dc921bbe8fd76aead5cd7f1e1e83182af90b59ab2a463ebcbfa73baa428c38b1

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
Size

202KB
MD5

f7161f431e5ffd38b200f70b967f01c0
SHA1

34e875f7682d942696525e20470f6f586d6cd4f8
SHA256

dc921bbe8fd76aead5cd7f1e1e83182af90b59ab2a463ebcbfa73baa428c38b1
SHA512

7c004cf06f7ab6d249f57fa47049ed242693e74e5dac37ea0c3fc4f782976d1bccb90476c13b14bdcc288711714eef4166a912fb88b63de97675e3686f3f88cf
SSDEEP

3072:yCXKPODMyOLH4x93AiDS3zzvMHuxfq0276HoWlrC912rZZH/8UIQT2t35yB:mmn13f5WoPsZBfEt35y

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (73) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IAEUMYUE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	IAEUMYUE.exe

Executes dropped EXE 4 IoCs

Processes:

IAEUMYUE.exehMsockII.exe

pid process

4584 IAEUMYUE.exe
3864 hMsockII.exe
4968
3676
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exeIAEUMYUE.exehMsockII.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PyQgcwkc.exe = "C:\\ProgramData\\uUYsUYsY\\PyQgcwkc.exe"
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IAEUMYUE.exe = "C:\\Users\\Admin\\QAIoYwoI\\IAEUMYUE.exe"	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hMsockII.exe = "C:\\ProgramData\\PmMEAswM\\hMsockII.exe"	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IAEUMYUE.exe = "C:\\Users\\Admin\\QAIoYwoI\\IAEUMYUE.exe"	IAEUMYUE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hMsockII.exe = "C:\\ProgramData\\PmMEAswM\\hMsockII.exe"	hMsockII.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYskwcos.exe = "C:\\Users\\Admin\\VQcQYcIc\\OYskwcos.exe"	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PyQgcwkc.exe = "C:\\ProgramData\\uUYsUYsY\\PyQgcwkc.exe"	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYskwcos.exe = "C:\\Users\\Admin\\VQcQYcIc\\OYskwcos.exe"

Drops file in System32 directory 2 IoCs

Processes:

IAEUMYUE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	IAEUMYUE.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	IAEUMYUE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4724 3020 WerFault.exe PyQgcwkc.exe
1740 4492 WerFault.exe OYskwcos.exe
5112 4968
3304 3676

pid	pid_target	process	target process
4724	3020	WerFault.exe	PyQgcwkc.exe
1740	4492	WerFault.exe	OYskwcos.exe
5112	4968
3304	3676

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1204	reg.exe
2920	reg.exe
3212	reg.exe
4836	reg.exe
4308	reg.exe
4448	reg.exe
2340	reg.exe
3940	reg.exe
3280	reg.exe
4812	reg.exe
4800	reg.exe
4056	reg.exe
2244	reg.exe
4968	reg.exe
528	reg.exe
3488	reg.exe
4448	reg.exe
2120	reg.exe
2712	reg.exe
4596	reg.exe
4088	reg.exe
4856	reg.exe
1800	reg.exe
4084	reg.exe
1664	reg.exe
2404	reg.exe
4476	reg.exe
4596	reg.exe
2884	reg.exe
2352	reg.exe
4476	reg.exe
4868	reg.exe
4992	reg.exe
752	reg.exe
2716	reg.exe
3432	reg.exe
4480	reg.exe
4892	reg.exe
2432	reg.exe
3428	reg.exe
1120	reg.exe
3960	reg.exe
868	reg.exe
2292	reg.exe
3360
1068	reg.exe
2880	reg.exe
4828	reg.exe
4508	reg.exe
3752	reg.exe
4852	reg.exe
324	reg.exe
2792	reg.exe
4828
1432	reg.exe
1716	reg.exe
1464
4556	reg.exe
2716	reg.exe
2864	reg.exe
4596	reg.exe
1416	reg.exe
1864	reg.exe
3872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe

pid	process
1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1744	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1744	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1744	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1744	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2848	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2848	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2848	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2848	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3704	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3704	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3704	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3704	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3216	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3216	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3216	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3216	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2884	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2884	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2884	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2884	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4636	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4636	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4636	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4636	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3800	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3800	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3800	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3800	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1496	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1496	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1496	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
1496	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3296	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3296	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3296	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3296	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2548	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2548	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2548	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2548	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3724	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3724	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3724	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
3724	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2352	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2352	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2352	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
2352	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4580	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4580	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4580	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
4580	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IAEUMYUE.exe

pid process

4584 IAEUMYUE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

IAEUMYUE.exe

pid	process
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe
4584	IAEUMYUE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.execmd.execmd.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.execmd.execmd.exef7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 4584	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	IAEUMYUE.exe
PID 1048 wrote to memory of 4584	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	IAEUMYUE.exe
PID 1048 wrote to memory of 4584	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	IAEUMYUE.exe
PID 1048 wrote to memory of 3864	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	hMsockII.exe
PID 1048 wrote to memory of 3864	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	hMsockII.exe
PID 1048 wrote to memory of 3864	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	hMsockII.exe
PID 1048 wrote to memory of 3428	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 1048 wrote to memory of 3428	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 1048 wrote to memory of 3428	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3428 wrote to memory of 3388	3428	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 3428 wrote to memory of 3388	3428	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 3428 wrote to memory of 3388	3428	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 1048 wrote to memory of 2672	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 2672	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 2672	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4044	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4044	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4044	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4312	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4312	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 4312	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 1048 wrote to memory of 3724	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 1048 wrote to memory of 3724	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 1048 wrote to memory of 3724	1048	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3724 wrote to memory of 3192	3724	cmd.exe	cscript.exe
PID 3724 wrote to memory of 3192	3724	cmd.exe	cscript.exe
PID 3724 wrote to memory of 3192	3724	cmd.exe	cscript.exe
PID 3388 wrote to memory of 5112	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3388 wrote to memory of 5112	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3388 wrote to memory of 5112	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 5112 wrote to memory of 2712	5112	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 5112 wrote to memory of 2712	5112	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 5112 wrote to memory of 2712	5112	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 3388 wrote to memory of 644	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 644	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 644	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 1444	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 1444	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 1444	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 4868	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 4868	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 4868	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 3388 wrote to memory of 1576	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3388 wrote to memory of 1576	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3388 wrote to memory of 1576	3388	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 1576 wrote to memory of 1984	1576	cmd.exe	cscript.exe
PID 1576 wrote to memory of 1984	1576	cmd.exe	cscript.exe
PID 1576 wrote to memory of 1984	1576	cmd.exe	cscript.exe
PID 2712 wrote to memory of 3576	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 2712 wrote to memory of 3576	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 2712 wrote to memory of 3576	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe
PID 3576 wrote to memory of 1744	3576	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 3576 wrote to memory of 1744	3576	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 3576 wrote to memory of 1744	3576	cmd.exe	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
PID 2712 wrote to memory of 4600	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 4600	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 4600	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 3828	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 3828	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 3828	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 4568	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 4568	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 4568	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	reg.exe
PID 2712 wrote to memory of 3928	2712	f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\QAIoYwoI\IAEUMYUE.exe
"C:\Users\Admin\QAIoYwoI\IAEUMYUE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4584

C:\ProgramData\PmMEAswM\hMsockII.exe
"C:\ProgramData\PmMEAswM\hMsockII.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
8⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
10⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
12⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
14⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
16⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
18⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
20⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
22⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
24⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
26⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
28⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
30⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
32⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
33⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
34⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
35⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
36⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
37⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
38⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
39⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
40⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
41⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
42⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
43⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
44⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
45⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
46⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
47⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
48⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
49⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
50⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
51⤵
- Adds Run key to start application
PID:2404

C:\Users\Admin\VQcQYcIc\OYskwcos.exe
"C:\Users\Admin\VQcQYcIc\OYskwcos.exe"
52⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 224
53⤵
- Program crash
PID:1740

C:\ProgramData\uUYsUYsY\PyQgcwkc.exe
"C:\ProgramData\uUYsUYsY\PyQgcwkc.exe"
52⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 220
53⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
52⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
53⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
54⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
55⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
56⤵
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
57⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
58⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
59⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
60⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
61⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
62⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
63⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
64⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
65⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
66⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
67⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
68⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
69⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
70⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
71⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
72⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
73⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
74⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
75⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
76⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
77⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
78⤵
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
79⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
80⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
81⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
82⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
83⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
84⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
85⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
86⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
87⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
88⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
89⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
90⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
91⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
92⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
93⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
94⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
95⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
96⤵
PID:4636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
97⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
98⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
99⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
100⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
101⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
102⤵
PID:1120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
103⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
104⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
105⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
106⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
107⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
108⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
109⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
110⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
111⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
112⤵
PID:1988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
113⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
114⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
115⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
116⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
117⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
118⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
119⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
120⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
121⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
122⤵
PID:700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
123⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
124⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
125⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
126⤵
PID:2024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
127⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
128⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
129⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
130⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
131⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
132⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
133⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
134⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
135⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
136⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
137⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
138⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
139⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
140⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
141⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
142⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
143⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
144⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
145⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
146⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
147⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
148⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
149⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
150⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
151⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
152⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
153⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
154⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
155⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
156⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
157⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
158⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
159⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
160⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
161⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
162⤵
PID:1644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
163⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
164⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
165⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
166⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
167⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
168⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
169⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
170⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
171⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
172⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
173⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
174⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
175⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
176⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
177⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
178⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
179⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
180⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
181⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
182⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
183⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
184⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
185⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
186⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
187⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
188⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
189⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
190⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
191⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
192⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
193⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
194⤵
PID:1740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
195⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
196⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
197⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
198⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
199⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
200⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
201⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
202⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
203⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
204⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
205⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
206⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
207⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
208⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
209⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
210⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
211⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
212⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
213⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
214⤵
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
215⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
216⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
217⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
218⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
219⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
220⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
221⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
222⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
223⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
224⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
225⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
226⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
227⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
228⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
229⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
230⤵
PID:4532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
231⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
232⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
233⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
234⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
235⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
236⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
237⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
238⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
239⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
240⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
241⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
242⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
243⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
244⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
245⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
246⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
247⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
248⤵
PID:1112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
249⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
250⤵
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
251⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
252⤵
PID:4336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
253⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
254⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
255⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics"
256⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
257⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies visibility of file extensions in Explorer
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esMoIIYo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
254⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:3304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQYAIwUY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
252⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWcsUkoY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
250⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIsYwUEw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
248⤵
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMQAMUw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
246⤵
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwkEIkcc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
244⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYsAkocQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
242⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgIUUgck.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
240⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:3488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkEgkAcw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
238⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amsoEUkA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
236⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCwkAMoo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
234⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
- Modifies registry key
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGwIgYAA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
232⤵
PID:3776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmEIUIow.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
230⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- Modifies registry key
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giEYwgwE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
228⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqssoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
226⤵
PID:3116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:3088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yksgIcMc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
224⤵
PID:4600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:4896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuYUsIos.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
222⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgcwAkQY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
220⤵
PID:740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImcUYIIE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
218⤵
PID:3176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:3676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMwAsAYA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
216⤵
PID:3364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:3860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- UAC bypass
PID:3492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYEYAgcA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
214⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwIsoUsU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
212⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- Modifies registry key
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmkIIYwg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
210⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWkQYQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
208⤵
PID:3124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIUgAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
206⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yogQgEUI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
204⤵
PID:3676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GacYMgUw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
202⤵
PID:3872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkcwkgUo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
200⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOIoAkUk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
198⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUUkYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
196⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkcoYoQk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
194⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:2064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIAAAYoM.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
192⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcQcMAck.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
190⤵
PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:2116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCIocAUk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
188⤵
PID:700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:3068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
- Modifies registry key
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYMUwgck.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
186⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcAMQsgA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
184⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcYAwgMA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
182⤵
PID:1432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgEkEYA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
180⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:2864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmIQsgUA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
178⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icgkwsIw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
176⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouckYkII.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
174⤵
PID:316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
- Modifies registry key
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgYwkwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
172⤵
PID:3576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toMwYkEw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
170⤵
PID:312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYAIEkgg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
168⤵
PID:1116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- Modifies registry key
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyYoUoko.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
166⤵
PID:632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:3956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
- Modifies registry key
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgkgcUQc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
164⤵
PID:4600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMgIAccs.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
162⤵
PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:3296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOgcQggU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
160⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies registry key
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsIMgUsI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
158⤵
PID:1120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGoggUUc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
156⤵
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeocIMkU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
154⤵
PID:3296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKYokcgA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
152⤵
PID:1800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYAwogoE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
150⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:1212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeYUQwww.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
148⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wigowkwg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
146⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUcocws.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
144⤵
PID:2164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies visibility of file extensions in Explorer
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuIsswMk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
142⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeoYUows.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
140⤵
PID:1828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOcAowQE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
138⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOgwwMMw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
136⤵
PID:3704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
- Modifies registry key
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giooYEEA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
134⤵
PID:1664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aikAoIYI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
132⤵
PID:1172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igggQssU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
130⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMIgIEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
128⤵
PID:3936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuUIEsUk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
126⤵
PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSUIQggk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
124⤵
PID:316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIkMgUw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
122⤵
PID:4796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWEMsggM.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
120⤵
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies registry key
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIAYkIQo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
118⤵
PID:3776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgkMcIA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
116⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIMIcoEI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
114⤵
PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeMIAssc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
112⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiUwIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
110⤵
PID:3388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- Modifies registry key
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIoQgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
108⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
- Modifies registry key
PID:752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:3236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEssQAgw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
106⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:2716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUoIEEAY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
104⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- Modifies registry key
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegcAUwg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
102⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- Modifies registry key
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmQYwggo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
100⤵
PID:4728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niMYcYoU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
98⤵
PID:1956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEIMwYAU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
96⤵
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:1716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEQQAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
94⤵
PID:4492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSQwYAUI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
92⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAsUgIQE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
90⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGMsgcMA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
88⤵
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:3872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKoAssok.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
86⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deEAkkoM.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
84⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:1068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:1040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgcoMsMo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
82⤵
PID:3156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laUMUUoA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
80⤵
PID:4624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwsEkIw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
78⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
- Modifies registry key
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYQEggcU.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
76⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QosQoMsE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
74⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAEQwMow.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
72⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWQQoAEs.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
70⤵
PID:3280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:1336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMIkwEA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
68⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMsokgUw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
66⤵
PID:3872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:3348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:1348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgoQQUcI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
64⤵
PID:324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:3212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgAsscYA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
62⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGwgMkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
60⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygMgcIE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
58⤵
PID:4204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies registry key
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keUMIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
56⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscUEEgo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
54⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAAYAQcc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
52⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAYosgUo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
50⤵
PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqIckwAs.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
48⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUQIkAck.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
46⤵
PID:3288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIwoQkUA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
44⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsAAUAA.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
42⤵
PID:1460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMEAgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
40⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGcYgYkE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
38⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zskoMUEk.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
36⤵
PID:2352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqkwsgAs.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
34⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKwMAYcw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
32⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwscwUUI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
30⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYgkMEQc.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
28⤵
PID:3628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEUwUoo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
26⤵
PID:1336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMoIogws.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
24⤵
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TacssswQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
22⤵
PID:1444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYEYkQoM.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
20⤵
PID:3420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgkYoEwg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
18⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imsUcgUg.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
16⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUYUoYMw.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
14⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqMMEUkI.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
12⤵
PID:4800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amIoEMgY.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
10⤵
PID:5052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOcQUswQ.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
8⤵
PID:3968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmEoUogo.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
6⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSoccIIE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICkIIwgE.bat" "C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3020 -ip 3020
1⤵
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
318KB

MD5
c5c6343a0fc6f3742bc816ac8543868f

SHA1
080518e42c1f623a59ffccca75d8c0f14f744001

SHA256
97797c86b125fa733dafc783aa8eb3efed59ad6cc2a779d295459668035643ee

SHA512
67408fffeda6f24efa5aca01a90e8c0771786d8a0db3ffad01e7afd6f1e5e7e4b74c5af2ed7418de4113e6586f60201042d34531d7c843670d6674cb645c7655

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
210KB

MD5
cf0957c628e6493167d098d534806a85

SHA1
39836334d8a7d311bf8e831cccc0ee370655e4e6

SHA256
f8c074e09579c79ab8ca63d86bdd7112842281c9939c8e297bf85ee4271c0efc

SHA512
eecf612be348a197e808ece1f505b6f7278c83bcf978b7e36276c4e4f9b271b76b0941d6a1c0ca58b114cbc7ef58e8349a0e60742ca194805329fefc86e82258

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
Filesize
815KB

MD5
bdb42cde55ce48c7d855a84f434869d7

SHA1
fa1a728dcd38fb9c19eb8b9ae9e715be50ba19a5

SHA256
363ca9b9eb6a146ae93925bb469ea6ea04545e7931aa964bef255c6e2d408eb5

SHA512
82804601f73494dc4ae65ecbcbc18aee8818d57b26fe37066c98e9dda9f7f59b773837750001e16be94f30fdd4077fab3fc5955b086717d99c2a8aa7bf37c497

Download Submit
C:\ProgramData\PmMEAswM\hMsockII.exe
Filesize
189KB

MD5
5dfa2386eb7e2f6c2480f7272b27b68f

SHA1
0e85d8fa3d3b02d9631764981f1bc6edf27414dc

SHA256
618fad3b4e4282759c39bead8e556ca134aa5eb485e5efe520a5a5888fad653a

SHA512
792881f7329b65db5210e0dd9aa8153696bede27e65adcb2b6afbad42d6d07b2c8b1fdb09d54440417a60507d1ce3ddec40ac8a4e32fc613c7fc06092961733d

Download Submit
C:\ProgramData\PmMEAswM\hMsockII.inf
Filesize
4B

MD5
e19d1f0d57f92a70b6a2aeed067963c8

SHA1
4146942b27fb5b1dbfb07f3ecbf2e57ac4bf4259

SHA256
5365f5d46388e22ba94c845cbd4f73784108b0914d1e10d1e86c8e97a4bcaa91

SHA512
fd066668cd7a84fc7c833170c9d8d92853049cafb5546b2190cae5586a473a4d2a049a5d9571ca0b56d23fa8c80de4a2ae70c0edc1a604390fa0cdb1d5e6c258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
221KB

MD5
9385d69e13201ec9e1176fb90efb4eef

SHA1
1998a1ea8f888a143a6fec210eb24b7b4d6c235e

SHA256
f1ab1fc6ecb5696b9026e0be2248904419cff3fea3a43b147f8fcc4d23a5a33d

SHA512
5d4b53cec0e5a6bb1caf3409cc5cc3f29266af65b962f1284a55705483edea15e57d5ac363141d561a6caf0e26dd9938e2589388e86eb4e8d18801806c51f8bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
204KB

MD5
756088208a625df7872191889576969a

SHA1
8d46301cd58d49856e70fcb73bfe29ec3f7aa4e6

SHA256
2884b852be6ba9a95c6c7bd95e746e262b3f35d939e8862706d04bffdd7cfb31

SHA512
195264822f11204d3342c30effc1672afd1cef76b689329348d207b684f9726bdcbb71ed29b4e59139077e84fb84d0a965599a49324de53a2e25d2dd7fbbd90e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
Filesize
205KB

MD5
8c289f04503484c4cac4211b7f479073

SHA1
f78c78897204fd471991928107df6bf614cb6dc8

SHA256
ec6fde3f7bb9b322bf9ec936ae78bd9baf1ae73d94ef180cd29e51065c14b1c8

SHA512
3c45a6324c7885d2e6fee465b5846182f0acd2e68e217973d57cd0df6fcea437caf467e09ea8fcf56cbba380c7676ddf90a75bedec6554ac52cfb9f13456e98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
194KB

MD5
4f93936fab0a1daf91d3b22d4c8d55bd

SHA1
245902c64cb86d8faef9fa582724353f738c55ea

SHA256
6918641c222d1096634fa71274ee0d0b45b9e976c49d223a1da233e9b704c4c0

SHA512
c78c262bed767b63c464adcd6dd579dff8ae4309bd953274bd20002745d2bc5a92cfb48ea9a341c17dddc712a102b2fee99473affbd26c49476123b67d0d8f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
199KB

MD5
8068f851da35fd272ac0d9cfb0e426f2

SHA1
cb6ad46e35a1d271047508dfcbbda5cf1af6fe8a

SHA256
aa6e03b0057744859bd29e559557bbb3dd1c39e3571fe512051f77eaad13be99

SHA512
a86b10b11772f562c60a59870549f4299aa4fe16131d8a417e564578b8dce8da4ee54361794ddfdbe2166748f5a50adeecf60d1c04d28696f1933244372dc0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
187KB

MD5
51f6f7d33f30935d0ad2a23a2f83ecb7

SHA1
1990bfc11b4983f7832bd6d2ce2fa6e301ab687f

SHA256
7ae42009aa7be5481e0efcb21ac76b814fcc7f89dad70043d8d5c8cc251510bc

SHA512
68e18efc3bc85b9bed4c3d8faceee56136c9f2610cdf35f0012352a165fc7b22d71d6d955e5f44a2239f76a5c71e632df6f9096b816fb24835037e19c90fd3ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
191KB

MD5
f00af6c413c8634e617d038217193ab8

SHA1
7ec90a474c181691afb1179e26f1306cfde24f66

SHA256
99563e98123001fd8ffbfb33828f1b8d140798b9db2c6206c836c0fb9aa7fcc9

SHA512
1a7eb5d0689b45d7e9d7ff70a12db8d8d7d2891574a58f57f67a5b2d5980008eb87a31ea5e8ccb644965a10e611cc14d3c391db3078ee1fb13467e7c611e98e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
194KB

MD5
e8a98740e52a7310628f177e3ab86b45

SHA1
6a3ed50fdbe40171ef7e2f7a8a007f72bf59179e

SHA256
d05c345410e17f3c27e40aa465f5ba42f9cb752e4eabe95ab30e002c452d078a

SHA512
ea5aa98187fc3cb903fe647efa2720f746cbceb6ce20be5f08d478dd59dd4023d1e333177759d169440c470c3d5a260d7f9e4565828f6e6e5ce4b43f8a866857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
Filesize
197KB

MD5
c45aa51166e9f1c1d0e3b66d669013b5

SHA1
ca37a2b01227f786f4a1d7b5dd4ae9a92c314123

SHA256
53ffc04679f6a966cd2547099b67366b1f7446f272e4de7b013bf2287dd0288c

SHA512
98048b38482b38221fd8ecf43fd1ca4aacd504abee2dd19ddd6cb62e38b42307debb0336cc19a1ce3351ef14b65570a3f3e473419892d1e21ba4b5a54aaacb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEm.exe
Filesize
213KB

MD5
89d252591f48daf916ae87d56ea6418d

SHA1
aabcab532b805036d7cdf117a39123983797ba0d

SHA256
8ebbc457d928bdf55a4d96ee6e7817d96ab31f3d885673c0304e085ac935daa1

SHA512
d56265eec5490e973daca2af28cb5a582df86cd01a7f516c24e406a6692645b974124c377a03b21682c6994fd82a0d68373b06a0f47c6bdbdceefbcbee225cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIoA.exe
Filesize
202KB

MD5
004f8df521515169a28ad173a6b41f4c

SHA1
8caa9aeefd9005be8dcc69d6da01527786ed062a

SHA256
75b42d3471bfc8ee449e6ea16c9cafe673046edfe2f25985bb9caaa729c80711

SHA512
7f914f9312903d068e7abfd63643552af6aa53a4028d4288f87b2adfc67ae984a93d19702d85eba3c2c7fdd1b80a4e1ae80a0a3734e4958e5ec45eff143f9c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEI.exe
Filesize
196KB

MD5
8cd4b5cb4d9d5fed2a0a14c910fbb9f1

SHA1
37a3100da2e9cea478e5544d97af261b41d35687

SHA256
ad0731f4f7c56c72c78a98f2cba7f67863886431d170a491e278096fab411bde

SHA512
e82e452086c04943497d80cf41e1e54169f44853dabfc9ea4bdc5a3460c8c11fdd4426d97c5ea5578f091cbe18cd0badf2c33115d984f8cdc7abd82b70be369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMsG.exe
Filesize
266KB

MD5
f51aa6f3852c3374033822902df8335e

SHA1
9034863febf84ee0cf97fa55517e4e13b25e5dcd

SHA256
00f4cda8214f8ef8aceb75315398dde0d32176726863d4f16fd08037282ff7b8

SHA512
b79cf26dcf10b8d76a1309e504422c61cbb328766c85ff56e4ef81887b213b4a91a2689ce89d789dd133b0b52316afedd889b3f05c785ebcb52d5cefad78d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYsq.exe
Filesize
570KB

MD5
979e053a4e83102af74a4f53a3ffcfc2

SHA1
fe50dc88e6891c64ee1c064ad4ae1b9cb17f8afa

SHA256
a2b718602bbd89cb9d50ef95709f43197840cbe9464d28140ca55ecdd9787bed

SHA512
545fab18363d40264a22a2909127553b82da596af1eb3660ae1f10d66a238314291779e81ca449ef997e4a481a9a7506665b0ca2c7f4d48094a71fe1c510d521

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYw.exe
Filesize
225KB

MD5
181c6c50d50decd22d348c6d26b3b18a

SHA1
f232ba8dd03573a36e1ddab06f075eede8aad02d

SHA256
0fafc996864624f12211215ab6e55deab25645e1e453b567549b8ececf5991a9

SHA512
7f4cfb53be322e66ec19ef7e299b5c5a5923df49626d91870d49b8e45331369e0cda9fb317be9f6508f46b10737ba42f9c1943bc17a19ce25774759e5fbacc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwoC.exe
Filesize
207KB

MD5
b0bb641f283117f8f7618fa2844e4463

SHA1
f4b07f9d008b3a0dabbb8e1c21e2181e6de54baa

SHA256
5734b53faaeb598862c491aa5f21b8dbce5fe82dd785172fcb164c6748cbb216

SHA512
0dd75f0dee4ea67abacfc453b9c7c47972e7ccfc552c5f098bea4ec31e26d47e9f873de84038d1bd01e3230273604919c2213ad0cf86a5a1c8d5f3e7e690f2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYYU.exe
Filesize
326KB

MD5
bdc8e46dbe141ded2a4e3886f6dbac2a

SHA1
cec256e1bc7844f33efc70bdc7d3b9118e9d9044

SHA256
70277c68c1ee8466796ef433f881b19b258526eb537c7bf456c05de693790fa9

SHA512
2a723cd156abd42bb67806df33864db33c19b2b563d29e063a269aded1d31711a998cbb939904f8cdcf23e3898bf4f5d4f7377159b103875855b5c3b2f643c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYgy.exe
Filesize
190KB

MD5
bfa4cf8a5e6ab2653def38d242f55c14

SHA1
e8722ea6b915c775947095ae2749eeda8c9a112e

SHA256
10ec6d1b6f928601bdd0d734da4bcc7b9634a44ba9a03e17ddce07db9049fcdc

SHA512
d29f3503834ff07f1287309ec69c149bd310e35ee109a3e91b13ee8783ebcbe66604a8129801d1b012e4a913999cd32b1dc349bfaa9db93aaf2c8cbe2408e92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYka.exe
Filesize
639KB

MD5
b385e3ead583a3b2b4487795c7f61dfc

SHA1
dd2b0cfd9242a85b826a53e9d86f6f6e3bafaed4

SHA256
1e7861a2f0c49de9ab05090ab56ada57b5c30ae52d72f0160700cc8756c20a9e

SHA512
ec25a548cff01e0020cd589d09b2fc7e5e5c2a8e023dd2e864f22bbd020bf0d06243c8e971bdeefed9a337e33e61b10c20835017a2500b9b155a479d95f5a1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcYQ.exe
Filesize
777KB

MD5
1dc21f7e116c53f997ff6e7d9f82e112

SHA1
c5c650dd1bc310ab5ad562ea2a869340ad6374dc

SHA256
0463eb31c047363a3779493a35875ea8b3b1402fe48bc9d52f767683eb5869f1

SHA512
df0bce7ce14944d868b98c17d20c8f42be6264d328d7e883c3b413276654306769e67f05bbb0cf61ce64498e917987b728581aa7f238f88e6f84fee8859ae4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsMC.exe
Filesize
186KB

MD5
61dc4d38bac7eaee7db59a72d0403f08

SHA1
e877f9f1d347f9aef863e55d033a5f282460ea49

SHA256
b33dd77c3b47cf296820c6b0fa4cd10cb31deec621a80e4354c8b6e8d106bb25

SHA512
da3d392668ad4bdb50ee67e6b3193781deb2100f9dd45adde77617e9fd3d9bfe3ddba46fd7f99bfe63eacdaa1f31b618531476e0e50c7ae8fc1387a8a69d4911

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUA.exe
Filesize
209KB

MD5
3ab431a5be4593388319dc82ba9c4713

SHA1
78f8c40081546696b4cd904944790ba459c5600d

SHA256
87a53b64fa70b1f8878b758310863c651404615d3e506ef22038635585bef286

SHA512
29e9c59dc073090ed372e9ee67b8e1813b744d49bbe25f2a39801b8b9b93f89696ae609b56bd67f9116c221cb15541ebfce5d51389d42f2a3421fff18984ed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIws.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMwm.exe
Filesize
190KB

MD5
25b430ec6d18d7ed2b7280e48926cac4

SHA1
dfa29a6cab98d5a619f6c8a9ae5630d16904359d

SHA256
54b6b5d88e96f4fa4aa3dae0c5a84c303ac5f1b6203b16ae42f54250a993ec48

SHA512
bc74b7b29ebf977fbdcecb87af90673445c6b7e79b7d32169ee5e8aadf6ef38638748aef438a0a1bde3edd25313a85bec35808cb4ded270b9785667684005ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYsQ.exe
Filesize
1.2MB

MD5
1f6a4807f4ae91810535aca557f35b4a

SHA1
68600540ae46491ad79dcde52e265298f02ebbd1

SHA256
148b8858559951663495aeb56f8ea9e67889ca176de49e45b587af091dd0076f

SHA512
b74b2f32dccd7991f89b26c96c9dc4873d036bbf70637855854d254da2f2041d6976f0c6a027c204d15e064164e8c99f710fb0aa83b5f796f7235c4291ed8e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcAA.exe
Filesize
242KB

MD5
8861fefd3ec650b6a5cf5a13e0588dee

SHA1
ddb76d8514ed4ab120d78b8c9adddb5ae341df88

SHA256
d5e1d61d7b1c904129a7f7f0be27275fcdadb716e14db0bc59489bf8bb6c0dcc

SHA512
fdb45225891417a11ba2c0d02971f4c4ba0ee425f0f873e57cc173e6a93ca8bdd4f54c1e2a67b5c352a6331c4f3cf34e4bf699e2cbc6fcb02bb2d4e9b5f0b854

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcwW.exe
Filesize
194KB

MD5
c5fe2975a43d5700a13137e739a114da

SHA1
1b40405ada05812b3149d6e695cb639dc752521f

SHA256
16e9ff437b18bf1b337308dc8b17c6ed288035c9cd33eebe8427ebec42d83de0

SHA512
0a0e265e097e0762a0bf7d3380c1440ccf5279a7e9842c21568a551d7d91e80cd3282ef31660240bba529be5d33ddaba056cffb73d8b6196b2157e2020b1e516

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEK.exe
Filesize
189KB

MD5
6f56e7b3d15a2e251819fb65ebcc8614

SHA1
1c9d9b8caab23f7a570cc8aa046e9bb8d1c268d1

SHA256
00c6e3cddd8a83ed72e5cfe0cf44832fc34183e4cccee14042c1cd5cb7f83a42

SHA512
8cf95e30f15ca43e8c5afb2ee2d7ce08534bf051d34b3a37556628e0f01fbd43b5bafa8c46465d8991b7fb68359f91dea5190439e7e9349c8a53d3862acc3746

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsQE.exe
Filesize
205KB

MD5
c6e55e48a8465fa15269ec4d3d448a99

SHA1
3b387c51f8e61e58b1d53bd4f4dd09f13e7da753

SHA256
6ae42ca716ec30fa06be92613ae8e21d053ae053bd5d797787ec8149e97d74cb

SHA512
57e36e6cc1ee0e2c4804c9cd35f1a79ee2ecbbeefac6166d72b2506a5a64f5b0077d51d68c68596e25b26b22ae532d420fd44377bfc1f97e5bbee1e8b47442f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwgg.exe
Filesize
191KB

MD5
b9d2bbb1849b0fdd618dcf1857a4b340

SHA1
4195013d6b8712d1d7a81c23225f0947095b67e2

SHA256
c16ad651af15e9498e7d343bcaf4866828a257c230e913820352179c844574ec

SHA512
d6c54db3f8b99e55b12bd03dfa25712b8bc412b6bf8bb11a4a247da9ecbbd0fe176e5ae9069139e078b9f49a72f524b2487030ad78335b2dba1e02987181d51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICkIIwgE.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMES.exe
Filesize
321KB

MD5
457f57c6f9248e79a69a6a0185ea48e9

SHA1
0ff4ed4944d5fc66b7cb4adcf8a4d63cde64a4fd

SHA256
be172151201a707354ea1afdd38d4bb35e59f626f0693094188e50fe41f56b5e

SHA512
7e5d5757d816adf20bd771ad2c5410a8ac14705e1c58a5eeb107c4927a4d986782fccceec94624df08f5af200cb095c435524616d5427cba3860c79fd4408987

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcUs.exe
Filesize
196KB

MD5
2bec13bf189bfb4a682653e08516df26

SHA1
99db7b04d8437bb9844d4a3a992a504ca326bf1d

SHA256
2a4259ecfa64e44febd0d3dba53d63b3547c778eea561436044f378924ba3a3f

SHA512
c93fc9d63c330fab47df0194b528e8f9d2408ff57ce95e6ba794db10fb0131f1bb658daa414f2c515b98e1e601112f86abf496381ae415a5a0c3c53a348d7303

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikke.exe
Filesize
309KB

MD5
78ab327a864720d78242df4ebcf19ad0

SHA1
93579d065648c84b4685c0a41b8b78f4eff6ff5b

SHA256
aa614d21df76739ec76cc615f7ebca1ad902ad01f933b42d884b4d2d041e2b2f

SHA512
01ce4676d224f5eb726a21bf9d6d4913460a851019b2aa54daf609b70b592c15cf83188c1b9a57f61ace8255e100da7cb7d3e750a322a707c385ce9e5cb10305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoAC.exe
Filesize
202KB

MD5
83e0ee7c72c7eef78877af938e8df116

SHA1
3e073b0e953cde4698923887f485fcb53cfda8fd

SHA256
0171c3fef714a78cfd6c251edb8008d0339722680571f01bc0db34554e21086b

SHA512
5ccbf329d511fa3882e2c39be257414df741fe4e7bd5dca1ffa19a93558c340d8460ab862ce000843a44e13abce5c13d05d24b6c16c6f843357d26ad52c1f0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsMq.exe
Filesize
204KB

MD5
0c88bba724e719849c7400bc8ab7b326

SHA1
ac6b81a3985b9794c98494990adf78c720b5be4a

SHA256
90a725a93e3225a36115fb2027e62140973048a5f2ef452d802b8794764842ca

SHA512
dda9f0f1f9974679da4c7a875240515865b62e0b0d829c30c81eb87e6da9508c902a17a13e42d05823a4e0f73e3a9f0ef9504b7dab103662413a03bcef64054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAIW.exe
Filesize
208KB

MD5
9b74311eed89e2aa2d5b10bb61a45393

SHA1
a8cc5dc9d21a8b9eb3e6edc4a6d58e524546295b

SHA256
6c4063231e48347d523bd32d72c4d2086342e55a19e3b4719c3b5e745d226e0d

SHA512
afa67d440c79a42ccc41d2930fee6063d7bafff52b8291df9c5f4d0b2925ead1726e0faa798c5526f89761e5f0cc3165d37a557bb9e16b585215c93407ca5894

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYW.exe
Filesize
189KB

MD5
dcf500f1975fa48e06b9d874ac321d1a

SHA1
942c6290217fd7bf3d7acd5b0f538beb1501e119

SHA256
779da8899b1f63b7bf9772abf54a11c282a53105093e5829f2bc373cb7dbddc5

SHA512
75bb75f62c98e22708b2cbe37b75b0b084b88f0c4690298e4d22ca85b8bdc2f97909482eb32432ebf6fa14f26bb7adc339c04d7b1c4b1a00d696ecea46acc4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KckQ.exe
Filesize
5.9MB

MD5
bb774398f338f90ecb0ef5ddfaecde5b

SHA1
fae909f52493b07e4f56358b2e941fa2cce01610

SHA256
84317d738fd4bf1a71fc41db62e5c550da5612a510d5837b757a822faf67b2a4

SHA512
65b2c6f2a7dd27f089cedd9c6a7a1d27991a1495958196e24e0588377c2e319f99a7c6a6270bc15844532152aea2b6df7031704f7e58032c7b62b0b243e8b08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkEY.exe
Filesize
199KB

MD5
75bb373c5499918ac814e1ead35e5aee

SHA1
22505ce733bfa0a4f524daa5c6315c5ae3b07da8

SHA256
83b90aee104f8b649b9fe6aa818ec8ae421ddd9735c58db22be4f3b1a07d5234

SHA512
23969247d675350004d69d510f4f501d5ca3531b27e0fd447d53feb38fbdae0eed5910f34f364bbca816377e49907b99e01f26132c225719f926b58227ec3ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KswK.exe
Filesize
187KB

MD5
f8666cfb62b30e1dd64dea097455a2aa

SHA1
ff5d2f965049af01dffe77f9ce48f07bf0ed7ec0

SHA256
ba3b6d99aedb1158648827270b376fd51b03afbb9d2bc065a4fc113997499a21

SHA512
436c2b8a5ecf76c1be03e824af5c3d9efd1c7aa5fba660a72bbe73f9925baf09db2e68e39e4da8959e0cad31abbc9eba617f2faf15f650bb7dc003174f4647d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQMC.exe
Filesize
186KB

MD5
992ddd4b869fc5fa6bfe160e870d5211

SHA1
06c04efb6c036695e9a022493b75918f222a10ae

SHA256
05f0cb986d0973db1359cb4bc2e904a22e207ad0fe302baad7e936d75e4003af

SHA512
d7f9eaf9e7479b561d60097f5b73fab15165ff17c09645416b2c08094ec9950711d116489f71aea09fab7358eddbab5bfd68c3d17eb0ff2383a4530f80c1cfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQgU.exe
Filesize
778KB

MD5
8422dcf8c700f7098f39fbbfb09d9dea

SHA1
13c4c06318bf0f4412fd9c1fd61debf3f07590eb

SHA256
34a6e7c6d20786ea05e125b8f97ace73a14511efe255af8d99909d1480944bf2

SHA512
9bfa1e1a5194e75b3d2fde1d96325f65f190950f5f71145752e1d314ea3017954b30beaa745971338c0a88b2a9fb0a1065ec9e2f14b337cd39ad9118e524634f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUw.exe
Filesize
798KB

MD5
5717f75123f65a1ae38e26d675ea7829

SHA1
3217edd471509b9cefa0ae92f83e9529c5d8a86d

SHA256
0de4a15e493a83afe43bb26c4c6fbc005f71dea56acd6611dc34551c6de58f95

SHA512
078489d9d363bb86757307636de87bf150ffee05df0d219094e3daa87b0c6cd152e0b8864f11ea8b61703434dd2fb09932f99e913dc71113db92752645da4ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAG.exe
Filesize
195KB

MD5
d0d213fd18160a5856f35696eaddbcdb

SHA1
9d2f96c545348da3378e5d65e8e2569168e48a99

SHA256
40eb4a8daea620617f5a4e8e9014a9557bb87b7d974e9449817aed4b1c97f9a3

SHA512
4940445b7456b5cce5d643a410d9f5029f489514b403cec7ffef319d6208cdd17f81a51dde67e8e0a08dba9604b2bf9b5b85957515e9d8656b2c77c31ea43d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEY.exe
Filesize
184KB

MD5
1b38a10c9371e0353c9b9fa10a546427

SHA1
76b9cde8e67f8151d8215d7e7b6be0d6b832a5e7

SHA256
f8ddf67dcc62a69e4f67cbb30e19145d1b34f13fceb7a1a3137a1990d21a4489

SHA512
f23a0a52a9ebc0fd78dc855584427748739b43207448d3bd3112cefd8e88b0008c9fb25092dc984d559d21b4968d3f1bfeba505b63cf3b55ab556a9722035160

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQQY.exe
Filesize
453KB

MD5
4c8359a57827c955671e1d7c04aed951

SHA1
9df58745da86582d1b87ad9536ab5ed35159485f

SHA256
a092de139768308c0e354ac7c2012f0289c1de1d33285aa19eed84ff4f9cc0d8

SHA512
2a5cb9c917492a954aef746c095bf4dcc6752de0b1083130c2e69370eb224e9953469d34e156b3e8816364ef862e371a0c0fe7dc3ecac5b31fb4cafda7f262a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYUi.exe
Filesize
202KB

MD5
0ecf2011ad5a175e2362b489d5ed8f07

SHA1
17a74f55c3be14ad5ef6b4cb24bb76be64684e45

SHA256
dceb675bdb2fd0224acf86731d6e071870ebf31bff57ce9d505d299117a5328f

SHA512
6bff27e57d9644c709dee4059f6a20d0fa32c5b4e360101dd0bbbab84c0c942765c46ed6d90680e1514c257988cbc85453ac4ed04272b0c488cc68fc51481652

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMk.exe
Filesize
655KB

MD5
98e8c62b52d4bc2bbf3ca299d45a8255

SHA1
beab0197b70f68cd0958e55cedb502de39e3030f

SHA256
036665bd957970c8e4f0388583e2236eb63f045517d8e48ff639a539be0ebde7

SHA512
0cb150b3564b584ccdec32e1777d1e8c6ba104b11f9cd917a5ebc66c50e5fb7628ff43b9666e4c98cc82853efd33763d2d5b78d9b2a9f9d75667fdcae4be6870

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMcY.exe
Filesize
204KB

MD5
fc33cd4ed25fc42d58c2064852024dc0

SHA1
fa4ab15c5b3156f1866756c077b2a159508b3066

SHA256
519de8c13fdeb15ef51d5e7bfd70d54d0be6bcb730b6ae43bd039a0d33a7df2d

SHA512
66ccf21593659604fe2ea827dceabc7b1be7e4c9ee01b7b38d8f8ce0bbb666612b83d122f7cff16f6a80fce1b77c44f0baa8411ce45e58ba95643784e34a79cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcwE.exe
Filesize
210KB

MD5
59ed748053dcf0bf207ff5f2f63c4060

SHA1
333a5d4a8fc49516e1243fbbbbf7cb4b8ad8e050

SHA256
6b7c5e7138583ee1ab742f6df78701e5827b8632722ecd55f60e647f32dc4aeb

SHA512
d22c8eb215e8da3f4350b304f88cb81fb02743c7d0a93e7e7dce5c9df3a1b8a5a6a9baabb7cbedee40447dd93eb90d3ba37a9853bc1191dc2eb0f58eb0f74c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwAy.exe
Filesize
207KB

MD5
c5a76a2f6036f438e81367799ce8429a

SHA1
0d42929e69ffee8142634a76f5408a26c130ec90

SHA256
7d1246d4bc96b29b11c97df7c760634dc98c5591d8e496061afc0163732af6b6

SHA512
fdb571af45bd3d26f20f8682ad0643eb66628194cfca902a346e050e66b1ce29765df0eba460595e25965b04b131502b59244695b2cbb2f246ec7ee715482676

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAkq.exe
Filesize
205KB

MD5
0727567205cec6de12de22fb83cb7a89

SHA1
c3670110308801022526ccc377ae54e29683fdd9

SHA256
a098219fd714801a3a1ef0a7d4566313f09199815fce02a3ff5e980798095bdc

SHA512
ed3a3fbcd87b44eb5d37f3428a981c96764c5ad688f8e9d53823daa839577f9042d9717231025dbcb06d9c8540ebb181856ceeef19dd119024d0690fb30afbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQAE.exe
Filesize
197KB

MD5
fcae0eb51af716e62910b86853b99da6

SHA1
e7b8909684ba0b5642ca7ba69f9e6673b2bfc517

SHA256
e0625d62444ae4bdd2072a62bf7fcf71f83bb59504e135c7f8abc0d9953d5a5d

SHA512
fb6783c37df1d9aae206c44053f221b46b62ba7f18572ab36f3ca97253d04837e92c38ef3f6e88ce4557726ae8318212c65258bb289488512d70cc32d48a9ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUQI.exe
Filesize
5.9MB

MD5
0f580f324b445dfbb37380a5c5019573

SHA1
6bdb5fd1e27d10f35d3904ac5066c389256e954c

SHA256
f1116f0973fefca895c310b0e3ec5ae64adbe2c2ee26c6469affdf4ee53361f0

SHA512
53cd3186155473c27ac04b02580595c16f143639d60fb9c1939eb36aef791e1b5412ffac73fe941a9e436fbc9bee4ae6f5cc4e9f7e4ecc6d51c63736d5c91731

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUQg.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEkW.exe
Filesize
197KB

MD5
94a66c938be1c7744e28f64ad53177cc

SHA1
f34596b14ed2fad5023edecf1565e8c324b8ba51

SHA256
2f37c3771be7f2756b99319e7d948a55d295617adbc6bb9fd3f9ea3ac0c811f0

SHA512
1f0ab106b8ce1b366444db4423d37b258c82612941d7ae6f684778af95888c24d215db32bed42e50f5b54566ffe15acb12c0eb96f44d027e59703fa9a15cb9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQgo.exe
Filesize
1.8MB

MD5
1267b131bfaabadc1fde8d45661c84a8

SHA1
ca91183efd14fb35a4aa2176198ef868a2f8c31b

SHA256
a8c1c9850f22bd92d24f6f1fbdc8b9607d4efee84b2234ae61c034294c9cb970

SHA512
2f36cf937d4182794bd5616a37696aef3696abb418c733030cd58484c03afe8741197c37e916a92368907ff25596ffbb0c110db4f1600873a896235d32a6d12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agQy.exe
Filesize
658KB

MD5
2ec4ecf16edf2dcdfb2378937ffd17ca

SHA1
13399272dbb45c2559dd1a0921b56139f6b30c9f

SHA256
37133ff9092d2f7b0f50e9fe2cc770d9eefae7251e0ff589b17dbd8fbcfd6dce

SHA512
57b47ec42ff2903b710aacacd06a69b868f318f03ae617ca4e1816fa6b6463505a2e10f95cb03523fadcd9140041a0060495f1c923a19d03437558f4f582eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYa.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\akUm.exe
Filesize
205KB

MD5
cca574b6ed6f76a9f93e60312923b1e6

SHA1
9a20fad8961e9279677e8b3027059214407e14f5

SHA256
f93aff5c610fb1b3481b7ad78dcde4b74823d698819a37f1a0270e13324b20bc

SHA512
35a4a0b60bad4060d4dc83d7bda33804bb88031c7fa2fa6f2792798f570ddcd50da7874663a7f084e8d42653762d5dab0bbe357a2578c824a7e343967c77c4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\akgS.exe
Filesize
189KB

MD5
8144e8acda2ee83f7b30ef70736964d2

SHA1
8b1c25879312122a47b401481c2029f066cb8cfc

SHA256
d8a4e7eedcbe3c96eb199f5f77e70fe154e89d4137753817c0fbfbcd696adc2f

SHA512
1818d7a8ef9cd376b5c58939b7371c3331750fa5120f3ce28f11e68de11bef80eb7323f92e25269b639db3ebec11ab4c50819a19d0a7f43371ff36c1e3e7946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\akks.exe
Filesize
203KB

MD5
f7e8e9593c1e09d82f4fac10cd0c6342

SHA1
cf35d3643d2176acc040c843ece6157fed429cf4

SHA256
cfb1401a4bc03747d32b0c2e4579b3704bf25c4d1ea7cd936e7b6410e1538947

SHA512
75c6e280e7c9db2fe01590cbab22978cea6b46434189c306c64b011034cbf6e1f81b6612b0e47e626f0490975e6e3daa634c42a4fa36d1b0c72105bbacc5af82

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYy.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAkG.exe
Filesize
189KB

MD5
08bc77bd5d12d7d53032b1d7be8aecbf

SHA1
a882f8db2c8a218733f8c888da2ecd4a91cd1219

SHA256
42dbd242a8e70f73502f053c6aebd005d6c61de1b6ceb14421c458c8d48a9318

SHA512
e7588ce1fa09493d99fa9a34c42330581612397b10d1d8cc6ecc6af8d0dc29dac0eb21e209419a1dd72d2990bada83b532df2e63420c463f0f29d7d6d33c40cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUo.exe
Filesize
437KB

MD5
95402d5883945e419f6d76f00e637a29

SHA1
ebf046ea4788f3f99669d0ee6719b2b89a0c4a00

SHA256
f1d1919813a69b0c5dd224390a74c9e82fea3aadc63cd4ca0b6b5884ab50e3d0

SHA512
fdb15eb9d3e94d7423a0229d149e30a57489cae402755e2c5d98db136922480fe2b1c6b3f157615d5bc08251fd01d257de3d32a2b7e23825708650a86b406aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUAK.exe
Filesize
197KB

MD5
d61ab45ece4943362daa7657349e9f87

SHA1
b1c4afee026925b491007bc3022a93b65fd50cfe

SHA256
d4af394d587390f876ebfc1b23cb033287cc3ea181f8e0218fe3884b95d42f79

SHA512
c393fbcb47f1ecf5be681739bc5f0f8a8f24556e1c2a11d2aa4043c1ae37ca0e4372221fb96b6f2242349843491e52bf5d873873f62cef0de055b3d874aafed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\egcQ.exe
Filesize
238KB

MD5
e7c0eca5e1d39cac35e119c667c5454b

SHA1
b46e446bfa910320f760e94697624921f10f36cd

SHA256
bdb5159523f49f2005d7ae145f329e8f02bc457965dded3047bbe7eae5111f5f

SHA512
20816b007958458d8e6bab8a6f3448a0efc980ba2b2fae35d16cc567253cf1933328682c76edaf76032bbc9e69280ece336b86b9f273e7a783b826eb0c773d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\eswE.exe
Filesize
218KB

MD5
fc33c64cddd7cda585df64112e248608

SHA1
0fcf2b5ea40f5becdbf9f07694d1e6ee3ecbaa63

SHA256
5ef1aa72390c16742834aba5bbbdafcd843e2a85021a46008627642176a20df2

SHA512
7687984b029db038bba850731d9b450ebe54d73dad1ff7e66af2d7a10967d5d65f41a225d435fad07e0a2d9fe55ee57115ee65a1743050d52d0d88547e799967

Download Submit
C:\Users\Admin\AppData\Local\Temp\esws.exe
Filesize
200KB

MD5
fd003e340acc57a3806ad9b930581a1b

SHA1
9b5f4472d1c85432af9c7e50f8f2de4f422b7a53

SHA256
7cb4f92dd38ecab327d59e5b3e620471fa1892e9747e48343b04de5c78410159

SHA512
ae9b8a53807afdf5830f3261ebaae6eaa53c292f9fe17f6f773a1e90777140ec0e8d60e984d6e640b291d23bd15a98fd50d2e528ce388cc3b649eed14e463f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7161f431e5ffd38b200f70b967f01c0_NeikiAnalytics
Filesize
2KB

MD5
da5fb10f4215e9a1f4b162257972f9f3

SHA1
8db7fb453b79b8f2b4e67ac30a4ba5b5bddebd3b

SHA256
62866e95501c436b329a15432355743c6efd64a37cfb65bcece465ab63ecf240

SHA512
990cf306f04a536e4f92257a07da2d120877c00573bd0f7b17466d74e797d827f6c127e2beaadb734a529254595918c3a5f54fdbd859bc325a162c8cd8f6f5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEwu.exe
Filesize
192KB

MD5
20d0d4eea70934dbaf97886a2c097cb1

SHA1
cdde7376a7e21a8e1885ded08a8d90e127ca2581

SHA256
78e48e29146ddbf73238dcbb73fe48b9f85ba34cbaef2bf1c7028e28b7686b1c

SHA512
f2f0d7ad0be3cb88f2d165c4e68f7aef36079e48096aaa4bf10d2a0da463c7d5b345d9ccc642b2d96831ca6269e43dd1af88a686dfbdb8a9f44d0a28feb8be91

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIMk.exe
Filesize
186KB

MD5
1c1c88f27f4a3dc446859147f2e8dce6

SHA1
88d5c2feda5562e7d47d3c46dae6d1732900953c

SHA256
ebcbd73eb7aee512331dc89373f667a9d1a43660f62bdbf81a0351a2ea2f6c5d

SHA512
dc61bf6d66437441d55218581884c92c16277a0d649a73120530fe9d68bf527ddd09cde55dc7f45432e506ebecbeb640e80467d3b665efb6cec78e4802f47fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgo.exe
Filesize
245KB

MD5
64d211a9de79f4c25a89055dc337dfca

SHA1
73ab15348a3c943a8cfd6eab8ba683a33512bb2d

SHA256
facc903bfe1bb51dcaa932524eb317c242f8f997b17c1f6adfdd948be1e594c0

SHA512
292681cf0642f9b9896f50f60cbb09c3ed724a8fa92d1c0f99a100118765133e9e0907146b5d49c78392250fc4ea2d5aca4141c399eb9806a3970c8e8baa3b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscI.exe
Filesize
196KB

MD5
043d832ba39f6cf8467fb3c2f38b8384

SHA1
7a350df820e764720857e0dc5bf0fee7b006ceea

SHA256
60c3a98a39c45a058018a96d38c574c08729dbf52d3dbf3eb3d925b3dd1803b7

SHA512
7ce3e26918b3a1d10eca69c3d172b151381d2e34160fc65416c2d09755ba2c40f19b1df7d093b9d49e0d466a6efdd7ea0bdd179b47149f541b9d14a9835cd213

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIA.exe
Filesize
663KB

MD5
be581fb12242dcaab864281916e73f6e

SHA1
a79be9954d197c839958652de1642f7314f34cf2

SHA256
84c2570407b440abbbc6819b35cb5494ed1569210dfccf86490da8846e097fd8

SHA512
46ee363ac5ad45e56cb26e98af2cf339e143992173fe5c73f3b0346176a47a6c80c9f50546270b61fd98ac0cc9d0a17026e513349ac0b2471a610f34e0cc796f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYQS.exe
Filesize
641KB

MD5
f481244bb019db7b4c231cf7d78fa407

SHA1
b01e529d730d1e46d8e3fb674d4d5612d48abc44

SHA256
427c838b9670be55848feb920ae8d5261487521678fd64b84bb2b064a3111e37

SHA512
b2d07c86a454344f745f986b1d9b94d5564e6d372626e9a525dafea603e932ac10447de56397c5011514cea49f2b2c50894512ac7442a611bd81f5df02fdfb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\isQE.exe
Filesize
789KB

MD5
5ca22952adc4a53ef6fcca117c2e9d53

SHA1
78138a9738b771d8456fd1d14c1a75d8c800572b

SHA256
acb346b3e254a477d4b8729a711dbec6975ad5a6f38da2518b7ea74f51cb2278

SHA512
f87b185b3e12de59b7c8d83914127ab66d5ff0909a55045bb6aa088fc5488afe2f9701f2f6081e6a17f5820c81141d60efe1ce8e26802827c5640ca1598a34f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAUo.exe
Filesize
818KB

MD5
d383baad42d96290aa5a6ebd4fed279d

SHA1
d801996b1e000241bfe93206808c58be132ece40

SHA256
b70c3262cb8b12195d2207efac129dc9035c435fee42dd7e9791047efd254286

SHA512
2c1c2a1380ba42fc27d673433f86dcba0d5a1f9697ea4e3c61c92019cd1a514ae6469e4879c33905e75093b759607e6de44f062d75edb1a048ed7d83172c747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAwk.exe
Filesize
191KB

MD5
4ae78307eee915ade4a39b183decafc9

SHA1
3c7a16a18cc0765df157785ea044ce11c29e7471

SHA256
461be28b6c2d755524af67fa78afb2b247c6447d70fc77bfba931bfbaff1e549

SHA512
7ff0475b250df67ae3ae14dd8818b04051f6ca424e8c4b4240dacaec9187d38f09aeda5bb258c44b7083412ec27217db067808fb3bea1883d9a43575b746ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMU.exe
Filesize
193KB

MD5
23333018b52ed1dca9b73c46938af403

SHA1
6d3c9a3470d1c1b07008d08a528f06d4fe4b84e3

SHA256
75bcb1dae7d0e612f978b08371bafd7c24ffdd3d7deb460ed2c9e17722bbf6f8

SHA512
863d6e50d2559783a5047417bafb318c275cca22ea5f51ea804520b8f4d5cd14c40098aea29349dab9b92deb87ee900f345412d7e934901d3fa063eb568ebb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksgA.exe
Filesize
184KB

MD5
1baba198319216db8f47b106e64f2c8e

SHA1
5290f251ec31bfc9f54fad00bd5d547aa4cc4b8c

SHA256
b068ef6423a9a6431eef158e86ebcda0cd2462da79d281317c405736d4ee597f

SHA512
100906d3bababa65a608cedbfd33f75871dbfd7e1c09ad7bb352d2635562e220b359d1be98dfe7243291b0f0741587a950490cc3223dfbafa62b795803898669

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwow.exe
Filesize
193KB

MD5
420e57cc310f5cd6a77ecc9ccf2b00c3

SHA1
fbc4c78e20a211e41fbe7d2067957c626d7bbb7b

SHA256
3510a8c729a341c0a5b182b1d1e8463dcaab936a0e13acfb69ee00b0ae6c7ab4

SHA512
feaf121191fdfee8d622ab455d66e0bd7965a0f1796139eee82d27bd31277ea6c7e50ef98ad623a35d4f830f57c325718154df90b3cae8291f03c853581e00a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIMk.exe
Filesize
5.9MB

MD5
4e070ce8da527127e1d662c47be1454c

SHA1
490a5adbb675c062f31e9e22318ec10286a1a639

SHA256
c3f224a78dad9303dfd1f351f8ff039942c91a67546cfd532a39806a325e42b8

SHA512
c186697ea343dfc84d30f66698ff579d7c65a3f5d9787f04ec6a16eeda4c00ef661e861d37beb7fb36b0e559a817988f45709a035bc161da9e2a28ebc5c5e7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIka.exe
Filesize
811KB

MD5
e165c5f9eb4e20f4887ae64c6d53e462

SHA1
f9e2ac6bc427bc6919b692b0547fe6569593b9f5

SHA256
aec9075aba4e0ddf2895a14fca0c7e1ee8d7d8cc328114fd66980528405eea98

SHA512
aed4a82e2fed92cf7e7e5713a3c0e6081516c6afa896db3659e4e1d080bf4e4f7db8a80b405780f5c90bb84f9b2c333c77e2ff119c5f57fac0697abbd2357e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYoo.exe
Filesize
188KB

MD5
c168b7764a19b0eb95a939e109caf77c

SHA1
2fa83caad465862ca1756142476ed118ba012f98

SHA256
6499a7b2e80258e520543dd7116c4ae5ffaf87a8a6968ccbdc0dc16b4c9ae0b6

SHA512
99075776d0708150b79e606296b3e2ebbdd192ec7b546cbb0d1814e06214f22b6289b5dcc7979c181a163e22dbda27b15494ab8ea937a0a2fabb7f12ad1a26d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mksG.exe
Filesize
388KB

MD5
678012dbbbf18915619acc2cc7dea267

SHA1
e31c5c4a4519863b4a563cb7a6a6dff021c545ac

SHA256
ff9679676daea762b2b15f72238ea18a07c83ba353caf01bf91d62aa0a1cf344

SHA512
aff574ddec0dc260a62a3b1781e394b40a95200cedc8794a56afa822a0b56dc4387c16e1046615318bb3f9acdea5ff6e7998e9bac5f915e03dbedbe4aef4c3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msIk.exe
Filesize
221KB

MD5
5aed55dae90c879fe4bce5b8ddb64607

SHA1
c84373ae8a9578f3ce7533df83adffe5f7473e0b

SHA256
00172522b4fcb74a21d897b1909fa11278ece28313e826b35dccaf365c1a7e6d

SHA512
cffa2f1260e40659d1aa4cf425f49c506236f52f8f4fbfee793429d0298abec4b90c06b12def354389fc5124677ce29548d7a4562487bebe267abedc9db11215

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIcI.exe
Filesize
798KB

MD5
554f34f19e08fe848cc9f46a6f55d8b2

SHA1
0415e451e5f458307cad949bfb0d00bf3574dfd2

SHA256
2ecf3a7b32104c4a772bdfbdd42cc270af6205cb2743bb5576d4ecbe74305ca3

SHA512
441af59919c500607f27c862d596e1140e252fbe3498a071939da47a340e5700ccf6408b0f2da8e04428d8679131f67bea1d39ad57d3d2f23fde5a59aac69248

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYUG.exe
Filesize
218KB

MD5
6cca12903158353111e8ed83fe14914d

SHA1
941318646143e9c7981559e9fcc7b651ce6ba306

SHA256
9b1c2b5b99aee0a7fb1acfeb6df5cb1a66e431892d8d65d721a4ddbbe7b3603a

SHA512
4f8444b002084b843ff9d8700e0b7ff65dc1e0d49632448757b14d09117684d763b69ff3351e78b10647a34bd5f64fa5c471a7b80aafd24529a43b9f46a13f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoku.exe
Filesize
195KB

MD5
e24cf424f694930c6ddca928bbd1464a

SHA1
ad0f546b2c37ce60455a555acb0e7dbf3acbc7ed

SHA256
df67e177940ab326a06eab3f81ef042b86c093e8f475f729498c8aea0464797e

SHA512
fb7478493e7a96eab1fd2d6ab906e74645a828c21d8507d49855295bcd00616c2748d8781291fec7e9b850f4c9623db83cbf3f83da703ca501861e4094c17f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIk.exe
Filesize
939KB

MD5
966423a7613cd2b3b0257eab20f5f124

SHA1
8036a4bc609ac30e3611881511799c6d4039025e

SHA256
9870a0965821154ec3f77a0e30b5fed58d6db4a1c3c97cf51d7b5d138546c81c

SHA512
20dc8ec8d4cc1b81740b848546dbfd04c4ea3f0f24873e65d3369e67900ca59f9e520cbb29baee30d7e04db32f276aa5fb9feb7c425e7b5d0424d5d6bddbacf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMIM.exe
Filesize
194KB

MD5
80ec6321961b58567de63c6e85d48086

SHA1
bd59c897344de5e6d2f79ae8b06a951b81570f3a

SHA256
700a5e51033e06b841a4b4ad6a1b50f49b666f17f82e7ea4993fd6713d582757

SHA512
7bb6fb4936c79408348d9d503895333e33112fbc8720ba6b802ca7a6ab391aed51a0af182b39451858363de52d701eeeb1c9581b30ce2c05f9058c5bc6cab331

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYo.exe
Filesize
188KB

MD5
240c66beaab449d8057e110375157820

SHA1
0cfbaa9be487c781d5dd9e2b450475090d843135

SHA256
5e7ef897e7d48dfb7978c8e1a5771609028f744dfd7a84d33a2b3193b257f7e7

SHA512
0cf34fa9c8595119d2116489a579348f6db3f74a404840dd2e1942be70f0115a5157e5aa04aa925d89afd877ca4ffd5a03926f661257ac8bf3ce535a59b13984

Download Submit
C:\Users\Admin\AppData\Local\Temp\skAG.exe
Filesize
188KB

MD5
cc327f72ab8a533dd7589c61ad5d025c

SHA1
1915ecef3ed3a0e47535436713e9258266c7bb89

SHA256
d98ea1f34750243d7f3e751c9585b40788f0ac6e14c8ebb98074e849070ff59a

SHA512
49ac82961fc74cbc81ae3ff4bcec359dff0d5d277080af0d7c14d52dcce75248748e43b9dd823edf1576c84ac245ab406de99ba48f0d01b1248119afd601d10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwq.exe
Filesize
194KB

MD5
b6a28bc5269f6112714e8597d01beb65

SHA1
53ff6b133e743ec195c15f9f9021ae5185f355b3

SHA256
e05ade885118fc56ea9a09a4f41d93ef6992aadde5fc2604b18b43d7ad8a46b8

SHA512
7a34e059fac03e419320a4309c13f8503ded2fa5ae9c8f92a97f386f527a158f1d6badf19c9823e75145bd802d6a7193fab5ff7b5f71a294c4b2956b1fb34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoIa.exe
Filesize
438KB

MD5
d0aa63817a3eebb2a16ccc2ea41f31fb

SHA1
68ed309e80c984eb1f9aba9c275df8eb42d0cae7

SHA256
26a3d23a2577963adbb3e52ffc7e4719b7e026ca2d4045210d29541872e94ad9

SHA512
9224c8d510de6e2be7f140d52b5673655cf8d718e46a69bb79c69f86b7f75dae71f98b807556908f1734d3b17fedd38afcd79abc6255107be6babd6ea0a39d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwIo.exe
Filesize
199KB

MD5
224bbecb08ce5941254b4ae3ae715d00

SHA1
3618113d33eb1bebe36e346f69cc10f6f1c5b0e3

SHA256
74a93e4935e00845f4dbf8bf2a6e7b57e391b4585378bb147e4a1df6c836275a

SHA512
b4f7974bb10a21e1d00bba448b0286c74efeefc25d9687586e85e8c03b78caacb24f287a00ab848d85e83c2e3a78add70b22d85895c089d069dfa54cbf48fcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcco.exe
Filesize
209KB

MD5
aa02617e76cfa66585c5cc990cd22635

SHA1
15b15aec79ee9cb89a2d5ba07e3800a202a49c2f

SHA256
2706977b0de293e347aebf30c7c8aa09389e46f0b5fd00b2d7087f64bc9295df

SHA512
5aa403f44737d0c11aae8ad4b22afb254cf075f017d1c7a888196d308663f853c9f0cd84bcd755bdba6908a7be4dde5711e63f69241b03da51e46b5a2e708ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssc.exe
Filesize
192KB

MD5
a616241c320a209f6f391d51a2532bb0

SHA1
4de6c863130aba3b136072ee445e1a060648a907

SHA256
5e4e27b545832a523a319c59a8e9790320e415ff7318dc304a36c833636effb5

SHA512
df34c88ce51718ea2e215ceea735e2830c0e85b8f2a58744218e80f735e996f095426b26e76ea3044601f0035ab08548f8a6aab03a8cbbd85e598f74efacab67

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEgS.exe
Filesize
656KB

MD5
6565af549fbab68d1c8a354405acf4a4

SHA1
30ad87bc00a751c12b409f38c2b929224aa5034f

SHA256
3b852941e47ff10884a37a43250c5a7b5769306eadbbc0556a995ab58f0e92e7

SHA512
7f0c3902ef33a7534ee221d520ff4a97386ee4fd9f1ca8dfe7dcc6299f74d9757abd977a726add9f40036c464d6d944f8ca5ef20a7525321a3079614abb286e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggi.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykgW.exe
Filesize
344KB

MD5
0d81b1a5e0f71f2ddb706581c7b4c00a

SHA1
49cfdefe1f755c91dedb7cfd7ffd14487b004e4d

SHA256
497aab4abf8561efc973af4c3ef00900e25cfaa84612b2c261b146a515a15d80

SHA512
dd06c1006a98dc50a9d2a226ffa6312959819da5efbdc05ae1b079e3132a34bf4d3aeeac73d452428e3da66a0121081e587f35d5f47357aab4966062ea5fbaa0

Download Submit
C:\Users\Admin\QAIoYwoI\IAEUMYUE.exe
Filesize
179KB

MD5
2780f6acdb040431c3070179ba5b2afd

SHA1
830fb9ecea3eaa5d56b752d7248111defc046dd8

SHA256
728f6467f3bd4bdf70050d7bc1e1b4ff8f4037d1a5f30d9628a40e4d5fefdae1

SHA512
beada1837fc7283590c8d42dddbd6ecd8b1df87fa4fedcd6b5659fe01919c89f46fdcca77ab76e2cd736d3b28765dc0f8a32d3c61928ea8ac2e3e59037ccf4b5

Download Submit
memory/312-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/312-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3204-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3864-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3936-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3936-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-308-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4568-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4608-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download