbe1be6f9f8bc5fa0d030a3ae198ba0e8318e5495ae

SHA512
c727d099f2822d3d60ccbff50c50a44c7ef634b9efa790052d95fc98baa72a69255427198c48c5881082783158e782a0aec548d577e441279d0ee7dd4c2a3a07

Download Submit
C:\Users\Admin\Pictures\PushResolve.gif.exe
Filesize
748KB

MD5
8abc72a73afc817b18c7b5c218c3ad1b

SHA1
4849c92eb3a7dd7c0d31a03404244e4fa68ccc44

SHA256
d3571e5777fa75fa129985e89487538c2c46d9d71ae5335c92710dd7f0889c5d

SHA512
fcba74c56b952f6f127293ba98b4cf419078eb7d919c0fb6abb195da0221be22fac7a3ef558e9000cd71042ee5334b3b5f14794e84cb71a59df6f1a4396129ba

Download Submit
C:\Users\Admin\nKAEsoMs\tyIsYYwM.exe
Filesize
181KB

MD5
549cac9cccbb76c52ec454ccaaaa8e2f

SHA1
dc0113eb9ebb19c6fe1d6d3983bdf56efd902211

SHA256
48d9c71e0f15dd95b3115def9ebe8c72626bc2b8a2bb9228c93cf3407f0c0394

SHA512
e20942f817d11dcc59a57cedf00970aece218c648f4122e439324472f4dec750f888e2108a16b4ea2773ce05f9b3ade9233c3ed5c860add493c082bf74bcc6de

Download Submit
C:\Users\Admin\nKAEsoMs\tyIsYYwM.inf
Filesize
4B

MD5
82c70bee790a498cfdd35335a7ed1779

SHA1
f142122bd4ae3c5269d7e0aeaf92ba0b3d390d9f

SHA256
f1ffc4c99a463a855d732d3834eac43f1e7b34e4733fb5983133993660762558

SHA512
a3f57bd7a2a3928063f797f3a4c6b017a349d19dee08e9001bbfc621f7c5167c058d5d5331b746acf85f3e63b58bf79eb2e5b9ebc5ecc020c99d231fa289b894

Download Submit
memory/688-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/768-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1268-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1412-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-93-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-78-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2136-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-595-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3404-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3928-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download