Malware Analysis Report

2024-09-11 00:55

Sample ID 240616-zm678a1emr
Target 0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe
SHA256 1feb00369bf35e3cea4e82b1a6c055c97ba76a4b94785ed4117dc3f1751d529a
Tags
neshta persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

1feb00369bf35e3cea4e82b1a6c055c97ba76a4b94785ed4117dc3f1751d529a

Threat Level: Known bad

The file 0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Neshta family

Detect Neshta payload

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Modifies system executable filetype association

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:51

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:51

Reported

2024-06-16 20:53

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe
PID 856 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe C:\Windows\svchost.com
PID 2384 wrote to memory of 2764 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2764 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2712 wrote to memory of 2792 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2792 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2804 wrote to memory of 2556 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2556 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2328 wrote to memory of 2916 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2916 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2916 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2916 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2916 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2092 wrote to memory of 2232 N/A C:\Windows\svchost.com C:\Windows\svchost.com
PID 2092 wrote to memory of 2232 N/A C:\Windows\svchost.com C:\Windows\svchost.com
PID 2092 wrote to memory of 2232 N/A C:\Windows\svchost.com C:\Windows\svchost.com
PID 2092 wrote to memory of 2232 N/A C:\Windows\svchost.com C:\Windows\svchost.com
PID 2232 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2232 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2232 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2232 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2936 wrote to memory of 1268 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2936 wrote to memory of 1268 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2936 wrote to memory of 1268 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2936 wrote to memory of 1268 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1268 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1268 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1268 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1268 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2824 wrote to memory of 1448 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2824 wrote to memory of 1448 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2824 wrote to memory of 1448 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2824 wrote to memory of 1448 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1448 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1448 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1448 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1448 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com

Processes

C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1587490944-1046002439-59954063153267882-131064247819891989862267541830450107"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

C:\Windows\svchost.com

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

C:\Windows\directx.sys

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 20:51

Reported

2024-06-16 20:53

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe
PID 728 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe C:\Windows\svchost.com
PID 4904 wrote to memory of 1700 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1700 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 736 wrote to memory of 1144 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1144 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 2264 wrote to memory of 1512 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1512 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 4176 wrote to memory of 4188 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 4188 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 1504 wrote to memory of 972 N/A C:\Windows\svchost.com C:\Windows\svchost.com
PID 972 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 2304 wrote to memory of 3168 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 3168 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 3764 wrote to memory of 536 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 536 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 3164 wrote to memory of 1228 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 1228 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Windows\svchost.com
PID 4400 wrote to memory of 4660 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 3212 wrote to memory of 660 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 660 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE
PID 3024 wrote to memory of 740 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0705F6~1.EXE"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 79638dfb95d4959f4aa0c26d21575c16 6M1KFvLHS0G8FDwVRU6TNw.0.1.0.0.0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 6M1KFvLHS0G8FDwVRU6TNw.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\0705f6add07db52ebbb86e12aed54640_NeikiAnalytics.exe

MD5 0ca63c647b8e67d38cbf559b9898d048
SHA1 eef9e0a44ca4b083303c2e4504863f6504e4557a
SHA256 abc56d42f1dae372a621abfebac9d2e7218421f7beb8e645dedaf5263fefbdaf
SHA512 688f96b2f386cf690cbd539f5d04d752acf584ae9b7e5ceecd5fa3a44d88b31de8f97498a8cf96dc6f338815b0c5a26e48e849e763963483f8b961d50788c6bc

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\directx.sys

MD5 558acd87cc0fbdee52b4e6329989156a
SHA1 8d91dea94100f6cd0a478c442f7f485048d65f0a
SHA256 e709a0f07094b765f2e5a2da6eed054a9794ba456307b60e37da0b2321455722
SHA512 ddd68aad310deb46e5fc83c80ffd9e0badd328a4626707eb28ec76a8f89f4d69207a262e3f6a6381ff18c99ae7f7bf7a1f15cb1df463743a1a47798736b12355

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 e7a27a45efa530c657f58fda9f3b9f4a
SHA1 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256 d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA512 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 e316c67c785d3e39e90341b0bbaac705
SHA1 7ffd89492438a97ad848068cfdaab30c66afca35
SHA256 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA512 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

MD5 0511abca39ed6d36fff86a8b6f2266cd
SHA1 bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA256 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA512 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe

MD5 f6d23b507a70dc334edc1f7a83f23f35
SHA1 faad9c7cc838feca898f79a59ee3fc172b4c793b
SHA256 66c7ddec71930588f69aa9b2ea682a4b5e166ff4d12e3a053b6bc73b44f24992
SHA512 cce30fb7085c6b833532b5d64c6d2c9af9a5dd9b1b74832a2c526ea1944c360bbdb7e0d65de6f9db068a650c0abcd65490e33240618e8e8fd0da0348dd00022d

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\pwahelper.exe

MD5 845705026ff8f5de0faf8dbe21af17bd
SHA1 f206a88626d19d7c403ef89df86562d5f4f24ed4
SHA256 9e502b3fffdeacabc600f39cc176c3d31e19dfbb9036d30177e164d96ba5278f
SHA512 79bc46c1d00d373e9b6f33385330b62a7f1447300721ed356c0fc235ec3e5c79a55fb740591d54259828f2b804898e4fb078ffc3bffbbe3980d6c1224aa4d3be

C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\MSEDGE~2.EXE

MD5 fc3622c190003839a2dc11c8ee0606b5
SHA1 bcabad43d44ca4ef5b5e1724c5cba2f538fcd9b0
SHA256 c2da0bd463ffbfaa67f49830740207468164afd5e56fd7c75109de0fd82d6313
SHA512 091aa3050a28e91d2017d3146dc7bbc0989b470ac015550d82d6592e32c1125b7f4dd1d712f7912e3aeb90aac1f065fbad632f8ab4fb1e4caa599fe4bcd0c9a1

C:\PROGRA~2\MICROS~1\EdgeCore\124024~1.80\MSEDGE~1.EXE

MD5 8d02e12a6e12a15882584f2ce59c93cb
SHA1 d868bf3c491e5f8cd1c9dd0e11f962408053a655
SHA256 0eb172c21b63cce9fb42a2692a2b298c2e9800ff0d74994956d8bd82029ec897
SHA512 19155cdd269430f6f2c88a3e404f099548166a0f7c333148db38dbee964323b51e6b90715b2d2d16f786a1b59147f74160e308eb66bc737a9fd26a7b3485247a

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\notification_helper.exe

MD5 34544d091fb8dae9ac95a60a22afff2e
SHA1 440204b9318a7d3e8ab9d3972fe52d55a1861bc5
SHA256 5f71ecbff05e5db13aad9061527c0077d9c38a6c99453353f7bb18a9e922d85f
SHA512 eb5fc7f263bdee0d1b384f533763577eeb2b4fc5ae16c07d15dd50fbaf963189aace15fcf5d23ca2a33810b62a677af5c36cc2fb31135a579dd731f791d20225

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe

MD5 3c6af29363b09b1fe010b098eb483da8
SHA1 a3eb972dad6881268d5aec7db7a5b3112d0d5f82
SHA256 82ff701fb161ceff3a018b7a744a71c9e88b7009e32792499b742c2b0a88ec01
SHA512 6fbff42fca39c93a972e55b227f05a507ea494a4cd22a0e09c578c144bb9bc3eea9ab8402ffa1f1c7e10bd53c4384e68049aeb51d729629cc9f0624d0fd747fa

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe

MD5 f4c739b8d39e94691f85aca0f3007eed
SHA1 8f0ba5301a025835a024dcf9312fdddf8d49cba2
SHA256 95cfee63090a0368c1d5e49a7e6d3b0f219a6ff1fb4e835bbab9e7689d273d47
SHA512 ef35fb3857a8a192223bf5f49cd9f7a4007fbb5c34171a3f42900dad1db7b4d1b20804b2c1c296ad4950942d0a92c4d5ab8e495aeed0e350bc4f216cdfff8b4b

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe

MD5 452b247061b3cf1def0aceee27b4a522
SHA1 2ce1a0ce564e41095691184682518826db1d7e9c
SHA256 484ca6e9fbfea88a939ff7cc511ac52b40631554efaf35ffc210dd56f2b2d9fa
SHA512 d395a82ac1e4e4a926b91e8ee465a2f457f20e011822c08ad17282378382dfe980b13b979db9aadce201df41c27922f77ba4c18b81c336744cfcf955b42c1f21

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe

MD5 ac0d708bbcd017ea66c1e5342769247f
SHA1 80ac2eba3acd2c5cd46b5dd0d7d4e50bc1dcd832
SHA256 9bad891baaba2084cb551b981b9eec735f3a9482b51b4b3abbabf76dbc217cd2
SHA512 4bc2f1d9d86407776a725a97f80f8ffd88c5139977ee84bbefd7e01b37a4665f1ccf23bde4ac3f9bcaf8bb4159868577153bf93bb07abc4e7924b12019cb18a2

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8
