80363080de8ff10d5702532b3e1cb112b848f12cb21608fc4868cc2ae8a1303a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
Size

268KB
MD5

156c0c82cc6ec79b5e510a32ffb4c320
SHA1

3fba51da6a341e3d4d75342de7bf0765e2fe5fed
SHA256

80363080de8ff10d5702532b3e1cb112b848f12cb21608fc4868cc2ae8a1303a
SHA512

8d636830f305bba2c35b863a8138ac946be8f1278344c22c207fc1bb25391d13024379e7cca98c4848831be54de2ad05432d1cbf725e408db4cee9a2a2e76b58
SSDEEP

6144:fI5amBA/dOi5QBF12xiBS8HP3MHlqngE:g5XB8D5QBF1fU8HfMFqgE

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 2 IoCs

Processes:

flow pid process

27 4188
28 4188

flow	pid	process
27	4188
28	4188

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SGoEAQcg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SGoEAQcg.exe

Executes dropped EXE 2 IoCs

Processes:

SGoEAQcg.exeigQEcQwQ.exe

pid process

3412 SGoEAQcg.exe
3176 igQEcQwQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exeSGoEAQcg.exeigQEcQwQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGoEAQcg.exe = "C:\\Users\\Admin\\JeoIgsMk\\SGoEAQcg.exe"	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\igQEcQwQ.exe = "C:\\ProgramData\\RaMcUYMA\\igQEcQwQ.exe"	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGoEAQcg.exe = "C:\\Users\\Admin\\JeoIgsMk\\SGoEAQcg.exe"	SGoEAQcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\igQEcQwQ.exe = "C:\\ProgramData\\RaMcUYMA\\igQEcQwQ.exe"	igQEcQwQ.exe

Drops file in System32 directory 2 IoCs

Processes:

SGoEAQcg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	SGoEAQcg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	SGoEAQcg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1124	reg.exe
2040	reg.exe
3004
2620	reg.exe
1124	reg.exe
4908
1660
5116	reg.exe
3696
4856
1272	reg.exe
1648	reg.exe
4712	reg.exe
1328	reg.exe
1392	reg.exe
3256	reg.exe
1352	reg.exe
2240	reg.exe
2792	reg.exe
4704	reg.exe
3516	reg.exe
4692	reg.exe
4580	reg.exe
1984	reg.exe
4332
1648	reg.exe
1396	reg.exe
2372	reg.exe
4616	reg.exe
4584
4172	reg.exe
100	reg.exe
3020	reg.exe
4996	reg.exe
660	reg.exe
4692	reg.exe
3964	reg.exe
1560	reg.exe
3532	reg.exe
1060	reg.exe
1824	reg.exe
2324	reg.exe
3948	reg.exe
5112	reg.exe
2396
844	reg.exe
732	reg.exe
2068	reg.exe
1204
4532
792
3300	reg.exe
5052	reg.exe
1912	reg.exe
2252	reg.exe
1828	reg.exe
3704	reg.exe
5044	reg.exe
100	reg.exe
4552	reg.exe
4400	reg.exe
3492	reg.exe
1124	reg.exe
4592	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe

pid	process
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4400	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4400	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4400	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4400	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3532	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3532	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3532	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3532	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1216	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1216	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1216	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1216	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
816	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
816	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
816	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
816	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4496	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4496	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4496	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4496	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4584	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4584	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4584	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4584	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
3960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4624	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4624	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4624	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4624	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1324	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1324	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1324	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
1324	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
916	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
916	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
916	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
916	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
4960	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
552	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
552	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
552	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
552	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SGoEAQcg.exe

pid process

3412 SGoEAQcg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SGoEAQcg.exe

pid	process
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe
3412	SGoEAQcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.execmd.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.execmd.execmd.exe156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.execmd.execmd.exe

description	pid	process	target process
PID 2356 wrote to memory of 3412	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	SGoEAQcg.exe
PID 2356 wrote to memory of 3412	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	SGoEAQcg.exe
PID 2356 wrote to memory of 3412	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	SGoEAQcg.exe
PID 2356 wrote to memory of 3176	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	igQEcQwQ.exe
PID 2356 wrote to memory of 3176	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	igQEcQwQ.exe
PID 2356 wrote to memory of 3176	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	igQEcQwQ.exe
PID 2356 wrote to memory of 1464	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 1464	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 1464	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 1464 wrote to memory of 3492	1464	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 1464 wrote to memory of 3492	1464	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 1464 wrote to memory of 3492	1464	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 2356 wrote to memory of 1824	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 1824	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 1824	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3720	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3720	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3720	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3984	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3984	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3984	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 2356 wrote to memory of 3948	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 3948	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 2356 wrote to memory of 3948	2356	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3492 wrote to memory of 5068	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3492 wrote to memory of 5068	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3492 wrote to memory of 5068	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3948 wrote to memory of 4996	3948	cmd.exe	cscript.exe
PID 3948 wrote to memory of 4996	3948	cmd.exe	cscript.exe
PID 3948 wrote to memory of 4996	3948	cmd.exe	cscript.exe
PID 5068 wrote to memory of 3980	5068	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 5068 wrote to memory of 3980	5068	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 5068 wrote to memory of 3980	5068	cmd.exe	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
PID 3492 wrote to memory of 3736	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 3736	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 3736	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 2924	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 2924	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 2924	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 3684	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 3684	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 3684	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3492 wrote to memory of 2576	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3492 wrote to memory of 2576	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3492 wrote to memory of 2576	3492	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3980 wrote to memory of 712	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3980 wrote to memory of 712	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 3980 wrote to memory of 712	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe
PID 2576 wrote to memory of 4840	2576	cmd.exe	cscript.exe
PID 2576 wrote to memory of 4840	2576	cmd.exe	cscript.exe
PID 2576 wrote to memory of 4840	2576	cmd.exe	cscript.exe
PID 712 wrote to memory of 4400	712	cmd.exe	reg.exe
PID 712 wrote to memory of 4400	712	cmd.exe	reg.exe
PID 712 wrote to memory of 4400	712	cmd.exe	reg.exe
PID 3980 wrote to memory of 1408	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1408	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1408	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 2532	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 2532	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 2532	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1256	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1256	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1256	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	reg.exe
PID 3980 wrote to memory of 1156	3980	156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\JeoIgsMk\SGoEAQcg.exe
"C:\Users\Admin\JeoIgsMk\SGoEAQcg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3412

C:\ProgramData\RaMcUYMA\igQEcQwQ.exe
"C:\ProgramData\RaMcUYMA\igQEcQwQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
8⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
10⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
12⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
14⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
16⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
18⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
20⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
22⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
24⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
26⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
28⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
30⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
32⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
33⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
34⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
35⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
36⤵
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
37⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
38⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
39⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
40⤵
PID:440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
41⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
42⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
43⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
44⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
45⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
46⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
47⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
48⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
49⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
50⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
51⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
52⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
53⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
54⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
55⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
56⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
57⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
58⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
59⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
60⤵
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
61⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
62⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
63⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
64⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
65⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
66⤵
PID:2712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
67⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
68⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
69⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
70⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
71⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
72⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
73⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
74⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
75⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
76⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
77⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
78⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
79⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
80⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
81⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
82⤵
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
83⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
84⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
85⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
86⤵
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
87⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
88⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
89⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
90⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
91⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
92⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
93⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
94⤵
PID:2340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
95⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
96⤵
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
97⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
98⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
99⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
100⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
101⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
102⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
103⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
104⤵
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
105⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
106⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
107⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
108⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
109⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
110⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
111⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
112⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
113⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
114⤵
PID:1652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
115⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
116⤵
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
117⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
118⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
119⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
120⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
121⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
122⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
123⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
124⤵
PID:4672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
125⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
126⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
127⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
128⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
129⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
130⤵
PID:844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
131⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
132⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
133⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
134⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
135⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
136⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
137⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
138⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
139⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
140⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
141⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
142⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
143⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
144⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
145⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
146⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
147⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
148⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
149⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
150⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
151⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
152⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
153⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
154⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
155⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
156⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
157⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
158⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
159⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
160⤵
PID:916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
161⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
162⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
163⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
164⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
165⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
166⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
167⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
168⤵
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
169⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
170⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
171⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
172⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
173⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
174⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
175⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
176⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
177⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
178⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
179⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
180⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
181⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
182⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
183⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
184⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
185⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
186⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
187⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
188⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
189⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
190⤵
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
191⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
192⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
193⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
194⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
195⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
196⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
197⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
198⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
199⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
200⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
201⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
202⤵
PID:2444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
203⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
204⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
205⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
206⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
207⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
208⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
209⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
210⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
211⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
212⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
213⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
214⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
215⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
216⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
217⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
218⤵
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
219⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
220⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
221⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
222⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
223⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
224⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
225⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
226⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
227⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
228⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
229⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
230⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
231⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
232⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
233⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
234⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
235⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
236⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
237⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
238⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
239⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
240⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
241⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
242⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
243⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
244⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
245⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
246⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
247⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
248⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
249⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics"
250⤵
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
251⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- UAC bypass
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwQUYwcw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
250⤵
PID:4832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQkMAss.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
248⤵
PID:1272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYwIUwYI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
246⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
- Modifies registry key
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HesgsIEY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
244⤵
PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koggYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
242⤵
PID:768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:1400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWAswUoA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
240⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- Modifies registry key
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIwUQEgM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
238⤵
PID:2296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:4692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkoEEYME.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
236⤵
PID:3324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViYMUgso.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
234⤵
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCoEkMEE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
232⤵
PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:1612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYgwgYos.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
230⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
- Modifies registry key
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewEEEwgw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
228⤵
PID:3520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okAAkQQc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
226⤵
PID:1664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQUMUIUM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
224⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEEgowY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
222⤵
PID:4992

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- Modifies registry key
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feYIkcEA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
220⤵
PID:3532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUwwwUMg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
218⤵
PID:944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKcYUsQY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
216⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMUsUQss.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
214⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- UAC bypass
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WisgIscs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
212⤵
PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEAckcso.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
210⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:3180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEMQgAEE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
208⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:2612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUgcIMIc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
206⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoogMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
204⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:2296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KucAcQQo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
202⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIAwAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
200⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
199⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmsckIsw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
198⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGsocQQU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
196⤵
PID:2444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:4816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUwkEEIo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
194⤵
PID:492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies visibility of file extensions in Explorer
PID:2592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
- Modifies registry key
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuAYcwMY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
192⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyAgoMos.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
190⤵
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOMogMEE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
188⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:3492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOccwoMc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
186⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
PID:388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWMQcUso.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
184⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyswssII.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
182⤵
PID:3976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwsQcQYc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
180⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:3916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:3660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOgIsIMk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
178⤵
PID:4288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
177⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYAYQkUU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
176⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcMwccUs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
174⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\focgYIAc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
172⤵
PID:1688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYQYUsQs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
170⤵
PID:4320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wugYQAEc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
168⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmAowgIg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
166⤵
PID:1028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssEowMoE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
164⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:1600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMYIEEsk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
162⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQEQwQkc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
160⤵
PID:1408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQkQIgs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
158⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:4992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wesYUIUw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
156⤵
PID:2600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAgkoMgs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
154⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- Modifies registry key
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IykMcsQc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
152⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CukYwoQc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
150⤵
PID:4192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diwQQsEE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
148⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCMYgEkY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
146⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMgMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
144⤵
PID:2240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
143⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMogMIcM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
142⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:1984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
141⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuQkgcIY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
140⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogYossgs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
138⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaoUAMAE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
136⤵
PID:3928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcsQkEA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
134⤵
PID:4372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:4044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:4172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKYIwEkU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
132⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYwAQUok.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
130⤵
PID:4524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neIwsUQI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
128⤵
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies registry key
PID:100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGwgckQQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
126⤵
PID:2000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwsEMAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
124⤵
PID:1996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocEcwoU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
122⤵
PID:1068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies registry key
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWkEAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
120⤵
PID:3688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
- Modifies registry key
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMUYIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
118⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgEwgkgA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
116⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwIgEAMo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
114⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:4772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCEIAoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
112⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:4820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCAEQUQc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
110⤵
PID:2592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:4816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWAUAEwE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
108⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YycIAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
106⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCgkQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
104⤵
PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:4520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:5108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doogUMgA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
102⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmkkMokw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
100⤵
PID:2632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- Modifies registry key
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCMUIQAM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
98⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WucEAQgU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
96⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaowwsMU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
94⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAYMcsII.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
92⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCIgcwEI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
90⤵
PID:4860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies registry key
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- Modifies registry key
PID:1124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAoMIkcA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
88⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwwUgcwM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
86⤵
PID:2492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGAAcUkY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
84⤵
PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- Modifies registry key
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiMkscoU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
82⤵
PID:3144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:3012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QockkIUs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
80⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkEgAUIw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
78⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaMgkQYo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
76⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMkcIAUw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
74⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luUAsIUA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
72⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKMQIQwU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
70⤵
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- Modifies registry key
PID:660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKMQYsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
68⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIAIoccc.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
66⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:2540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAUUkwI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
64⤵
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGAwkEIA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
62⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGkosAwI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
60⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:2576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIUwQocI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
58⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAQEUEos.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
56⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEwMYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
54⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKkAwkUU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
52⤵
PID:3408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKwEwIog.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
50⤵
PID:1464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmkogwsE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
48⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsAkwIws.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
46⤵
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuQUcwkY.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
44⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmUccMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
42⤵
PID:1320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOoEkYYI.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
40⤵
PID:4704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEwkscYk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
38⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSkUkwYo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
36⤵
PID:3300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:4816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaIMEEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
34⤵
PID:1204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooUUwskw.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
32⤵
PID:4400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuoAQsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
30⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIgQQIcg.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
28⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgoAUcsE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
26⤵
PID:3264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMYokQk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
24⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUcQYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
22⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWscQcsU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
20⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyoEwQAA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
18⤵
PID:4660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuYIQAsk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
16⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWgcwkoM.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
14⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYQQAUgE.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
12⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naYwUYcU.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
10⤵
PID:4208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsIYcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
8⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OckUsUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
6⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwsEcsAs.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emUwUQIk.bat" "C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4752

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RaMcUYMA\igQEcQwQ.exe
Filesize
191KB

MD5
8908afc5cfdf42c1dcc03cfede498e1e

SHA1
18e9ebba1ea4646af0f8a86b6f0be51e47cc4a7d

SHA256
161e2be392938720f3c272aaf57f157a418987f210d8e074e0805c24c45861b9

SHA512
ac5d396963aa62b9bbd565ca5882c6b3d2f8c62751363427244df17762e0b30a8203068074fd64e58499af960a2ad62083de8191c48ac2f78cc020f2895fd415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
201KB

MD5
6fbc43b8b9ca04c176a8fc76a1be9968

SHA1
6d182db67afeacdde2f927707844bd1757121617

SHA256
b4c719417bb054035225b213161161d1024f378e82835c3d87419bedcfb65fd4

SHA512
bdde156131a56b6bcbc663ff4efa51feb96ba99f1257ae2416a1af0dd84c7fcda9d3eceab3f6b87c4cbf85d9b417a6f411f7dd2a32dfa86d45869ec122bb417c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
184KB

MD5
824355661db68792bc310bfb75e25889

SHA1
d4735b36ac22ae45b30ad2e66f99c5cd375dd6a9

SHA256
860f189d332f25a6b0f290245765cc95b6ec0989b0a08cbec08ce6b2ff0f54fe

SHA512
fe5f5dc6c0234bdc60fb83fbec49d9a63186b054986f313efeaea7234071c32a4c41dc1c1ce3e147287346144c6c3d7c96cc3b0c397fffb430e7412ff9daca7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
194KB

MD5
2b90481ac8af97bbf0ee32f63c6c98dd

SHA1
dabdd7ea28034cd684e23d8d44ccc799b5fa8b2f

SHA256
3a01e2fcc919b4d2f08b58712c9c1f875b8abf4535a1df87ee88232418710d9f

SHA512
408bcc0b09fdf1960b4cdae622b93ffb8cbf2faa4a9d6ec164074a3c05c79d07710d730c44615752175056f15eaffcb2c24bed645c134d0be5fa5cab057697b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
203KB

MD5
9373f9af0924e66f264f4cb1a336da29

SHA1
b174f308da682cb0dfc1044477f4282bdbfd851d

SHA256
d3737e1c638368442234e6b09f651e0290012275c53a351aebd537f91a7d6edf

SHA512
1773ba934f6ccdca963e9884f933e71a75998f489915b9ade900c28eb86c23bbc6b1de0e44363b99c4aa7c1954d534783c958ad56b5f29f3bba63c6f135e23af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
185KB

MD5
d1c4941f6630c00e239684c2d468243f

SHA1
8e66e9fa119c6acd1954c14c201252bcc2e113e8

SHA256
392996e208b2525f2d54ab8c60e732db88aa56cada8b5e087c75a70df5a5d435

SHA512
53effda8b73dab9443f21f5a1c5a6cef5d05e2e11396d823274bf0126deb0e43d86a84e00c196673733a1feea51799e45779d59bef0bf6d6d695850a8e1e7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
Filesize
213KB

MD5
848c0a66b2e18e8db439a22971ffacdc

SHA1
c56b2e516ce6cf6cda2dd4b387ca3daead40b9af

SHA256
625cde3905120c85e5dcb1ef5869aa66da51323787758378a190fbe2b599f0d7

SHA512
414e325c83d703fce8923c18d527c6f531952f7e5d8e7b4b90eeb345af848e9d0e3a2a540db8514a4fcbb14a025768e6203be30611dbdbb30d68b4eedb838166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
Filesize
196KB

MD5
ffbbfb7245ccbe6e6ad648057f37e61c

SHA1
298b75d0f66458d2cd45457868973d9a2b7a730d

SHA256
91f624dae9a40f4ba490350e75e2cad1e0a38ff7745519afa5fd5a6833a68571

SHA512
ef6ede1dbf84d5477e0fc17d5a2c743343e34c63c740aad583ca6d25c38438a8f700d7630f33798debe4fe4e2d531e87f9114c5c910c050d3fd04a2c7f47b7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
199KB

MD5
e0a50681275c1505ddaf23e3e08a3324

SHA1
ef00814a0a351440833ff7d094bee82d5d934109

SHA256
7aa955bb4590b121e5b85afc29e81fc0c1b07e8cc52c5f3ac40195503b7c2b80

SHA512
517a8b24d0f3a8048d7e5782d081c1a6a3bb06327ed414b125cc086f36e1b8fb8514e1d74744de8125e801b97692bd1d25343013b83a694896b52e4d3ae5d079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
183KB

MD5
dabe1bdcbeba789eb107a46ff4c2cbbe

SHA1
c6c973055d06fc84482effea9145870cafe7b4df

SHA256
8fd4c4c3b6c76048f71e7d1fc32f647c456d47778c8fb7027a207775af5d9183

SHA512
194a69fbcfb8c673eaad16af7afd5b1ffccb34b201a692cad2535e2d1456a34d5a4ed9b4671e9feaeadf7c8c306f54e7511c34d5c8afe0212786b656ab62321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\156c0c82cc6ec79b5e510a32ffb4c320_NeikiAnalytics
Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIQu.exe
Filesize
203KB

MD5
52f1a83e08d3bdd7eeb832f62a85b6e4

SHA1
95068b814ae745ba68226e965729448a0cc2764e

SHA256
3b7abd784b62a91f93725ccff7749630ac190b5514fa07abb10e714316e1ec56

SHA512
8eb5086bdf05f5aaf31e2b6fb510f19b4490b015a169f8e5c326cd2ad5dd12242ed903e28e504423bc2095ba778c4932c4c9ad9d051cc80bb564b09623890ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgS.exe
Filesize
717KB

MD5
ecefab8bc162d9d110016720e798ad23

SHA1
5e1e7af47e64df011c0c9da06713bf66becb0b4b

SHA256
261d68dad673b16462c629cf22ea240aedbff2f3face92d005b84a7e49cec8ab

SHA512
3d4809ebd46d054ab7bbe70eef7d357f809b289bb94730755e94481493bcdd5eab44a009330ed022e1ebd7032ad1c12397aeb70aa8556e06a5a4232d98829703

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcMG.exe
Filesize
243KB

MD5
ac37f46df182ca562122ec26497e565c

SHA1
1868e5d15c1fcb2086c9d154356a9018b1a974b4

SHA256
e33f07cc32b332a566b32f6135726198d4018165a954332a301c2e7c23a782cc

SHA512
bba6988d8829f5515b94706458c282006065f8ce1d53911a32f0ccbd0d800a6e664e44895757be59811b4e56d89a04ef4a8fcceb4769201bdda0eefec8f20bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMU.exe
Filesize
193KB

MD5
2b4657eec8cce0563008a00a7e29bc19

SHA1
d03302f7ec18db84bf95bac7ec8a2f2bbe94d834

SHA256
def0995e702f355bb2526e78942a2244e5d3f7117b248272be33adc6031970d5

SHA512
d9021f43d7a22a246a5d804b8b166e3bdfaad87f690aeb734a22f7abe8ca28b26873e4e6e47e76f727b011419fee4325fcd2c760ddf6a7fca61493a48439241f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkEo.exe
Filesize
182KB

MD5
6569dc0c2ec9553ed1dbb945d2bc01a9

SHA1
bee078b4ccfc5a135cfb25ceb05433366cf66e23

SHA256
391f13ea93b5295fbfc4df9bb59cf8ade923befde7f16cfc4a9b740c5ea2a34f

SHA512
b562fd0356c41f9c9a6b8809aa3ece39052a9ff13b5e822365a7afd7ab2272dfeebdc7fe426ebdc538940eacd38dffbd85e7c62654e03a146cbdb00b43181431

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEII.exe
Filesize
191KB

MD5
fdbbc17d4ea8bf0c9af40b1d68b59bac

SHA1
77a5d9626f9bc7be1d5b995b31120a16a052c240

SHA256
75a14b66c28cbea8a89236d1f6a9d27165121b1ea9be4d8401abfd0b270d7489

SHA512
0a9c19ee1451257389bf36353fa06f065382ee6231f98893158ee630bd6ddc60c46af3677c62c179e12dc5f6da14ab2294cb71040ba9eeea67b8df1c39e03f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAG.exe
Filesize
199KB

MD5
003d910158955c14e7057323c5a80887

SHA1
f9444337187e9d92e9023343319e3dc44646c73c

SHA256
17c58c91403ba93809eb1928c508b4c257717dba541c807fe8403ffece40d85a

SHA512
02805c2e2a6b6059461a911db3ce7c4aea71b3a0c644b93b71750e12d1cafc5628a23d97625f8d9a7bbd5201b7315c891f2ac8a1fa57fcfb41caaf98fe86f3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYkA.exe
Filesize
638KB

MD5
5f5bcc3e4cbbd43ab9263b64c2123e94

SHA1
d4ba27b267b528c961b5cb9ad67ada6b470f0eb9

SHA256
ea68f769260bca10f62b161ec788f12d06427e5c2d5972147fd9bb1b333424ea

SHA512
32ca3c4623ced966d0e9389351b19b5951f0ea433f52befdfedb283c78719dbd917222b01cb98c8d1d6a653dcee060e6472b55259e9c2375bfa99368dcf3abae

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEkQ.exe
Filesize
653KB

MD5
d1e4571e649ab26b9c32d79f439a1ae1

SHA1
df2014ba83033091a6385e65c0ff547dc96f1d1f

SHA256
a08ba27548997259e3b022f12302eec588d26d0e096678aaf6cc322b80e1f8c2

SHA512
ef08eb27dc92205c443026a2dd0d63d9f505f3f3f932d1ea83aeab75796855874fe63be730ef684fd1f5941599a10ca13d75b73c83a3f180f173ded842b5ab1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIoY.exe
Filesize
191KB

MD5
c059cf9f0390c5b4ddca5c68b670b268

SHA1
50d7c5834c95e24ffc05fd87fb32594965e01a4b

SHA256
0adb7f608e62ca856d82e34acffdf5a147ea46952aaebdce194b2d31abc3c18e

SHA512
492a53cd28f8c359ee4a63a2027144afca77d6c25be802227d7612c3be0b324411a6c85f15f396ab8cd0af1a998ec3b88b4dba28fc43eff63be34cabeed52145

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMo.exe
Filesize
196KB

MD5
0c2327b92806bfabbc981583c9d92d17

SHA1
1a3c1d0f283642aacefa329c9fc0563723d5f2ed

SHA256
f40483d51da1589126d90bef2e80faba03e2a3d586a04c42b7eca504815d1395

SHA512
ebaa720f9293b19a3e3d75cc0346d4e5f32f1076082b65f95f6f361f7272b17f4ae84e8d1700e951217bc266e01b0b53122d80c89f677c47e24e04c238e6b102

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQgQ.exe
Filesize
200KB

MD5
e4ea6711a95cdd922f01456bcf7251d1

SHA1
c23c267e5e0684645165a278ef55033e072b696e

SHA256
1477cbd29761506158d29b5b6de474d02b562e6e494c4ed2a00f6367d1f5d5c9

SHA512
2d78496c5a172f7599b6b0923989b7d24709c83732b4312c430372aeaf767b309ebcd07bc5790286e0847e9e121b775e5f32625c5d4b8702a71e991070d5dfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQkO.exe
Filesize
311KB

MD5
d059bc8e8b1ab44d5e71f60cfd1c42b7

SHA1
d85624cd516f3fb914af5108bf85520bb2a2a08f

SHA256
e450893b17ba0f8f1e05d618a109914560a7252b2cb1d89236ced11270f45ec5

SHA512
5d1ec74565400fd4301aa1ca6d6bcf5d4428f2cd105f7875e2221a3f6631985e7c1c623d4524bd66678b40e447b3ef2db9f60f9833e632d4f339f5eeabd75249

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgu.exe
Filesize
810KB

MD5
b7d95b583d0fabccaa781ffb9aa3bcb9

SHA1
9257f209a4307ada28280600df8e8803b8c0e627

SHA256
7ca23875fef97ab5f2b8e3760a7c641fddba16694b4b66e777f629bd3fbc5079

SHA512
e7c7722b554d32f1d023e15e8a1c69815b4c83d8d160c30c907b62975baef01a1fb6a5841995894f2f4d3d769889380c419db95d99c1972e21bad4a3824dea86

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYe.exe
Filesize
199KB

MD5
9a8773eb5faf9902f34ad7732dd58f45

SHA1
b357030a1ff48b29c87fba89921b9830aecbcb0a

SHA256
2fb804156a2f1c9e8ddd45be139ffcb01b37578c40e6c2522e233a610277295c

SHA512
c5894ace978cf3b06dd2ca10326dd61bbbe63032da79e91002bbef75c005dc1bf3f86d3f52e2c64a5c67ed13ab8479b93df07c1905de942ca40100086fa75314

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkUw.exe
Filesize
214KB

MD5
d1b8390ed890ed9fe62e8a6b72886631

SHA1
7cbb24c49b987e2eb7ed3ef0bb059dce0da2a275

SHA256
cdb94419a211f0b9cf5c55aac99d97d51d5d5c03315bdea892dd7be1368a4894

SHA512
93a6a2d554278f51063489eda4480c11d5f453cb570e422268b6f8dd1df7c6e37e506032af53fac29d7b0d6d945ddc3b849908947ae784fa1e54874dbbad4d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkou.exe
Filesize
184KB

MD5
b532e85f9845c8dbe0e9190134ace475

SHA1
d26814634a80cc319d735c83a892542ffcae2d28

SHA256
813b17034dd3af6ce6566b231e6be162302d0fe96ea36c6cf2e5874dc16d40de

SHA512
e8e7bc141873025014537521660d1083a9007f21af7ff7e24513aeb0f10efbcad43ef26f895834a7a350726a3a0144d3f54c6416f30e9a5cdcf8959b661d2e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksss.exe
Filesize
198KB

MD5
064af5bca7613c3b0a7326a3dd3a8167

SHA1
8e88e68aca3632241f7a0781c8201c6e21aeeae1

SHA256
8bcd70a30f48445380fcc3bde2a1d08c336404c804751ce13ad40e4ef11ad882

SHA512
596070aba726ee91ca9e0fdd183821105703e94b3457fb77d4ab22c140b4a3ad541d6862957a509ace1d3fb0e3be62aa8e7205e21bc4a5ca853c5c43920e3b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEII.exe
Filesize
183KB

MD5
eb418ccd72da1803c177cd6ca2c9e511

SHA1
1d5042241d6a97a5c6eb156a350d93009985068c

SHA256
1fec508e4b13714ab683b3576a2f1b44a4ae5eec19a64aaec025ce2ad9e0f284

SHA512
d3bdb69c5ecae46fa749e069c496ad97e0ac494c4a9dc207b8bf1a088d99611bba6ae32eb7cd096f120e14ce94294c7bb2370c02610a6ab77846154055ce8ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMok.exe
Filesize
726KB

MD5
42d8d4e0c0f37f4e7e189b154d15d9c5

SHA1
71c74badc25e0928b506db995c9d3d00b3914c44

SHA256
d60f7bd7b34934b06f650f3149339af615aecd265d3d63c1d89cccd2fd4ca425

SHA512
4e551fa166b4152cbb3cdbb8a564f14cfa347402fa821526124a76120affafa575ae9150b5f53397ed4533da77bc9b3ad93d7339adaa8fa159c4e23c80f2e01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQUE.exe
Filesize
5.9MB

MD5
bc90c2c394827f9106aff4a59a0479e8

SHA1
ab74a6889a569a9e8ada337130432d94949601d3

SHA256
773a4ebbafd920432bf91a4c1405fdfee74bf8571d211c749519c405416f79da

SHA512
fd2f42bc34a35187f036f22e71f812adddb50eb82905223f315f62e4def8d6f6854d731ce72abf607eaf856c7e6ae963819a1a3e1c8e22790d083c20a242d736

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQoC.exe
Filesize
190KB

MD5
29ab883c895b3159b075cc4fbf4b7e4a

SHA1
939a1b6f7fcfdc150a49b3fdbd16fe89bcada599

SHA256
2da5b5ded92695cddf11dee588e7c419f87ddcf9c44a9b85215c069965a13fb5

SHA512
9f76e90bcfb80f59fdb936c32f4ffa11d87c2aadade273fb1d6dd30a3f0212c59bbd1154cac3145ce3d47664176f333731c96dd78c9e51ba2c7ebd6387acd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\McoA.exe
Filesize
192KB

MD5
fecc75256efb65791e71490111869fba

SHA1
8795941e9d06c67a3cc5dc4da3a134fa18e0f1e1

SHA256
3655c6cba6fb47759aa4e44432820d9b853eb3c6997d9ac5026ed86e4cc5bc94

SHA512
f86646f44364c104d92ee77abdc99ea602a8db54f700b01ed60cf9e690760bbdb3a0fcfebe059120fe352f1961f795702aea030106bc9628d99ccd05f4b7f24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsoW.exe
Filesize
195KB

MD5
b43c4d6aa60d0f128588087eddf6db47

SHA1
c4d7a27abe4d363dfd116fe379f2c8aa39a8afdf

SHA256
384c21535fce4318622eaa34a524e3b1a98f6ded64fb0f3474324ee1eac540b0

SHA512
6398cf9ef399bf22922fce317d292f5e9641629211acd89deddfe0453e2c28fcc71c64558a996d8820c463794726e678e94a7d7bd321d1266820b5b1040cafa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEMI.exe
Filesize
204KB

MD5
982880c630039afeeda566d7dd5ae124

SHA1
3711f4286eb4548b0858116c61defbea5b7bf0fe

SHA256
30c55293fcb8d41adbbbdde890fe53e4849a0011df4ba5c6373f9647a1b1c4a8

SHA512
5b9340a93e7fd623593011a12611ee39b47edc1905692fbaf7781104649e11b239278632494cc4b201d5c76d54eff634eda940dee31446d45f4e1156a417dc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQYs.exe
Filesize
205KB

MD5
7ab289db44b98a118ea7efeb28b7335b

SHA1
40c42bbe023847ed6cfd7b155051224cc8b4443a

SHA256
533425ff6223458fd191c51766dbda3e2cc6a8e53bc02c7091ae4b08c30e035e

SHA512
b580f1b9d7cd0615359a5ccff889447caa26879147b0d6c674e6331fe2335094a3e254e519fd2bbbf979d3d51f788b84d4fe718ba3516f32e0d8422c6cbc7dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkMW.exe
Filesize
881KB

MD5
4396af58a1f254faffa4629371bc4bc8

SHA1
b598e38678ee0e972b0bd9059995038fbc2c5bc2

SHA256
9c5a16309f52e117a8c6bd9373923fb5986aa3a1e8d729398ec9132fefb09812

SHA512
93f892c7c7b5bf7b4a814b5325e3979b6311759af297b4f75cb3376068aca8def95f34227dbfa1f400844fad6f35e0787e7839a11ef4c76f7da87831396f9818

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIEC.exe
Filesize
5.9MB

MD5
26b64a6dea087f2fafb5737d53085045

SHA1
45fea76e6c231cdb2fd905da5e2efaf2b4c5d6e2

SHA256
256520b3b3528bb83bc2031d30df9120690c6bb0b50e04a9dbd8381885b70e3a

SHA512
3c0f240c864043ca7339d9abb1bb4192b3166229c386837a71ec98f137ef5504c1ee8eb75f156c2bd77babd34f643b43b0494fc48305932b9c69ed6b9fa97af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qssg.exe
Filesize
1004KB

MD5
28a8b6218fc2952219bb7c192c448713

SHA1
441c53a125db545e50770fa7f3ea065aa00a9fab

SHA256
2252dbfc5abfa351e096c92998a0a79e6f923dfde5283bb77a9ae2d570f07db1

SHA512
dec4a83a76872a4bac89d252b836480bb3ae9f90fdf172fded0beca62bf6594174dd3606f70af9df1cce7fb6dc302b5a87dfb73764ff72561a6635bc980b55f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEAe.exe
Filesize
217KB

MD5
02a0a8185af2c34545f8b5e8eb8ece56

SHA1
58dc5d5fdeefff5cf1fe0e4ee7c7f22bb8ac5a5f

SHA256
d75c270ae80d834a914f82bffe916651678044e953f4927442c3eb34bec78224

SHA512
8575696e5408face1e9abece006a69270f9f8c75ae51207945b8154f8e02c1ff5d5b02a370c84c4260b6de795e0a88a7b71956a83c16d1c9c60e1363611ccd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQe.exe
Filesize
248KB

MD5
5edea0261fc6a52044d94331d6509ea0

SHA1
4e51256b68162df54d7cc01201ffda85af49fcb5

SHA256
292150d016fedf4e07f5a4fbc33d2eb1bb59e8096d621b9d13dbd9d162854778

SHA512
5d3572c9583ab1ab7769def6b1f53add4b56fdc50d85a6f757d916bfd563cc88f732d0b48c54f0b730bebb3eb11a56e83b3c3b4166b9e17a6f9d16312b3eb6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scgs.exe
Filesize
213KB

MD5
5496cb0ebd5094b7d57ec2b4f7a1b1de

SHA1
1730290a7e47d748571b68274aef5ce95b2057fd

SHA256
d1eb9e6192832b1871b17df81f4347e61b04df5ead0be51784766aede92b697b

SHA512
17a2eaf98796fc07f07e3122ad583639bb777d5994dabcff5d2fdf6d246036e6cfd55ea15b6a208f908dcf42ead63ce228ec00c84ed09725d67fc665094514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgcO.exe
Filesize
184KB

MD5
ec0d31d66235da640475f65e9158b261

SHA1
d69b0e835993a8d6d4a8d7649ed8c7b209861e8b

SHA256
12276b26a59885f81c8dc0cc3c27ad8ba13b463d975164a57888c67078150e87

SHA512
f1f7376fbdc8373668e817ad6b86cc925ae0fd74d60804a277e8fbd1cec076b5019f11f178ee2b627291cc029d38812c30e8c8c36d51edb6db29ef3babb89bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoQA.exe
Filesize
212KB

MD5
0ab172f0362ae20ee0fb9d4c64b2098c

SHA1
715dd4f18f2402ad5f1721a586a2293c555c8209

SHA256
11bc92bbc72aa3d5f55249862f0b9b2a881368205d5e719ffb53053882154b88

SHA512
500cb5834d7111dbe2cd14af78c146a2fe5170a982d6bf58af474a6701dd75a9bb69c527c3794f7d6f44f968a5506ec35052abeff5c5882e1bf26faf17a3f372

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUm.exe
Filesize
798KB

MD5
58e10e146ef2c812708f92e0aa8369f6

SHA1
354ecdfb247363ac66cb221cb955ce54b39908b6

SHA256
bd61de10b6161009da4df33e25b9d5e4eb8386c514ed0db850e61fc4f70630a6

SHA512
b0a8fb23f8c62ae8ffc1dbdd78644ed6bf86ce9c4631859b4ce590acbffefddbd0f966fbc6f053030f690757a38c6daaee973219456b6789f28753bad1294977

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYYG.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugga.exe
Filesize
188KB

MD5
40fe66b418593aa4836266504d1059d4

SHA1
5d984f85956fdbe9bcfac0a75e31ba1d06a931ca

SHA256
846009e2e7c8a31ba3c974cf0b754d883822d9dc1e23992b0fa7b0c01b0f0ca8

SHA512
c83639292df566b898f9420e0561be959384c22ce3e0572ed20a4bb9f65961c6a40589f085b4cd63657cd5bce4d49b769a86cf7f473e3a6cb053a65aa77f3355

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkEU.exe
Filesize
646KB

MD5
af7c368e4cde683f45b33dfafa522eb3

SHA1
1d0ca231d3e41b3e60362529b7dc8539ec05e690

SHA256
81e36cc66a99df07d354b1b60c5aa3967d3d371ef7572e594b4830857c7c453d

SHA512
4f5e69b29a4f4fbe66cf0e6b19c2937fa92c7b28da8446eb0ff09284347a16ac039bcf338bda20f135bb0662b240437f24652036273a5453ee673ae3fbed0b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uskm.exe
Filesize
186KB

MD5
5e2d7dd32ac0aaa081ce6f40738f832b

SHA1
6254794beb9069224fb70b375c59dd3a609f58f7

SHA256
ca2f07981aeb71e63502e822c9726816f9c7e0a7a21b8fb08310cbfd0098d4f3

SHA512
332bc7f1a1232b6ce6497b67094fa001e87fb928d2bf2fe6847449317b8054cedc6a59b161dbab3f6dd06806624e6d4db9266df39b1b60918b726d936283b541

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMw.exe
Filesize
841KB

MD5
7d85f9d9b2c0758652c9556d4dd0e2fe

SHA1
7dac1d17555ebde25f24bb230d7f49e821fc500c

SHA256
a80cda6ef59f2ac58d9e23de978be5c94a1badd2c9911ec556181624d17249e9

SHA512
07f6b6fc039c0fbc9cf05ebef494493ec50511c78b85460509b9f296ca051a877b7eed911971ba7bd87c1b92c2bd6950139ded2d3804ed6232270cebbbd2ee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEQo.exe
Filesize
228KB

MD5
a39ec4b1f6c0a2df9f019e59e9f9ebe6

SHA1
efa7bb652d707819d4e90eb3e6d2bbc103ae50d2

SHA256
5d27b755fd27f2db39efffc7ccacb8a23cf7bfa0b750b08c0d6e555c23f060cb

SHA512
7e7f40783d4b7b3f2c94f3089c5d233f533cb1a4b3d99ae0bf524433c16cb59ace099bbab8669ef2795bf82406b7ab62abb8ee4383183ff2ae658d602150b89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIMA.exe
Filesize
198KB

MD5
cb87e23c71114b777df30613e818a077

SHA1
189f21b3e14fba83e42548b93dbdc77aa27b2647

SHA256
d6fb086c1ba7a84d55b4cb42eb1d81f74e1b8c35502c9a9046b8aa7d0e153c9f

SHA512
9d9be9216187ec61b607813eaebf646e03eabb2e12c07dd90f9e5189e800b0553514ed7448f6f1fa04683399aa8a8b4fb4f855122150ab33ab2a6031ac8bc9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIce.exe
Filesize
201KB

MD5
06dafabdaff353ba9e25aca743dc8996

SHA1
5f9da7782845c6736b9bb2ccaa8f4fdf17f50ce0

SHA256
0a505408990062d9a19b41f74cbb75d8a46814dc1a7fa54ec7a6628c3b534fb5

SHA512
f320bfe369ee5f40b614275204ad644947edd69b427de86d1b5f563c3ed22440bbe457b118b0d42e349d51530bf10a6309d4e24fbaf14c282035ac270c88f10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQgI.exe
Filesize
633KB

MD5
5c346efafca43e5b32d4ac8d13871546

SHA1
165bf98b350888c0a8cf581ace30053b0ccb98b2

SHA256
6dfdb9e84310369b0eec9ee00555173e979d0edf990ea95f3f3679442e14da63

SHA512
152b86198ec7b73f230b0c141b0ca624943f6dd644e8497abd835e93ca475fd4351fc8a087435d7a67b159d6a637162785cc9156ed4259acf1623b955847be7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYAa.exe
Filesize
542KB

MD5
7bc73daa35d124c0083cafcd07e262ea

SHA1
64bda501455a823a0703ab05e3f7b264d97a3dfa

SHA256
d5fd2a227951084ff1d7d984769714bda5b2a7be94fdc93c18f54c88a102bbf5

SHA512
f07d6ad03dc3d7f0d6ea48e2eaadac00ca8616db81c1d95be4096eb544c553cfe2a815157cfb21a944212791b677079c1dd9937c3787c98f0961fdd6468bc1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WswW.exe
Filesize
759KB

MD5
66b182b1bd4259daf5dd68cdf7c86f95

SHA1
d6d6281aa1cf18c5a09169a9280e634eb4c3e21c

SHA256
c9e191ec32b07fe8472a4ff0d98a0ce19d9f134b5cb69b0b101a8407efc64b77

SHA512
5d5005c5f14bf9ffaf6d5c5a884c9e58dfa48614c25baa74c873cd82e28ad8e4000b58b40be5e3e0b0bf2441c9640fc30f825eb36e11ebf608b4af7fb3508fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwYO.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIg.exe
Filesize
205KB

MD5
17beaec7484b33770f08ec66d700cdb4

SHA1
926869c77a109394a377bbfd3876e18bb4792fd8

SHA256
294fd881de56e1bddc4f7589bb098c3038717693c40527565002736c5b412e6a

SHA512
85435181998dbeba3e4f523fbaca33e87a4676fe0871980d62e771c03d1c4dde9a7cef821f69c349605b9b16e34d1043f66804ab6ad0bbb630358adbee28b42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMu.exe
Filesize
195KB

MD5
b9138f4a589d69374c8df9b7b6360433

SHA1
3fbdf95ff102a7fb88ec1fe04628969fb964471a

SHA256
9b55acf6d05d340c4760e6ad6aafced60329c3713fca234c9c0c1c7a585103af

SHA512
0b2da87918f11bd0126a936aed3c90ecb610f451eaa32f5f0f79e91b7770525a25eab5ccaa1955a6205d27cc3992399141baa84322f385d69280b7205a598c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agES.exe
Filesize
647KB

MD5
2adb09a6e295bc636f378034adb1de06

SHA1
d945aceea9130be024aa49081bc641d5585de7e9

SHA256
75f1a73d39be52b6bbfabde28f2bd5cb46121c8362fb24cfbbe1cf9653d267bb

SHA512
6ab0dcfabe15de0c011bdacfa1a2e3af98a6c84773b62b4035f90f02e1b2c3385f1917d14795afcff9fecd727403fac721a855df0a08498beb6b1cec0e95f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\akgU.exe
Filesize
573KB

MD5
a80ab59e1e930a992056238b6c3def62

SHA1
786dc30d362ce638cb56a846960309f595af4495

SHA256
1f8167453ab624e1d11ee855ef7f993dccfbdf00cf9831d7d16ebdffb7075945

SHA512
9cd8fdd0f649378247bbaaf17b19178a1f08be3add0f5cd2b0d5b9b22a1d2456c161394b2d5be599b20f2c5c181b68113d0334f53146141c22d6d5df76adbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\awUM.exe
Filesize
561KB

MD5
4e927900e934577e19b8e781145eb722

SHA1
3b1e9193c090a9816d3370107817d9b7b325f145

SHA256
2a25adbf70257d7bdb0a98a969fedeccd3b7a610d38ecb07bb91ec6f1ed244bd

SHA512
cff38d0678e81b6f6c27666b00011490d25033d24d2be897a0bb8422fc431246f417d00db097d36811402802493bdff52fd17a55323ee74e4d1d9343ccb6cd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccYA.exe
Filesize
203KB

MD5
9454ab765f4cdcba978709d3b95f8350

SHA1
17652646c694963b52d5c98974930921bdbe2477

SHA256
81927d5c7dc0ba84a1544b0673c8c59317af947eaf0f52c8ee5b48fb2d8d02ef

SHA512
ba1475cfdfa70d4a03ae91322fca48ef1c4efa7dbba3337d749bc32b8acb6b77671d28480f8df0df50c5ad647d5c9f9c08e78e79b5374be1e8b92e5678bb6421

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAK.exe
Filesize
202KB

MD5
110bf9c4401c17f6c3bffdb73a693c5e

SHA1
a1f0456819f82888f09520ff05abeafdb5e98219

SHA256
0ca4eacd6097a71f0d0e3d1e29fb57f2c6a2d6df1892608962531e7f3437032b

SHA512
724f2c136869401ce4504e97d3c5fe4f30fdcfede5b47bba45aabc1fca5f56d443f3fbda425b726889d84a8e99161fd562f8fd3be23475ef63085f1ee18bf73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\coIk.exe
Filesize
196KB

MD5
0e6d70f56c8aca1e15366dd3dd303398

SHA1
6d1e2d625d9da02a9339deaa9c115e36f718485d

SHA256
cd4cfe94276ee37951dd60d442eb8b303072e59e034a475975830ffbf95587a5

SHA512
200b89773b9da6c927abc33b4039a54f1858052d69052f9bf76acdd48cf158aae46dd949673f832decf96f7fc04fdbe719b77a95873c0790948ffa8d1f7b36e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEUu.exe
Filesize
214KB

MD5
ab2160ae58d2f177560088e87e883ad9

SHA1
5cb846a5264baa182ebd08fd206fe3cfde7ff378

SHA256
559f4421b79538841ee6b36c01d17b96c02ed2389e3e8172437f2008ef43e4a6

SHA512
f302b93962e2c6a14ab831198096bdfb411105a9c8897df04915bcd3f6ada73f9972d6d8a6387a6bcda509939ea32e81958f95c55d0d66bd1a78e99d97ffa0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUm.exe
Filesize
184KB

MD5
bf15dd3cb7343f85c579ec7264fd8340

SHA1
0a6778f2ae675d30250ba0474f66318566f727d5

SHA256
8e39b018e07eb09b552b6d3e6a1a1ed28ffc6e0e1b9b6a89e308856aa6acb3cb

SHA512
943c7b324dc99794dd3f636625a333c218a73ba8a15f00f686006650c11bdf7d919d1607a1e5cb0c17507e42e5641b9bdf8594dcdfd9306526e683dc4c56a242

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUO.exe
Filesize
224KB

MD5
9b8c13e3140df6a9a1bcd073bbc08d42

SHA1
8b6bfdc57eec4c9bd24adca2b36d809b082883ac

SHA256
abb574dfda1d3e8515364302e821bcc846c14371528b765dc476ee971f96e0a5

SHA512
71c7a26e675fb50561df01972a9763d735e791a95bc29a0390fdad4e7bd1d656cbe69d6665863bd624bf7cd8231bc145f17667887d8df8c4f42ebf234aee90d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYQm.exe
Filesize
207KB

MD5
3b08dcf6781c958529245e2f15a3cec5

SHA1
2f570f42ff9d53fdc1915999a5315151537a333d

SHA256
6b2fc400a0a48f8badaf5ca419f98062e9b916e26fef8e04e420afbe0ba20871

SHA512
22269871cfd2ee36190ff1dda355af8bc96863bae825d5e9372ddd29f8fa9e813e68bde1082239d00d9d4474b93b975ca06ad5dcd7f0af41369b13c07a2d84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYki.exe
Filesize
194KB

MD5
7f74702c14eeee64d992bc6a862c1d18

SHA1
8155437a909025b2568bef7e3f1cc85fe98407b0

SHA256
5c7f5cd609bcd90191b3b2466b40c71a0082c5c8f4f4254cc737f9710b5f6007

SHA512
417c7f39cb400f989ae409901107684db57a6199e5796aa25fcf806fa810f48fe6d3c619f36482534ecb73321a870929eb8726e3e680d7919e02b270ba514796

Download Submit
C:\Users\Admin\AppData\Local\Temp\emUwUQIk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eocI.exe
Filesize
199KB

MD5
0ed1ac40a857ab03486b81f0c3c01831

SHA1
47fd10f2b74c0c917e6621734e22b774f1eb7096

SHA256
bbb3343bfed95f1dfe9ceb4290d67e7597b8b9923cd411a8fa4e9b97ab328407

SHA512
d0800845dad5cd0448dacdf6d029ed495ee64ceac46b1572cfb0873bfade8d68ab96d861034e0ce1ca7fd771931972b2f1f57ed3c5cf673c51878d8ae194e0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eooC.exe
Filesize
201KB

MD5
e544ad1a761c97dab725312c5bde65af

SHA1
250273bc096105c16370d59b81044ca087a81039

SHA256
e595d1c34c082ecde5bb273c24a32854ad1e2429edb488da6486d6419169d5ca

SHA512
2cf1d18f250bb56c5b1dab9a716294adc7a9f324e336205dbdaad12ec835aca1ad3fa9ccc6a2ecb578f44fe83c66ebd8aea4c8559bef35795a896582b1fe741e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAUS.exe
Filesize
325KB

MD5
cf1aac37108d99bf3dbeebe63e296ce7

SHA1
426ff1ba0626b0f6eec6c16498e93ff09f3aeefc

SHA256
256d4b0fe1926f2d88a7cac857cdbd61d2692d08bf46da7c85bd00869ecaaa57

SHA512
f53f0305215e72590283937d3bc62b39ed1e832b54570d097386fa5d83f366308d2138ed7fc12373dcb359c326ae0b0431e9ad95235d52824770407f65883ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMEe.exe
Filesize
837KB

MD5
91eeffa0c0136a3a6e74bf06c362c28e

SHA1
a11359de597448d8ab1fd29241348dc667f79b8e

SHA256
d2b7b7f9027cb6fbc5b281c200e242c2834d3a2f834cd4194c64a17f0d524e3e

SHA512
0ed9d5e9944d79ec63c6ba8e61aa8563e7c569d25f613ef66f331efe00d0d8aed5a3783a8fb8a26cb1360e8722581a54ae854937d8fa94671beb07608fe4da5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIMm.exe
Filesize
809KB

MD5
2ce8491ea15ba71dedbe0cad16a957cc

SHA1
c935b7ebd70a3a9fff0f6b64e4dde482f68bb9c5

SHA256
88879d98670321d46dfdcb443dbbbe84d3e2d94f2c9feb1054e72506fe8d20ef

SHA512
4021a39cb31765290dd2c44cd0c44ae3d4a517bfd6df5ab750e12bee9473943fc1fc6a18882ec45d405d54d860daa5e9aa463d04b141d2a6ec29aa302e7d5a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioQM.exe
Filesize
971KB

MD5
e819404ecba2b545d90b28ad694216d1

SHA1
f3378b20dcf40eed21b966de550b992bc589deb3

SHA256
fcce084d5d865abfff01b0e5f955cc983c80ec6b8b2621a9f0aaa00d79c070e9

SHA512
0087e13f630ace40777bf6f59ddf03b0dc78e4ec81c4c324214899bb975f3c9e24ed02fee5991100cc37e9b7ef6e026c05dc5c48237f30f815dbe008e1b378a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\isMk.exe
Filesize
307KB

MD5
cb872c8dbb2af762993e9d5fe4c4662e

SHA1
7f7edc0257acd324c1dea7978769a761e0b12bf8

SHA256
d9f4c88d3c5870d831873cfa4fe2a97d65b3cc4da9b0f226557074ca1be4f356

SHA512
08ba42e1abb8198b3e3af167e0f2ddbeb25c07fd62325a939ae6cdf085f50f05401c50297bf1ab83ad0e53d569a09cc21927845bca4af337aa5f86b72c5f7f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcY.exe
Filesize
1.5MB

MD5
60980e27ab07c14de9d4eb4a6ed67775

SHA1
81a1e1fd76b47684b9652f7b8b4492a8c3820a81

SHA256
a47b2238f28dc19c789b8aee11952583317db7de181ba1454bc8d5fe917d3813

SHA512
2a53740f150d9aea75f2d307c8fcd104a7a6529332a554c83119d3631af6a3c7a3ec263581de93975d20f3430ddab56dc137c2cdfd0401d6438d6f14b51cbcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEoc.exe
Filesize
1.9MB

MD5
3493bfb3b946cbce934adbc9bfde128d

SHA1
15990366b9601182d9dfae86406083d779139e05

SHA256
bd8302b72e33ea77157738ce1c3ac61d3c15968efc5b820ce0ab01bff7fd9d5c

SHA512
2938da5ea95d1b4e1aa79c403151dbc0b7026fd647f7c183f2fa6859a09f4c4d73e3c64a837ac35147e2680dfb09f7a0acac2ccac0ef59937d304bd82bb9d6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcQG.exe
Filesize
873KB

MD5
0ac6e5a1a548ad543e199b59edf65b4f

SHA1
dcfed52ccd2579f8ab29d56019bbcd9952bb7307

SHA256
865fbd18c5d2bdc18f0e8ef93793a7d1d11be1b8e5632b9e2b6fec011fb0c52c

SHA512
6ac28b568d08f488e138d6dee554247e0214212d724cf57924792348f4236e27a5cfe6e86c2d8c0a3071240afa891cc6937db1d9bda28c1d8a2167b41f2d6477

Download Submit
C:\Users\Admin\AppData\Local\Temp\kckw.exe
Filesize
420KB

MD5
a28e95a8da066d86d99ab60fb165da62

SHA1
090748353e6f59489eaa0b1dc704db8bdf9b27d0

SHA256
624507ad4272b13f717ff9d74d1c3c04214dacc109b06b2897ff5484361e9e6d

SHA512
0680615293f91c6caf97550c802468b43a6e211c6089928f805ad435bec4743cd9f5da6d61f65aafc507acbe71b57e959202d7de6886ffa462a11ae7ff60f34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsa.exe
Filesize
194KB

MD5
dd2c68df420e80b9926daf178a50eefa

SHA1
faffca1e2f17247afc33de8eb61e8e8c8cbd92b4

SHA256
9d66fb1c4366491f5a685c03a4ac57ad39360bdc7c6f59bea7fa08d93c4af4f2

SHA512
1005a62d339e2fac32c517d7bbf52776a4d2dde0532d82cf2d8188b8501cb59c1a9440167ecd49289911ed305f77a0281887f60e3ac460341228d2d6e1f0ff3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAks.exe
Filesize
191KB

MD5
760e617fd3fea74d6bab7c553dddb678

SHA1
519531fbfd270529b90aa82665ad7032b9fb4df4

SHA256
ee4f760df896c22cb383159df78deb309865c11d810b7430f889b12e3e2192b7

SHA512
f7faaf0eec7d4e5916ce97055890b8b398ced801e9d38ee9957f922a8b3e490b0aa07c618b19fc597d4737535e38d11aef4f48eece6245ed7d3749ebee9826fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIse.exe
Filesize
201KB

MD5
77699e0e61db959306dee775d21a8d93

SHA1
9b09e1d9dde96dc73c581bbdcd5486e7fa4383fe

SHA256
baface8dadf77952a986a1c29a29a23b6553acc98e74a50c1bd5ec3ff5b22944

SHA512
46519e36c1b45b596194ae032670b47650c83214656fcd73cd05c8efb6e1524e7bad7d10a971b726fe7573344597818f55d941cf3eb6f450fe797810062886f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYy.exe
Filesize
201KB

MD5
0a06a4dbc436d0544c3ee55955a69435

SHA1
c36e8bb841549c5fdf3c7bb2d8e2d7f1d00e8cfc

SHA256
bd994f467e0d7f6ca99fa4c997da7c0cb6765e9607a647f3d07ad7aebe8e34f1

SHA512
c40bd364481893eadf9ce68ca0f51a01c17f74639dc85c8a8498590593f8ddd27fb2004761f0522323b6c3de3bb556ff6dd0085931d9188467e36c9d9fcd1ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkK.exe
Filesize
323KB

MD5
d3b89459fc6bfd2579c4ac79fd277a56

SHA1
198ac3ba1d1f16c774e8b51a605c353406117f8b

SHA256
489159b1e7edad7f3bec4ebe407be2e82353562e1539d09c0c0b57eb8767dd80

SHA512
c1d38026d0608ba9a452864a34ae86fa5548fcfebc9b15325c820c1abef56e29da6197131d0c25c8343372d4c890cb8554bb69d73c0f9637df1511ac89194b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUc.exe
Filesize
671KB

MD5
dac7c54daaec71404bbea5ba1e7bc553

SHA1
55fd15b258194532c78bd24d38ebd0321c3528cc

SHA256
f6dc503a31ce7a451a9b70d0a2b45c774eebcd8a50023441295c013247406823

SHA512
97a58ed619ecb334e2de5191eac73367952493b5c3889d3b4e58c6698928f004f5f6c1423756c86e721dbc1a2fc57c595fbd90ef7898a64a1dccfc9b32f78e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccY.exe
Filesize
1.8MB

MD5
f2dd871d515110ae958eef50372fdca0

SHA1
5468929e87988c421f198b66233808c197b1f262

SHA256
d26e9685e836e6736f81f5ee652763d380de1fe55592c8ede6b2fa6773f64c00

SHA512
8def66f0772b3e270f6e616765d800f85192a3274750c82274b6ffc634d73d2e486ec3c2c28d2420e88e14bc5842c335b52f73973610a931ee35f47dea6f4102

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcwU.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogI.exe
Filesize
191KB

MD5
e7b8e9fb70e1639f0778bba6e82f4993

SHA1
70a01003aee02f667755db5ad840ee3fa811f32c

SHA256
9d7f9375ce024f9b45f4fdd1585113ff42a1048231db179a49b3b6e99159f970

SHA512
46d2fb03ac45c290ff547f725299aac29698af9dab3d25d01c331c414eb07cddb411ac47e691db93b1895af68a9cf7f940e281b285cc4dfb62dad147a317b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwce.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIc.exe
Filesize
186KB

MD5
144935e5c15472f8a7ef60139cae7eb0

SHA1
828df86e22d83c99184a3a2d9854596189c56ed8

SHA256
df6fee63c859b35ab12bfa0729c8d32319d6ef7ed01b6da50b2c008feed3d8bd

SHA512
91c3c2987759ea447ee7b7f4ee15c811e71868e8e12d2302d0b1420f801764fabc11f83c7fe4d53a148914eb471a35b6ebcded72c07c51787d0f653615bd08d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQY.exe
Filesize
210KB

MD5
ca1d0b5e5ef2ea385ad01953f1a7bf0f

SHA1
567ba71d7031060ba4dba33e1171ed5592acb168

SHA256
d409061f18427c5a28628819b797e96453c569cc93a3281d1bf431199401b4f0

SHA512
8a27bc5659d5d30848c0c4371245a98f6cccdab95e4aed8035deb3d008cb937552335aba29d55101186dcd5dd8736fa070e11a0a628183986cd7fd0e1ec723a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQw.exe
Filesize
635KB

MD5
f1a27fb1996ea9a92ff2e47b3d64422e

SHA1
b7017e36ec7f793083f5373bc0e4a699550047ab

SHA256
1925d29adb18799a6ada15f4479c0f6d466b1e512118aa8d0169255fb97279d4

SHA512
8dbfccb55895f2e1d44f3a60345e166df1a162911a7011676254ad867f960206cd5b2c04322dfec40aa55be1fd54527ece74c6458d809e2b3057c456260f3806

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMkc.exe
Filesize
200KB

MD5
b9fd6602d17ffaa49f742ebf5741fa0c

SHA1
34b1e08e7a17b54277aa1bbc769e174784c94697

SHA256
223bad8f88a9380365839ba6b92371e7ac41b8b504ccbf696f0b2b58efde0ed7

SHA512
17e5a92ff5554f42aed520c4de5459401ad0cb0fc3ba1b511a7095d7add47e33106beb414381cbc888066741fb3edf543dc707824619b9e818ac11efdcbd2e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\scAs.exe
Filesize
215KB

MD5
2accbe65604357e83fb10971988f2f76

SHA1
09c04af349690eeafb284f0648858a0355366959

SHA256
b14cddbbe3c5702c9b3a19ad91979027946caa698c4a3e32c7504de450198e33

SHA512
226357a402e7e1b031a404e1d13eaec78c282dd88b7c2225a14dfa81ea5a0a2b575eddd810f1c1e7b88b559b0f2196f3da085fe323de8ec2c4f989a41c7344aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosc.exe
Filesize
186KB

MD5
5fae1dd232c0ecbad3a154d6bfcd0d84

SHA1
1338cdbf2dbb4780d88826e6dc0c3f5467de8617

SHA256
f88746d5f735c56dfab37922846a73ffcc9cb1cd60f48407de1d00697bfea6c7

SHA512
509c66a814be1b320d691c971ccda4c551d07f42d34acdf3e556e88c731476f9c99c61274cc7a1e57f1302c6f0f8d70c7072697db0ad38412a055f423b97dd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowU.exe
Filesize
230KB

MD5
47ad56ce26ca9dcad3d2dcc0e54c050a

SHA1
32446869d7c22a28ae7379e5b9f286a2c3dee2d0

SHA256
1293d4bcddcf9f41b2a5f626ede9871e6a51b801480a2eefa2356ea58f5c16be

SHA512
28d154c9f5e04308a88358ca597ae33dd0228a38ed33356829d8510c457c8bcc84ae10338dc062e343bdf8a609de6089c46dd3dfd27977ca044bbac86a039c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAsI.exe
Filesize
192KB

MD5
31f7b8bbe3239a49d7a614bd8c931545

SHA1
f0b7548dc813f55711cb9eb04ad62eb300423d98

SHA256
c44bc16be08c7e2b29caaebd2db04303bfacef06bd708c911840dca3a1cecac6

SHA512
d41ca2e179d746cec15327f0058737f9b7c93a101ec5ec3b9802be5d436de7024a0eb0fd99e00d907877288d73c60387dbf07947cbeaece8fdf3eabc80a6959f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMC.exe
Filesize
803KB

MD5
de0504b71ea0dd7169e808b2e26b1749

SHA1
774f0c8e72b9bd85d0334e9331d7c19afba77160

SHA256
d13f70794683345b8777c1a3a3b44b8af1d3042434e2ac75a8ef34bdff8e4f03

SHA512
91546503acb973835f456c5bc0c1417f5f3fcfa2c17345b529a4af8fcfcc86be5a193ab452392d0c1c18e2f3a69246229302d7ea0c4747d3b809b0f110cef6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUMU.exe
Filesize
203KB

MD5
10ab04eae6e45a357145ab8f0a20d067

SHA1
18b220828fdf7f72394e0876fb32b2d6443a5fdd

SHA256
397979e4c1442f8ac20a7194fb5fdbc00a8218565ef866f296a4087683b5adaf

SHA512
f1fce6398eb42685d39fa6f44155b882696f978c8bf688cd70f485de5c604cbfaf9d88045cbb9736afde08e1a65cd3ef45a5de9ba536a60deb05676c0a30e712

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwcg.exe
Filesize
189KB

MD5
709fdc8e884f95cb91bc70e32afce2bd

SHA1
d950b7dd34cf6e8b720414b5a10cf8000f7d5e3c

SHA256
7587610e2e93caa7d4d93f1a11ec2bcef3440ff6f497157806246772c0254618

SHA512
f79f356a29f758b8d7dfe616941ef8e0ca746b835df39d49c4e115ec661e9df6c04f7a06b97195ed4895d6ab068cfecdb1c9ff724ab8d5abff444309ec026c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAC.exe
Filesize
200KB

MD5
e07cbcda60ef6889c42f600ca7b5c81c

SHA1
5da561253cf6c531126be75f75237822e6e8a0a8

SHA256
6af86538d86d92653c880e199fc63e885baa3f160f79397fb45f7d48425d2a16

SHA512
d2df23d06ed6aec6cf8d46b641164ced7f4cd1034b65a194cdea6fd872f469f701ce1cd0c80683b54f1f042e860c85e3b72ce8201347a65a10efa7e1a237675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMcC.exe
Filesize
229KB

MD5
38915d3590106b434be16e055815003e

SHA1
9532b187352b692eb7571691c161bb48c320df51

SHA256
9f76857146a859f069d23e103d0babc48c8903ee634c17676f3f86db419d6136

SHA512
ca9dfe7fa47affc292e1a1fdcc26e19d4932fe0648cd5b3f37ecb9441a91c4e2885f25e12e3835a52a4803706b0de1245947225a1b3d65a383a76e3a701ba65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkwc.exe
Filesize
826KB

MD5
b5bde797fc2f11832d72b1b7677485eb

SHA1
29b0f697d5818ffb13db3769d97ef9704f4a2f6a

SHA256
90e304ede9a2b3e38b609b97e2abe9d05893669994f15b30008fab83d5004afd

SHA512
e4ed7fc8a7cef5942169dac1ea1e76b850e499c82c95e0095526aeb449a9ef912f9ea6ffbdcc88c899f808906e446cea6dfd76d012a38364dc7617820e0326de

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsIu.exe
Filesize
195KB

MD5
f4d1dfff632f98a2f937f30859c52a05

SHA1
33dbfa3424027245fcb3bb46345560e6cf50289f

SHA256
d30ab015d962d6c122efc6cdbf788fbcc467eb29f34517fb254d0b3543ba41f0

SHA512
a87185394d7f0413e9915e0b0364314c5fa60fc562b87e49e49a01a2f10f696a238fa3c63848fc7e99cee752f6a1d7680711b424ae766e34769d0a8b069d1ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMM.exe
Filesize
809KB

MD5
db966b5866dcf437a2f8bb461687d3d7

SHA1
3ce9efa82a53a265ff6e3f3ec62044dc55d539ed

SHA256
8e51c984a32af8659453917a32187fd9f055be7e655b83247fdec60a85a4ee34

SHA512
02ca9c3f225416f91ef9dade0120858a6902e6899ececc3387719cfd320ce6cc9bffbbbec6ff2d8d843744aa1409f81d5c4cb3804307e8d8f8def825d877faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYkw.exe
Filesize
789KB

MD5
b5fcccdc92952eda81df8fb89dca12ec

SHA1
ee23b87635a23693de76613d79b432192932f1b3

SHA256
6887d95894dcbd65616d80ae370f339976b3f9027797d99eddb1337a6ce313c1

SHA512
a2c9615957052ed440a8d92c00c1d1f6e811baf676ba515fef05b418e92e80513ee1aebd8f27b59df23d85472732979faee98f42b947b2ff24f0674339d39740

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggm.exe
Filesize
776KB

MD5
640d4f6fc2280ece650fe992501b5145

SHA1
9567d1d7bdfcfa4389b735ebf7a7a8a459b32360

SHA256
ac7640a05f43ecb5ade0ffc6e078474b2086e5053bc9bf5163bd112802198e23

SHA512
8803b11acf02a5571d16d0469f6bd63bfc8f86d6908aff8466a8986ed5e4b6f8b8c470ba35132f858d39f4c0991c94687d2227e36bd12ca0baec1715bc777359

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswG.exe
Filesize
209KB

MD5
02d704a81444c7f49d5e7e451351fccc

SHA1
997697d99e1cfd876549c425d64bfde5387d5927

SHA256
87c3c60edc1e06267be582f626efec017690ae78e4c8e2048f9af952aa60932c

SHA512
e5f55bea7db514a5164ef95c25ac630f7b055c56eedd0618f38decf622a07c3403167933c153c26dabaf30dbc6a0f423e3473f3d480004b2716a30d4f2ac6f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywkk.exe
Filesize
199KB

MD5
c0b22216ff4cd9470b6ae2461d9c071d

SHA1
7680c6977b2438bd8d0862ee304c529a1950ef87

SHA256
0e09a6575636b2bdc9a101b41d8e538ae8c745dde0e1e2e69279e122f60c410f

SHA512
0bc738d2ea9bc963b1b0d6b10f6d69cf60300e25a41ba82114eb8bac9fa8b723bd49ff8b0957caf4f6fbe8c06985d247f1d2594b8b22663e82e4c8adda0b6255

Download Submit
C:\Users\Admin\AppData\Roaming\SetConvertFrom.zip.exe
Filesize
895KB

MD5
572b9bbdd5d4473962f323eb0a38b028

SHA1
9da1a01d5aee1e79567e10b3b1af3d452738e243

SHA256
95fb0b3efec82bdd8957073dde7c5d3da8b3a736965f4fb3646f120f8735bd39

SHA512
2625bc1e6f24da13fd45a1d15409b6fbaeffea22dcad31ee4d80fdd1ec806e7fd273682d8b5fb6328169a7edb08a31c8317e0eb432bdec2ae11f338ea1ac2a20

Download Submit
C:\Users\Admin\JeoIgsMk\SGoEAQcg.exe
Filesize
195KB

MD5
55e44c0c3e1bf40a8d7eba1765ac44f6

SHA1
4f4c61a7e5f9deb3fe83dabc1c0e9d65e497668d

SHA256
8f1398c75645ae8783f4fa6bd0a522c7c76a64ddc1b966f411fd276765a62e2f

SHA512
336b297479a84fe5dbd0ee47bc12cd1f3e28487fd1e1b2e32f6167b9023c13f49d055b6cb59c06b254228193a4a2349d3e873dc1553b5917519e116e937a69eb

Download Submit
C:\Users\Admin\Pictures\CompressStep.bmp.exe
Filesize
847KB

MD5
6213ea6a13773df7b0d6c04dfd02fb6a

SHA1
4db381311b5d0e5416952c0f62008714a5f234b2

SHA256
3190bee9992b88fe124a9b74250ae83d9c72c6086a0cd6d17b8b458634157950

SHA512
5003a4f7e3d8caa59c236cd2c2003706317f74e021ca9af110bb36c5006f556dfef40acd2df1dafc2da12f3379f179cc87a7178ee368a649631a040eb81e1f0d

Download Submit
memory/448-233-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/448-216-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/552-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/552-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/744-497-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/792-365-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/792-375-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/816-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/816-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/916-153-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/916-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/996-241-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/996-257-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1028-318-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1028-303-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1216-67-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1216-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1272-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1272-326-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1324-157-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1612-515-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1612-502-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-440-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-427-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2008-336-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2008-347-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2008-398-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2008-411-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-195-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2404-335-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2404-327-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2456-506-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2456-494-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2604-523-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2612-289-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2612-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-468-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2800-456-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3084-470-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3084-478-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3176-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3240-516-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3360-307-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3360-294-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3412-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3492-33-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-70-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3532-58-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3592-488-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3592-474-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3644-445-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3644-460-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3660-407-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3660-422-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3664-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3664-431-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3960-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3960-133-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3980-269-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3980-254-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3980-29-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3980-46-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4124-389-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4124-402-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-229-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4304-343-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4304-356-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4400-43-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4400-57-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4496-92-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4496-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4540-219-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4540-203-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-120-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-384-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4584-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4624-145-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4624-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-280-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4816-265-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4820-449-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4820-436-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4840-352-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4840-364-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4960-165-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4960-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5004-393-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5004-380-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5056-298-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5056-285-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download