2f8c2a3e9c56140414a1fa338feb3b3ac335e85fd15230d0a3d4e163ff29b2ae

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
Size

196KB
MD5

ebf37135bc754177868244c8b1c6f600
SHA1

3b8cee2bc495ac2b1b01d0eaee8e5b5a29b0cd70
SHA256

2f8c2a3e9c56140414a1fa338feb3b3ac335e85fd15230d0a3d4e163ff29b2ae
SHA512

50269b220addc2beee45d6b0c3f9a16f75cfaff02e17ef1d43ce5539a5f7d41c65a6fc0709d4fce4b96f953eb32b917e7da021cf21fb925dd911a602cc8a817b
SSDEEP

6144:QzHV4QWvzvmjdZRlc4l3+lFyk0KBwTlui63h6vW/xxXc3o:+dl36Y+fPXc3

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wOEgMYgc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation wOEgMYgc.exe
Executes dropped EXE 2 IoCs

Processes:

wOEgMYgc.exeissIocYw.exe

pid process

1852 wOEgMYgc.exe
4884 issIocYw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	wOEgMYgc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exewOEgMYgc.exeissIocYw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOEgMYgc.exe = "C:\\Users\\Admin\\RwUEUogA\\wOEgMYgc.exe"	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\issIocYw.exe = "C:\\ProgramData\\QmoYckIo\\issIocYw.exe"	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOEgMYgc.exe = "C:\\Users\\Admin\\RwUEUogA\\wOEgMYgc.exe"	wOEgMYgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\issIocYw.exe = "C:\\ProgramData\\QmoYckIo\\issIocYw.exe"	issIocYw.exe

Drops file in System32 directory 2 IoCs

Processes:

wOEgMYgc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	wOEgMYgc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	wOEgMYgc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3648	reg.exe
1592	reg.exe
224	reg.exe
5100	reg.exe
868	reg.exe
2260
4004	reg.exe
2360	reg.exe
2704	reg.exe
1992	reg.exe
2768	reg.exe
1976	reg.exe
4596	reg.exe
928	reg.exe
3096	reg.exe
824	reg.exe
2480	reg.exe
3976	reg.exe
3012
2444	reg.exe
1196
2292	reg.exe
4128	reg.exe
3308	reg.exe
4912	reg.exe
2000
3296
2000	reg.exe
1008
4412
2032	reg.exe
3468	reg.exe
2064	reg.exe
4476
888	reg.exe
5084	reg.exe
888	reg.exe
4520	reg.exe
2444	reg.exe
3940	reg.exe
4580	reg.exe
1068	reg.exe
1628	reg.exe
208	reg.exe
1704	reg.exe
2092	reg.exe
4744	reg.exe
2704	reg.exe
3932	reg.exe
3708
4688	reg.exe
1724	reg.exe
2284	reg.exe
2544	reg.exe
1648	reg.exe
3848	reg.exe
3852	reg.exe
2284	reg.exe
3452	reg.exe
1404	reg.exe
4792	reg.exe
4352	reg.exe
4520	reg.exe
4128	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe

pid	process
972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
780	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
780	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
780	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
780	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3656	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3656	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3656	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3656	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
208	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
208	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
208	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
208	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4816	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4816	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4816	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4816	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
5052	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
5052	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
5052	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
5052	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2176	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2176	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2176	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2176	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3388	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3388	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3388	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3388	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1668	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1668	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1668	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1668	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3168	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3168	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3168	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
3168	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4296	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4296	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4296	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4296	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4572	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4572	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4572	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
4572	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2640	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2640	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2640	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
2640	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1876	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1876	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1876	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
1876	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wOEgMYgc.exe

pid process

1852 wOEgMYgc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

wOEgMYgc.exe

pid	process
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe
1852	wOEgMYgc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.execmd.execmd.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.execmd.execmd.exeebf37135bc754177868244c8b1c6f600_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 1852	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	wOEgMYgc.exe
PID 972 wrote to memory of 1852	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	wOEgMYgc.exe
PID 972 wrote to memory of 1852	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	wOEgMYgc.exe
PID 972 wrote to memory of 4884	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	issIocYw.exe
PID 972 wrote to memory of 4884	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	issIocYw.exe
PID 972 wrote to memory of 4884	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	issIocYw.exe
PID 972 wrote to memory of 3768	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 972 wrote to memory of 3768	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 972 wrote to memory of 3768	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 972 wrote to memory of 4004	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 4004	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 4004	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 3548	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 3548	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 3548	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 5060	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 5060	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 5060	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 972 wrote to memory of 1012	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 972 wrote to memory of 1012	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 972 wrote to memory of 1012	972	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 3768 wrote to memory of 3432	3768	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 3768 wrote to memory of 3432	3768	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 3768 wrote to memory of 3432	3768	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 1012 wrote to memory of 404	1012	cmd.exe	cscript.exe
PID 1012 wrote to memory of 404	1012	cmd.exe	cscript.exe
PID 1012 wrote to memory of 404	1012	cmd.exe	cscript.exe
PID 3432 wrote to memory of 1280	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 1280	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 1280	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 1280 wrote to memory of 4704	1280	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 1280 wrote to memory of 4704	1280	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 1280 wrote to memory of 4704	1280	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 3432 wrote to memory of 3776	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 3776	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 3776	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4744	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4744	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4744	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4204	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4204	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4204	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 3432 wrote to memory of 4468	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 4468	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 4468	3432	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 4468 wrote to memory of 3332	4468	cmd.exe	cscript.exe
PID 4468 wrote to memory of 3332	4468	cmd.exe	cscript.exe
PID 4468 wrote to memory of 3332	4468	cmd.exe	cscript.exe
PID 4704 wrote to memory of 2724	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 4704 wrote to memory of 2724	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 4704 wrote to memory of 2724	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe
PID 2724 wrote to memory of 780	2724	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 2724 wrote to memory of 780	2724	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 2724 wrote to memory of 780	2724	cmd.exe	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
PID 4704 wrote to memory of 4944	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 4944	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 4944	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 3940	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 3940	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 3940	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 1664	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 1664	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 1664	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	reg.exe
PID 4704 wrote to memory of 1512	4704	ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\RwUEUogA\wOEgMYgc.exe
"C:\Users\Admin\RwUEUogA\wOEgMYgc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1852

C:\ProgramData\QmoYckIo\issIocYw.exe
"C:\ProgramData\QmoYckIo\issIocYw.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
8⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
10⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
12⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
14⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
16⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
18⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
20⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
22⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
24⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
26⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
28⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
30⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
32⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
33⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
34⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
35⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
36⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
37⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
38⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
39⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
40⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
41⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
42⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
43⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
44⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
45⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
46⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
47⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
48⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
49⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
50⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
51⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
52⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
53⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
54⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
55⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
56⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
57⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
58⤵
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
59⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
60⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
61⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
62⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
63⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
64⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
65⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
66⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
67⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
68⤵
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
69⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
70⤵
PID:1288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
71⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
72⤵
PID:548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
73⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
74⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
75⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
76⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
77⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
78⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
79⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
80⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
81⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
82⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
83⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
84⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
85⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
86⤵
PID:780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
87⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
88⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
89⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
90⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
91⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
92⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
93⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
94⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
95⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
96⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
97⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
98⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
99⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
100⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
101⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
102⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
103⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
104⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
105⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
106⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
107⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
108⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
109⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
110⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
111⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
112⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
113⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
114⤵
PID:4864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
115⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
116⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
117⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
118⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
119⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
120⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
121⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
122⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
123⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
124⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
125⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
126⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
127⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
128⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
129⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
130⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
131⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
132⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
133⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
134⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
135⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
136⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
137⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
138⤵
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
139⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
139⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
140⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
141⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
142⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
143⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
144⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
145⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
146⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
147⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
148⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
149⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
150⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
151⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
152⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
153⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
154⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
155⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
156⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
157⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
158⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
159⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
160⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
161⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
162⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
163⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
164⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
165⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
166⤵
PID:1404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
167⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
168⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
169⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
170⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
171⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
172⤵
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
173⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
174⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
175⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
176⤵
PID:3388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
177⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
178⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
179⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
180⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
181⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
182⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
183⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
184⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
185⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
186⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
187⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
188⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
189⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
190⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
191⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
192⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
193⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
194⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
195⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
196⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
197⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
198⤵
PID:2432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
199⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
200⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
201⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
202⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
203⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
204⤵
PID:2832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
205⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
206⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
207⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
208⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
209⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
210⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
211⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
212⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
213⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
214⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
215⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
216⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
217⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
218⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
219⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
220⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
221⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
222⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
223⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
224⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
225⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
226⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
227⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
228⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
229⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
230⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
231⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
232⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
233⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
234⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
235⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
236⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
237⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
238⤵
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
239⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
240⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
241⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
242⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
243⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
244⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
245⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
246⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
247⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
248⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
249⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
250⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
251⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
252⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
253⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
254⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
255⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
256⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
257⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
258⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
259⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics"
260⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
261⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:3296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGcwwwoE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
260⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
PID:1992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWsMIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
258⤵
PID:3996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies registry key
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
- Modifies registry key
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- Modifies registry key
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCwIQcoY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
256⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies visibility of file extensions in Explorer
PID:3644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOEIYgcc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
254⤵
PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYUIgQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
252⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fskcsswE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
250⤵
PID:4280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiYoUIMY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
248⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEYkQEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
246⤵
PID:848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEAQAcs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
244⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWAQYMQk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
242⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuYkEAgU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
240⤵
PID:2884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
- Modifies registry key
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSMwQAwU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
238⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jikIQIAo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
236⤵
PID:3600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyAoAkUE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
234⤵
PID:1480

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:3616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- Modifies registry key
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKYIIUYw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
232⤵
PID:3944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAsQAIE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
230⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEcUEMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
228⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agsoMwUw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
226⤵
PID:1044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaEEIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
224⤵
PID:3672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsEEEsko.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
222⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGkYoQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
220⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYYkcEYg.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
218⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
- Modifies registry key
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMUAYYwk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
216⤵
PID:3528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaMUUMYk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
214⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWkEIksI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
212⤵
PID:3616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aawMogko.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
210⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKUcIkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
208⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies registry key
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
- Modifies registry key
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYcIYwY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
206⤵
PID:2064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FegQIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
204⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkosUocE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
202⤵
PID:512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:2476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- Modifies registry key
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsAUwUQw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
200⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- Modifies registry key
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hckAcMcM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
198⤵
PID:2072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:4004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies registry key
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:2032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqcEAEog.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
196⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies registry key
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGMUYgoY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
194⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaYEUQUc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
192⤵
PID:4816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOYAogkg.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
190⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XesoUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
188⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKUksIYc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
186⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuIsMQMI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
184⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
- Modifies registry key
PID:224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TusIUckw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
182⤵
PID:2244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKoQokgg.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
180⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gugEogcs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
178⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMgAcwUs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
176⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkYoYwok.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
174⤵
PID:1960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:4912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEowwQIs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
172⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:5116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcgcYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
170⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQIcoAos.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
168⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwkcocgU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
166⤵
PID:708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkQYwAAw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
164⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAIYkcEY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
162⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GecIwIcM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
160⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwEIkMos.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
158⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOUUgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
156⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:4276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOYUkQgs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
154⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQAssEos.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
152⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWocwIck.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
150⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
- Modifies registry key
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryQUQYgA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
148⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqIwYAUI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
146⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:1340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKsQcAwA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
144⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsMYAwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
142⤵
PID:3120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HscEcYAc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
140⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOMIAcMI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
138⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAMEIoc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
136⤵
PID:2368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScoMcEso.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
134⤵
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QewsUksA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
132⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGcAMEMs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
130⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqowYQkY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
128⤵
PID:3380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmYkMsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
126⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:3616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSwUYcwU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
124⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMgsYIMU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
122⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSgcgwcI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
120⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAgsAUgo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
118⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:1776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmcwcEwo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
116⤵
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMIoYMkI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
114⤵
PID:1680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fewcwEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
112⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIccswUs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
110⤵
PID:3536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XugUUccE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
108⤵
PID:5100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgkokok.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
106⤵
PID:388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goocEAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
104⤵
PID:2884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies registry key
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQscIgU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
102⤵
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:3888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEcMUEoY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
100⤵
PID:432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIwQocE.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
98⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCsgwkYA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
96⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyUYUIAU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
94⤵
PID:3824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xisUggYc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
92⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKEkkogA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
90⤵
PID:2476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQswYoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
88⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeYocQcs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
86⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeIswUoo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
84⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwMAwgwk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
82⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkIMQkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
80⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqwEEMUM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
78⤵
PID:2696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwEggIYU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
76⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkgQQYoc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
74⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eukIIswo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
72⤵
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isQocAso.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
70⤵
PID:4492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:4688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:4204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcIEAYUs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
68⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyEEgkQA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
66⤵
PID:2644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWsgYwEs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
64⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:2128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUAwEIQs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
62⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgEoQcQs.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
60⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KccwYgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
58⤵
PID:908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaMUUcEo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
56⤵
PID:3888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUUsEok.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
54⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:3824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZekYkQsY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
52⤵
PID:2300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:2012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsoUUEsY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
50⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMUEYQQo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
48⤵
PID:4624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIosYUw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
46⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esUwgoEU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
44⤵
PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqkQYYcg.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
42⤵
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkAkkMcU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
40⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKEkswoY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
38⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGQckggU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
36⤵
PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwsMoUEc.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
34⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:4004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQsgIgcY.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
32⤵
PID:3244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCcAQwEk.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
30⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooQUAYEw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
28⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkQYcww.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
26⤵
PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMEYYIkU.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
24⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgwQQkEA.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
22⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkMMoMoM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
20⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkgEQcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
18⤵
PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyUEEQAw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
16⤵
PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWEgMUMo.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
14⤵
PID:3940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sysIUwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
12⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mecsMgoI.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
10⤵
PID:1528

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwQAEYgM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
8⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOscYIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
6⤵
PID:1512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAcAUAQw.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOksUQoM.bat" "C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:404

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
307KB

MD5
a223a95e9370e05d0340ac18f9557754

SHA1
00befb6c9de925590a263c13178297e9260e10ba

SHA256
f735fd3e0cce49745013f0efe9114ebfd8af6ac8df08b5423b49fdb4aef0b0cc

SHA512
b9406dc3a34c68d590838e1e5d6e98230a5b8fe56080a82454c53818f4d2e2f2a5e58ae902ec5efd3bd3825ed4014dc4408145b784bf635e184941a6f55102f8

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
231KB

MD5
a960f2ca0e4ccafcd8a6af170de8a1b1

SHA1
2997cf3000f65997932b73b5c262a832ec6acf92

SHA256
295054376e9f3c5945fe63698fdcbea36cc464d66ae5a98b6ca9de296e9db272

SHA512
6734a37a4650a01d536c2773426e648276991c9335a92cfdd38459579642786791c7971062847ff01d14f37902d57ad47f9f2f8b3f82997c5da8cd320cc5333c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
218KB

MD5
cfefe3a2024479544b7591e41cab2584

SHA1
6c9a46e58a2184e11bd8770b19b678d1d163860b

SHA256
0bcb4cf377bb9e468f7874966108a5354b4f4c21fd44bd1470bb52697862ac62

SHA512
9a8cac3873eeb713a5240a349d14ca4d2d58ae22f5435677003a2993032d666a889007230ca3a3111c783b830abe7391245b926c3ee2f786b75fa17c73ae1cb7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
785KB

MD5
ab4c19baf50ebe94c932e722de5b11a7

SHA1
a6a1e0e96367a5a7d8a014027386d7ffc3d15b3e

SHA256
03fb614e7d266425d1ccf05b078930c81370b87f88073a146a7322445783dd41

SHA512
37b823878a0fe01363b89486ddac73b11226965c21c2e2f0f5363dac8af5d71674fccfe421636d877f05575c1ab89e81a5f40860bf44d320889be5bcf803fdb5

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
197KB

MD5
6e8bf95fccf20bf78c3b02ea6f6931ad

SHA1
ddb37b88c68c0200a7660f35442d6066251dfbdd

SHA256
0d321ef93c93f7cb2ce5c02eaf129e30d2f06e322ef6bb0bd9da0145b14963c1

SHA512
75e4d6ffe6d09d7e415328f2cec124bf8276ab86a1f7dc5a53028502731d8a964907d496e639140add3ce781b87c1fea7a54811705cd8afc8ac2c9df0f2309c9

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
656KB

MD5
199858fb8ec3891fa88665a6ee0f79f0

SHA1
b6df1b10b4e3dc61dc53a3e32e3fab3f84fe6413

SHA256
bd2eafa70b33f3309bdecbc0816a3adee876f7c709c72e5931e2846cea5b975e

SHA512
ff03ec273493dc73f3f2f90fd4717c54b6bd8d80f5fd19879524741b8998a9e0991da6a8d6809d6bb2b9a97447aeda968ffd5adbb7c664373cbc5558f4a91ddb

Download Submit
C:\ProgramData\QmoYckIo\issIocYw.exe
Filesize
193KB

MD5
e1b97ceac1b1fe60a1fe638f08c888bd

SHA1
b19dfe73bf3ab361b6978cd1bf606520976ef3f5

SHA256
aa91c3f6d7478513d3e39e9cc8b7fa8b221fce263a66f0b09ddfb8027a948679

SHA512
e4bdc023196bef9dd8b8aeefb0837aee4247be94cbdacdf49ae7c51eec11f3839907b2f99549c2c5d2b934aa829bb9d1a42b7730780cc406df88526de8a86e91

Download Submit
C:\ProgramData\QmoYckIo\issIocYw.inf
Filesize
4B

MD5
bf3f8e9ef6a74d6b394d95bfcc7f24fa

SHA1
49dfdeeecfb013b4adbe0cde467c84e1a088b796

SHA256
08c495c70d88e93f7f3760308ac3af887f4ad313d137699b28debaa7787edcde

SHA512
7fa95f100838d46f4810b43325efb6bd4233735412cbe4afcf5c1961cf83e73aecc95d3068c114217fc93371f6af6676c1aa90f849d0f0cbf7f8db3a71f89e1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe
Filesize
203KB

MD5
57c3bbdd46f64c5511d8cb4a5f2f4acb

SHA1
44da2634d5742dc235178bce67a9d25e9ebb7fdc

SHA256
b76424b9cd2cfe0ffef8952adacc12351f09132178e5b6d135cecb8234fe36ea

SHA512
f7a09c41deed3aee0cbd955e323410cda046ed075f46d69a7e40e2fa2ea8c7650144e45399c594228410635d13b4ff04efafb6e58868916624083c20e9d4f4df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe
Filesize
186KB

MD5
0c9423972c83eacbece2e4d3bd48013f

SHA1
29b158f779855b734af74f0b89177f167ab50f07

SHA256
ab13679a86783c4ec34e476d02459ad8a6250ef4af05c3d4260e580f4cb4adce

SHA512
14f8bf8924201baec1eab17729a3e656e15fcbdd91b3fe195af5eb72aa9e8a71cc5c6d6ddca844e0008c9f9c544a9ece927d084032c712ece40a99b607680717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
195KB

MD5
2f88914aad1d908469f4047ffb4a903b

SHA1
a098161d6c5d7aa6b55eb3bfa58058e83aac8b20

SHA256
41db8e895f9b7685e24c6e12fcbbed57a6e2e96b46b0afeb62307e465acd50f2

SHA512
f21cfc3174fcd34d070a649a4a4b0d8f14bd78347f77b6e5244b2651aaa77a4e5df4771c19d6252fbe5ee3dbf2a485b0fc3dc6f34bd7c9bf031a680f790dc3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
Filesize
220KB

MD5
e83dae1acf42053bfa37e6e6b46ad357

SHA1
088634ddc7ad68e795b6bc0ac056b3c16679745d

SHA256
baa21850305c6a5c36186172fee7597e0bbc130d38a70cdbc0c5286d351847ba

SHA512
15a6a57da457bd1447354c5e4e9a645db7ba14a47008023a7ec36f111edec9fe0fa4da3e2b6a60bfc0f1435ea4f04465d05862388c7dbc1886d008727cd8bc63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
201KB

MD5
b551e58793d90a5d78afcdaa09df76f9

SHA1
4644cabece5dac652a2a05c1aa6a8f2359b5d224

SHA256
797c9e72855d402900eecf289366d2547650e5cb4fda2fbffbde3ec09caeca17

SHA512
5c28efd113b7db2065b32872afc86bd9edd00f6f7f5a7fd80128d8991215f3002dc770fa2af6234c77eaa954f9bd19b4d2a95f5c4903228e5b2525122803afed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
194KB

MD5
20b05292b1dce26d6eddaca5be6e531b

SHA1
c4e3de180d17d627470e89b9187420bb88b30da8

SHA256
b823b0704e1a475aa61a1ca860f942b32763dd25421f8440fe96b6c9bd0d9c56

SHA512
c4afa1e0eb00b0c267e8656399c52e22ff3322f51113e16e8df8a46231222fff00a79f63281ca64bf12243ec1cef2f0ca94df17e00f95ed785c2fb2675ede15f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
198KB

MD5
48b4393146a6831af48e8a86b409c336

SHA1
0875b8e4c47a73bd6445c99c8b677e830b594e5f

SHA256
b83dc6d7e3e0b688875bea6faf8e32675578811d5728f14226f6bdae4b932427

SHA512
506a7b654872a18343c57306840018afe93fd70083d4044c63b72ecb7d1bf9aac95831769662e402c534d3e97b51f2ba1d03c49d75e64f7b339786f59a939646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
Filesize
181KB

MD5
b17665142950b7b8cf91f728956947c6

SHA1
a12e8e42261ac946b379d7cb4233dcfcd4fdf140

SHA256
3952705f94209da5e9d31ccfeac789ba32d6295598cebdb9de15da077f79d005

SHA512
0c47b5ed6e3731df0799558bf160aba41969960af49034cb777ca9be3e51f7c00390f4215e76b7ab60f498de720a524cada24bf4b28da81b185fa9a3a37424ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
Filesize
207KB

MD5
cbc031afa5d64ae4e703c840e9bba7b6

SHA1
703e06f7ce186b38c7947abf8c2149bc60061f77

SHA256
331c198cbe4cce109aa2f85c2b0b5d07a1bd8edc2c9f95260e27724d19c398a2

SHA512
10b03df8c1de537d65412eb290567a65fec864e3f6e632c4af043ee8c30ac73907621f464d5678076468e2fb60eebbedca32f1eeff30c18d3568a8cbdc1cbad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
204KB

MD5
b96c2a987d2326b12c9dc842b711cc67

SHA1
f0898d49b119f59a29dce0c31e8e0add7a63a4a9

SHA256
63d027ef70a3c2d790dbcf1de2760cf61774052d8432cc32289b7222bd62f750

SHA512
12881596a8ab80e596aac0b780459dd4f18ff5e3d98acf870189e7692ad97defecdabc0de25dc771930e8dbfd6f8801e0aa856f0c7ef3b6afc62d9d72c6ba0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
184KB

MD5
8646f5cf2d78eaaad93a75874932d06b

SHA1
37c4888050d64e431b08b46a3fd88620d3dd7fd0

SHA256
4a032fd1e62875cc7a35e647ba2fb43154d0d2081786b6604380ea9d05ca0bcb

SHA512
16cd1171e4782c41ee60942c791ab7f5a3b11b3d55f1f3d8b0e77ed02b56efa22145da90f38f6676c0debd382867091ac0a07cbd684a61b145c053caf4e8acd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
180KB

MD5
9e7d6fb378cb017e36cac5e544b8625d

SHA1
00c18c3165ed6e261e257b35a5be4739c4f13530

SHA256
283f16e558b972ad14003c3b797f4578d53fd6ec3e6dbd5cb0dabfcaafe55f89

SHA512
74e1aecfaa679e211a2a0f29ead07cc430d2a19fb7042fc90fe7db1ec03e2c48f19fae88a46df421713ba109cf05c452703dc18703b1813e87dc9a272218024e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
195KB

MD5
08ddd86d3823bf2e643ef6ecbd743d62

SHA1
5edab460541331ceb4e8fa08aec2c6048953a97c

SHA256
6176c1ae6200478a9c823761e708c98635c2bc8282804dfba1d4bac9054889e0

SHA512
e638ba9949ad70fcc37727f0c994a8f3169527deb9127e733f5f6dfaa51de9a6f7da1c8d35404d4d6fd59cb18e88cb10ae4a0235a8eb6233d5f0d612afe66202

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEom.exe
Filesize
349KB

MD5
6d312f7ffb67eb4e4c97c26abdd7820a

SHA1
a20c786dedec05248ff026b58167c18a29fc24c1

SHA256
86410161079dc5ee079fea71314f1ef11f37bf244b5592b0307c861e5047f0aa

SHA512
f5440b37a0ee1d40e15eabbf9f0038dfe755d29b410ec23c2e7a74f412b011fd16f57073be09694bd56f7de17f4332d0e684a107883681f56c37176c48824736

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQEo.exe
Filesize
497KB

MD5
32a0c0644433ef2df2816f3b1db117ea

SHA1
d6764c60b5b0d712f31401bf11a2810b7749bcbc

SHA256
fbb397b6fb47c6318d410f22976f659e876b5457d5255b376948b7a2cc8d26fd

SHA512
d777abbafad7e2c04fe5974dcbf6f85d407f6d18d0580024f385b3c6cf17d9ade9f90a8398cdadfbd54e7df5bf4977f81ecce3c68909dcdc798d0dc49fac02e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUkg.exe
Filesize
188KB

MD5
1e7839074acdceeb94158641d975d134

SHA1
cab8ecf5d6c65f73060ee632da8ce343a3c79e50

SHA256
f3d9f660515b14bf6f154f2834f0decf93b4b98e469eb4133be3e0856409ecd7

SHA512
38051242b6453d75044fd33665e55b5217d5fe52ffdb2087b4b69c4531d4c57195a53d114c75f261ca2b6f985d6312ebc648d05b68bfca74a5d12341e08cfbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAM.exe
Filesize
1.7MB

MD5
b783c80a1c516eaa0a21728f895d9583

SHA1
057fcc0784791d343c6fc00b03ca8acc87ed603f

SHA256
102ea35734c2f41682a76b1ba25b5797eae2628db36424f80a9783328dca2bd1

SHA512
12b68e0c4b1debe97f7aad13830b32129a82f162bda101fcab935495eea3edfc5108b0f52810201e0d006919229ad579eaa71fdd4ac8d58530319e7e29a65ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asce.exe
Filesize
680KB

MD5
6d4bada5ee1b03e4cd18f595f979ae10

SHA1
331b5caac33f6acc47fb10fb1a58b2425a626faa

SHA256
8ba5139132df15a50091d65219c53554bc263703288e2ae366da9b1afd9e8512

SHA512
4ee228bd7f99bf7c7c36e365fa73912fc791c19fa624efdaf5e40777bdcbe361500092f3e0a356413a453c5329ec98b66ceb149f4e6a8a0d90153eb7568d5c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQEG.exe
Filesize
237KB

MD5
2ce88672962bbe4f43ed4d3e56a771da

SHA1
2945ebd465641d5deb61a096da7f3e84d769204c

SHA256
a63d5748408bc9af2f54817b9b559786642d45158d99ad8c6a33f08d2794d393

SHA512
e2e00488d02dc074f03b7f1220d3bfe3661f0ba365c5acdc91133fa144f511f15f4ee4f89186519e1c7b7e31b79228156ed3d395d2f991e3796478004627d81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgw.exe
Filesize
202KB

MD5
2b369385c64a1de96ad329bfd274391b

SHA1
5a3437b052f457745ff6c2fa2c385d7c5a63c050

SHA256
942d41be7d2930f52d3ceb33f19ba6506e3d10da4c84d3b0f11cc8688f15365f

SHA512
e26b783ba189f7d3e33a0c26ea4ce9fbff78c333820675859cf1526bdb8febabc20fcd89f3f9be3a688ea3b130d0b7ac37915e685e9333092d3b8b9efd063e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYMK.exe
Filesize
190KB

MD5
d42589f67cb9ceb9f8fcd771b1c32f68

SHA1
cf1a2885ea30ad6123634cdb4a66ca4792346532

SHA256
6df8e262d724127bb4e4ed3f12f60d27d440202127bf9699892d0734e7e1f154

SHA512
dfde1be408b6c0d5c0fdc1bdc777ae22c86eac6393a8153e65cd6b72d0af005dd761ab0d666abaf23328f95eebdeb4c74885f58f108055206b5c5792fcb8feae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOksUQoM.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcMk.exe
Filesize
203KB

MD5
d1140112ac23b45c97c4f2568e9ff952

SHA1
93e939325fcd10415e09800273aff0a4de995261

SHA256
c1a1ce0d84667344839a32b19e87b2ecd914aef5b943819394ceefb092ed4583

SHA512
35cbd258a048daf127cf9c7b8ffacb06f4021e57f65feb040836946d14c37cf7ed8c8a98831632b799be73506ecae67ab9d00dc264da289f3ec5fc24d258703e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQq.exe
Filesize
833KB

MD5
2055864c88010afff0ac15a72537d3a2

SHA1
d6efc05541c6ed6750a974ba4a3ed23a47addc28

SHA256
92b28d16b2b42170714f043398b3e55972cebabde331a9986e78588073360988

SHA512
41db5c13a7d149ea6e702d0a1a2fad18e39ede79f8ca20c541ff58b071b32ea0e215b7ef77ef6db7404b1baa4b90ad01274828f82ca4db421d8378942d05ba73

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwe.exe
Filesize
794KB

MD5
479bbac27e5ca82a319b2a9ec70cb679

SHA1
3eb9749c7516b0188c5a13243e285afb5763c974

SHA256
03689358848be5da73bd97e9e32a0a8bff88558c4821162a64a9b4a7d416bd3f

SHA512
35af9a0d2fcd550dcd2d525a262936de1648d59c117bef448a21ef8fe2cc594ed366f12ea3d2e9454311c0fc27617fd723fc76dd9c28447745f611c0564a4883

Download Submit
C:\Users\Admin\AppData\Local\Temp\GosO.exe
Filesize
483KB

MD5
e77ca91ab0d40e9092207cc9ff551227

SHA1
1c5460894f2b1fe3758c93c58cf613cfa9f3088c

SHA256
397b8da371252494e1980f2068e7590f4bf5e9b2c0c7a541642dc4790a0b4e36

SHA512
c45b7467acb51e2b3c2589773e0b05a0e1d9d175c6ba600b1cccdcaf9c231b70a6e2a6f7a82270c6c2c2f23b7a92f389eb5acf9a0b376a2a9085f7ee5756f046

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEI.exe
Filesize
315KB

MD5
5c209ccb11548bfdff742d00231a0806

SHA1
99fb29938f486c5a5e789cb363b5f3d351c7e979

SHA256
390746df56fc7465ac884b5bbc25b88cb89d302d67f2a794f25c94b0bd9af34e

SHA512
8c4796ae2717a3a532b58c5a6e50687c2460d1e264a353c4e348df67dba64113355a8157169c2bb6dee87b783a4966eafd045399bc1d11efea1d43d6a62e94d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIks.exe
Filesize
651KB

MD5
8e212bbad219cb86038abadc69dbdf71

SHA1
9f993a65f3b6b562d0b8276fafa14b0e03a57720

SHA256
a30e8e7ad0aa99b3179a3f4617eee15a49cbdabed2cd9f37b6bb1fad8e488edf

SHA512
0eed7d80e523d37fa3a432d073d758817d80801e9041bff61c2b1e5e99af347dd42b5b8cbbec64552e2bf7b7bcfa19b692d045c64aa0a3a7735c8f5448f991ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYC.exe
Filesize
206KB

MD5
f6c8c4001db20e209da50be0a00c24b4

SHA1
e9f3f5f7dc43e5ae81eebedd71ca8c057bf7bd31

SHA256
402aaf5a0b6fad6ec0c14f707a6248ca36af431f26a68baba4985a785de44c85

SHA512
4514df08ed41b65fc68762d4d06d6609ad0eae3348226a83e28ccc6d1c2439cd06e2218e8ebc6107a156d3294f152bff3460e69dc2fd5c2f0d7c2a86867efba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgK.exe
Filesize
648KB

MD5
2addeea4ecc89e575e78c4624a13c9f2

SHA1
d57f6dea0b305335ffdedd986e239082af148eb6

SHA256
389df2ec1936ea5df806166151b8303a905668936b008d6a1dcecc111c46e09e

SHA512
e3e3c722a0dd6e6adf9d356d6d963be6508670888d6f54d2c82d6342bbb6b1848bba0723dba33741fb065ef640c2e2dc3bdc810275bcd87cface5874995e49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAIM.exe
Filesize
198KB

MD5
005ad1720d277ecf959da2f2c3a6bd15

SHA1
1caa7deef5d3e749b1f8aab03c4f2cb75f7b2b87

SHA256
3d5930798d846a13a3c3ef418e8166536c034232efae4f1419d83111a00140b3

SHA512
4afb75e8860f68fd414cefbb5a31edab608191af9dd770b50cd42a3f120bef3c0a671fc25163e5b54ee71638f20dc5b858422149580b2c68b6a9cf3079a53cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwY.exe
Filesize
196KB

MD5
1bdf5b91d23d1cf2a743034de5fc7481

SHA1
40ff0c7b8ea147280d934c31b9a0917fad3af58c

SHA256
800a9c81de2a753f2e6d7a539a5823ff8cdcd031401f818b66bbfe726df87861

SHA512
fb7bd6220ea2729142b2f2b6a670ad4e72bcd345b5b46be7524af2cda3212c9e514e9db1b34cf95f45400abe0d3308728663ad06196c0157a32003a4720a9c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEki.exe
Filesize
183KB

MD5
dc63160242c8609d6cf5d7051211833f

SHA1
ab619508429a1937f809969df95d71c60b30d80c

SHA256
b58af2c47f1be082b5a9247adccbb93ca90f7a29a8224d820f149ad1abd31a76

SHA512
46d1017e5a03241456542c65a0342ac5a7386b5793f87f93730623b780d2312410c185bbfda9b68649a986cd6754e2e3b5519e228bcf1079b47071ffa0e5f0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcsw.exe
Filesize
188KB

MD5
204a187f64787a4edb602dce31b5effe

SHA1
e2c01a4e67266154468d4a381bbcf5822017412d

SHA256
f0f160ea6f631758b22da29ecbe536f671d89235e984c6c8bf014b21a15ea883

SHA512
ef4d063741faad79b17213f77d85b0604da27078613887410db1944800d9bcd567b4c4c79a753bdc481cbfedb0e850843440c198a3e8555c55f94881947e6fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEIC.exe
Filesize
513KB

MD5
6ee5304a60e750cd73d1460f56b1b361

SHA1
343f3c1976c9019f11b2f6a4856f8d050a4bf976

SHA256
2045d35cc9902c3446cc62cf9393f9f944e9bee105dc250cd6d999bc32b034d7

SHA512
228afebc0c299d6679bb8599821366d64611907066ff1ec3792bc8d22142c384112cea3087f710ec747558b5f840ce0d1954515ed2bf68a9339155b778ffc47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsgG.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMMc.exe
Filesize
810KB

MD5
13b3f01c71e001f6ee127384ed4e6df4

SHA1
11dc4b21d8c083d25a7198d13d0d8306d8fa79dd

SHA256
6611209731dc902e44f78c4cb260522e2d9ab72710dd337cda7115ce58ad2e8e

SHA512
d29f9f135228ff2753b9bbee63cb6c6733617a8c9d52969a88a73dd4d02ad709cc678919c512a2b5cfc2b57af60675833d28ac97512530f4a7cce83bcfd1d6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQI.exe
Filesize
244KB

MD5
e8f0142a3969140b7a00283023bcaa0e

SHA1
944b03a191aa1fb37ca1545cf66176c5748ae01f

SHA256
c6695bc84a3eb89b245a9fddae0c0c6f3aa8ab05df0019abf0be55dda0192b2c

SHA512
f5696623c603ebba533ace21f49551eb9a2a07d5d7fb58713c79524ffddf80dd10b04328eb313328628439b67e556a15e8230fc18d4c7242b591e9ea8b3c6713

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAo.exe
Filesize
517KB

MD5
d8f29fbd91376ab649411e5575e79b28

SHA1
6e1977cc42fddb3c07e223a3a45f55980a81bc11

SHA256
206ae91b7dd9c0c6a022ba84de6e83a7a1472613fac4536bf47d3d65ad6c9490

SHA512
4becefc3269c7a07b2a55c4ee0538fc6f36b37db81b3b008a8b89cd4bc1cbf095a4fe56e694ae574c809e66d7f5887bdc72faad7e4496b9ad741a95cc8347c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qscq.exe
Filesize
185KB

MD5
e0846e02ff8f90ea8c856580c1bdcbee

SHA1
54cd063ca684cae63f4c137cfb08f0aa1469dd48

SHA256
353e4879171ae0073dc8972fa7eab5834bb15935c3919394f9f9ce29d851f630

SHA512
76243dd72f65a4ac86ad0b6205887873d7f5645457d2bb0c2d037e15fe97b086cd252f27b2b70484d988f1ad22086ca722905c7cdd4c271cabdbc73ba278b302

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQgm.exe
Filesize
197KB

MD5
ac912607dd13471759b7829a65993a55

SHA1
0818dc993da41dbc930bb42ffb965f25fb6313c0

SHA256
9b608ba7e47de922f3d25317dd347428d3a309558fe710b38a3a88456cc7573c

SHA512
0d1e5fb46b18d6718b81bb4795fee7ce1192c3b4f83ea95c3dd9b5a98b62bd2e6549bab73eb1d6fe50e831ec804d322f8a33f9824b9d90179b86489c20296e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYcG.exe
Filesize
215KB

MD5
c7a764ec64b921dde008a3b36c11850a

SHA1
b8470f8385bf689f67aa66695d5022b63f345051

SHA256
90d64c25908192829cf30d96c2bdbd7de4184253b6091d771448a41437e17b85

SHA512
9814e99140f1ad0f0408336221aca5b122efc35486cc84599aa19113212192e6b5aadf3d557896024e14f3adf84de7ecef6c71c4d40044ebc305e88f07fb3e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScEQ.exe
Filesize
227KB

MD5
be8e548985a7c53f501163f9d30439d4

SHA1
ee74048acbbd612410e4b1f8ee7f33846f733c86

SHA256
22c8d3539d47626e7de1fb96235c3f9c343476e6eb52d7020a6c5605769232d2

SHA512
eefcecf6674553d7f4f1c516960e428d288932258b82a3fcf55a88366e0887246de7db060a52755d648d16315d1138dd7f8494905fa332d6ac6e2c6e5bd5b931

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkwY.exe
Filesize
215KB

MD5
7c5fc533f9095bd3ac21e9245d3b82e2

SHA1
34d7dc746ca27d71fff52b7e9ccfafc66688f0c7

SHA256
f529528e3b969faacff851579dd4abee56904073fe65af1ab788d251665b3d98

SHA512
5d40d8255ea261a28edf0bd872752abf1479da8d2785e2a1a81272c51d05862c0d96f00ebbc9532fde61b5c9fb4c72d342a161f01486bad74c8f0660da8e6587

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoAm.exe
Filesize
190KB

MD5
ac3323c810c9de4de6c55164884fe222

SHA1
8b4641ec9c31b0be862c0e8d75641f9b527034e8

SHA256
70855228fdea038d2829c3dff117b8a0af07f914c3f4c06c701b41feeb74125f

SHA512
41a44fdbdf4cd97e8d9f96169259511897c2b6f995259a840ffed3d7395744009227af55dd04a31d3cb9570c03f1558794bf3b6a2d26648ee3b0bb2aa9131819

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkc.exe
Filesize
1.0MB

MD5
ea8d9ceed00da9aab86618378a45807b

SHA1
ad9e93ed1c4b9df0f6251472a3b7f2ab60bb5210

SHA256
268acd195230900e56676d44ec618d1704a31a6ce53534282972ed6baaff2a8e

SHA512
46dd8796041017067d9a597d562042bd88839fd77fd97d8ed4656e5350c99d62db7170f70ef802402a4061bbd415d76488c3693a8554ade9d37dc4041d264c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usok.exe
Filesize
186KB

MD5
308ed21549f773fe014dd39b2c7c7b62

SHA1
661ef4751c656c1239e1c08ef14340df53d3cc52

SHA256
16c0a430e21a8d7b2dc6c2e3102bb8fc94ba7802b4a91436c734c5dfd40a74f5

SHA512
79cef5294e3972d56f8d29590901a35a01f5148b290ff496e4e0f67f407118fe5509017bc3e64f1b407c643eb6e91202b67ea6471557f64398ba88049bf0dbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQcw.exe
Filesize
5.9MB

MD5
ec0a0b2c1693107f4f6a6c9ad18134f9

SHA1
217b3eb238325399af9e99d286dd2420981e07e8

SHA256
9e2b471988f15ee880d1b70e466e4f37b21bd431d1389a715a56b0b560d02822

SHA512
23a9f774d1b1f086db08a24fcdb34d440af3010b16db2fa20bbb406b962b3af0ea49d0fac08952e7410ef9646b614647e6f169e2ae4af6aa89851e37de61b1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYUu.exe
Filesize
182KB

MD5
ee33277e74bc6cd15182c52d4579b9b5

SHA1
760cb2dd3f0223a8ce9bf39ea5663513645b8c1f

SHA256
17675192948cf8b92fa64df3fbd6f59b1ba10759912a0d857f50aac9228e7f8d

SHA512
f6c59d0caa5da6c64f5ab0b4d5c1e5904dcc1b45dccea10038f6e4f1e0881f6f6a22f6d7607afc1fc7a6e2cb88e37daae9c1788ea95eb1bee9352b1e1398c4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAu.exe
Filesize
400KB

MD5
fd8d8438bf28189ec53f30b436617a32

SHA1
5e49b00be377f3bb4612619530d1f578249a807c

SHA256
e6e0775da29536591c2375f4d7d8e238afe70030c196c3631e11d25eca0ad9cb

SHA512
02e6c36ca4033741481fbbb15e60864072483cf7d953b777cdac01a4329b95e5c7c5bae64ba375c41cd9f9aba1007a1480cff0df67953fb05dee6cdb1df79453

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYC.exe
Filesize
199KB

MD5
9a468a0036e56f2f71a35fc3659d7250

SHA1
5a88882fd9082360778c57160d669e1a40bf67d6

SHA256
214d3eb0b61a33e9820af6a2939bc9c3e31ccc4f2ee8b7314291a087d4951ee9

SHA512
fbde841469cac983778f6747b5f07723e2571dbfe242beb553e991204eb1a307ad3867123cd9242d5e53d7fe53c3dbf2a84e9c63bdd07a72da379437b1c7e4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIcS.exe
Filesize
194KB

MD5
5541fb345edd1707166a3d410be5a707

SHA1
95637701c04c584b1be8d284a4178006be58247b

SHA256
ae4f08a34c84792d6cf58ca932200d3c3dcae5e2f98ef7fd47485dde19e79d10

SHA512
c531fd479a0ae520b90aa4a94faae1cee69291cc6d2a812717c36bcedb8255a0be4e751baee62fac57d767b9576f59d3a13ae90838aacfda5afd163ece2dada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEA.exe
Filesize
205KB

MD5
3655be3298e7832b3a31a047271fde2f

SHA1
65cbc35bd910391a706dd7fbf566cb6d55c0ec42

SHA256
b4f976d6538c27ea2552139c29790e3f692cfd7193839940f2067c948b56a085

SHA512
e093225081103e3008dbe0571972842e2912585890dce2805455cac64f7187364e25305e4d619c082f73db2deeb4863f650ceefb435ed8739ee438c102fc5528

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEQ.exe
Filesize
181KB

MD5
3f8429c5c953c1cfdf171dcde82aa53e

SHA1
199bbea6efb35d4ba255103a5e761d41a862e7d9

SHA256
2cfe08117834b89fd8be305a6f5f724b11850647520841a88dcc2fadd40d57e4

SHA512
c9df957eab89e93c2aec68af3b701d3c2f18dca114fdf7c1f2df9b2232543a1b0cd7ebc40635172e9b203bc7591bee9e45b9086afbc5308e41c232b04f9f5f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMUQ.exe
Filesize
240KB

MD5
9323f7a351d9c97ca4668f7a1ba50cb2

SHA1
c2720fe6a4b6ab9950be05be62f52b71ca11daa1

SHA256
19f1afe7eaab02b526ca1563888336978197bcbaec4172ff74020fd9a38de3ba

SHA512
142d2abb165f83c17d7dbaf059843220a47126a674f4d12bc85452cc249bc139ba84023107d69fd6df876b76ce3d147ef7919bb8bd2ab4eb36848ddc67232908

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMwC.exe
Filesize
206KB

MD5
d475a4e49e1f80a4633b728ffb7210d5

SHA1
5d3620888404efdd2a5ff3e0ab3831e40ade02dd

SHA256
2d5ebcef698084fed5b29b6a7fabc2f0bf99142f210a35767f36b1a4c73bb7c1

SHA512
56886f67e799dfbd519e636df723fa4ed18ad9ca9901e084f484dc0af8b8d05ff0d15436a8ac1657be5fe6155b15aefd76f1a499f703b3053236be7f45490736

Download Submit
C:\Users\Admin\AppData\Local\Temp\YckA.exe
Filesize
494KB

MD5
3b3d8fd65751cba4304ae08ff169315f

SHA1
352447afce176cf4893375fa469b661c58722867

SHA256
becf73fd4ba0564603350fa1aaa9299ace8c20edfde5cf196d872da8f1cbccb7

SHA512
a584752309464863c4bff1e58a5b1f7ac48d510e27804873bafa62a4c15749114dd85af7171a9d00f49769fa098922de90cfab9d3d8d6e024c1aab2bf23f19ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkEI.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\YssA.exe
Filesize
5.9MB

MD5
3872a275368ee24809f777ea2fc7a9a6

SHA1
a5d0def01b459a3421a35e5b24068cfb00540193

SHA256
b506725c0f1e8b520f1323e51d2864af82b62d068f07e8c2153936a9ea2a34c3

SHA512
8e7694bb74dc17e717e903eb5dc0508efdb07e917d2ba419f7f1fd2d170fb46c1a740a5d829ca38dbb32ca6fe88b7b662f053160921ac54c8d99c120cab846bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwkM.exe
Filesize
1.2MB

MD5
24965cf10251c18fd4ec1a0b9db3e143

SHA1
81d7e66ca9a9360c2cf4a3d896e48d2c58cf5eda

SHA256
236c9b69ed44d81da9fdf16b629ec22b2756a821652cf81a7d8864cb7183c3a5

SHA512
7026aa36527de87b7a18b6771b7481d0868231bfb341e4505d1568d6e36806cf7df384e4ec1d2d67283a9e28c2525f06f3d77730b9176b2f244071fd3b4049d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUYa.exe
Filesize
185KB

MD5
f1e6cb5337c21b5e05c90e1be979e9a1

SHA1
ec774c4b2507b49793a9f1424a0a13b2b831372c

SHA256
209a6fd839f25b73abe617fe08e66f89d0a10b950700d306a5249e0f67b2a78d

SHA512
07489a2c22ceb24aebea3b24996e7f7643a65ba1352a72618bbae56a1cf2cc7e9b31b4c1c9d702099a1523d1b94f6052489c33d5dfb93929714cbb1a76806c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUwE.exe
Filesize
213KB

MD5
07256bc2ac87e5350ae44e25c18d6fe3

SHA1
c2de3461203e4805ff98e99947c3c0fd4b0782d3

SHA256
c0ef8e701ef922f8f650524bbe3bcd20e88c634b93d893d13a2d31063bb4ab0f

SHA512
ba5b5f8e0a91108c971c352545f46ffb2a056ab318f9a69a78ff7eb65682b1cfd8f34762f0af6a70f735fcc0a511ed9844262889731fc33fef9396e23765dff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\agQy.exe
Filesize
186KB

MD5
c65993f69cc3e611dfdfd285e0797a98

SHA1
cb772864f3f5b7b626275f09ec1f8f11d3298de4

SHA256
f48b631202242be115bccd3c62dfef691959400e3a6f5c85c7d5e84a25b0f999

SHA512
ad2e017323066ac4df0fa44d0f8198d51c88cb963455a5fa3309c46464b24e4c9b589469582f919a552e3773b79eb90f3fda715d33be4e50d145a2a6e2423ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\agsI.exe
Filesize
192KB

MD5
4392a8b43c4f321126d4abe3d6988a76

SHA1
dc756f842f9657842e339f65e75ab873e44aac9d

SHA256
c961409a7c2c8af1702cdd36c72174143c5383df173524b5895305230243bfbe

SHA512
df5834d77766b36ea16975d2e4cf85b02f1b0d1486ef2d9472a66c4b000c1cf707adf219c4621ac528c57d2f3c2d9949e3abf2a108e2298a0cf6679cf5e42799

Download Submit
C:\Users\Admin\AppData\Local\Temp\awQM.exe
Filesize
785KB

MD5
05ce4d003fa6bdde18b4c079265f5c64

SHA1
ccdbe65557544465688c4ad92c66529f8dce05b1

SHA256
5d9b40057b38f830f6b6d0e6d11cc8596bea6426a172450bf7ff987476631a04

SHA512
47f05fc848d1a8a2506e2ac9cd2be0ebb96e8a8604483629e7cf2a781ee642d3e2e2d36caf201c7f1ae22e53b396447b720e376daf8045e3acda975f78d809a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEgS.exe
Filesize
192KB

MD5
d0e5cb3e3f6ff6c2753551ef7b16aee6

SHA1
f3a4cdb00a933bb098455b94883da906d21f7eef

SHA256
d9f0221921e4ae778a6c342da2e8f31cc3b058ce63c2364083a6b7c17db4de75

SHA512
d58745568e242be2f49ebd8ece5924a61ebb7f44900d993e850e0b2beba89d0e8624393a75ad3d7c26ba66c2e299b268bda2de8a376a536880be942008404018

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMm.exe
Filesize
830KB

MD5
ff2bd33f3783723fdbdf61c9ee7d5050

SHA1
d151ed2654ab4d6f13af66fc849907a96caa43de

SHA256
5343bfa2136377185152f84fe120f8ac678fe4468afe29e72f7cf2bcb9acd5f0

SHA512
0f3ce0f301bdeda81275476d953f91e2669abdde68687e742900ab98f9fe2ea718cd7b3408776f46fb0008e3e17dd376a52203c256e7fd809d6009e2bd542d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYU.exe
Filesize
200KB

MD5
6beaf53330caabc969bc738e0b111e2b

SHA1
1c83e333af733477e8b5aa3a5a9c2fd75e200e5e

SHA256
f98b44e206aca8935888d0f54f76f4af07cf23b7ea48881ec260a47d60de6ff4

SHA512
f825591dac0ba511d0a8029d03a46f01bc110a0a292cd0ce756f8a6f08689e676f41ccd29d28bc47e31574638fd6e2f903bc1f09ee33d1394fee83254c64e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIYE.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYIi.exe
Filesize
181KB

MD5
d3483ae71c9660abbca810999fa840de

SHA1
346a9dd776a0cb3565902a60eafeb1b3720e2464

SHA256
48f6e5d0b6859280998d0946908b9e5b14587f078defdbdc616ef4a0dcc46b99

SHA512
2ed8a21e608db73b86bc3699d052927911296bbee86c235b100757ba94b821d6de863a4c5a4b6e7ca0603e2e8b134edc2b30dd207298d62e1c98fe0881e1f6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebf37135bc754177868244c8b1c6f600_NeikiAnalytics
Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIY.exe
Filesize
233KB

MD5
9497006fb8fc6237c4896d9c7b57b19a

SHA1
da6ad9b97c75724ec28a9e0349d6cad0db2ed007

SHA256
87033f14e952b2610af6a7654e1ddf9664c0d574979255863c02c18f9b3ec59a

SHA512
f416e6647022b7ac673a6f01409bf1f75c68f398fb4ada133080211ecf15f07716386620add285076363ccca6ccf50275151f0fb4daea06b95762626f4ca923a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIs.exe
Filesize
200KB

MD5
ba516c2aefb046e1ff9793846ad3ad22

SHA1
2400f8e59a7157ed7734a7601c75d8ca8798a757

SHA256
adf211e6eed3c584d04a44690363ca2e7a6e4f4e4d219d446ac96ccc5e4fd8f7

SHA512
e0365020277ef509eff2f40e882f42d76f72f76b81efc8d5daa72cde68c1c3ab0ba05058bc177f8d1b55d5acbcfd36526362e2a5d84f6078543072e348598bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEQq.exe
Filesize
650KB

MD5
215873acc054d8dcc493386dc8cd18ef

SHA1
cae1359878f7421f1078eadbd4cb41c549104df0

SHA256
8dfbab854949d67246450e289abd6d1dfaf3154024f34345379d2c9d4f736946

SHA512
43956c99650b1fbfc97e01ae0713eaf672479a19ff93dbec453c40c3848af4ad21b5bfea6e344123642c8bf002d9d937a803d29a4fe169263c791190194d9abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYwO.exe
Filesize
196KB

MD5
6daf9b89e7a26fc8109742c626b8b1ed

SHA1
4e80cd66f985befca405ebcd50041d833f2e3367

SHA256
56a424efa60808af9e411842fed6f83dd73c08a292408dbb28e68bda73b2d91b

SHA512
710512f5baadd1fdd67c9271ce44516269b9d0d8f12e9cf306968f1e0105a6b8815fe61a1572b7ef21aa07230a08f6a473715d1111fe28716c54637b7303b2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgk.exe
Filesize
208KB

MD5
58f0bc008f299489f1abe7a4ad9349c6

SHA1
5aba2ee2a7da7a81d31588d012306fb8a2fd9dcf

SHA256
6ca891b4a49dcb4b289a955869c64d89240020f2b285c6fedecd7783cca0902c

SHA512
2f56d083ea92e46002252fcdd644203becc824a02fa0c44901ac808f9acf9039e1c16cdd6d09ea48469356a441f49745c3935fd8e000f113502c657f2b280061

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioci.exe
Filesize
189KB

MD5
f1de2b8972acd3632f23190f3ec052ce

SHA1
c1045273bd58fa3ea3e74b0c85087364df6b3cef

SHA256
2883d8ae6ec6552014376fcfa08724d8be75ccdf2d81f104908028474611a466

SHA512
c7dbe38d93677c58361251ec7031dcd84d467f119bb0ec5652bf07bef197f19c407622e4879ad6f0454a4d71442677dcf2e11887e586d028c3cb1e7dd49f2b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEoO.exe
Filesize
206KB

MD5
346f745240b927b239e3a5a89f812c31

SHA1
061c43f3e15301eea9d92d7a64c8f892784228a3

SHA256
6902b7a4091344b799415868c4fe9833f95d4277a5d1a5356fdd363a0c56f215

SHA512
4bfdda06b45cd10a32ba4fa49aaec3fa7d23cf0db1ddb5c07148f5f93c336e2238eb08a39667175e35e88eebc7602401dfcced0fe826cb581b0a806151c7e0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMkO.exe
Filesize
642KB

MD5
16f2d55e4a493e40f6231dd9b72ac231

SHA1
0b1d626058b427ad71b081b219a2f7b22a6b47e7

SHA256
9b02de54291e8c11328f300d73a6ad49f2b518f4e87f6a2077a5576693697925

SHA512
55e0a20d71e515255ed0520a17e94668af27c9bdafbe8e0d6dacc2207e3ec3338e243134cb71661473a885d505c4ef617d90be493fe4032bd3d040d94d070e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMwg.exe
Filesize
538KB

MD5
3644ba2d62eca079a07d51f9d8e48c8f

SHA1
79313776ac889404df6bc02db88c2cd68e46ce1c

SHA256
cc7c81b463de6a4a0616341b673cc3c499fba7b288e73953df2ac5b4ce2097e2

SHA512
7b745e5076e4677fc720a7df4f5cb7d2ed03bbb4f181a82b9e06356186bd9c0d927015454f02cd2859d346815c46f31e0c8041272ce20c7eb447bd7c56363d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYEA.exe
Filesize
630KB

MD5
11d7e372b23cd83b6e2a84e4c8f850ef

SHA1
0a5026c93c09dfcbb0cfeb751e43b4835b6207a5

SHA256
254dfe59d32fffb1431f2fe9517c96a0225045e6dfc012f9ea79472398145c1a

SHA512
554581d899cc70d7a5be085145421ef274e8e542a338194425e6b615fc1bf84784b171bf98a1b61eb02dd61efb1c898b583a25b74d41919b900b272f3a197670

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAa.exe
Filesize
205KB

MD5
8616e872472a95c657c1ed8f6aaeac92

SHA1
107877a6f24879ef53b741eea9004492bba0086e

SHA256
f12070da6dcd66c8deca31d715d765656f5b2bee0faa30e1db4e2c741febc5d8

SHA512
604990388292176d7065126e42d0e9f2bb5753da3d31e0cfd0593b6ed000ce39c638e23627f326f20309517e6fb0fe84361b85e0b68ee1a8b74dc818ec6d4387

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcoW.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsw.exe
Filesize
790KB

MD5
1ae96b545c3e5dbd80c4d3755eb19108

SHA1
7f882e43874305479435cd74fa6fc105ebf2097b

SHA256
da20bc3413b1f987b57c05590d03771fa7908f6b513253d33e9649b9756ad965

SHA512
d562aeb8aa16afe941dd919cd7748c03a8f26de1899207f1774a88a3c8ba2f89e98382ee0712094ee1b63bdb9aa12a19a2535876905ad18d9a89fb7dc938295b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYEK.exe
Filesize
315KB

MD5
bfbefd76ba89ef38dd5548572f21ec06

SHA1
74184493cca2c59af803cff8dde9656177c940c7

SHA256
f8dd2a3c68769334e2b48aec0f586349145d8bbe08364d628362643a51532ee3

SHA512
9e3d166b81ea80b6fc8bba12284a326e6a7967ebe1b959203cc4fd71ad144400323ebad04a2b8e42a1e9ba2b7943a32f0d7348ab73839d2630214d4dcae9c80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogAA.exe
Filesize
428KB

MD5
5413358c0ba62ec08d66c8e71f31b9c6

SHA1
9fc387fd7cf16acb521983562e2fa108adcc0216

SHA256
4dd966cbd337b58085ef37fc0393b927c65ba45e48459cd95c2e6fd10e9111f9

SHA512
59546715345f7ff2069baa914d60571bd95ed48c39fbfb7be2066d89e635a861671699325a08593404f18c0d616842519d5146bc3f9e60148a057328947fec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUm.exe
Filesize
197KB

MD5
566edc2da5ae8476424f38318b20088e

SHA1
b0cc34bc87094d33f76bbd13d17c50e917d624c7

SHA256
1e5ef43ed4acd8c9462691e0c7720f381d34cc26a056f82bd720acdf27b1799a

SHA512
5663857a79747d8fb1ab7c700a3dd45d174af704ef025eec8a3349d6886670d4714cbeb30fc00929c0e27eb7fc64f0e4cb709e5cbfadb5aef146d62ee7647313

Download Submit
C:\Users\Admin\AppData\Local\Temp\owgg.exe
Filesize
206KB

MD5
688e0820ba8f0f3b37721a12dbc61701

SHA1
39790b0c3fc04f9143a3c15830a5d92ac3d46fdd

SHA256
1fc18244526034f1c73f20472008a2d9251c6cdd577edf6ec0a4bdee941196f3

SHA512
63f63be8e2f91d773821a25c0b9625ff1a12bfa43bd429cbdcaa6b90b871dd1c5c8f1673d9c91f6107c48bf538363b0d0c85f756bc69fc573cd0dd7c19be4249

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEYG.exe
Filesize
187KB

MD5
7f64b352aae04cca6f76f0341add131a

SHA1
bdfd91ffd05a4406017ea5fbcf62f1da6cc6fb8e

SHA256
c6fcc2c186c6f8ca817476a2afa014a4581699857fe028f2d2b7329c263d5f4d

SHA512
68ce27956f9ae765c0406921eba1da6faf922866d83626446f047384dbe662f3f40a25f35450e982a5bf0c2fcd6486bf2bcdd78e0801c5c379bdabe3e66784c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQA.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAES.exe
Filesize
185KB

MD5
959405d5f918d98f75d289cacaf3d7bf

SHA1
1eda934fb7d60e890a74b5f381b094f8ceea9c86

SHA256
f47a80e382c37b96d665ec75cf6dadf3ca5d28d42f59454a8ae46269d683fe08

SHA512
2cdfffd9feea2fd917824fce47d5f67aa474091dc718b654168ab2a3787ff39e69945e3ba7a01d8857eb217ca01462e60dc6234321af992f4d0f14971904eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIIC.exe
Filesize
569KB

MD5
5a4b207c9d927f0b33d67298a4841a6e

SHA1
9e53bf001ac154287c560cf8d7ef036e9ee6b7d5

SHA256
7af9c25695066aa2a9fd85eb75615aeb8d915b89645dca32bf9c5124a8e1af5f

SHA512
d7bf56da9592cc2300c67cf4c4b72dc9356126f03e0fb3ecea20e8b588d5dbf18999a8842686f3a5d73ad815e7b52b9448e7e5f14642899b624fbe6f5c71f0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYky.exe
Filesize
315KB

MD5
bba0292a6e1af300c0f5a092083ee3eb

SHA1
c6cb685f61e63de7e355d9c8dd1af438954d04d1

SHA256
f12e894f356618f44dd76be4f4445497ca780cd215de07dfd7c575fe584eaded

SHA512
3bb4cb1c98db942face3637b01fc2995a2c5660db2ed922785574b6ab1703560280189b21ab0e81c5ff368f5feb9dd352f149af48aa6ec3de2bd2d06fd46b4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scke.exe
Filesize
247KB

MD5
ab485157b2bb315ade529cf0f9ca8431

SHA1
349a7057940122dbc62b6f86577aa21e1a312d25

SHA256
41ff74626f04853e29703d97d6d62b25ca082fb811f06edf9bdd972854421f71

SHA512
b060c4e141479af29e443e589b11da527ca7a7f2b7b24d3f1aa15fc628ec8e98f237c936a4e8c426cc22ad6de202bf13d40320cb35ac1c054d5953242c943647

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAW.exe
Filesize
210KB

MD5
56469432dadcc62571504bc559aab228

SHA1
98f353f7dc34eff0be1f78f84b8f689e24049ef7

SHA256
450085fc710afcf77c0e92984dfd187025b19faca7026805e7169db7d2ebc0f9

SHA512
1ea1773d21f902cf59cfc996c2800ef8ec43512d7429c206df1cb940895ee1d876e8dd996989c5b5bdb39276510dfa2e20b966044bee8b958cdf7234f8619288

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEss.exe
Filesize
5.9MB

MD5
926b5d49cb87f5453414cf9cb9977bd5

SHA1
425f8a9ff7d58e80bc9176486e3bc4ee460425f5

SHA256
6fb9a667258327d6cd43a8b2b5d44c74f0b8b03a3795159d0c1d6e6ea582bbbd

SHA512
4d9be4e6aa5a12ed22dc6fbad093c932c438570f42ab8af974b92e03d96d10a5ec124b4c6576cdf9b851123ef52c0f967b9d979cb1325ad273c7ff1e05b7fa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEwm.exe
Filesize
200KB

MD5
75616bb7fa85574e1f9de7415ee62c65

SHA1
6b475ded7c28f7e25206d8b5f3fcd721e3a9e5c6

SHA256
ef4408b514535c78863a20fd90a474d27202db9dae46db94805e1abc4bd2b5bd

SHA512
18be266b8b3edd2024120ac1111dc3934ca0d2c9f61d109c1c732bc4665dc5a195ac2f09165aa5fecbbe5fa797eb0a851af1d400e46fe34e46d9f2c735bf93be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkE.exe
Filesize
194KB

MD5
91aa6a80ef1a45684463d6ce2d42e624

SHA1
94aa1e36d63698252a651cba7e6454ae8bc677f6

SHA256
29909dd487f45830f5af275f72f1fd9869cfe513822dba9be10a2b1fbc23c1ff

SHA512
c08da4fcb1e742c40105d1f52ad3635b8a312e411ab23d212759d09fac4563258c7eb47d7aeff02ce9673ee8f4d8e40f4d92add8507f16ffecd4c28259251c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEa.exe
Filesize
577KB

MD5
23f64b8d85d005efc2a80653b38e1617

SHA1
06ad88f21010468d1bb5c2d7fc6d8a9213aeb214

SHA256
cf2d69218b1e30867a838fd04ad20e30da8003053c6773f146d32876867fd242

SHA512
d5454c6daac48020719b62e751eac7e741dec43e8882a4016d4b7adbb5387ce530e1220f4f8d1e6dcb43cfbf1f3248ad706c37a3730b6bef2bea1f428fd485f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIoC.exe
Filesize
203KB

MD5
9a6a1858a0cf828be40d4a5f216ad2a8

SHA1
e25a69ae91c7fe2dd75abb55053042f15a124b5c

SHA256
e6c849b9d02a3150a800d0a92a277127ba05879bc7f32631b46729399e28c8fc

SHA512
ed004f13430af1636e8f4743df4de0d9a9d44a43c1453bfa6db4b37ac90000d5db462afaee6d3f205060f775041270777203454203539b8302dccfaf2fdc65c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYoY.exe
Filesize
203KB

MD5
6a48c6bcfd43d666cdac2cbb9de7a893

SHA1
0d4a243b2d48aa5c36ad2ea44effb2d40577591a

SHA256
be5007bbf61f1149a0f5dddb0451b32b7a26f3d10261a8dcf0e252d625f4b40a

SHA512
9727251498c0f18fc1cd50183b6eefcf61826b600dd090aa9e7cc19f68d6add8b9fc8510d672848496e774ec5ff729a7a98e8008cc1f5c840b74675540e2c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkMU.exe
Filesize
358KB

MD5
e8f35ff776ef436be1b33a0c09d83239

SHA1
f5275e779802ff6d67b959ae4c35f06dab5516e3

SHA256
f246f1be7ce5f42ccd8c8305aff25bb67ff0bc59a47db099b6162cc00401ee60

SHA512
949b4f090acdff8931652cd5c4f4d676745119b208e9ea9b39410a931945aac0ede5efc9ad25fad94c799c9d0ec89878173cd7c40fb1990f0c13c684c4865eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsAq.exe
Filesize
185KB

MD5
45dd297e3fdf17ef975e6235ee32af4c

SHA1
26f382683b34e28a0af14efb3c88e335a3ab31fd

SHA256
718f7c8c0dfdee4c5db53ccc39b34fbb14ebce27eccbf26a2b81b63066f7bb9a

SHA512
be3724aafaa5709b25d71098964aecf9856b6b2cdf77964d6bcd4e68c5f430dd92aed5dd44559dd0132f9722f49e6bed39b7cd6614cf317e847aa6ee623b5c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsks.exe
Filesize
188KB

MD5
c2bca3baad69c53bb593d74320192e7b

SHA1
aa2b87e7fee963558df2f1bfc5e11fd411a7035c

SHA256
ffc1fc8c52169e6d681cde938c42450ec642342e7700ae4157a2cf6e92296e4f

SHA512
9f278878c402ad1fe5735b2a615684a714d87f0d0f333bc5db4ef69e15b73d2546b6de4f97013f3b50ab2609963860ddd81408ba406c284a377439aed501c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIsI.exe
Filesize
812KB

MD5
97e098bb9599017c2c58839764011bc7

SHA1
fd4d24e58bacbd62baabc1709dfe8c0c5aff3a1a

SHA256
d36944dc954114642a6a20129db67571d3b79c1727275e4811a0b4dc50d74e27

SHA512
0ceb25577d5e0747a2840dd371bf95c4a57efcb140ba25d2d82ad83867a044303441a90c77b308f06448371fabe0503621297873007824a69fdee055f10704db

Download Submit
C:\Users\Admin\AppData\Local\Temp\yook.exe
Filesize
190KB

MD5
54d803c9ec402c0ec84f8fbce9eb7845

SHA1
e67591377cb4bee34900a7c491276cd61f96107e

SHA256
e330188e0eaad74b6df0179641f2e5da9e6c3c481541890ec344a658989e255f

SHA512
94cb8ec435bdffa33bdbfccd9dc56682a5bade768e4509ca387508aadb82f038c553d1cb00963241bab27fc101f110ad03051982562136727e5b69f4792a3dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMY.exe
Filesize
208KB

MD5
7fd443c1cca0b87f5e92191455f3e624

SHA1
0017e53dfc5ed7b2427730ccb4df7dee6183d9c7

SHA256
ed23791b610133c4a6e648a4baa9d5287b0d6111faba50617f4dbab701b73087

SHA512
490c26a4a2b52a1764e66b061ad73ebf929285c1ec3cf476b6fec0fa47c230426898848b948c1b9ad2d7e2be04bf7ef1ba6a69bb20e3b8d509e6b866690368c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywsc.exe
Filesize
584KB

MD5
c52b5bd0213de93a3a3f9d6a6fd7c91e

SHA1
4283b48d3f339958dad621d566bf8d5f3892bbbc

SHA256
12f43903a12de23872fb90435223fcb9c846cbc4782bd540adedc66675da50cf

SHA512
565daf9971dc22712eb34d4e40065f342d03346faec57322e5c6a807deb90c3876633bbcfe8195dcf60bda230cc8ad1cfa035c476ef772ba7a9bad7db0550354

Download Submit
C:\Users\Admin\RwUEUogA\wOEgMYgc.exe
Filesize
194KB

MD5
746dfc66a34ac8fc5be0b6ffff87ecf3

SHA1
c69ede09199706618d7f13d2d7d7aa15d8b0c163

SHA256
923ca17a32f0b30486afb0663852847230125bf2cffe35da9b051f54a42b3627

SHA512
a333c26ff28e78b04649021b218e75b6c0574591eb679cf301da40761b5ac52b2fe96ccc3b4f8fa03bfaf6e20811bf823a3fc1ed0aab3bd816d550e1a032e185

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe
Filesize
384KB

MD5
afc7908816fe74eb2a2cd1aa0ff5c714

SHA1
6ada376759a9dbc5d282bda04f1eb5d7bddae933

SHA256
a82c66f9001fbc5de1a9d85ca521a82b9ce7011b397dbc0496ef9e1650939478

SHA512
c7d19c5fb3463736ebff3592c7cf0c2d54a12aa4ecd8501ec3d74a7dff3f6f6770c97f7e8de421878f2242c5f3b005e8f74612067678b0e4f1fee5bb18500f50

Download Submit
memory/208-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-6-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1876-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4940-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download