ee8158658a88379ae33403b0ed8637e37e9581f2a1e8f72f42f4f9543e976769

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
Size

193KB
MD5

806b9f92a4464a291ac1d8e90b08ed40
SHA1

cf11aee71eff829a95c35516931f9e19fffeca90
SHA256

ee8158658a88379ae33403b0ed8637e37e9581f2a1e8f72f42f4f9543e976769
SHA512

e70c2e6b19c237b7d77b1caded33f2f107e4b60133fb5c8c5d762f2cdd0a51495ba98c18cf62d7a406a7dc8eab745ba0ca7c43ca58ee5f3e227ce032aafb4fdc
SSDEEP

3072:E50o9vw26xczqINKYbJ487jeUyu7aCszXFHr63INiNUnQHC9qDmur+:TW7OMKSt3aCAXFHhiKnQi9qzr

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tKUkIYMQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	tKUkIYMQ.exe

Executes dropped EXE 2 IoCs

Processes:

tKUkIYMQ.exeuIYscwkg.exe

pid process

2704 tKUkIYMQ.exe
2308 uIYscwkg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uIYscwkg.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exetKUkIYMQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uIYscwkg.exe = "C:\\ProgramData\\EsgQkYsg\\uIYscwkg.exe"	uIYscwkg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kYAQcYow.exe = "C:\\Users\\Admin\\UyAgEcoo\\kYAQcYow.exe"	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owEMYEoY.exe = "C:\\ProgramData\\cuMYwIcU\\owEMYEoY.exe"	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tKUkIYMQ.exe = "C:\\Users\\Admin\\fqcIwIsE\\tKUkIYMQ.exe"	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uIYscwkg.exe = "C:\\ProgramData\\EsgQkYsg\\uIYscwkg.exe"	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tKUkIYMQ.exe = "C:\\Users\\Admin\\fqcIwIsE\\tKUkIYMQ.exe"	tKUkIYMQ.exe

Drops file in System32 directory 2 IoCs

Processes:

tKUkIYMQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	tKUkIYMQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	tKUkIYMQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3944 1444 WerFault.exe kYAQcYow.exe
3984 4448 WerFault.exe owEMYEoY.exe

pid	pid_target	process	target process
3944	1444	WerFault.exe	kYAQcYow.exe
3984	4448	WerFault.exe	owEMYEoY.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
2740	reg.exe
2608	reg.exe
1584	reg.exe
2884	reg.exe
2712	reg.exe
4548	reg.exe
3428	reg.exe
5076	reg.exe
4468	reg.exe
2452	reg.exe
5076	reg.exe
1272	reg.exe
2492	reg.exe
1936	reg.exe
976
1216	reg.exe
3332	reg.exe
332	reg.exe
1348	reg.exe
3856	reg.exe
2260	reg.exe
1392	reg.exe
2124	reg.exe
4960	reg.exe
5000
1920
3244	reg.exe
2964	reg.exe
3012	reg.exe
4100
5000	reg.exe
5112	reg.exe
780	reg.exe
3368	reg.exe
4864	reg.exe
4156
632	reg.exe
3428	reg.exe
4132
1304	reg.exe
4476	reg.exe
3704	reg.exe
4156
2884
740	reg.exe
3936	reg.exe
4492	reg.exe
4512
1752	reg.exe
4344	reg.exe
4636	reg.exe
4444	reg.exe
4480
4700	reg.exe
2608	reg.exe
1308	reg.exe
2036	reg.exe
4532	reg.exe
1496
1672	reg.exe
4524	reg.exe
4156	reg.exe
728
3412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe

pid	process
4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
552	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
552	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
552	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
552	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
364	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
364	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
364	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
364	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
2408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
2408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
2408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
2408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
560	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
560	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
560	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
560	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3856	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3856	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3856	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3856	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
392	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
392	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
392	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
392	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
736	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
736	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
736	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
736	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3016	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3016	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3016	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
3016	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
1148	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
1148	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
1148	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
1148	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4580	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4408	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4796	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4796	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4796	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
4796	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tKUkIYMQ.exe

pid process

2704 tKUkIYMQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

tKUkIYMQ.exe

pid	process
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe
2704	tKUkIYMQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.execmd.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.execmd.execmd.execmd.exe806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 2704	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	tKUkIYMQ.exe
PID 4864 wrote to memory of 2704	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	tKUkIYMQ.exe
PID 4864 wrote to memory of 2704	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	tKUkIYMQ.exe
PID 4864 wrote to memory of 2308	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	uIYscwkg.exe
PID 4864 wrote to memory of 2308	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	uIYscwkg.exe
PID 4864 wrote to memory of 2308	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	uIYscwkg.exe
PID 4864 wrote to memory of 4304	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4864 wrote to memory of 4304	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4864 wrote to memory of 4304	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4304 wrote to memory of 4336	4304	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4304 wrote to memory of 4336	4304	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4304 wrote to memory of 4336	4304	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4864 wrote to memory of 2608	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 2608	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 2608	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 4640	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 4640	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 4640	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 512	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 512	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 512	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4864 wrote to memory of 1784	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4864 wrote to memory of 1784	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4864 wrote to memory of 1784	4864	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 1820	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 1820	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 1820	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 1784 wrote to memory of 3856	1784	cmd.exe	cscript.exe
PID 1784 wrote to memory of 3856	1784	cmd.exe	cscript.exe
PID 1784 wrote to memory of 3856	1784	cmd.exe	cscript.exe
PID 1820 wrote to memory of 3416	1820	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 1820 wrote to memory of 3416	1820	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 1820 wrote to memory of 3416	1820	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4336 wrote to memory of 1996	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 1996	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 1996	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 4700	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 4700	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 4700	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 2304	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 2304	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 2304	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 4336 wrote to memory of 1932	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 1932	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4336 wrote to memory of 1932	4336	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 1932 wrote to memory of 436	1932	cmd.exe	cscript.exe
PID 1932 wrote to memory of 436	1932	cmd.exe	cscript.exe
PID 1932 wrote to memory of 436	1932	cmd.exe	cscript.exe
PID 3416 wrote to memory of 4808	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 3416 wrote to memory of 4808	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 3416 wrote to memory of 4808	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe
PID 4808 wrote to memory of 552	4808	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4808 wrote to memory of 552	4808	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 4808 wrote to memory of 552	4808	cmd.exe	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
PID 3416 wrote to memory of 1148	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 1148	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 1148	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 4880	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 4880	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 4880	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 840	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 840	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 840	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	reg.exe
PID 3416 wrote to memory of 4056	3416	806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\fqcIwIsE\tKUkIYMQ.exe
"C:\Users\Admin\fqcIwIsE\tKUkIYMQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2704

C:\ProgramData\EsgQkYsg\uIYscwkg.exe
"C:\ProgramData\EsgQkYsg\uIYscwkg.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
8⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
10⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
12⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
14⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
16⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
18⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
20⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
22⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
24⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
26⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
28⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
30⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
32⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
33⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
34⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
35⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
36⤵
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
37⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
38⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
39⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
40⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
41⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
42⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
43⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
44⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
45⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
46⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
47⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
48⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
49⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
50⤵
PID:3040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
51⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
52⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
53⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
54⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
55⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
56⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
57⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
58⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
59⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
60⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
61⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
62⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
63⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
64⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
65⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
66⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
67⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
68⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
69⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
70⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
71⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
72⤵
PID:4108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
73⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
74⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
75⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
76⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
77⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
78⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
79⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
80⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
81⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
82⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
83⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
84⤵
PID:1244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
85⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
86⤵
PID:440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
87⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
88⤵
PID:4880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
89⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
90⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
91⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
92⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
93⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
94⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
95⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
96⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
97⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
98⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
99⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
100⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
101⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
102⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
103⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
104⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
105⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
106⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
107⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
108⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
109⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
110⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
111⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
112⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
113⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
114⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
115⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
116⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
117⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
118⤵
PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
119⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
120⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
121⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
122⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
123⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
124⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
125⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
126⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
127⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
128⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
129⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
130⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
131⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
132⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
133⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
134⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
135⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
136⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
137⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
138⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
139⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
140⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
141⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
142⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
143⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
144⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
145⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
146⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
147⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
148⤵
PID:1936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
149⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
150⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
151⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
152⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
153⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
154⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
155⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
156⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
157⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
158⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
159⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
160⤵
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
161⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
162⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
163⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
164⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
165⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
166⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
167⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
168⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
169⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
170⤵
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
171⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
172⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
173⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
174⤵
PID:1356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
175⤵
- Adds Run key to start application
PID:3668

C:\Users\Admin\UyAgEcoo\kYAQcYow.exe
"C:\Users\Admin\UyAgEcoo\kYAQcYow.exe"
176⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 224
177⤵
- Program crash
PID:3944

C:\ProgramData\cuMYwIcU\owEMYEoY.exe
"C:\ProgramData\cuMYwIcU\owEMYEoY.exe"
176⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 224
177⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
176⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
177⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
178⤵
PID:332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
179⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
180⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
181⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
182⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
183⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
184⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
185⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
186⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
187⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
188⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
189⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
190⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
191⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
192⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
193⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
194⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
195⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
196⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
197⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
198⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
199⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
200⤵
PID:1740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
201⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
202⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
203⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
204⤵
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
205⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
206⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
207⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
208⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
209⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
210⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
211⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
212⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
213⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
214⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
215⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
216⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
217⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
218⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
219⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
220⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
221⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
222⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
223⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
224⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
225⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
226⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
227⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
228⤵
PID:3008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
229⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
230⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
231⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
232⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
233⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
234⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
235⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
236⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
237⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
238⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
239⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
240⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
241⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
242⤵
PID:640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
243⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
244⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
245⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
246⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
247⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
248⤵
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
249⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics"
250⤵
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
251⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
- Modifies registry key
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcYAIkwg.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
250⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
- Modifies registry key
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIswcwI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
248⤵
PID:2104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:4800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWAgsUEs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
246⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWAIQwUg.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
244⤵
PID:1160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voAwMcws.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
242⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmsIIgYk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
240⤵
PID:2636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
- Modifies registry key
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEQsQYw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
238⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keMIwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
236⤵
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yewowsss.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
234⤵
PID:2024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaAYQEok.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
232⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCMcYIcA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
230⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeQEYIIY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
228⤵
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
- Modifies registry key
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- Modifies registry key
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQIksokc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
226⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIAMwcAc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
224⤵
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKQkUUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
222⤵
PID:5000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
- Modifies visibility of file extensions in Explorer
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- Modifies registry key
PID:2036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcAkAYMM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
220⤵
PID:2080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwYcQQkU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
218⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyQocsYs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
216⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- Modifies registry key
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAooUMYM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
214⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMggEEwU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
212⤵
PID:4392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
- Modifies registry key
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:3056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykkAcAAE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
210⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAoYocUI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
208⤵
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAgAoAEY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
206⤵
PID:4480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSIMEAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
204⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaYQgcUw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
202⤵
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:2952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaIIgcEI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
200⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
- Modifies registry key
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swsooUwk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
198⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssUMIosw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
196⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqsMocgU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
194⤵
PID:3936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- Modifies registry key
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIIAAogo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
192⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAAAkMwE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
190⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWMUgkMM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
188⤵
PID:3840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGIAQIwE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
186⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSwYEUkA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
184⤵
PID:1168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAEsgAso.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
182⤵
PID:4104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUcIYkMY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
180⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCQMgMIs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
178⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmEEAoow.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
176⤵
PID:3652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkkcUAIs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
174⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYscoAAo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
172⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQkQMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
170⤵
PID:4204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eacYQosY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
168⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
- Modifies registry key
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgEkccUI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
166⤵
PID:816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKYgcUAc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
164⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCskogQk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
162⤵
PID:4036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:3580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEsUkMMk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
160⤵
PID:2268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUgEwoow.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
158⤵
PID:968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QogQAIAk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
156⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwYUoYYs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
154⤵
PID:1740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGQAMYwA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
152⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:4568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKsssQQo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
150⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BksskQcM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
148⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:1168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toAAsEsk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
146⤵
PID:3388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hswwskcY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
144⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMAQEsck.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
142⤵
PID:4848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGIAAkMc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
140⤵
PID:2676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:5020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYEoAgs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
138⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKUMQgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
136⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUYcoMAM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
134⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tacAoAYA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
132⤵
PID:4680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daQAYgQM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
130⤵
PID:2764

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmYIQoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
128⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOgYMMsw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
126⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:3936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyUMYwUk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
124⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEQwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
122⤵
PID:2140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fysAQUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
120⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZokcMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
118⤵
PID:1236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMYgcUk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
116⤵
PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYUAYUkc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
114⤵
PID:1672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmksQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
112⤵
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:3908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKEsAMoc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
110⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIoQwAkc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
108⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies registry key
PID:1584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUEMkAoM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
106⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIQIYEM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
104⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUUsgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
102⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyUkggAw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
100⤵
PID:1752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoUEQMoM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
98⤵
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOcAcAgs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
96⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIYYUMUA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
94⤵
PID:1996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEMQkogY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
92⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQgEYkAM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
90⤵
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:1056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCIEcMUo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
88⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAAIQEgs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
86⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smcgEUUI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
84⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMgMIkIY.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
82⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysUcUoME.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
80⤵
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- Modifies registry key
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgkAAEoE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
78⤵
PID:3652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCwMUwsc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
76⤵
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIYMsgYU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
74⤵
PID:4532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- Modifies registry key
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gScwsUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
72⤵
PID:1820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsEYQAEc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
70⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:3364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSIIMgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
68⤵
PID:3944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TggQIwks.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
66⤵
PID:4776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGsYwEgo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
64⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqIsgcQE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
62⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYcwkwQw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
60⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIkEkkgc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
58⤵
PID:3660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
- Modifies registry key
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYEAckQM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
56⤵
PID:644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NasgQUAo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
54⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgAAwIIw.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
52⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsIsIUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
50⤵
PID:4088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUMAIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
48⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:2268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcswkwcE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
46⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEAcoMYE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
44⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCgwkYsU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
42⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aksAYUUg.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
40⤵
PID:2976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmUoUQAA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
38⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcQAYscU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
36⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKQsYAsE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
34⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEsEckk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
32⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAEkUMMs.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
30⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKcoIgwg.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
28⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
- Modifies registry key
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAQcsQM.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
26⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:5000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIwAUYYE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
24⤵
PID:1796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyssYUQg.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
22⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcMgcwIE.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
20⤵
PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQQIcEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
18⤵
PID:220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quAsEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
16⤵
PID:2376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWAYkAgI.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
14⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgIgskIA.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
12⤵
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcMwokoU.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
10⤵
PID:2000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwgsQEc.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
8⤵
PID:3864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMoMcsgk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
6⤵
PID:4056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQMAcEog.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyAcYYYk.bat" "C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3856

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1444 -ip 1444
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
1⤵
PID:4704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EsgQkYsg\uIYscwkg.exe
Filesize
181KB

MD5
16ccc8868a8408b56dd93474b500e8e1

SHA1
901b0b1391a9bc7bcf294b71a284a3465178d1cb

SHA256
923ef67550b0deaa92a81cf9d60a899a18bea59598cf8abcd9e98697bad3f308

SHA512
b8fc6ecdf452ff3b677a3d16100312ca9eb09c4d04501ddced383e5258f0a995eabc006e24c0dcc7d5228917650d201fb3715c2b5c06c2ccfa2f74c0415dd656

Download Submit
C:\ProgramData\EsgQkYsg\uIYscwkg.inf
Filesize
4B

MD5
785870f290f112fb34b27916c8cce8e7

SHA1
789fbc3de495af1ccf805864ab98cc1278301b28

SHA256
34fdf81e92de61092aea4cbdb059de20f2c235572be512e3d018d4a3ad7b516e

SHA512
ad87d32b48a27e1f83b46e0f816f8d52a4ef23f9ffbe0202c6b275be1293ee69591be58317569911e65aa8cf50ab3c04b5b6956d7754be6767e9b08793a6e6f8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
230KB

MD5
c3c74f3970938f43458261464a888afe

SHA1
21236fffc2ee2c8fc77649d513afa5a6b5519177

SHA256
a75565942dd0eddb74ef254d2396c0a3f2ff7d0013d7c319c5f37f78cb8455f1

SHA512
90d5c9f38c72460bb077e31182714e48d7f1110612526351719cfb82c99190f4d57cd684af3d5d281e34cbed9b2352c6b25cacb9f24dc684a6682b10d4e05f5e

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
631KB

MD5
07ed1f20bb866c5ddd5f2ecc8d4d7171

SHA1
608219ebef4ee5f8d05749ba8d7be83933d007b9

SHA256
b12e5dfd6215ccb5cd298cc362bb33485c6dcb42aebf705844410502b43301f2

SHA512
4ee6974a88e18a8afb3fa84747204204d555884b160e1aa80c975b8471f68cb73b6253030c8c9a6ef3b997f304c30d9a3b7c7b64f5c36bc5fff464d8b9f1a215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe
Filesize
185KB

MD5
368faa40964cf287e4f52da62f1151b3

SHA1
c01d3d7ca4785055c6d2ab8c35c4eb7ba699c87b

SHA256
936672974eda22a6592ff66aad758b97f758edaec967c8445615a28a31f81513

SHA512
5a48eebac0eeda771bb58c17206dd0583018a3b440d8e160611dfa400692270e9771e063f289237b47840d3714886b734db06473c1c3228acd3062119fc8c71e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
202KB

MD5
13728703e60e86a315f634ba6158500e

SHA1
925f6c4073b02f22ddf3d32fc8e1cc20d0556c33

SHA256
3d4ebf90a9b97e0fddf79ccda9f38d147e407aa63c8d70642bd092c549d2efb2

SHA512
f5943c8f5187264055e1c1e9b8bcb974a1c9c147809c5dc674e0971504f76971ed7bae6cc2de01bb1bb8811de6e6b95294c30069226d73a6e21fb173b5b59cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
183KB

MD5
30f29f633f3268edc4838181f5262720

SHA1
5a7cb6252f230f04c3a368b6b0499d42674dc303

SHA256
a3e4bda1077eeacb65e2393c8bf1e50778655eb61c97be0e92e0b3fad3946a84

SHA512
ca9c576cf4752552f830ec69fcdbd11bce1dca415b331b400f1084610d5e6e21a9c0f2a1fedb2c108c8572e8adf3cff8a54b486d0d36b5a85ff3cb37aef94f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
203KB

MD5
27c29f559c37c28b9640e6ed14aa62fe

SHA1
911d07f5de2112b7234b8a0532423baa19a15cac

SHA256
8670c74a60c6dfdd98365fde177ae382b73cb5837becd7ba45a61cd842081934

SHA512
eac57f2291133b7995a41f6baf21b948d91aaa35c25ec1420236d1257095448b3a3921e16c538e7933de1514207026157eb5d73ad9dcd991a2709e6f566ad120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
184KB

MD5
78d1ca60c5de2dca3a133f86eefd8e55

SHA1
935af177f11dda57dc7cb73dd0f04b8ecf98cf19

SHA256
799c4c4e90a10784ab46b3eb5ab21de9ce8f711cb3e7461a38687ecd56f1539a

SHA512
91bf3e4a040ca144a09087d1658008b0fac259d895b74168d905827e485600851761f97be6aa08b5f5fec9050007abf8cbf9afea47539c7fcf210f985e12866e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
186KB

MD5
7d65d749aca84dc62de9f77cfd31d0bf

SHA1
d41472f3ad4214353fc8fe8a42c24f452bde39c4

SHA256
f887aabc089c8931f1c46aaad29e2f6277ddbf8524074faa2a9f019e6b01f7ad

SHA512
d01cfa0aef9e707d96522fb148f36c8c6655a24cb09ba7b265097c09f99590e28da25d45bb5fad8105c8c9e2db227497a0b87fb68272c76afb75928490a54eba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
197KB

MD5
13c890a2e4864dffde35713ab1857309

SHA1
decf7f262509512bc09d937e59a53fa32da0ab46

SHA256
5e2a6452ef5ec465f433ce5b2a9d415cf70f9f3de709b35fa73750480b821137

SHA512
ce209a23429673a623c03e6994ee01684d6fb015034972cb306aeff2f988cc19e6ebd43f94599228fc8f4f4db4b7a5a88ab639a4eca7003ebb0ab231af245be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\806b9f92a4464a291ac1d8e90b08ed40_NeikiAnalytics
Filesize
6KB

MD5
8243501c8bec7c2fabcac8cb47d98048

SHA1
f03c28e2f966b10efdc0eafda6ed6d3ab14b7d43

SHA256
4f5230f4e5338c433953dfe6fc203f2cb1936ca7ad8a9d6aed0afb583a1639fd

SHA512
5de50003977c1b5c4f55132465d0a5589a32a00f388c6c57fbc9da42fcb7368578ebb6e9b541e2656dc07fb9c0a77cea75f990316be67ed5bffeed47385a5aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYcu.exe
Filesize
572KB

MD5
5cedf41a0c1a00958f919b4d2688762b

SHA1
cea45797db8a257109f4327b52aa815d5d7176c3

SHA256
064d2a788c86c28cae61c90d38e653d4d920f55caf6031cd876cdbb6a1c75bf1

SHA512
78a011d9dcf8152ad6871086eabb106309511f3ba66f1053854225925a8c1afb31dd989f2f21e65032750a9d10fa213e3557e0dbf8a98e1b25d069b7cc6215b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcQQ.exe
Filesize
220KB

MD5
0b4a37e9a39b4ce2fb65a0b3e0625bde

SHA1
23849d833f8aab96a82b6307296187f66901ed5a

SHA256
9fbe322c145bb04910720bfecc7f00ed58d960cfa07ed5cadb80b6f3888e4fc2

SHA512
88f0660e740c87954738a295a02f1bb2041af4b9a3b0ba2670a02038e1a5e5bb6d36d04d9413e06d19870a14aaad58773bbaaa208976fd3f67a2ffed3dbe8d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aksk.exe
Filesize
190KB

MD5
7253f7cf382ea9d9cafdb2fa28145d3c

SHA1
140cb4b02e977c35641d28422ace7c09889c1f31

SHA256
f431ef88f307b3a22814631b7f6553858922d29e5a799fb53dde7fb34ae49b38

SHA512
d73df6e61d0e6c8ef17631403ba85a498fa736032d7d2ada8501da193164724c3330b3982bad451ccab2b935da127ed600394407e69907173a921ceee83074ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cooc.exe
Filesize
184KB

MD5
5a6f92706fe167ff9385fa08c735f564

SHA1
8b1aedadb641dc2902bc7261df3e07c7ae805d23

SHA256
1985806268e0af13f0d2817f48a848a40d1685180385c53743d37ba2e04735df

SHA512
268a84747af62a3ebdb1a9129e3e8ec9e4e0b7f1c47954d1f13d79fceef79fbeb97758d2957d53da8a6fd4bfd4d70f6b96aab333eb5c3375d2e32ec494c4adf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAkE.exe
Filesize
188KB

MD5
c2ce5d0d170a6fc5d8eae8a7fd9e91bf

SHA1
b6f7c8ae39a734f880ad8000ff5b3cedaee23576

SHA256
cf24a0cacf49d6382249dbb0fb8e5f06c272cc29f54b7cfa31c3eedcc009cee2

SHA512
f52c7ab0bbd760e7bd4e9bc77ad876255b0fdf11bfbcfd782a50817d86bc63679627c58f40e623e078a6f4d1d793868a9b93830e764e3647f5dc5fcd6db52e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAoI.exe
Filesize
186KB

MD5
88f7db5dbe55c5a150f5cbad777eb5df

SHA1
7bdd788069f16365482a5d2701bb776e95170750

SHA256
aa634050d703e296afd4cdf06e41971149e6e5f7ef7f68ec7e98300e964afeca

SHA512
152a9e1e45c68755bb50481a8569c3c1ddfdeefecef781ef1d8d3a1573fbba5475ea2867432609413374041770edf42c8deec55cea0f2cbb7813ab6bca5a15d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEIK.exe
Filesize
199KB

MD5
deb1c94f494946aab913ac51703c4aa7

SHA1
a3f62331cf46b3215d7d3c47f3e21f31c5872dc9

SHA256
62ffb0cb2ed93824a55ec9e72d9fcab555e435a2c81c7f51de4c5981d08e9e44

SHA512
bd55ca3aac61095c58985ff1ac3d6715da33061ba810e128ed8e1901871865ff355906f93117ffc8b6f895a5343ce71dcf258449ac49b30bbd1f03878effe887

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsa.exe
Filesize
206KB

MD5
579b89e8aaf7974edb128f0598263ee9

SHA1
e29866a7d4bd82a486f0d98b094b32e6b95a62c0

SHA256
f674607e009fa8d31ee434c4d9b0a503f027250bea28d9b7e847a3f25c1ac63a

SHA512
c8494c3cfb97bf83771cede49a4846be2cdbe2be97cec33ff12bf8f18d70c31a12642862ffff4b0575ab3336b6f439377a58c41646942e9167a3b50a56330630

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIQQ.exe
Filesize
371KB

MD5
df947e9d35d89324633c70fcab3deb12

SHA1
ee7912c1c01c760bcc0f913ffb030b080721cc44

SHA256
9079f59d25fc79cdcf529e4a0d736aab2f10fe773b01b2a1ae297ca65f9cd618

SHA512
20dd0b61c2c7edbe5e3f14f5b88e402db7565f75aac8f220197f0a99a6d2380502e4eedc862042d931e877e54e13b83a2db7e25be82b90c1d46ffd3eb84fbf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIUU.exe
Filesize
194KB

MD5
dd8504d64585f3ce633230ff816fd7d9

SHA1
00e39db3dec9e99b51b0d83f13545de0365e0791

SHA256
53fd984fb2d80eb23a4fada2f3051faa5eb7d8fd06b5178afc8eb351d31e5935

SHA512
badd484d534ac1846c1e34a993693e5c0b389628aab6c9405a0306bc042d07b5ca8216eae2e3a997dbfebbdd9084551a7008949006f4a1fb2cbff7a5f20f8ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQU.exe
Filesize
197KB

MD5
1d524ddd6e0e1e9c2901e97d45d07d2c

SHA1
f091e85520fa50a409c39dc3cca36ab5bedb6c17

SHA256
c0081101a9721241b618791ca1a3ba749216ef6ff16d18107f53b64debe0ed6e

SHA512
f0ae4c318d652baf08ade75580b4c6c03b90392dabb2831c778aaf4d4032b48b8a5dc4fa6b3e14857f006a98f8c9176476533a0fd41a5becf2a015282d3a9e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egsc.exe
Filesize
317KB

MD5
98f2e037830b58dc9fdc237d6bf70e41

SHA1
6a4403e034f9d204714552ed5592f339016d5d99

SHA256
84ef7b8ae0620683093fba119269470b8d3c1e08024a589622adde7ae989f893

SHA512
ecd6110222ffd2d3c0eed40c41e567a86e8405811415095242a032f11926551fd8dde44f11aac8aa2bf792a8c7f78d01cf9cf0dd8d2f1e1b3f5e6dbd046715b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQe.exe
Filesize
200KB

MD5
9199b3cbbfa424e9308aa25112fea1ab

SHA1
a2557f5db0ce92fe1156522f338c9e1265d4d2a4

SHA256
ffc7ac6c8538d91741a1e88c507f1704675e20cda80036feb475e60096112652

SHA512
a7274fb4d93842be8de5068392465dbabc38f8c8a40c4a50e8bec7b049c0de40d4fa43553c6ec70d493f9259e531cba8c5d842bceab3066952d1de6ecd36e65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eowo.exe
Filesize
193KB

MD5
5f28885b8ccca696c02a556ce752bb45

SHA1
1f935f5a84cb42c2d4029515d888fe066f724214

SHA256
1d8487ef45632a5ab2f6f4cddfbf831f80f443683c271654e4ed7852f81be075

SHA512
fe6771085d0a741c2c7df532f9cfa54e783e0e18d8f3143b785dc066e3e3c08cff1128dd2131bc8d4ad1447f1c3e0b3e49b2acef32d4b5b4f9183a212eedd948

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEUY.exe
Filesize
202KB

MD5
6f31c7faaa2a4048022ef5c0ffbcba61

SHA1
aee3d5832946719a9711da7e6d1424b0ef9cd252

SHA256
e6c964d799ed6a2c185f0da3e75f365a8c77da759a98fb07c8e70399f3543e37

SHA512
b8d2f78e701a75c42a685c2a77f5bea8684433f35f39cbb2e3bbe8833241a2d7852ef06eb2b5bfaf9f8ddffcfb960d095cc26f7cc8b074f1175d7cc3227a97a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEYy.exe
Filesize
189KB

MD5
d2732e83600bb75c267b421b6f6c98a9

SHA1
de5018a6eb8e2d318afe9d0b7f94ba8647b59b8e

SHA256
1cfefb04ebbbbf60f1168d400a5c543f5e11a47a7d8233952e0f47e1709d855e

SHA512
6d737ad9a32ca7df3afa09b3708e2d191dd3a64362a798b636d05166bbd8124f348fed569d00bc8a8dfb3d1517b43308db3b6953a6958ab5698279633221bd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQQI.exe
Filesize
188KB

MD5
83fbc2f1c81aff5215e65027aa1b75b4

SHA1
558f52ba3f71cb3729fc0b151840f8c3d9330c39

SHA256
521fb3422c317adb0ff47e8bea350ee0f349ef5556e95076cf5427549d61e524

SHA512
c5f2244eba3b6ba6d719a50b8bf49c7b991ab0ce6aa817e6447a4f39cebac1f7d9b2dc6ca0d73e155bf6c85e41dc2fe721c527959916747db98bc1b9015e6534

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQca.exe
Filesize
790KB

MD5
e8b151f5fd5b98f420f2129c21d9722d

SHA1
d4c84ea786265a9bade88babc44a9a8e6893e8f0

SHA256
bb7d90beb7ea5fe7f2951da8a5943aedab18310077e7f41b727d923d5d44ed6b

SHA512
a2d6f0995f58998b605fced37d819777629128580e15ca1b122e5e01dac487de4541d61d79734f3ecc29888c2a954688c6287bbd88a8ffe9cfdf3051acf3371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggko.exe
Filesize
190KB

MD5
762296f98381dd7363bfbd16919a7401

SHA1
4f32907eb010b7cd107ce3eaadaf57da44af1533

SHA256
780c0f93a1267bf30f60e1bf57064e95d666486064a2b5560311db88c671dea9

SHA512
4256a972257a2461e14d13a9e5ef27882d7c7a2c7bbf14d48fd9a9d454531235e35fb8882b779898a5da4a13faa9e32197239454ba183ff8f4bb5c56f2996f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIUA.exe
Filesize
791KB

MD5
657a4e911e411c54189376b7468de589

SHA1
d5529b096dad925bcad5b62bbc9fa20cff334d95

SHA256
e956bb717fcc192f055b28710e74b86c4f3d56334a0f2a4fa17266c2c9300fcc

SHA512
07b073a54e0bd935c545c49541c2b4930f91e7d74d3ceed8041b0aa329ef9e47474e873325e543dcf6565b24fb778ca32da07b96f2b728d93ad79aab6abc3a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIYS.exe
Filesize
211KB

MD5
177574c938570b12b3f38aa0d04de9b8

SHA1
501036940f516de2ffa7eaf1f3bbd1a91fd885d7

SHA256
80729873f2db0ff79540319dce5332c209a5aecd997837a162fe67ff5dc89b46

SHA512
126d7bb4584459a7c6c9b73dd4695a9a8a165d57873ea25a01077a4867c850f910d8680bddc5cfaebb76c7edaf881ebf32fb0e45f78b965d5ba49f6e28b346e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMO.exe
Filesize
1.0MB

MD5
27a2859e49137a66cf12ff1867d6d074

SHA1
0e867435282c39a8b11505532b3630eaa6fe01c2

SHA256
9d62c9b7288b10713c4caf9efab9d71c4a3d44ef53606edf6815bbf21bd173e3

SHA512
7b2d23c4bcb5a27a04896f2fe79392006ccbe1f17d6af3ff89aad1d2c26cb56fdf75c3e487a2579fe50ba0c2c031d9155f472b6d80a0d6efa51ac7b37edb83b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQMG.exe
Filesize
211KB

MD5
eb0c2c7e4583757c0f3b90e3d6c1b685

SHA1
6775b3dce178377a8042e9684cf2ffd26c375878

SHA256
5d949300bd7eb21f13297cb60b66a5bce92c581f3b2b9bce89d6369f83a38aea

SHA512
39f7e7bb5644f79e22ca751b988bd69b2bdceff3eeda04bd6e5f5d1f5f44c9883e9f75f2603639c8093fb92a9e8ae0931eadaf051ce067cb1f702f5614f1818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUQ.exe
Filesize
810KB

MD5
28421cb225bcab69f341952690acebfb

SHA1
788e343e4547b6a4a64033f18bad5bab10138acf

SHA256
7a4cfe8bdd51322850868ba562e953345675075e9fa71525c65bbbac2e24e39e

SHA512
6954bacd43d12fa4a71575c763a62f6e04c9106220ac07c9f1ec7dafdb4b1c1be63ff661949c463687c1caa9f3bac00a49818dfdccf4fa157775223e3dded3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IggI.exe
Filesize
184KB

MD5
8452faf88b3f58903b1170055f9d192d

SHA1
195051a0c3c6a3b8dd46f69129f46fe97df46f4f

SHA256
ef7c932cfb6e9c07fe727f488e12e86c23115b64d90aaeb5865322b87614ff16

SHA512
6b543ca35e59794dee98a511b14fbf1bca1477ebc557efdc36e9ff71f41963787b0eda9f81c0ce635368b43077a747bf026eb02d14a29b757546bd3d9e20901b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkgC.exe
Filesize
220KB

MD5
e2851694607d0d4151d8cdbb046be439

SHA1
70619b7841652b90fe11323b9e6003c2c9e80c99

SHA256
88103008bc1e3bbbfbca30a240241ca1d05a53b6f06248580c2c97c5791a9a95

SHA512
6e45f93c04d1b6e20a5a29e813037142c4d351423e0ec4fa13d162d87559f6cbc8f5cdcb96e4d33121607e4d205163fd976f35f1d3b927e89d69f03a7d54b6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\JyAcYYYk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQIk.exe
Filesize
201KB

MD5
f77f113312b664d13356ef360661f96f

SHA1
58e37d64c5d98f7b9bdc4f577e843a8018c18fb1

SHA256
90aea069e7d47b5612acef5bbf042457eac49ef17564b33cf2950ddebd7df88f

SHA512
a81bdc2c97f4c5212c67b62c9ae93aa46ac49fe0bedd5566b4bc07becdc22fb1e0bf6b12b36d460deef067c63b8bc6add1840203f40439dc9cc7a357b1eb410b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcAc.exe
Filesize
211KB

MD5
68b2ec792dace26a1ecb7b333c92a576

SHA1
caf9f3c61c3d91e6831b06c53cbea6623e32a862

SHA256
22461a598ff7f007c821ec90a2f2eb8e91d365629319859560339afb7c84c1bd

SHA512
c59f15ae09ede3b2a7bcaf79c5ee11525270f38e88bf3ebb87190fe18bdf15f993fc08ea4adea459e6124981fe80c64dce5ee663b8e459fc43a44e5cd3eb6e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsgM.exe
Filesize
204KB

MD5
46e7c3fc22e0f71423ef696fe6ecab0b

SHA1
95d82cde4282383d01b5ba19eaf269280bf9d88e

SHA256
7e54d6f034cee1bf1326ecf94c9acd62941297b8b485fe865ee6ec147261626b

SHA512
1a98ae0dc34a2a3af4909431ea5e4cfdaa4afef4d45ac75a39d4c65fbdb4c48cfbf40080d9266b9a56efc987cee96a67c08449b39ac062f03dbce229b0118abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwsw.exe
Filesize
397KB

MD5
aaa04fc38591d925943dc835f3342630

SHA1
27fb9542cb12b5dfad6c89260296adf818782133

SHA256
121c7fef99a530e62ad916e81bc207aab6bccadc8f373e6888918ad51b58d3aa

SHA512
3b298ee80dc67180e5ced8eb1ce7c483a6d6be0c173f87f1a92c7d461fd3484f694b50a81f61aff93f413c33e7635782c496a0fc3e3ac98472f7e4f7ca6598ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIa.exe
Filesize
194KB

MD5
67cdcd9c74ca05ddade5fc5e0960f135

SHA1
98a0aad62a65d266fb070fd7f8af42b3247896fe

SHA256
6d39b22709094de7acf9ceb7dab64a2cdd3d18a1b6de08b78198e67815869f45

SHA512
468560643685fc41520ef13c3f81686af15314ec7b25ecc88dbb6d5092187eb433940d0c1df681563957ce317bd03585f444d084a3739045e09be4125e60d417

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUu.exe
Filesize
5.9MB

MD5
01c69d9109a20400f03da3239654cbb4

SHA1
3975860a4f376491d4de9ddfcf8873b41788e081

SHA256
9527728c4b25e975abe1c17478628acea824bc740745f0e89c3007b6b5c2d177

SHA512
8b14b096aaa2f00ce2e9243d35927c79773683437ce98635e5e3f5229015ed436a1daa97b72f79d1b2f8b32a7976e32d2f16d4b90215f205c2bac00f5b9ca5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMwM.exe
Filesize
427KB

MD5
8e8b9bce8f50a428f13d6fc375b3948f

SHA1
76cdef80f93d0e3f17ade5edc714eee29362d26c

SHA256
9c49b3e669b09941208809a4535909df1f6cef62c74a76a6bc3fd73f00cc8913

SHA512
983bb7b739b4ce3d0efaa6be7c8debc10228ff9d89bc6cbe33a1612a3a27849588caab8224a45e3196c435445bb780ea75ae2aab890ef251f4162eea34f39946

Download Submit
C:\Users\Admin\AppData\Local\Temp\MooM.exe
Filesize
1.1MB

MD5
e53edd47ceeace20ae3eec8f9289c655

SHA1
0cc035c5f85f77157bfd09425403d4bd0281e216

SHA256
f180bccee5ff66c52760155c98fea36c3655dec553827a7787207f3cc1a4596d

SHA512
3617e1d3cc6ac9840b9b8428c0b8ce5cfaf9e45710947e12c7994aa71eee30b6214f10a5c68087fe97063873726957871c94987240bfa451f33f34c5aa82c119

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQIc.exe
Filesize
203KB

MD5
f6a8738431644a2854bdb9ce6ba58ef9

SHA1
db662c142f99d880c6130b7e3ea80f8aa103f47f

SHA256
ac204da9154ff8bc745b35b0933bf6e7eec67b8612210c4561c4474a47a25fad

SHA512
15334af0e30dffda0831289e14c2d8f4876bef0273171ef60aab1b51a8748305c89d073137d88d29300ddb463477ad888dcf57f4aeacfdf2a15718655fc8f9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUi.exe
Filesize
472KB

MD5
205a949049e97fe544fee192209d1271

SHA1
06fbdae594db8290cdfcc2efe4031f0ea9c187d2

SHA256
2229b85963e9ed130528e818cee64e8ca2148dc090445212bc463866f73217b6

SHA512
33e5ac7c08bd026d4fb0d75b5e5c7b67e2e766d9485d13f75ff004d8cd106bef378ae5b803420b1eb61a0ca6392d52db2b1624e789dea5661e3f044f1ee98776

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMG.exe
Filesize
231KB

MD5
bf22b87ba9bf3abbf8dd425148fa445b

SHA1
b4c454d2080364cbba448aaae86a1059709b404b

SHA256
108a3e098617243db5704b2b7de43257342f1eb1514a074ed0c38b3de67359fb

SHA512
9e1dd856122c265b1c6b30169e098fc425f7f812b96bbd94ef7113332f0cd6720eeda4ab730ed9bb820351a0f6f8dba4ce4383770ebbfc2eebff894bbfeac829

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMy.exe
Filesize
196KB

MD5
e5898c87f748ef475b319ec1b1777889

SHA1
a80d980835b3b8fd1390a4b4c10b072d85b32f2b

SHA256
8924c8fe6f524b8af93d8be70db0d7aaf43be7f94f1ef54af20647cd2822c90d

SHA512
aa2e9af4fb1c1dc2e383ebce689029191c0b8c3c315cf7e0935d0cd80ba55cbb2f947a1436a285c8aa764bbaeaa6b2c4c3eb929483ac71d02a1eaa9ce39f7474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okcg.exe
Filesize
202KB

MD5
370b15c3711fde40c97bb0787f45c2dd

SHA1
febe1148414378e0ffb597cfa3b40789f33d03e9

SHA256
986518613f592dc8a8343e640fc39eafedc6bdf9f84b0db8fde767112b9d45ca

SHA512
71c0ffc766e10048e9b2f664c280695fe2629b717c4a0b7be3dac6956bcae1ba5471079610212202bc5f7e29778be0c67ac86e4aa04a30af7daa12542464db40

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMoK.exe
Filesize
382KB

MD5
fa3c04694169464aa787861746c004bf

SHA1
c4fd8c79c9c5250633daf2c21611cfa75f4293ed

SHA256
9bbafbcd7a4b6efe94d72d19b494edc6b3c3b825e59fb8e8de9f5ddb3d3e71e2

SHA512
2be4a5e5e828290df0538385543e25fc789bf7dcf9d651b2aafe9910c67a29c558d0c8b05d10b6de308ae74e61d4521c8dd2e06c99a971af0cc102a0b2065f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcIW.exe
Filesize
416KB

MD5
952a4f8316a7bed382951bbc84a8dcdc

SHA1
c07d4459746fbd18a07fc468b76e28fc352fd8aa

SHA256
eb45952a7cc49ccfa0065553e02e5e732eb2d39c4cb68662c6b956f0fb772991

SHA512
81ad82e27708aff27f50aab685e8413e4e993fb248343283bd07437a232bc0dabc263e48746e72d81c4afd972c7484e398346265bf6da702ba4876357396a39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcwm.exe
Filesize
189KB

MD5
cc3faac1231cec4ddc37378bb6d6d342

SHA1
d25fb912f9310cdc41134f0018561d07006ca485

SHA256
cfe0f021e412208c4bbb6dfd180dbcef3f5bd0d6bb0588edc3a8a2c6645cdc63

SHA512
f98588e33373adb5c82279461990b050028cf4fea13f94eea9206bb90876d93fb7c28ee2456b53067eda2282859dbcb1569c314afe1d985e45671eba49fea197

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgME.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAI.exe
Filesize
322KB

MD5
bffaa62c1f40bd0ccbfba4b47989fb61

SHA1
337b08ea83ba3957f4840ba4c83eb4ab6c9d6c2f

SHA256
900e8985f03cdda94030cd2b3932b98b08772a0d1d180cb66f3e4afcfaa2df01

SHA512
40d1a2f5ac6359f40bb9cabc976f7bb1559ad61ec1c0a332e6b45e6681451ec7299819e9ec793252aee6ad8e9fcf7d89efe6f259c27b6c43990b90636c886311

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qokk.exe
Filesize
516KB

MD5
e21a3a9acd21bde649c3a66d70314fa8

SHA1
802282dd2bc1b9400c42b5ec5218c5f5a87b2a06

SHA256
7c118b25fe2f3a4a5e719ff049d862fad3ff22bdd6af44d261b4730da54681e3

SHA512
ea5536a051673dd2f10ad3612ec206639f78da1c09e292993da012b77b038e004034aabc37966f7ab66e54d4c0a17be4ac44a7fdbb32a516e92086a72c29af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAck.exe
Filesize
520KB

MD5
0c6e868c603f79e4d9b4115fa2382e25

SHA1
e5fe2c8300613aaccc6a5848aeb234a16e36c4c3

SHA256
b61740bdaa46bfeb760219956c38844aee8ee817893ff7e1cc6a994bf3471721

SHA512
46d2a4c06eb21525e580794f69ab177a2aeef641adba003a83698e61fd809855b630faf1e197efb7482f50d04c9c87568ac96b1ebf8d53b7bfcb98f339950b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEwk.exe
Filesize
198KB

MD5
e0213a1c641196694c0d3e9290d3312f

SHA1
012a01ea3286cd7cd2b47a8c4c5569e27a2da179

SHA256
3bcca3aa8aacca4ec691b36df5acaa2cf461d0df1ab80aedddb18c9aea6dd872

SHA512
e919fbfa7848344df649917f7ad316d14cae3bbd3df74e3534b26169bb404879deed755363e93bcdf8a4a8c8439ca15d04493253081448f1725973757fd12168

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIcA.exe
Filesize
183KB

MD5
c1745660984a99fed19a1af6fcba8118

SHA1
eed9f80134036ad1f07d7910efc7067d33180f33

SHA256
96f27397dcd76d965461f569a9ab7842aed0e0cf8a65da8c96ad9f6e64704c25

SHA512
27a6e8b79a9bb010f41e7ea540644b906719a5ae80e78c64d435245faf50b6fe9d5bb3062df335b68cbdea4eb8ae3d9264e09d8e9be124fb6be5dea75b68c293

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMIG.exe
Filesize
197KB

MD5
150b669b08f28f7c86aaaa312fdaa092

SHA1
548e05616174f9baae29b5901f433dd246fe5b02

SHA256
dbee4fde372f214115468574ea2608d50e8f103488a8a48dbf8d6b49de5d12bc

SHA512
bd2d4003c565588df257e138ca4f7b89140dc9a59ce12e7b9b7821e7a9c222a032e1c5ca66558fbc90abbc5dcac5b875755ee595825066a9812fe21558efaf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScEm.exe
Filesize
188KB

MD5
aff8ee96a54bf31e5bd4a0aa09ad5d74

SHA1
d2172712598d0d95c00b9bf1425572e0d4307120

SHA256
f1605fab1cbcde91855a6bc5bbf65cf4803654322a5519e0bc25e9c1c5c3e76a

SHA512
3c733ab163085ca32f91a23905679251e3a3a3d2bd4a6ead582d9a4453f1944b8b23cb534ea6afddc9a135db3d145c840d40abec04bdbde5004d47b7b73e04ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkIi.exe
Filesize
656KB

MD5
84b265c2d0d199d79093eea003be70f4

SHA1
16517360d037e8b67c5ecfdd3eb72cc9a6601865

SHA256
afe4c173d5b2a7e2d2eee89c273d1220ec643f135b5cfa88fdad23cf2065c662

SHA512
3a019a10b28649cdfb2daf8137a069ee8b5a7fc01219f44491f574bd6640a55331b9ad6ae224c73c3fb082aa1db3defafe1120e71e8e5c65c48844fd9dfbc944

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sskc.exe
Filesize
771KB

MD5
a4e7ad4d245d621e2d4f38563327f84e

SHA1
10cdc4c9b51be258047a18061041c13ef35b0c50

SHA256
fcb92c65d8af48c33331e696a0509d9afdb3b71af71bfb14cbb63484c66e2eac

SHA512
561035174f6977d383232bceb927a23a80c01dd857aade1a9098f993797161be2b108bb79fc42cf1e7d7d53e3420a01c9a59d476c639063f4c5ad896ca9505f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sskq.exe
Filesize
653KB

MD5
e8ecb09185fe2aeff75fe6ebe67ec17b

SHA1
a115c47e48e2e8ce9799e05841290b07763addad

SHA256
cad8e49cb631e239309b2d4e437fe4e6031f3c467712df85d9a4f47b4fec3875

SHA512
f211fa9067d61a8cd28ee0f3d53d85d1b4f99e500cc5244aa5f8f3e59eb784955829b9c5eb3d9bff60524102b4f505f8d35fd792af558198c9788df2699b4c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQQG.exe
Filesize
226KB

MD5
d330f879e87c9f7b00cd2eaaf60aba40

SHA1
aee6f028c5b56ab209bf7c1a61c78e35a70d9043

SHA256
1679bf8ee4f6460b14d7d546f6d0e177b0d1a8a6cb86310b12525bcc50df99f6

SHA512
e58ae53afc9f888ff202d96034e735ec0cff40909dc85110fe3e3b1803280b797f59a6a82fbc0deddb115cc854a6d6df525eb8ead007345f740991b642fe5127

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUge.exe
Filesize
216KB

MD5
e38312e6e007ed4c59f75495c124bd80

SHA1
11fa7d18f85e6af1a42807b4c1da0829ae366617

SHA256
616e6610c9f7f86da72394b54c9a37028fbd14ae4f94c8a2b6c255616a1b11ae

SHA512
23c319f41fbdf953d73996f64de12e21e8b78fce0ba27308b9e137424b009792e7b33496b473d3cac319001ac6995afd25e456d274a1aeac7338a94b76a105b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEO.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkQK.exe
Filesize
968KB

MD5
380c00ddbc9bce375c1ff80fd378d9b0

SHA1
1b94c45554b3b5c6f8b57537d7e82813886d2aad

SHA256
bd2ceb3fafd37d7941f6f3ae13079393fbc42442216143bfb4c708ec6c6b3d1c

SHA512
c970e67b734c5e92800274dacd6a9acff98f9db939a5c7cbcdcad6235844085ffa99f458495ff940aaac73b5f12946f00d9ed657df8dd7d40c3798ab42d7c12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwsc.exe
Filesize
331KB

MD5
66f448c3cf4f18348e66efe8df3775fd

SHA1
41c9dbd1e1e51e1a3e232859d9b6c608e5fa593b

SHA256
561f33f984dcf9c1aa354852f1ced986bf4f3181e5c644e65008e3823692500e

SHA512
c8c538ddeebb7647550bbbc65099e6fafb7cc4d77a655b3be7565cf137862aa42609835d91bc4a460ee8c29edffaf9ef426b72eb0221a3b26e030d7341aa5ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgQ.exe
Filesize
249KB

MD5
e50380e279f7e6ce6bc89426fb38306e

SHA1
86d1b317164ce018503c754b542c4c1ddb3b2afd

SHA256
b1930b2abddc32b0c3841674e2929c079d6484ba901c7ff0938a65a652973b50

SHA512
b56ea9fc3efde39dc9d756bfab39ac030a3e1adfe51177e2c4a1e9a5ea5d43ff688a5700a36b917400bde007a7680fc34fdfcb041f276acc999a870962b7eec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQQS.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYy.exe
Filesize
195KB

MD5
df63d46efa34ad2935dd88bfdd014b0f

SHA1
7d7297f6237ef284fa5aab29ca1f77ae73ee312b

SHA256
8bfac2f7e40f0755ffbda12a399217e4d58b0f10a50d9bef115ad56653e80dc4

SHA512
6436f11096221091f4b71c9760866487636fb844233011473c984dc88f8a3131fefcc78eb3215fe982f5536aeab192fb28a19ededc4e40619f634658741a7328

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkw.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYsI.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQS.exe
Filesize
1.1MB

MD5
c5f9a7b3619b1af2dd78bfd5be1ce885

SHA1
41db8eeb3c2720a2982b2bc2c974b2be6a49c26d

SHA256
2172a3797c4c0b85cb076f3f2034c08617ba75d95f156a24cf8b3f3ab249055c

SHA512
167b8db46e13cb6551ca74d4d73b6119029a422c5943218b55f503c450b937b6d27c3a27f88ae366f4aed44dfe868b18f2afaf7d470d3763ea19b167129cd0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkM.exe
Filesize
188KB

MD5
36632d5e5a37af789486d2d98f6bf6bc

SHA1
52990b61099f735c9c58b34b9fe1b5469ae160f8

SHA256
406b7f1056153c9af0d8137069e06ef76a217bb9a1e0333fe8a0fab27bcb78e2

SHA512
f4895894aa18355110472f3eafe3d548d63b78df227c00b589c6baffa1950642fc1fe7e469be5c99bd5e7bede75938919d62771be496a0fed0044d9605bc2018

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUcy.exe
Filesize
202KB

MD5
5cbe4341ce929755483f6911acd4dee8

SHA1
e2031f183f65f2bc965c49b14358271e006b3774

SHA256
18dae270af1cf4b091ea8ed67742ca34db97bb1572b12b580bae32acef132fc7

SHA512
860e04fc3b0e77a460aea7ee589ac138bf0189b4902f9fac1da5f8756cee853a9480d40ca91317d39c6f240e40e2b46e3662f205fa00baba16fa61cc2ec5fcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccIa.exe
Filesize
187KB

MD5
253aa00d88ae026b5e2e4328c53898d0

SHA1
f64d36a712df567f922193968ea8bcda9fc9d284

SHA256
47fb54df1a1e287a6fa1c70a18d4bcfc27411900d8f2bccb4dc060f021ca0c62

SHA512
ed951cbfc0892a22537ee22d27f695d045b91b8bc00c1327dcca3d83eea0d32b76d3745e0a5f55c8b18ed5ae7306d844e526bc61f3468b9561e78e890d332040

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQY.exe
Filesize
577KB

MD5
a02afb7391824523c4c5c3288224e7bf

SHA1
6cbe3e0bbc7af35a8a01f1ae3c1deaca53cb6ef4

SHA256
745411bb42c523c9551924c5504e8ec5f4a334b107af52b86ea821708f11d5f6

SHA512
aa76c66aaa8cd7d0dacbfbbea75a698e54736039c4c1644096e313e92d17b1fd1b9a9e149a76352ac2df6165ae2b23f14091b4ead4129680388b4bf046501be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggc.exe
Filesize
196KB

MD5
64830d60d58a499ac51ef3589b1cb36d

SHA1
3c2b7d85db94b18ffb3a4264a01bcf5926d69b4d

SHA256
044dba860121ac22de04056671e8ed0a8c4e3887da49862a6edf5d0fb0147283

SHA512
d6fca0a0041600c1126a5ab5d044c6066ebca1ebe8b580f9b508c7237bf817c068c383ab9e37348e2b8430316d62c2152428edabc3bc9b8305224634bb5585d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoQY.exe
Filesize
213KB

MD5
c0eac315b3ed6f33eb753aeec2d3927a

SHA1
3c2c5cadf33c1a82d5e1d3ae05d68572612aac10

SHA256
9304eb86b994bd564da7eaece0205f724a25cb6080b7ab7fdeb9657426fe65ca

SHA512
f2c76e6b17e1d6b4b161779323cce5ffd24a72b4dfd5b4e4a4d9cefba7aa0ee43b6b663ee85838388f101d2c733358ebce6149d2f481d7d9b272a35293f57c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\eosG.exe
Filesize
215KB

MD5
21b27d668464bf4f40cecf0b2e7d410f

SHA1
bee5fde83b1372ee1e0af8a2562faacd718dd85b

SHA256
fd477d1062acdc0f0b08f8673142cb89a49ed72204c97d75d3f7b32e460cec39

SHA512
f79834da4c692ceff09d0a3518080856c71da5f9f728374a1a39fe615af20c08834450ea46df443f99e8db2fe635b2d7f7eb21037c0763351543e59df9bdadde

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoA.exe
Filesize
213KB

MD5
b9b24069b93980821d5ef888c502af89

SHA1
1572ec11d6e39844de4465df497bd1b598ca91dd

SHA256
d69fb21f9bbf44f48e14c7cf9a196469245619111bb061a611d46eb27b4c52c3

SHA512
263082f5930fe873eeaaefa9bf35984d13075d7fca457fa74a582d2e07a24f890798aa7856be34df50a9d77e9dd24ab91170f0dd8fc891f69acd6c684159f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMm.exe
Filesize
659KB

MD5
e9f015242b1267fa1356e83a81be2a6e

SHA1
804705344550977c36b9c2e2d9af960056a96914

SHA256
17bfad98882f0f008391510b9c5a34374a0e1286db4cae9ecc8986fcc9e7dd71

SHA512
d636c86f1809d2b0b395689384d0622ece4e8b4a71d0363f38f25e6ccb46bb4e49b7f8cb8375e86205171d5de2ed0a39bf9cc142137afc85cb5af38851b292c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEK.exe
Filesize
330KB

MD5
58f7a9703cafe97451500ede55d27609

SHA1
6afd08ba81ef19333f0574a72cfc59cd283e0f33

SHA256
f7be25b9920d9a97c38610e93f7afd456126c7db88ed6811db61348644e5ea63

SHA512
c597f4b7dfc21b27aa912b9850d4549e118015a314771bb376f50f38f8fefc33c6b01363d382f201b034bc9f1a688a0efba62f94253aae15c8bdcce7f34ce754

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAUu.exe
Filesize
635KB

MD5
18901860e8e6a62286fbcd732b91799f

SHA1
3e5d484f2dc985573d2b117aab1ebf9e5491bddc

SHA256
3e97160c5737a81793e34350eff3704daa84acb9e1c4f2aef7010b3a4dd405a5

SHA512
a81040026c2db8b787d65cad97308d3e4f2e51542684cbf3daa8de3f0b49c965008988cca61b9d9f9d83d529154fccfb42012669c10e1644e840ee740557a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEMS.exe
Filesize
1.8MB

MD5
0fc0408d05b29fefac7c4e17fb4482e6

SHA1
473c7e0102799a1f4bde2b2cd70145a1cce2ed43

SHA256
43c137a81250a3c0ac7da3334d4d52b276d16f85fcb6db71dbf7af1bd2d5ef26

SHA512
7cf98bebdc51f5cd706888d0493a8289adb6a99fa8c480a240ee28c22f7340d9964f97e25ef6bea05327de4050129bd611581d10533fa665029ed48c21e84f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kook.exe
Filesize
819KB

MD5
4b5993ca3ab3100f576382d2e7fc4875

SHA1
71d5f264fdd8e141591135df7a877bf86922a3c7

SHA256
fe89eeb149847978216f462b0a5240eb2157f872dcd1e702291feb3273971d8e

SHA512
10f4d61f6834159b132e80ef58d23c567537de256b4b8f4bad03304d93874a4ae8f623cbc28357b18de023c20d18540c05ec5277efa62231700adb1e76f6bb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIk.exe
Filesize
204KB

MD5
08d658da4d650a2ea7b46ecb73de6724

SHA1
c77a69f3b5666c50b5e915af8be03c14dabe1796

SHA256
a6cec4670d852a53145e175e2ac15cad5801a03b1397f6c1f5ffd01455074c91

SHA512
b74821b87f70a09ab0ae03f4ac9374faef2f4847b06705b0487b2394a2bb4488914a36f4ed3fef3c3ff1363de81b49562c7d7bb8cfdb8d4272da396dbb2db18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAAc.exe
Filesize
807KB

MD5
7bb7a2df8e7855d95709215a72de0d39

SHA1
c083da38c6bcefedc7709f28c23c886bd063af2f

SHA256
a9c3b9d7bf7eeb7badc84f07bc4cdde34eee0db69586c791aff99c3c124258a7

SHA512
d9017e463e707f1f97342c9475b3162574b473a4b74a0b7609aa40ee11f285b2a1176d00ae4a93843c5ecf7ef8ff58eeb881947998ae1a8b694cda59246a6bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEUa.exe
Filesize
190KB

MD5
c1573087a455ebf595b3e5617cdcf323

SHA1
699bcd9da9022429df27a04c5244f18f674f954b

SHA256
ee12503a2ac870dadacb725b696516b9eac5fbf3a0deac05e11b8b34428274d5

SHA512
f2cc3c00ce010b8908a05c5261d9c22ba96f1032c4c5d4f5fbf47b4471d3f68e543fbe188b776735073015de3716390d73757de9237028a161b6d61787bc77f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcAY.exe
Filesize
543KB

MD5
33144cf9607a9893836ad2382dcb5ffa

SHA1
89abecc814a44a8b9e831d85668a154eb75e4fdb

SHA256
982ee377eca86913fa3abf061a834594bd222b5af6d2d11e0808475ec966b4c9

SHA512
8cf8e0046e859d3bae23b846837cfb8b2c29efcb38854d1c25debf0213383d2e44bdc375c27cdaea71594f04adb6008d919b62b27b29a9d7aeba1c779c5d0912

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMQY.exe
Filesize
206KB

MD5
2a4d76a44d5bb8463efdb9be23e70867

SHA1
233df5d8626505faa4b1d51c271edf4554cdbcd3

SHA256
0c9705cf97309e702fd5e458be5e5f3a03b8c8ae2e3be23c7dd9cbfa8e3b1c6d

SHA512
ac9c5585be016ff2c602fd167d8890d9f2f3d2fb778d9775c1c7688236ae217a9c1e8dbf7b83dcb1eae8cf8c48ecd751294b9edef8b3b68145bb11de319ef313

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQIG.exe
Filesize
1.1MB

MD5
a648ffeb68586318b6ae1c1f5438ed93

SHA1
a0024c06b202aa0ce0c3548da476265f99644d3a

SHA256
a24c8869e2f644a3f99942b5254f68dce2e0502c3ee55841ff9872ff1d02ac6c

SHA512
05d2abfb32ace72348489adc7dfc89c42db823497384f4b655acecb84106ccb0369e298300e0f0fe5a783f017b3199289e9b521f8c7dbc3a0d3586edb0e38cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ossQ.exe
Filesize
441KB

MD5
7489e34a1eff5cbfee58d0de6fc0161b

SHA1
07c13eae6b35cde385c5102e5544a36c285497e8

SHA256
cb2f1d5e5151526ada7c38f10ba929d67f26138aad4f18806e3b3e11e47c27b3

SHA512
085357f3f4f06233eace5c4e0a201f6dfc9230db1f9e7032fba1fac64dfc117f6504e38b0d0f9051b2ea7766a8994391efdad2629275147e3a66c4191d34488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEce.exe
Filesize
481KB

MD5
9af5ea01e9a99f89a2347aa99b2ab72c

SHA1
46af4bafa659fbdc2db48dac57091f679f3b9885

SHA256
5bd28f1d64c3aea49ac78b0d26058b76de20de73feaa4f56193b436b51b303a4

SHA512
d1ac744dbd7f63d12a317df9b77679273515b70e28aa3aae4074e5658f43c38768a09adcd0be9f8688a4030f7171982059ae32ee513473926fa3cb17cdb2578d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoYW.exe
Filesize
218KB

MD5
df554b91056e1ff4a1806352185b3bf8

SHA1
b1dcbfcb4951f241c547c6577b299fd6adbc0f30

SHA256
fa82175d275ccec1cacf5a911749b17478e26cccfb55699275b59b4b8dff755e

SHA512
42d2bd0623d83ecfb5fcd85474f48cc7a30f7b64e9d15f79f6f0aa2cf9a92243eb3647e9d80835ad8d56e07b19386a2ea3955b776735d27fdea81090d9b5447f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsUO.exe
Filesize
208KB

MD5
10084288085c7271772ab9cccf8b54fa

SHA1
6cc59c51a9f87c3f564c327f5b42ef39a388ba71

SHA256
17fe9c6659f5fa7b992a50e16948adcb507e27159724d3f48f80684300c5bf58

SHA512
d9a0109412341472617f5e73c937826c1314d60d87c97468164aed150c8b3a782df8783541e1d438cfeeb2da9d24ebaf011f33f7c24753cbcf356ee3f298cc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoc.exe
Filesize
198KB

MD5
6e0a9f84321fae77cb3d8e040fc2adfc

SHA1
4daf7e1012cb0013a0b9f935e6dcccd107bea64c

SHA256
75e105786f33f1548bfbc05777ffec60567c138b6aa5a3931139e2c02e4c3487

SHA512
071a699669f8ce5e1078fe70340d97ccce1a2d95327f171a13e89905e208593c97e4b0c2e09f8f156f6ebab5175b735fcc3c50d318468c67034f0ca43d386eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\skUS.exe
Filesize
204KB

MD5
fd0761f40c8b571696137c254dae35b2

SHA1
bbbf9a69594e27b2a2d03eada7a562ae81cd2eb5

SHA256
67bff6ac78b612822bdbb903b3cdffb1f1974270e5d3b92e28c536580edbbfe2

SHA512
e9d9d605fd173dd70c385a5df15344a364917febf6962cf6d6120f06d5e39c4ac33c69f32f39af348e0ecd95c319056c8316b2473fff8168bbf2fb20ac146c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssUe.exe
Filesize
202KB

MD5
e04d4926d18d8f2e48eea81fdd7f9112

SHA1
f847ea954fc546bd0057f6b0e95c62d0d5d67381

SHA256
22150c8015277babac4ad2b87b3e90f3e3b70549dc4f236a8b37ea822c1659c3

SHA512
c91b0a0c351b866b91a588c4c21c805b8b007b59038ad91c35e8b34ad5e61f00f1d3f95f8e769be1e31f29492771d389cffdd0d67d3d4619713e297ed9acbd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAkY.exe
Filesize
194KB

MD5
e826be75050700e56b50c3f36b8e3943

SHA1
2f9ca6e28f39d85a70a9ddaa0f222bf409493db2

SHA256
993d1a55dcbf0de07069e7839dab85006b62d11fc46219423b0025e55a789446

SHA512
846e5ac9a638094ef7c9eb33157ea625321ef1fe98e1227a6e98ae7ea94e684603730c71de93849a4fec53f7331b863826e96e1cedc5f90716a3038a131a2a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkU.exe
Filesize
194KB

MD5
b0aa986c58b741577f893501912289c9

SHA1
6f03fde0bbcbddcf2681dadd45748d494fda9b35

SHA256
f806a2d1adf78a6cf9ce12357a85c49b1046fa1871a6c9caa11067d6a09a0ad0

SHA512
02030153962d25240ef7e8e03fb96d19eca5de54a78dbd3ab900826817b3a42f8bc5e33c12c3c0a263b848b048d3d08f6ab735d98d18e75a9cba8358778d36d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMIE.exe
Filesize
186KB

MD5
759287362580b42fd0cc6ac2896530c8

SHA1
294db0f869e3c742a5c1b1572a64e6f8d411452d

SHA256
9cc976a2b811d11ffbd932d84e67d0040d3b4c817a9e7eda00ac33fc277c4579

SHA512
fb3d4f7b0223ca5cdc37106eb430e3920522c4ed437174e0479b0ad7ccc0698a445e5b5f67055c3c1cb646e206b7369b3aa268a323c17f76d1062d0852d77209

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUMw.exe
Filesize
5.9MB

MD5
b3cb1f040f80297deb2e331a41b00dd2

SHA1
bac21e589e78a1171dd8b1e331452ef8e8c23b3a

SHA256
386640d52c73e56b6ddabf901d63b322d97391001623ac5eadc5b50108b5563b

SHA512
c1c73c4b91baca62d49499f131a8800c54df5412f8fde9f90f142c968f7f930c1bf6188375d91e43f57b54f8a19cd0e7d73a33b5ae4715130593e642015a8214

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAq.exe
Filesize
192KB

MD5
d120410c8914bfe0806bf405c6d7189d

SHA1
2c13ea3d6b73f3f1d0348658a4918e3f693de0dc

SHA256
b51de512c0968adee17b459bc711c3a3ccb2081b07b086bdcc2e406b1f926b5c

SHA512
54d6640ddfd1536f4a8943e335cd66db5a94e40e4d2b6af9bed0785b1c8c7d5559ad851f1dd0e6427805bd2e468b43b343644e2fc3f7620072841064d8cc9c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwc.exe
Filesize
192KB

MD5
9d6d39894da60195d7257cb5eecb39c6

SHA1
a24208842a03a36f31f157ee439b0c5b26d3cc9f

SHA256
d8803571fb692c15d7694997f6cdf14a0c6316bf2c34617edce68f2c4816c986

SHA512
220caacdce758ddca1201e4957ba7441e1053e96965fff7250167000fc15ef11201d34bc69a05263697b8b8df05b4b00f8e7ad588119b97de5686cec25872afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAwo.exe
Filesize
197KB

MD5
0aad79e0d958888877c0c33042cfe371

SHA1
c4258b0e5114b788b72a7b60e1ba5ca5a6ca879c

SHA256
16ea6b6df9f2a4f63f9fae4b3075567755fd9b887778a6f256bdffa63b9258d1

SHA512
b31bc5585a0320beca385aec80ebc1fcb2002f69c7527edb67207933a811751ad6fe05f7e3ed6c22c9aa94dc7fc2bd5257a0b050a42d4fb2bde9c121c1384809

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgg.exe
Filesize
270KB

MD5
4e400f955c14c7c6f12482aa01b95a2d

SHA1
92835926f9a3e70484658bed57b5dff08f6ccd9e

SHA256
8e007194bfac216f8e70e14fa09e7387907bd27857f0c26875f3d388a29ff7dd

SHA512
42fbdf8a5e0c51f2029fd4b8440ef21195c14ad63b4d02e2e623d2f4813c6d10d2d8793fc1d1d79c362b1f398c1488ed725e8b4969f0b71308776af497ad44d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIY.exe
Filesize
213KB

MD5
b59d00739bca57a891ff8d16c4c86cd6

SHA1
26bdb0e594e7e90c5504ea46d12b598f1856d131

SHA256
206353c281a4f888aeb207e7da3fc09ec28746f67b4b1704cdb75efd34b8843b

SHA512
d1ebafa278e756b0aa818461bc70422b9c836cf252e8b8ab101ceae006c448c21a575ad21f5f1f1462486eb525eb3b9cd7e734e0612b2ce6e767b61610ba80b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygcc.exe
Filesize
237KB

MD5
926891f5817dc432b1d357b905a29776

SHA1
c10ca280cb7c0d20805612ba4022bf7a2218c4db

SHA256
02d596a2789da166b9aac3f7454b696055adbafe2ce9ac7aad61b12d6608d4ba

SHA512
6f8db9f8da952aa3d1bf39442902dc44e0f98401090942002396354dd047dabf5684daa539720190ed26295fdd411785d733148d6c75f818551f7b2e236e17a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQw.exe
Filesize
815KB

MD5
36a780c1227fe997e8f04e2b1a943b17

SHA1
44a11dff8f78bff44d374bd015600e63b5e0075d

SHA256
8fc781466f69eae00b71d35d82cc068606a5b3c182ad3c7ad3e9c0166ece0964

SHA512
11af7eabf3ff51e23d7781d8c288ae97c613eee21d43f1afdb9176381c75fa7d18fd51673e19479aa2e030058e3c927857f21f0feb6b5569ad347085a1dc7bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysco.exe
Filesize
186KB

MD5
ec794695a5fc149b3cea06716064f5c3

SHA1
b074ffb7f5b8979c4b116c05599ce6bb39abbe2a

SHA256
4f127a3faef504222a3288e137438d242913d7da83ec5ee5a1bc2d416ab297a9

SHA512
b54e3052e02c54bbd8d6fcc61b751554686084b7fdeae2d8b7ee70dea76254836876f8fc6da32c1acba424f9386de60dabbae0648c6430c332885f2eff9b0fab

Download Submit
C:\Users\Admin\Music\ReadRevoke.zip.exe
Filesize
593KB

MD5
384354defd5cfbd4f80727ed81648fb5

SHA1
ee9f26502428f29bbb6031a53673058c5a974cb8

SHA256
2456ffefb5c394d9fdabdce3251060d69c765222347096d984699b97e2f09e82

SHA512
e504951ef5db1efee8c65d1584a135922be8456206f042629ed4c966e7a84fe3981fb249eb4d78d68c87d4ae3d8e2a1e946d5a4a941949a95f22eb7aa04c634e

Download Submit
C:\Users\Admin\fqcIwIsE\tKUkIYMQ.exe
Filesize
201KB

MD5
602d112cf5d3e40622da7276ff1918d7

SHA1
725c647d15a6e61d11b19a256c7853fa1bc37880

SHA256
2d21ccebd1ee990ec863f18082b363a8784cbbff76ddaf8964eacd643bb8fd47

SHA512
00f5c50f301699f32c131bda527f6e53e15be8599877c37de539d49e74d9e5a818d909d4339355616f3848f8a0e18e3700fc025419f863ee479163ff8e9c272e

Download Submit
memory/208-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/364-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/364-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download