0d363d8455514c13834e4a7e97f457930cbdfc009106239d75cbbec130985fac

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
Size

196KB
MD5

19eaa32a799fa546a8d7c965635f0f20
SHA1

fe03b7024762a411ca4ad58646dcc2d9ec529d88
SHA256

0d363d8455514c13834e4a7e97f457930cbdfc009106239d75cbbec130985fac
SHA512

57e3738ab88bf12546d872d383e33a5af5e98eb46b0af31e21380b7dfa99003da58683b2fb2b430bb97457b6c5e43c52bb930304d3eb08f8181cc7cff3aba4cd
SSDEEP

3072:Q3OHRcho84LJYsDcXvm191q0rbFlvWlodPaBoMbM:Q3Oxz84LmsIg11rbzuvBoMbM

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TaUIUMEQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	TaUIUMEQ.exe

Executes dropped EXE 2 IoCs

Processes:

fUQMUwQc.exeTaUIUMEQ.exe

pid process

4836 fUQMUwQc.exe
3920 TaUIUMEQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4836	fUQMUwQc.exe
3920	TaUIUMEQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exeTaUIUMEQ.exefUQMUwQc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fUQMUwQc.exe = "C:\\Users\\Admin\\jGwQUkMY\\fUQMUwQc.exe"	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUIUMEQ.exe = "C:\\ProgramData\\mAsQoYIg\\TaUIUMEQ.exe"	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUIUMEQ.exe = "C:\\ProgramData\\mAsQoYIg\\TaUIUMEQ.exe"	TaUIUMEQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fUQMUwQc.exe = "C:\\Users\\Admin\\jGwQUkMY\\fUQMUwQc.exe"	fUQMUwQc.exe

Drops file in System32 directory 2 IoCs

Processes:

TaUIUMEQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	TaUIUMEQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	TaUIUMEQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1196	reg.exe
4828	reg.exe
2540	reg.exe
2536	reg.exe
3092
712	reg.exe
3028	reg.exe
2304
1992	reg.exe
1120	reg.exe
2540	reg.exe
1080
1260	reg.exe
624	reg.exe
5040
5048	reg.exe
2040	reg.exe
2460
872	reg.exe
2960	reg.exe
1260	reg.exe
2328	reg.exe
5016	reg.exe
2032	reg.exe
2816	reg.exe
3840	reg.exe
3840	reg.exe
444	reg.exe
60	reg.exe
1168	reg.exe
4864
3856	reg.exe
3316	reg.exe
3932	reg.exe
4824	reg.exe
212	reg.exe
3252
5100	reg.exe
1004	reg.exe
3568	reg.exe
3776	reg.exe
3156	reg.exe
4396	reg.exe
3616	reg.exe
3864	reg.exe
4804	reg.exe
1260	reg.exe
4440	reg.exe
2068	reg.exe
3440	reg.exe
1496	reg.exe
2460
1152	reg.exe
4336	reg.exe
3624	reg.exe
1652	reg.exe
4484	reg.exe
2380	reg.exe
5040	reg.exe
2380	reg.exe
4408
4348	reg.exe
2436	reg.exe
620	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe

pid	process
2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3948	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3948	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3948	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3948	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3444	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3444	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3444	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3444	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1460	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1460	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1460	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1460	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4196	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4196	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4196	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4196	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1068	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1068	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1068	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1068	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4548	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4548	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4548	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4548	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4456	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4456	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4456	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4456	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4392	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4392	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4392	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4392	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1388	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1388	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1388	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
1388	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3984	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3984	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3984	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3984	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3680	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3680	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3680	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3680	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4328	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4328	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4328	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
4328	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3528	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3528	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3528	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
3528	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TaUIUMEQ.exe

pid process

3920 TaUIUMEQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TaUIUMEQ.exe

pid	process
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe
3920	TaUIUMEQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.execmd.execmd.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.execmd.execmd.exe19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 4836	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	fUQMUwQc.exe
PID 2168 wrote to memory of 4836	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	fUQMUwQc.exe
PID 2168 wrote to memory of 4836	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	fUQMUwQc.exe
PID 2168 wrote to memory of 3920	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	TaUIUMEQ.exe
PID 2168 wrote to memory of 3920	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	TaUIUMEQ.exe
PID 2168 wrote to memory of 3920	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	TaUIUMEQ.exe
PID 2168 wrote to memory of 3904	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2168 wrote to memory of 3904	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2168 wrote to memory of 3904	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3904 wrote to memory of 3772	3904	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 3904 wrote to memory of 3772	3904	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 3904 wrote to memory of 3772	3904	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 2168 wrote to memory of 2924	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 2924	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 2924	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3436	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3436	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3436	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3776	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3776	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 3776	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 2168 wrote to memory of 2912	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2168 wrote to memory of 2912	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2168 wrote to memory of 2912	2168	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2912 wrote to memory of 1896	2912	cmd.exe	cscript.exe
PID 2912 wrote to memory of 1896	2912	cmd.exe	cscript.exe
PID 2912 wrote to memory of 1896	2912	cmd.exe	cscript.exe
PID 3772 wrote to memory of 3152	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3772 wrote to memory of 3152	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3772 wrote to memory of 3152	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3152 wrote to memory of 4228	3152	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 3152 wrote to memory of 4228	3152	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 3152 wrote to memory of 4228	3152	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 3772 wrote to memory of 3856	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 3856	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 3856	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 2256	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 2256	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 2256	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 3632	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 3632	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 3632	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 3772 wrote to memory of 2960	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3772 wrote to memory of 2960	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 3772 wrote to memory of 2960	3772	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 2960 wrote to memory of 4752	2960	cmd.exe	cscript.exe
PID 2960 wrote to memory of 4752	2960	cmd.exe	cscript.exe
PID 2960 wrote to memory of 4752	2960	cmd.exe	cscript.exe
PID 4228 wrote to memory of 5112	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 4228 wrote to memory of 5112	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 4228 wrote to memory of 5112	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe
PID 5112 wrote to memory of 3948	5112	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 5112 wrote to memory of 3948	5112	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 5112 wrote to memory of 3948	5112	cmd.exe	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
PID 4228 wrote to memory of 1312	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 1312	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 1312	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 2032	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 2032	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 2032	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 1132	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 1132	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 1132	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	reg.exe
PID 4228 wrote to memory of 4224	4228	19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\jGwQUkMY\fUQMUwQc.exe
"C:\Users\Admin\jGwQUkMY\fUQMUwQc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4836

C:\ProgramData\mAsQoYIg\TaUIUMEQ.exe
"C:\ProgramData\mAsQoYIg\TaUIUMEQ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
8⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
10⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
12⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
14⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
16⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
18⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
20⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
22⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
24⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
26⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
28⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
30⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
32⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
33⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
34⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
35⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
36⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
37⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
38⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
39⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
40⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
41⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
42⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
43⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
44⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
45⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
46⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
47⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
48⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
49⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
50⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
51⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
52⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
53⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
54⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
55⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
56⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
57⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
58⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
59⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
60⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
61⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
62⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
63⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
64⤵
PID:2356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
65⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
66⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
67⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
68⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
69⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
70⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
71⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
72⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
73⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
74⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
75⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
76⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
77⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
78⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
79⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
80⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
81⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
82⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
83⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
84⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
85⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
86⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
87⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
88⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
89⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
90⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
91⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
92⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
93⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
94⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
95⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
96⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
97⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
98⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
99⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
100⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
101⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
102⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
103⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
104⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
105⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
106⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
107⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
108⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
109⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
110⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
111⤵
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
112⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
113⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
114⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
115⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
116⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
117⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
118⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
119⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
120⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
121⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
122⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
123⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
124⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
125⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
126⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
127⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
128⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
129⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
130⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
131⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
132⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
133⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
134⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
135⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
136⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
137⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
138⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
139⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
140⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
141⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
142⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
143⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
144⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
145⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
146⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
147⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
148⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
149⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
150⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
151⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
152⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
153⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
154⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
155⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
156⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
157⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
158⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
159⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
160⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
161⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
162⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
163⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
164⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
165⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
166⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
167⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
168⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
169⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
170⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
171⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
172⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
173⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
174⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
175⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
176⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
177⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
178⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
179⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
180⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
181⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
182⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
183⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
184⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
185⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
186⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
187⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
188⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
189⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
190⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
191⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
192⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
193⤵
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
194⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
195⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
196⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
197⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
198⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
199⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
200⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
201⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
202⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
203⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
204⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
205⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
206⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
207⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
208⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
209⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
210⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
211⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
212⤵
PID:4852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
213⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
214⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
215⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
216⤵
PID:940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
217⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
218⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
219⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
220⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
221⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
222⤵
PID:3568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
223⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
224⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
225⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
226⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
227⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
228⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
229⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
230⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
231⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
232⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
233⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
234⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
235⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
236⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
237⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
238⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
239⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
240⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
241⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
242⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
243⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
244⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
245⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
246⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
247⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
248⤵
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
249⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
250⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
251⤵
PID:940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
252⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
253⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
254⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
255⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
256⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
257⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
258⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
259⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
260⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
261⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
262⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
263⤵
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
264⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
265⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
266⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
267⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
268⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
269⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
270⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
271⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
272⤵
PID:2952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
273⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
274⤵
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
275⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
276⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
277⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
278⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
279⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
279⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics"
280⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
281⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
- Modifies visibility of file extensions in Explorer
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
278⤵
PID:2232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
279⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
278⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scscswQs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
278⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
279⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
- Modifies registry key
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
- UAC bypass
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgUgQsks.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
276⤵
PID:4336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
- Modifies visibility of file extensions in Explorer
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:5084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYEgYowc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
274⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcQMsUIo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
272⤵
PID:1472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
- UAC bypass
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcQMcgos.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
270⤵
PID:3736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
- Modifies registry key
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAsIYAAo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
268⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
- Modifies visibility of file extensions in Explorer
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
- UAC bypass
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuAIMIQk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
266⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqckIsME.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
264⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- UAC bypass
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COkUYoog.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
262⤵
PID:4580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:3524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEcIsEYo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
260⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
- Modifies visibility of file extensions in Explorer
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqQQEccc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
258⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
257⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikgockE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
256⤵
PID:5068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
- Modifies registry key
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKMgsgsA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
254⤵
PID:1836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:1780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceUMkggA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
252⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
- Modifies registry key
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKIQYcoI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
250⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies visibility of file extensions in Explorer
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- UAC bypass
- Modifies registry key
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgwUskUM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
248⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgcMkYcc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
246⤵
PID:4440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyQkswQk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
244⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMIMUsgM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
242⤵
PID:4708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAgEkMQs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
240⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwAkkcAU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
238⤵
PID:3564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAEgIwwo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
236⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqoYowkA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
234⤵
PID:5060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeQEAUww.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
232⤵
PID:2200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:3108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkccgkUU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
230⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies visibility of file extensions in Explorer
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCccooAk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
228⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUIkcQYs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
226⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2960

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGUEAcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
224⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
- Modifies registry key
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQQYAIQI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
222⤵
PID:444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiskUAsM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
220⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies visibility of file extensions in Explorer
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqQcEgQk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
218⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkkQEkYk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
216⤵
PID:2844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUYwkYw.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
214⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOIYEAUs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
212⤵
PID:4944

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoIgYcww.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
210⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscMYcgE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
208⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
- Modifies registry key
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oicgAksQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
206⤵
PID:1200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiosQEok.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
204⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkccAwMA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
202⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOkUwwMY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
200⤵
PID:3492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIsAkIwo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
198⤵
PID:2844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIwIAgIU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
196⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICcYYMoU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
194⤵
PID:3436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWkkgAwk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
192⤵
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGIMwAQM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
190⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwwQsUo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
188⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
- Modifies visibility of file extensions in Explorer
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VikIgIwU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
186⤵
PID:2432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgocsAYU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
184⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMYEIksc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
182⤵
PID:3924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOEckUAc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
180⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwskAAMY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
178⤵
PID:3988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCoQEocQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
176⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSocEUIw.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
174⤵
PID:2460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaAYcwsk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
172⤵
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOIYEEIU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
170⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEYQMQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
168⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAgoYsAw.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
166⤵
PID:4864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugoEUMck.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
164⤵
PID:4780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:4892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmoEkEck.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
162⤵
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- Modifies registry key
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIAQQYg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
160⤵
PID:4920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taossUAI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
158⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies registry key
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySQcUoAs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
156⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqooIQEE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
154⤵
PID:624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmEMEEUY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
152⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies visibility of file extensions in Explorer
PID:3040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icQYQcsg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
150⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwUMIwME.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
148⤵
PID:3048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies visibility of file extensions in Explorer
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgckQsQE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
146⤵
PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nosgQsgY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
144⤵
PID:2172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIAQkIk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
142⤵
PID:3380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWcYogkE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
140⤵
PID:4916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- Modifies registry key
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMscwAg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
138⤵
PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouIgQEQM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
136⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies registry key
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIMckwQs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
134⤵
PID:1196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUsUIAoM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
132⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOsoAkQE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
130⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmwMoQYw.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
128⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akcUoAgk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
126⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQgMYksg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
124⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeYAcAsU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
122⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYIssIc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
120⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaIUQMwM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
118⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tksAwUcU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
116⤵
PID:1152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqQMwAwU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
114⤵
PID:1260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
- Modifies registry key
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQooAMws.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
112⤵
PID:1488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYYcIUso.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
110⤵
PID:2396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYUscQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
108⤵
PID:1264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AooAAYoI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
106⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWwIgwII.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
104⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMIoQQME.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
102⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwEAAMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
100⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piMYkQgM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
98⤵
PID:748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMMsIcYY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
96⤵
PID:712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKAIIkks.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
94⤵
PID:5096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies registry key
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwgwMYU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
92⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqEkwQws.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
90⤵
PID:2436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmYAMEMk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
88⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYAAgsAI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
86⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKAkYQck.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
84⤵
PID:1004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OegEcckc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
82⤵
PID:4716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAAkAMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
80⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMkUAoIA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
78⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SckUYkAo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
76⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwgsQQIg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
74⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
- Modifies registry key
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUYEoAUk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
72⤵
PID:3840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUAMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
70⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usgksYgs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
68⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUUgwkUo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
66⤵
PID:4780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUAUcwAU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
64⤵
PID:116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoEUgAcE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
62⤵
PID:4976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:3492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyAAQUUs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
60⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgAAUIcM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
58⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSogosYY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
56⤵
PID:4172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuYkAsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
54⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:3840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyYkoAkY.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
52⤵
PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAwIwYUA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
50⤵
PID:1168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOAAQkgE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
48⤵
PID:1300

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaUYwkUM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
46⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCowwcco.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
44⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOkYcEsU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
42⤵
PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWMAIMks.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
40⤵
PID:3524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooMIkwAg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
38⤵
PID:3340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOQgAcgs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
36⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEMEkkcc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
34⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EssIAckI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
32⤵
PID:4792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:4476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pwsokwwo.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
30⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DesQAkUE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
28⤵
PID:3856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCUsQsQs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
26⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOgMIscQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
24⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSYogUUI.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
22⤵
PID:3152

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isgskYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
20⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asAUsUcg.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
18⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwMMMsMc.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
16⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:4336

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaoUsQoM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
14⤵
PID:1568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
- Modifies registry key
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUwwwQQs.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
12⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOgQMYEM.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
10⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCwwgcMA.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
8⤵
PID:2952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIIwIUEE.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
6⤵
PID:4224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygUoAQwU.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEUMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
312KB

MD5
d12d28d49c22936dc7c37c25db65347c

SHA1
5e781610ee387df4d6e6cb52fd98219dbb642122

SHA256
47138bb9069292bdb75cd25f9a99c145ce0e3aa05fbf178868b2a17df9cdec26

SHA512
4fc36ca011d8c9b351ed3c8027f8d02cf6712c93013f4914d4cd4b5772b459a4894d7a7e2d79445d4918be699258a2b6f30109fca407a3928f1474f5037bbe81

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
786KB

MD5
17009a20c652bf189c52621c2d469aa0

SHA1
cd8507a88155dc7c508169093f4a59ff63514b40

SHA256
f073af920ed1a73414da16a36199b556feadf8e38c5109128e331de2c01a2800

SHA512
7a191f6e4a3db1c1aaebe33eb94c095eaddb6a8dc1daeccb06ad6ab88df7bb599560d50a897b00aafeb12e54447a58291418b34823397724ac9fdecd52fcf8c0

Download Submit
C:\ProgramData\mAsQoYIg\TaUIUMEQ.exe
Filesize
179KB

MD5
f54d05ed04665fb59f8b68675178fc7f

SHA1
b8ef3cfaf077567c260863de98c1fbd5dbbc2b2b

SHA256
1de0d51813eca8aeebe7681634e0e994cfccd9465570fb4222e4993e5ab418a6

SHA512
45e4c9c782754ae8e40761ae45005098d95675fd3cf483e2a780dc82c164ddfc3260f56dba9168ef1127f28d91a553b4eeddf896fc644a79875b702ede4f1f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
Filesize
192KB

MD5
8155e0401a9db61b584cb8a1436455c1

SHA1
70c11521a5beeb0124c8b41aa4b4f08351df6395

SHA256
50578215e4333841ca26c604ecec01962877659a6bf544eb44984341ff149a1f

SHA512
607bc2e594f5a9cbf8dc81b2a2b9d2b6178807269eecbf9c2742d10d9c69a6515a1765b4b8c2b179e864f60acce610b7f8a97535d524b1764c4a5eb57e78b1ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
190KB

MD5
8ed2d81beb7d4006f2dcf2865ab1092a

SHA1
1e781b02202abda2dedba3c648b899751d836d6e

SHA256
8fbd035f9f5a1085b0fd97cc8d3015bd5cabfc3a99f332852069a531c6e37e93

SHA512
1d58183b4a5b9814bc65d705cfc42f68821f9c5eaae41e27c8a88ff14cb072e7aeb637b9162985529e0e3185afb347f138634313cc5d4316f6f0faa880ab3858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe
Filesize
198KB

MD5
1381d5adeb5191c59332e1a03e14bcca

SHA1
93abf276404aa67414fd33af95d7e6d5d68c4ca8

SHA256
8eeae85fe58a8e6afd28d35e61bc945a0f01e7742e5b5a2246775d1e8afb1a15

SHA512
0d6601eab25c8dcdb208d21ac2ff7d7b47b36afc95425a2cf5a20938d1fc82da20c3b95145730de36d43cd99a1e5cedbd46cbd335582961ad8de2ae7d66cfedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\19eaa32a799fa546a8d7c965635f0f20_NeikiAnalytics
Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQAM.exe
Filesize
210KB

MD5
2d3ee2b9554667aed3d44d82447af630

SHA1
dd59d1eb01dc64ca5db954847acae6c8069489b4

SHA256
2ff3eeede23be0983faafba69ca8b6a6eb8d4ee3554f7f1eabfb62c1c77d8ce6

SHA512
92bfd2e5493dd52c1464e0ac7725016e603be5c6821f0813a3d16ea001eb0451a432c84311ec1c2e72b67e7997283b57ea3cefb196696b65fbf509ecec193f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUEQ.exe
Filesize
578KB

MD5
36512fa3dfbe967294dec641ea7d1cd1

SHA1
bcabe0fd2e011047ce43e82b7b6bf6142b1e5ba8

SHA256
ee4ed3ebc00d9b3040e11a44997d92dc05d838770b66703283f713eab2aa2b03

SHA512
4fd7d667775b7d12cf9aaf10f974e996c84066a65b712bb817dd48c884ba733e75e2e12a0c9cd6a65e54269e650359b38e2c34e00738a58b810a7b8eb00ea304

Download Submit
C:\Users\Admin\AppData\Local\Temp\AksY.exe
Filesize
184KB

MD5
8165b5670a656010151adea1b594a64c

SHA1
a6ddb748708d7a0d8baa0d87ccb98ed0d4fc6e5d

SHA256
b2513b1cc35b919045e525dc5ef2d94ee67ee55c1f68a60959adebd0a394eff3

SHA512
4bdb8a4519f06c977b68628824d30aeaac623ce0a2339b992fa4980c8802571b61d4c5b25aadf47c3db2dde3d62fef6b76e74e5b6cc4cbfd3f1454523cf59f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYe.exe
Filesize
185KB

MD5
60a1af6fdba591d7f03c3aa514403207

SHA1
72b4fa246802f4f839dffd309f399a64c88b2ba2

SHA256
18aea3916fe6fab6d82332a7168056861f5b168ab45b0e14e45c460db2d6506d

SHA512
3e9b63740582e2ef173378f864d3590cf954cbe7ae08d0d29eaa6be2e58871af2ce865bde3135249918e0c4df69cafffeeee60e397da5825656716ab09ea761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQka.exe
Filesize
316KB

MD5
2e41d469f4754379b57b06c833abd71e

SHA1
56176da0d438a072c4c2ee4bb31f5f4cc0af4b7b

SHA256
e0970216250ec462f0e5aea2de30d942cef7c4e4d8783e3f32086aa58e19fab9

SHA512
d049cf41578b55e50be7e3cb7d7d0a66305b9bd27623e70732eb1f7653ae84e104c5c2d4a6a3e8a64457fe3dc7f6a7452752f9ef6fff220cc9dd9c850064a666

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgQs.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CggE.exe
Filesize
199KB

MD5
e4f4c60bcf85b585593a61ab8812f4c7

SHA1
5c2ffb638076abe71ea10a28cf0861451bcf3732

SHA256
683dc82449165b7c64000610fdd21ef730657124a700ebe46ee599262291a2b5

SHA512
05c5db69ec8d45e9e65f45d2da4c1d8d68b8e2dccd371cca228324f300aa80c11bb5627beee79db796337b2e081c87830e6632730cc532d7f3420d7442911259

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwsW.exe
Filesize
184KB

MD5
55f88611a92a0f00dd520c77c0ac52d7

SHA1
f19ed192d6be9b1907d97692d9f218a74884a636

SHA256
86579c5fa1929a7713856b1379bbead73de6899fb52712bb5ffd1d579de40ebe

SHA512
385982efc97cb767035bd33d398482e1e3a6aa6b77980d7abbebe99348faa22c859e876d3aaf363cced4800c05692920ff0b595c0ac2f9f2d325f043a96c7708

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMgS.exe
Filesize
210KB

MD5
138c28231cb0d4308615473245edea29

SHA1
ad44e1c6d74dc95a81ece57e1fa8e1d88c3ed6a0

SHA256
5907dbf89f0d2c40b10890a5a8db282deac341b346eee802bfee9df2f38ae7e3

SHA512
a9b121fa00a4f1557fa754d7a8997440213fdacfd04dfc67a9f2f689ef2748e8eca75d87b8565f2c075e147ace8df5fc3b9c7c49be49bed072bb36c60f1e6715

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkIK.ico
Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EocQ.exe
Filesize
187KB

MD5
50d6877d76d4a887dbf97e5870f82bae

SHA1
ade4ef003f3808bac1785ed748e274feafcb2a0c

SHA256
876f88803a02febfe8741f03c4810bc88aad077b09920e2fa7da6281ad216716

SHA512
a93452e6288c7f586b7a5b06d12ce0c8522cd79f3de6cca44b980f273d265db2d8ba27abdef670b20c85bfa01ca38c152a12a2b99038409c129fb134730e5fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsAk.exe
Filesize
200KB

MD5
6bdc1e99dc7c2a302226b5cec6bc91c6

SHA1
f3c7725731e0eb6742e3961c49b7fc43914f3895

SHA256
01df964a931e6521f5f12621be523d30f31482ba4cc13e964adc0c4aef681d82

SHA512
0361f14491520208d4ccf375278d3e113746c18cdebff58023cd66aa365d64337b4183a39781a68c9bb606234ab56fcf43db2850a8aeec5a20ce0fc62c3a8fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMYy.exe
Filesize
208KB

MD5
96bd3d6eaa6308563c0e1e457118aab8

SHA1
1f84e5fe2fcd2dae5a2de236ea4ac1a7000eb92f

SHA256
6c282443e719ce986f739a1bc58c5769fc16e2e3f4fa227bcda1484f82724ed4

SHA512
5b67ba41fd09e58a413adeecd3827c332bf314c37b7dc4d91a4cc26b0098a8a94bf60de6d9181a478546dd9ef04e6dee03bba34483f142b6bf0736e52111bb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYYA.exe
Filesize
254KB

MD5
0015506967b7ef63bce09a1b3fea1d3e

SHA1
a2266d67940f09f23bd91e9a5692f959c1c32a32

SHA256
58827dc9d71c8d787346c77eb6975156f02c907fe370350d4f7af2ac9ba0d825

SHA512
0d05bbfcf6b4c7e373b5f207f711651d6e84aee996f388cde399a29fefe4fcaa25127b7a6addb398e0e7869f21b585bca2d4406f9d3788020b54e758f088cd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYwK.exe
Filesize
186KB

MD5
d62889792bb12f0ef37679ffc0e64095

SHA1
a75ce1fe482cda14b50a72e6f6d06a8bbe981b73

SHA256
574821d7183f2529d6a18ae00f3a85cc0b6f48f8349c950217c731f9dcb10585

SHA512
0a75fe01c765bf91f406e541bd7c30d17ec45337deab4710aa59904c471e30e9e6d65b613e4f9fbd52ee31fc735f6cf4d79e90c5fc3f4a86c6da80d00f675b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAYu.exe
Filesize
199KB

MD5
e4fcef29a0f761c7ab084203c49ca26e

SHA1
daa54a5d00d841ce39770c304806698eaa672886

SHA256
e43a94ccf70e8c5c42961e714ba7a8bce6ea24ea46545d6cac863299a10fabd5

SHA512
58311e42cab75541193c64b507ffc80e8b3e1049b7dca08d50f36d56a89f0e6482abbb56cf0e52a549ed7c8e366be78d0af6641926b9630b9c7ac9a444e57c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISEUMkEk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUoo.exe
Filesize
319KB

MD5
b610cc2dd8addb8ff0461a1f9ec5f980

SHA1
757632522c69167b15c98949f9ea65e43d98ee6e

SHA256
e997ccdcad0624e83f0aeb633fbb8171075b3ff722002bd1fa9267a66892e330

SHA512
e0efe4e4927f2f67f433bee09620ab13b3bb2dc8b92086682d7fa1be76bef7cb750d80b631b9d2386edf020f5b7f721de2521f9137aede5c8e13e40877162efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iscq.exe
Filesize
200KB

MD5
3b3fadc72baf1487193ec57990836049

SHA1
a99042b0e0154aed8a9c210742f771eab04ba938

SHA256
74d627f1648ac11eae2e50d1ac9f1f655e3ad5cba1069fb206f657915a19d79c

SHA512
f2cfa87f5f9da1fb7c538d07ee9b84620089846db09ff5fa9fc7ae2ddb47ae8a657b3e98c869bf5d2efc60c98b93a5eef2c0692b05a21efa05047a9d8e816e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgMG.exe
Filesize
192KB

MD5
28d7536167bf6b27106aa0f23d6566ff

SHA1
4aa7783ff07d4ac0dda11d0478790c829fb2ac66

SHA256
812a25461d90f18dad9103f3575c4a427d1d07a317cd9963705b47c8e08facfe

SHA512
73dc200c7d3c082eecf82c34320eff585e2e7e2feb2a7c15c69ff888f7171aa7c68f4490e945ba8827e015beeb8aa0b69d38a24095e134fc17b556d5acc7a002

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQO.exe
Filesize
238KB

MD5
8ef47d7717c52219b5e7318e57ac9285

SHA1
57aeb3bd2457027ff26b4bf840ed3d75629fde4d

SHA256
6b46d1dbe71f6c92bc799ae5e3303bed2f392619fd0d2a60318ca9511ad9e513

SHA512
90233b1609be1b6395f0c2383969116d8f29f0506a30dc5a748dba92c339156bbece892f2271cd0282ff02dcb6a20a99beb24d0008adfb14b9ad08c756cd7227

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgQ.exe
Filesize
189KB

MD5
ea85fee918c966a6d91061e8ca2d83b6

SHA1
faed402ca33caa4ff1e1aa1e81317dcdf2cd81e5

SHA256
9c62fe03f9181f5c649f36ffd606ec656fb723b50f1a2696680a8e4c9a54a5a7

SHA512
fa31ae1667ef22e3d1280ed882749ac58cf6e1f8dfd0c9ec908b12154e05e4aaa6d199b7644f28d41fdf5d0046f2ef6925b39a60f52e936f6e3c4ae738f17bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkW.exe
Filesize
790KB

MD5
1b7a3339543bfab1a32a7d54e40d49d8

SHA1
0cf86adbf7b62e1dca2bbd55d808d1d314ff173b

SHA256
130c8a4deb50144a75024762ebead6619e46383218e68a442f3fb001dbbc924a

SHA512
89885c7d07fe9a61a81695329b5e974b9fc2a5860c8afab1816c339d325dbf6563b4785ca7fef00990babc25197270397c590ad35bc4ea84f9462e8f12aa64a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYge.exe
Filesize
196KB

MD5
4622604efaab12a28e03f61f72c52fc6

SHA1
e19064ebdd81b18c905de4df200635ab943d90ce

SHA256
470986b5cf7381c6336cc2f50134c45e4bef920fe0b46bfae0fb574e513e63aa

SHA512
fa7027a56fe02a052e3acd7a3d37cfb36f03f382aa36f9e2f5c1b97fd4db3f0320bc22cc6d4e2c207447205f03044ae253af01e50c1ec07e9838c18ecc72e62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMS.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mwso.exe
Filesize
197KB

MD5
b12793e3cca9b06a7b1fad4ecf2818f8

SHA1
ce8429c8c0bb0ab7649dc7a1944729a339b0a17e

SHA256
e536a9b3a937517efd143d255d9c96f9b536ce6650b295a9b317613b91376cf8

SHA512
4765c3cbf2cf5767e687b94623100c46176c1657b80a4ebda39f10887b15d99049c6b62cd81df9f383435d63869735045d61c3b3beb1d5cca4cc95a97438da9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUs.exe
Filesize
183KB

MD5
dfb1980a46044249ccceeb48096536fc

SHA1
5acc8dc770d934ed5520f16f81eed5d97f7029de

SHA256
0d4810d76da8fc010a856c83344900dfab42b753c8688270a706e21e2596b91d

SHA512
cd3282634ea4eccbfd4f58320a9dc1f60de045f34d7b0f7caed36d06a777fe4c9a6745b89e2ade5238c6d0c04d98739bee7e2f2d71193c3a6648fb6f8d7bc8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIoS.exe
Filesize
191KB

MD5
ad2213fb432a48b4d83c665d6102fc97

SHA1
83e23a64215f1d61d4eedb1d006b0b2a6a269511

SHA256
fb727f32717587956cf7a6f37336dce8ac5072918bcf0813493b65fbf1373899

SHA512
8a1b0146e0627ae241daff19e447e07c85a7d560fe9269f0d0bf7eab7d805b8c8b1880ac3c749e4396fa49288e8aec566f2de1b216b912ea082ac07b0abffc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okow.exe
Filesize
194KB

MD5
767bcb92b88ce6995df65d9a1c8447eb

SHA1
214409a81617a2d2f20dcaa1990e6eec5a93ec4a

SHA256
b15842f96fccc2597645a1ca5507165c22dc7825cfe91b6dbbeb0bb289b07c88

SHA512
5a28265a6ed58233bc1b0bf4619e6e00917ea9a4f1c35ea4becf1dec1de56020aafe714d4a02ccf52aa0d3ccb4a8e5c1cca814f001172e437748efa9c41b5947

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsoK.exe
Filesize
184KB

MD5
4c68732854eb1fd7ffc9e08a150e0b63

SHA1
308b9616ee27639aab05534070228c065aeb2e24

SHA256
9bdb1247b2eab3e15856b51fab4f7fb4f00912dff3cce998e2ebe9250f1dcc8c

SHA512
d77abf0404fc3c5c7139cb7d5002cfb97233cfcc8da9f6b98a8674007b2ff461e45fe2f0987f00d16126c872c4d8e46a45280e9a273bc7613b13f6da1956a7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwoK.exe
Filesize
204KB

MD5
a1bf0e00570ad5a9bb964aa466d400f6

SHA1
92206c7ecd9d23ebedbe4df7bf100ed45d945a60

SHA256
a83b3519e67e03c4fabf90a03ce7b3fe67265416949b57ff2022e180392366af

SHA512
1de0703f94782191e22245e1dece8b197eda49fab084c0152201d862364623f67a29df3e503a4a1d4cd9acebb66b0ee0b0e7d4941f26c7ef5e49eecb0b0d7cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIMu.exe
Filesize
202KB

MD5
2e396a15fe4047e2aa716c5c18e224a9

SHA1
5f4f6ca7978d713d226f6d41f4a75a8337979577

SHA256
517965db46f0ed24e7682803abf44bf57e64ba7502c4937f205d520784485953

SHA512
7ee5029e55abe8dfb3e69c76dd909efe9ccdc34f81a40200be689e90628d3a4296ecf70b8d238001af2512f978da87877571fa4236900f2aeb25abdb8d9071df

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQQM.exe
Filesize
224KB

MD5
6deb11873c1ea2b641365ec034524fe2

SHA1
c6b771996330391109750b418e91071e89c0d808

SHA256
a078fc0d4ad860f8f06c4804ed28f3c3d3be4863943fff2db17f4f8c5975e813

SHA512
73305a4c460aaa8948d4f8798604a79d08d22f4aef73ae9bc535aad5268184d949ebaf14a7888f06ee426be3f3e0b4343a103c760d289af5d5e54d60584ce689

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoc.exe
Filesize
196KB

MD5
f2c06c9199f17219ae475311b827cddd

SHA1
e1594c3bb981100bee3f659f005ba6547b2d945d

SHA256
517a60cc2d5395ccf646d75f8965cb2d56b39175b19396e7bd2031b9f87aa01b

SHA512
5e4c347cf881daaa3dd07cfe1a57af2646a199a74fc90ae6fbe082e7b2147f29ea8d400b6815b54e3af347987f92c659b3f2e1f9de287e96933f9347e4c1fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsoC.exe
Filesize
619KB

MD5
6df2d3faf9290e93132fe235d1740578

SHA1
12b5a0cebefea55c24e9a0f91d8dbd0bf44a20ed

SHA256
82567a253323a32cb9f593473b17648902c19db48d002e4b3adc168aa4b8fef6

SHA512
e63914bb8955db5faabf40ae187aa9860e33c831863fe424b4a946a4acd66dc79edf99c644a2f7bba67ffd433f4e401d5c7791913be54f57c6498f2bb86979b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qssu.exe
Filesize
591KB

MD5
e7eda74ed578f566492bc36bf403495e

SHA1
5c179d3580f2f08f1ed3064366c93f80881a324b

SHA256
cfadb41a6b4df1fd59941b38ad4642092c394e5125f84281ce58894546ec5ff5

SHA512
0f7ab465f77c0ba8d696180a43c3da65d0efe937425ac9f467094e04be0600c4c358127b96d38318b66522dfb1e25c89e134da5b54b738ee96f6e24ca189dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skcs.exe
Filesize
826KB

MD5
be0563bc689595dc46a822814d49c383

SHA1
f3c2f20f9db477431bc4f178f00072b4f5967077

SHA256
2daf57fe8644da0ec1b9b66141d01e4a8bbecda894e7d79ed25a1d1202fdea99

SHA512
9d9195339e53b451b7fad107921792e802f0fb7dc650512fa72f45df281b925aad5a14bf4ae403f79ae1b575d9fb099845aef4da5d465fe3860be039dd994e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sowi.exe
Filesize
807KB

MD5
e77876a63ff35bb0a2660316434fe616

SHA1
91936464d3439aa8e5c3a5ad220974014a4dab9e

SHA256
48d937b480b48b5d8e19c459ad8aa694fd25b4645fdbc010fa613ed3a57a15ab

SHA512
cf7abeaeba80203a0ccf550e833a7713f5adb54b2aebba4f330a4591d1781eae142043b9893758c98e13fb936f9cb9aa042ab2fde4e00ea7cbf1722ea268dd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\SswI.exe
Filesize
194KB

MD5
43751e29bed0d11b6dee7183d13d07a7

SHA1
bca4c0bea815ae0e4005af4ce8e1985d98996196

SHA256
a0d657bc96274fd50490e536487614ab1a8db98c14cc0a85e4806b2413e3cf5a

SHA512
961bd98da095a26de8698120d9947fb9cdaf8f10ad23ff559bc1442e36bd0a7ec266030ed0893b7c95965c67203b4dbe865c33e6c82f26a739e855e721e8ef4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMI.exe
Filesize
822KB

MD5
68ef31607f62953d76e542d92552245f

SHA1
ab98ad5ba143ad26853df404dcc307933b006706

SHA256
13cb6dd3ad11774e4d743f1fac792f039f526238f65774b9fa4f30dedb2b3f9b

SHA512
0adb4a681ed66316ea095e908edcdb0f2ee5b4e933548602c2e1cc3c620fb3baabed2116c10b143730d9b2b5ad0e99e88f29927bec5e8e59b7a7afcdb51af1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ussq.exe
Filesize
736KB

MD5
9c7886dad94695f8e55dcd6b3b90a479

SHA1
917e0860210eaec48f19ff4e1574c3e8db73c88c

SHA256
5766347f0577ab43e0ed392623c101d54cc07e0f34077d2049456fd81d4dede8

SHA512
64f449f32e66076f2813ff653275ae3ee2b1edccfd1e28e6b83246595a93cb4ab4e9a13861cb650840db2171fb3afa12e7460e1504b3648831d856158e6b7663

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAIs.exe
Filesize
639KB

MD5
59dc835b67240c2ad5d08f74ba183216

SHA1
08a6ab065da0c6564f8d1b0131cc7c36b503c91f

SHA256
62eefac4b6bd8c631525fea07a42a727b41ce0e2228aade7e01d360931fcf57a

SHA512
2cbb04825c0a76304569749f02980d54b070d7f40c38843cefc2890a75b92938df49537662b39e6690987929459e7dcf944a99e7226f890fcf96452fc8a50870

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkgY.exe
Filesize
313KB

MD5
069266a8d8bbca650cd99169269278b2

SHA1
ebd8161d6d99561dce7b0ddf9c7de6658fe74994

SHA256
9709cdb2a227448416e1b00e41d4cf9c8e335cfc995bf0c0d6b531e9c4008731

SHA512
360dc4787bd3bf4f6c30e7da3d2e276c3210709d490bfbe380423a1a96dd77f4dbcda879f3a22d8d9f780ede033f3973b9eccfcc4006923bc9435eaaffc241bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkkQ.exe
Filesize
217KB

MD5
bc7f431547304dcd22694f80dd106cef

SHA1
98beefc8770a841cda42215f65cdbb4235a82c0f

SHA256
e0cebe39087be8a1d1c7b1c60843c5e122ada876b97d61ef865de19a020bdea7

SHA512
feaab53a85633c91b25f60c90d1ee8a9b3468cb4fca9529720aed63ecdff91f8276bd53f5b5979c1193356e88ba66addb38d4c8a4db39639e8737f9cc55c298e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkkU.exe
Filesize
1.8MB

MD5
f9aef9b4dfd588a57746e09d6b2d1a74

SHA1
cf7c421f06c671302f63da61bb217684c990a254

SHA256
f3289999270723496243c9b8471998b92e5b26ccf8152bd0bf377a15cdb6f02c

SHA512
127f55734e06478c02e9ac19e6f565351f72098ef0a8b70de7ce0b23fbd5457cb8dbec05f3b7220301e7f6206502665e458f579d914dd4edf69a8eb5a8e4dd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoUY.exe
Filesize
640KB

MD5
00f30acef1b1ec36479db42c80fc41be

SHA1
cd3d0fd9cf4775a485b9140401e13ab4a4a0f0b4

SHA256
055462d80e42b1be460aecd66c0cbcf3c376af7a4f492f9a069d2cac38141a2d

SHA512
2fc4f4c9d36795d12c9213c0cef216da7052c1a659481d29a7dce818d74f27e4d86002094c2ce772dfca5b91fa5be4fd31e962d301edabe2c30b5bc0be5fea7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEIe.exe
Filesize
434KB

MD5
42c5941bc0e59d71003870c0ec14bb13

SHA1
d04cdcec4a60d4636d7dfbe0592331da6e86dd89

SHA256
5a017e27b2ffaa3fcb6f996e9092b4fdf8c9ce2c705750f7a949b1e21e78a294

SHA512
2dafa07cdcd681976bcbd4ef78bea840fe068cb9f40ef80e9cf91be64f2af5e8faff6b44e2bc5e45e0c239c74901fc58a2ae59fa463faa13a847705986fb1bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycwq.exe
Filesize
1.1MB

MD5
11f50976cf98989bba103dc0d93071d7

SHA1
393f3f6bc2fdb0724dfc81e333899dc870c050ba

SHA256
3323f33b62bbb43b71e940a8df3d98d525ce72fd9d7dc99b3f1a31806d6c554f

SHA512
7c71097f564f4d738578aaa9790e7b6c744d849d28bb60c7e8b03432964387f4ae28a5634f8e25171cc5083e4f6676f647e64285d475364af6e1979bea9b1aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQAy.exe
Filesize
216KB

MD5
742d5234419fe8f022a6de489916cda5

SHA1
a8db62e0a710c296b00d64059bdb2d741ed311f5

SHA256
2be699aa6118c87a95f265db0103f069bcf9a75422b5321eec88e7356cea9a1e

SHA512
0549a3815587f52b71c399764042ad901cd483a757c130bc297f5140216456a815bbda70e4b6464230eb424851f86610c10b4522004879fbbae0337bf2b416e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIc.exe
Filesize
209KB

MD5
2875e6feb8f3973da12f003ec8784ab7

SHA1
471306fa6cda1b7c9ab639b7ed73634954a1cfa0

SHA256
dc66a1dd15aafce141401080f0709dbdae24c394399294d9a5922eb74055dc0a

SHA512
922f61053f75784f3512e49d08007cb6adc9f2dbe66e44a806cf5e7935ac71d921cf73c11db48aaffdf9ccc59f980721890a12f42e4d2af71b2e0cdbc4a45f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIE.exe
Filesize
652KB

MD5
07a074e000f7aaa03387a95fdf4c3ef3

SHA1
be028bcc752598b44014313a7ebaaef098fca085

SHA256
9d2382780dbe2f80e61061f2305b073ba83eb9749a71afa50185efc96f8e111a

SHA512
4768d1adfbd15388b35f75c8327dd3839839777a19613250a3e660e8a4b42bfae7ed389e098c9a3c402368cfcbba207243d0e9c97664fd7a2e4b99b2847593b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUkO.exe
Filesize
203KB

MD5
e62f972893012d9b626658c2777b7eab

SHA1
33c4c31175f3ed38c9a1af2cc9d9ed6d6b226e0b

SHA256
f66300c36512ec07d1f5dccca33a12ca9e1c33d92ee2a7d1baac81b9f5e88e29

SHA512
4f0b78c1d8996379c56c16b614c0f0539af68b61022c83f3cab5572bef06dba4f753799a80bb2f9c258632a4adb2c6e90298b0b6299fea4b22e1581d62379748

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQC.exe
Filesize
695KB

MD5
10cff93ee1b4377c799ff35eff3b3685

SHA1
10c3176f493356abac9ab0017e4e35bcc4a85af3

SHA256
a7a381a770140d064162f298fc5a69e5f7e237b77258736dc122874900226419

SHA512
fee44794f363a7e3c5c9c96116668d318648b83b529392ef3e65b25091dcffd026c5b207cc53deb34cdf9556764c55d3c7cee916ef34b327a36702b9dffe2cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acow.exe
Filesize
439KB

MD5
bbef94f3e35db4e5e5002fe3e4a92b53

SHA1
df3939edf9cd4c28315128346488f32a123c6324

SHA256
7842661adc0e0f01e1ab8cac55dd1ec2c61b9bbabd23f09946ae26542752ccd1

SHA512
0b11a9579c1e0aa5dd82a5d5f6b821fad3283367f01b97b77968fdf3b2e70f3f6f5120f2af7c7070ee3f85366839a687dc91e7d5760e63159d262eac3264e7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\askM.exe
Filesize
200KB

MD5
eb3e5f9868d167026e1925fc559faa61

SHA1
92f5de29d344be75e68986402e38e87cf08f464a

SHA256
482f7244c4bb31226f2b9ab8ffe8ccd787eaae470eaa4221839bb19a4f6b8cdc

SHA512
7e9b5c9fe9bf82b55b6a8a66bcb781c4ef22d6fa0e66601832870866bcc965a6396724d53a7c85e0e94bdebe9dc81ac7faf0aabe3c1d93a1660865e4d8145d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgY.exe
Filesize
212KB

MD5
78c66c913cb81ff99ebbae57df81e83c

SHA1
0c76a4988f2bce5b3ec722ad3c840f6b29f90824

SHA256
b9fee632698eb224564c7e1bf6ddc7505812b066bc6cab2349d5ed44001586c4

SHA512
2eb5f5e3713eaeae2aec6d5f61e8c4881512b0ac49d522b8326e20ec7d250708d9d91f00de1a953944effe53adc0745d14e711eb5ef14c5cc394dfdf49f80a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsW.exe
Filesize
208KB

MD5
3e6fbbcec6de9d4c8816fc0cc15b13ab

SHA1
d767e9abb97d05a984586a93765fc57b3f67454f

SHA256
2d3bf1bdd3d9acb5cb2e9dd6b5b2eeb17b6b13681b7c516a9e2f96cc0805c91b

SHA512
6bb3634751c18a7f504ddcdf75888b8dd8012046eef915164f2331d935c87323213802eb25fe061433b2307a3824665b8ac435fa1d6c8e3d28a4d52c45681019

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYgm.exe
Filesize
195KB

MD5
1bed5199144005e9bddea49c0730424d

SHA1
1b2579b3fa73ac69a93dd08fe12a4699a5d342bc

SHA256
071678e6051c799c87b96d1044a1445450992897420e06d089cb3eb97018b52d

SHA512
73b36532aae41e54bae8b3354e3428b0eed8bc1c99ddd94ed9693cccd6ed051fa3835d72cf15b691740ba8b38ab654bb1cb09ef4f51de1159c49da5171ec5170

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccIw.exe
Filesize
535KB

MD5
e512e87f4dbeb6c403c88a3632e3e6c8

SHA1
7cb19af4271fef566334a4b0ce5a0215bf6721db

SHA256
d46126f4385f30a9c77ed97e6e9943cb08d449c24b05559605738c2e13179a7b

SHA512
3701aedf57c0a2a7df66f4723de042696bc406e088207e64fd8cd62759aa5d37c2f42da8838807e0ababadc3e4e5939725472a30f688b78c7dbe910b3ad5eece

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgIA.exe
Filesize
202KB

MD5
c5b56785cc160d74ea4280e205b049a2

SHA1
43f9b24c8a743f8de78f05d8fd87f8d88be22dc2

SHA256
7c6c1fdcd17eeb01b8e938c2f076b4428ad29ced20709ad078d3648c23ed7bb8

SHA512
4a14343609307b02560868c40566fbeada87a8257ac458753906c99bbb0dd2ff3063d4b69acc7a8727eb1f91f3e02fda1f32f191aefbdec414dc438d558b711f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwoU.exe
Filesize
633KB

MD5
e6bc80327bf1e95a6b65b307c378cac0

SHA1
4d82ab7404ef8c21168616fd885a90994968cb16

SHA256
bff9ac7c8875faa888a6b336dd3dee0d053c1e8e5e93e010b8c408256f8284b6

SHA512
e5051a4bc31c44b2ae9d24709dda05b2da9e0f815904f5a32637d224255fece2ecc651cf7abdf139801a5beb7b8cbf4ec912aa566b1365bb1d3d766579f81983

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwq.exe
Filesize
191KB

MD5
0d13f96accd319e6d9e98e6eaf8f5c9d

SHA1
69bc596394cc9aaf56c9e19859cf26852950bc68

SHA256
036702a2125130e3b68fc3a508f7c9e919ae59d07029b7d45774ad0fffb3d25c

SHA512
14f2ef2c203c95c0e023ad655d47d4363f57f952d24138376f84308d017e6490a2bd564d23c568acadc0477a8a08c113f046d9674656b3f77b71c13c6388cc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIe.exe
Filesize
204KB

MD5
8a242c4b8390a47459302b843de5eecf

SHA1
960117435809c9047f99c53a864afb591e80163b

SHA256
28d3d5d2d2d8464a5f05347524304cebf63d3aed2045f014e4ca9281c05d0a34

SHA512
bbe7f38e09cf3e034d174a3436cfb072ecb66e3d28f6618bca79b18fc44ac044d40a610393601928e7b74f139ae6c8955898ce39b3edb4e3f4fb13be60781f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoYK.exe
Filesize
917KB

MD5
4f4333c33e0e28a6ec34566329218c21

SHA1
7e4fe14a25edebb11762ade631cef4fb633b20ab

SHA256
a058904b8cf675935eb526ae258c94b8a12ffc1533fec6cd618296da88e55bd5

SHA512
2829f7ee1e25b7ea7aaa0e476d88b43640de2fe3087a63f991870d0d0ed595ca847b40edf2156e326e1f61d0f4f65e092d9ab715599ed97a143b24c2aa984ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewUc.exe
Filesize
247KB

MD5
deaeaf75188f06775b463aee2de2e44b

SHA1
bb3f7504ec4125011d8cbdeab9c1235a5b407f6d

SHA256
5c3eb2caa40a8d4311f61978379a467d56325d77d54ac7097493395152e91eff

SHA512
b65ef687185112898a6ba7d3be5354fe2d0619b76e8cb4bf9c4f68b70babf6ab175d24c6890124b579def8f1c76a3f0152017d1c63d16f9f4d77bd5cc1ac25c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAQm.exe
Filesize
184KB

MD5
7a8fb17312b5b26ce444d23625b04c60

SHA1
ce63e409f8f7b51185e63bf3336958dca1bc4a2c

SHA256
f7565316782572e6da08a53287154403648a86ab1aae012e44e0866d0b9af75c

SHA512
02a4608d6084d6eb4017abde8b2456e2c5f59e3d19d0c99119d54c36da82c33528794f57d7f5d20ed47f16aaf2e790a198f7e9410c2864d41aa303f0894e3de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAwO.exe
Filesize
811KB

MD5
95d23287539d5ca8ff42d7f8d8821a88

SHA1
9c1c1c2adb85046c33221bf75b3c85b396edec43

SHA256
774ce3ff271180eede90d9c9280fa69c967db22f689919e7a730a87dd98b52c3

SHA512
df1785ff71a4f736fefee7ccd4efdc66b13ee7203dea89eca65d3a12cffa675aeea50282c94d6869b99ffbec2ea6585b94bad77a3fa1c63f5c357238cb44b7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMM.exe
Filesize
200KB

MD5
7504ac6e2b6186951acf9f331f10f759

SHA1
de8ef44d732ac9341c05b09d10867fe54753c58c

SHA256
c6e1478e67aee33ad61e596883bcc0eb184d72d5f43537806c48af30b4b18087

SHA512
667c44606669a41ef8fc9a775408c9a03e31c29808373a50b0dd659c6e711f46441bb837c2dba3c52bc42caaea4dd6bbb8b49f32e7cb3d95a5ffeede98d9d224

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEMe.exe
Filesize
203KB

MD5
d65aac41d6883f777f3ae3a3606f479a

SHA1
4888fd16aa63a9a54d24d7c9ad3bfc337147f0ad

SHA256
8952a3663081ffc07d8edeaa71c1a2329ba1432433ddaf2bebdf57aba384f4f9

SHA512
c6c134d33e232d2e20a96dcb5dc97d1f2301cb1c2cc8e04d3d64df3ce8e82214f58c7998f9b2d19f5a602a7bc8ea8f1b77d67ff8bf26751664975f6fd1ef7f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEsy.exe
Filesize
226KB

MD5
aa34f468b469024f43387bbd9b0725f0

SHA1
662515ba38c46a9d55a3d2420ae59f2c93220dd2

SHA256
6e43cffa6dbf451fb18bb89ad9a263229c3e909710cfb06f8676387ed61fe81a

SHA512
f3d5aec4b961c8ff4f8bca21e5f4453fa46a8be83317e3e66096c962fa9f50ab2524e1a1b3ffaadef92fdd9569430a120dca3f8f4f362b0e0cbfaa401774c479

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoO.exe
Filesize
194KB

MD5
0ed7d9c866a0432cbd345250cbe1da32

SHA1
c9591e069637421cd36398c56d138cc86e411fec

SHA256
a0cef88447d892fdad400cfab0c89f48b46f794801485285cf3c2d24516fe3bd

SHA512
f1f10a1514b6e6efd1960f46bc9a01e5339d319819f4c97d279b521b38f436bc225ebce56d1b613f0e4d99be04ad2abc458e29a3deca01d45716d4f6ff740de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUk.exe
Filesize
826KB

MD5
43bdac7236faacdd5d8d068cbbeeb9d5

SHA1
845b608b6c1782fe8347bc77e4a2f403ce53887c

SHA256
3f0fe3578a6d15fd1a9db9403789a162792c78d6fd6b7ac967b84b2711c56b5e

SHA512
612db2648a0150b1249ba02c8634cb59cf89fac067143af66b7c2cce8006bed8f23dc27212c42d79de7d26f82b1934496e703e74a0a896ebeeaffa088f5536ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUs.exe
Filesize
205KB

MD5
53b7ef5eeba3fce159389e1973765de6

SHA1
0d5df2a3b6c2edfe1915c100acdabd23b1194d26

SHA256
b8249570b2bc96e56d9639659747d57afcead45b84a6ae0d9d104fbe20cd414f

SHA512
c413513c292959987d508d065a6252ab2aabb747152b0a84f3f45622ab001679254bf036f7d64290d2616e038be4058d52f2f46a1c3663f60c664258a6316b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYok.exe
Filesize
206KB

MD5
0330c9b83c7b2214da0f1886a7ad4834

SHA1
7da6bebf3a1b679f26469235377bfc6df343ac06

SHA256
695f5473367b5fc5471f35e7284ee366a5372538ef177c30528a817664b9de38

SHA512
26d51bc78c3a5e968c0d3e2b0ff85370f6066abed200d926519cf343df05d0475cf38018f0280e89900556847ef7602f4d446b80b92f1bae6e681d2290ae766f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgMW.exe
Filesize
627KB

MD5
acd3dbc0a1d8776345c359f03d524d00

SHA1
0caf9626cbb8b54a3627d9ff3fc2f06fcab8b70f

SHA256
a14a13a43d34e6fb009f38bf893120c0cdfd5ec87d385aa3e5496599c9729834

SHA512
c205eaa5227ff83abc4d55ed0d4633fe933d6cbf366e8c63335ee114808cff4e34be779b6b4557947427975da040d2e1ed3bce5fc16cc1d0ac2f8b81cadc50bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\koYa.exe
Filesize
194KB

MD5
69257014079cd6347e57e8f5f4c5f532

SHA1
a6144242a0f4aadfabb9494915f5f4742a183661

SHA256
18452225a1608f0914d03b30b4a07742244faf5f9dd898d94f81c0858fd995cd

SHA512
fe42aee6f5dff8d94667a28678dcabcca75c3b2b01d6a5d1a88df59caeb89cb255143a7ed5b03b810de71bb986bf11433f62da4f38c3550a3949e738cfe91dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEwO.exe
Filesize
225KB

MD5
ba8799959b5a5ff17c05dcba32a806ff

SHA1
df1302ff33884e5353f88bfea4c262615dc682a2

SHA256
6bfb164fcc1b3e89de41e00440f5c3f96c2c031341caaef1bc8816bddbc9c4ff

SHA512
9259e5514783395e4fb7f08cf722628118db36308a9043440c19c0cf92985040daece265ac035edd4267cb272db7968867af8e79d03f2a21394dcf9f63a40188

Download Submit
C:\Users\Admin\AppData\Local\Temp\mskY.exe
Filesize
204KB

MD5
5edba6cd099e100d8b3775825381fb81

SHA1
b087244f185c7d7345980bc46b145eb093346079

SHA256
f1131eb9c34e97be79d225171c14c5b3c4b12e7f5bd77bdee694c021707a4d72

SHA512
33d95b49ee7a9eb93db21b51b54ccfd3685cf076d1be2599c9570e78706b009d6fd1ee2581463dc07efd07f46df23b4e9593425f853e2601a9690aba15fe18e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUC.exe
Filesize
770KB

MD5
d25cb4ec3402079b2fef3c749bf955de

SHA1
d3ac8a2ae446fbbfd04a6d24254e56aeb1a20a58

SHA256
2942bdf28019b98f54d4e9f7e9cfb2cb35547aa8af29a7158dd36a53fbcc7487

SHA512
53bad38d7f0400b5a6203814961f181b8658ffdc5cefb02f7b647195b0afbdc5f90d4a04da78fff6b5d696f7022b4acb7f555ba32a35fe3249dd57309f3bf54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMUi.exe
Filesize
189KB

MD5
08b183ce08986d7b46c0b822161b2768

SHA1
82772dd15451791e5ebb76b6b4c4ab4d04f17398

SHA256
2fadf73c2b645513d62b1fa5e50b707ef7602d85e23c20336f5bfcd247877e14

SHA512
8720926d9e4b5cb950156433da7b7827beda0bbe8eb9f771263e0b781d24452ff89b881ad22e556d1086b64fe88534666f13d4409186fa257ee7d2e7d6bfe937

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIs.exe
Filesize
798KB

MD5
c3cafdeab294639e8a70159053be11da

SHA1
623aad94d7da2a7917cb4423bde36003264c87b9

SHA256
983557e8f70351773f6ce8b455a9e81e6356fcf6b3110bbda0189a1b3f6b5284

SHA512
2e6055d144164a2c713b3e7a08b79615b66bbadab125fcfeebaa8e3ea7bf068fb97296075637bed5e2e1c47e29141abe82654386ed9c58a12ddff716bf176a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osEQ.exe
Filesize
194KB

MD5
820829053af7f09d4be34fc60aec3181

SHA1
c4ff2718a05bbdda26ae5089eafee5f9d78e8e99

SHA256
3fd5688546315be3dbe8ae16c73a44ae6b418d2ac8ce34bc8a280fcc9d2d2a79

SHA512
2e2e5d3d77eeebffa643418940def8b07aa9d73b337992a9315e5121fb01d1c1249787acd5535ad35e0e8c76a921c8d687e4d93cac3bfe3bf29cc708a9ba4907

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIQC.exe
Filesize
244KB

MD5
1af66c57f2d4a09fc337677f31371fd6

SHA1
75af2a9f8f4468ce4479d67d13b91167285993f8

SHA256
ceb47cfda9ff86316add4f71b94a06499ab16c2f8807d2c88f8d09744c52e497

SHA512
c76fd54def64b3f22d2454698ef523c2a28fd8083a7e489cf468c40dacdc5116edb6dfac03ed12f2999bf02b33aa2df6a8a83a06db567ff09ca80b5f84e6640f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUg.exe
Filesize
198KB

MD5
3367698723b9cf40a3f5f47486218331

SHA1
d2669730c8759e2384ceb1f6c433aac5ea06083c

SHA256
ad2203b7bcd5c48b960c68fb9c53065fc146e2a67051fb5f6068d6943b87057c

SHA512
cedc8ee86faa049852fadfde7229b11ea0db3479744478f97756aff5348acc326175b73578509bef568529b3e4134283a78aaac7b0ba3c3a14f61944a9ddcb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUw.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAEc.exe
Filesize
185KB

MD5
50b4af8b8f75543bfe80240697970be4

SHA1
bc7106ac775e61fadeb00131a08d1670366ef5e3

SHA256
caa840590d3501452eeabf50d5847331bfe5316d0344d261f89c1b7f75804f3a

SHA512
91b4bc4838b8ae899340ceb9f32add49891e4689c8d0c7ceae283a2de2643fea91c3d7d72b9dca3b005bc13da05a203f19cfd4dcd2a7ef09217c083f4647026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skoS.exe
Filesize
195KB

MD5
0544209edb10db91511f440de8c62274

SHA1
b4e23f983428236f967186432d6a0bdf27d264e0

SHA256
0af3b94b4825a9cc3982e2ad55d7579b3133f7c6f0b1106496564bef3d0e76bf

SHA512
28fa124cc9cd187c27b546d0782f6cd382b109d56c9314cc37fa791a6d3749215f3d26aabe6609affff9966c6a62bdeba365a16912771953eaf3e7c9270d4fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwC.exe
Filesize
5.9MB

MD5
9a734b456680d9d98a520e9263915ccf

SHA1
a57e37934ba1ca28e9b6e8c7cfb82b9f07496142

SHA256
7eda231d6b64984c97239ac5c706507c8ee55f111bbfea21e205c972057282f2

SHA512
247de7f5fea898bf9aa8c7c0ce6060b705f639f78d2623fb8cf467ec303af0282fe99821e515e3d7437e3d5542a16d2a117d51e73c3b338bf1d475140ca47c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEg.exe
Filesize
195KB

MD5
9d5458d3cbe982211ac32ed96d32af7e

SHA1
b6dbecf0c38ae22302428c2fadf8acc3d86d6f96

SHA256
6c966aaf1581a697fbc900fbe69b7514a518e7466d02a695a97bc5cd0fe23a79

SHA512
8903b8c3d3f9ae18f4d56fd725f3328d0239e79cae1eecddad64482bb81988bebfc8ff6b26cd8209459d07f1a450f08afce8040e175a13f9a1cd14b5b3f1e2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQEA.exe
Filesize
200KB

MD5
4d34cc772f0f46716aeb28ae9adf5cab

SHA1
d0cb865fb895365e2e19a02a3a3fb71741537d32

SHA256
d6f050ce4ecc7beeb22c482fe5d396487f154cdcde7df9a7bbcc1363be23515b

SHA512
80a425ef2b8152b3cade458c2ccdce7a26df20b59aefb6a6066176eae3b8bfc439456e4eab12544113c079793bf13f60efef4173c60885815d2263bc205f62b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucYa.exe
Filesize
185KB

MD5
a7ca4ee23a80279fcc571c53e3e68f21

SHA1
37720e43ee82e3aa39ee0680a7afab7870d0f878

SHA256
bf33e07600cfc47b91d7407a5a33d78a55f0e273d53848960b86dacf0dc19aae

SHA512
a8fac3efc62e93063e13b3c737dfba4c8cbb7cf5cdf7c5a15d5548d477b5b1642f7b95a84a2b50d653dbf6d01826343aac8eefccba790288ec4d52924b9ad823

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIco.exe
Filesize
183KB

MD5
53e09a415ff303946283da1f63b0cf70

SHA1
6be9d3bcf094137804d5273cb05d2bf95d2a62e8

SHA256
ddd6eb48e3c704dba81964490324e8a4f0a141df6e177be0894f76b5966a8a28

SHA512
1ee18366008c4bb63b675acb75f8ed11b76a9ae97703dbcfc45f3bcc43c7c13dcf651ce388ea0cfbbfd83d6811db5e3303c4e618995a219c41ff981bc6132717

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYw.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQgo.exe
Filesize
195KB

MD5
a388c98f3f2e955d17805ec89efaec47

SHA1
1860b68557baa379fe1727fc4066650577ccb2d2

SHA256
5558b4435808f5848012c437562262fbb2e80b3a6874ed4b5a7759e970416981

SHA512
4457064a9c2a20bbca20827a1d8d379b0925c22a642c60a1d39b8d6c1895219b9bc696bf14c132648f87256f4fefc15fca49dc1088b217bced5f5c14e3a019e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYoe.exe
Filesize
202KB

MD5
f012987b761b44d4492cd1ef31b4583d

SHA1
c4f37c0d66e7508fd8e435041b3380c6a603d9bb

SHA256
8fc072c7609bc229a42da4fe926cd200f5a794affea2a4450a0eb34d6aba878c

SHA512
d79bf0ca0739868492c54d998e81f63def9f17bee651ff10898ce956892ff9d93368f55ebf51b0eda251f65c05ff7d234f0cbdbc458bc3862dc5ba09f485e6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwQ.exe
Filesize
206KB

MD5
44d61037ecdc27e5289bd3bd47276914

SHA1
438854979de410b393559a2d0f2332121612be89

SHA256
d67f8f759a7d0526b8be5e89f16795c0aa05ada143041eda4ece21e5e4283ee7

SHA512
88bcd7777122578e3e4de176b2ee7d539d72a41212382f99a3fa8d98074c5ce32bbdf4b05ea74943538da9afbf6682bd1e0c158c16215929f6940d9f854a4f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgMs.exe
Filesize
632KB

MD5
6435b78a23673435de41b7ded2afbcc5

SHA1
9d250fc4870ee14e1e8793583e6bfac87de1269d

SHA256
7a252864a8a7fd7f0779060e296238cc8141767155b3d1ddfbd9d2a222af50ec

SHA512
77f91a59ba9819f38eeeeb488f772c841617dcb5ff907f439f9b5a822c1906b4970a6b470dacc0863f1aca68318676b96d3bdc754ee2b0d71e0b25b9c50bc9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wksM.exe
Filesize
199KB

MD5
2954a233045abc8f7d2194cfc52cddc5

SHA1
be42a98739a2faf17c0fc83ce66b4aa08a8f95c9

SHA256
761907d7e424b4e3378ea28e6742e4c401dcd6b9f13a4b449f33aa7aa5c0aee9

SHA512
864dd9e5ecd2d0b3624a0a5ff562c905e30340a5a022893169fb4e077cc78cb4bf2bed7d00225f3d53acbcc6ae00d1d9022c4fb601fc77d5bf7b025eb3c819cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsMC.exe
Filesize
196KB

MD5
7d4b5a5771243581d6510fd9be9c7b0d

SHA1
4da937d064739e58d096662998739f66b5d9f09b

SHA256
f2869ea80b9a4d559c2cd909be767b50920573053236ba59f45534f44a944c59

SHA512
5ebe4a8b86f74b0a3c6304bbdc13018f0fd225ed7836056467889ac65fa0f1b832ab4936cc89f39cb1e91e8b584e3235ea59d212371ad9879f0fdd2fe1e2acd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwsW.exe
Filesize
200KB

MD5
6c44eefc7de6423ce85558fc82a9d8e3

SHA1
6376980d21dad3fdbd1e1e94d010d330ef0746fd

SHA256
d898bd6f20a114d6fe779bd1e3bb52786b2ce1623dfd6d4cf7ab946011678100

SHA512
23e981943e43b02ae0b5cf233dd61139d93e81da12d7745348f6ad93c3cd1c7981e6107dfd395ba94b8666e7bdd2f7b5d226971bbac276c781c5b75edaaee6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEcY.exe
Filesize
534KB

MD5
e57c7d9ea09f5a1118861ae313b02969

SHA1
acb4d82b6eea83e0553b77a81d7a08c35546778e

SHA256
2f01c144ca214979c40e4053f0139fddd8577df0b3ed605721fbb02a00d64a3c

SHA512
59ab2a8c4b36dbf83f5a47aa41aa474deb36ec3a1607dcb283ed82c50f027130dde320066ec456094a99c9d6819fdaa3d5a0094fd1b23628a68855b9b46155fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMgY.exe
Filesize
229KB

MD5
f5369b56bb1fdc1dbac4d12d6200d4a6

SHA1
a89ed55bf6422c56fc30b4969905f715add817ed

SHA256
f3a754eeb5716959ed46c682fe9b4fdc051401bd37733e7174f2c311d9afa44f

SHA512
06d9f69a04de1a8a8156748df23fe41ea2781a9999786557592c7e6b0e907c60355bf4e12e8645c0fd1044605de6872f04b9a683f7a3b4b1cd92c65fcd1af626

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwy.exe
Filesize
530KB

MD5
9812ec399b55018afb0bfdaecf5ffd2b

SHA1
06d537bcd038659852f5e2e02b046982929e6b0c

SHA256
a3aabbde259454140ecf44e601da3bbea26caecfd03e499680f1bd92a43d43c8

SHA512
15fca56ed09054a1d1732deed0d983c7fab00da501322039eeb809e19adf2841105d841a5df607ead4c54cd95cc7bb0d0b7cc5f7ef343969a6423ba1d71a4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsI.exe
Filesize
5.9MB

MD5
17705b31e564524a8fce230831e95e15

SHA1
3f859f943b2494343a7ef3494c62e3350750a849

SHA256
48c675a7b90ad35b57b909701e547d25db489eec556354ba6dd9b831e5111770

SHA512
6678a82f7c05586d015790843cd6c2f9a74b263bb77b58866712b8037cd8589f4bf9d7edd53c03c050526d1f960c9de51ed4207c785fd21a9530dc20e3fcdbe1

Download Submit
C:\Users\Admin\Downloads\ResolveInvoke.wma.exe
Filesize
1.0MB

MD5
6bde93b3868b902a522c06594a0a12e8

SHA1
8dcd2f455040fba7a77ab64ae5fa6a1b9a76889d

SHA256
082b8cc53ca3922fadf5409de75639e940c27b0d3065b6ba7999f322e13a6107

SHA512
be78858b98b75b4b273cd54a6a6691e5f19358498075a88bd34fa54a040112cc83fc9109c94f3e045025ca31a42b4415eaa4c17f3d748c51c71b872007da1969

Download Submit
C:\Users\Admin\Music\SkipUse.doc.exe
Filesize
466KB

MD5
a2b23bed3d087520bcec87528b71eb2f

SHA1
e133617b1b80972cc13f709a318ea9a371de0843

SHA256
a8fc83d64f78eec4eaaeaef04137c3e7e619abfcfbc0accceafc650c1e8fe263

SHA512
81a8e668698d5051c8294ff02dff4398b5c12cc4c44767eaae8a127cc2fe0d61f1c0e8a08cf5b8cfd9ad694ee85b38170fb7c6a53ff5fdcd4a8ae5dd9150656b

Download Submit
C:\Users\Admin\jGwQUkMY\fUQMUwQc.exe
Filesize
182KB

MD5
59f277d698033364aa7883b8bc8ade8f

SHA1
0453e62a7e09c67670bcf86c01d5e1a3d0860c0d

SHA256
e294abf5140471e51708b20c01cb8b552706b5b4f8d077125e49ec2aad113970

SHA512
118892a1e29b9b86b3a8a811a072fdcef70e8544cf8e73c1bbb0b75cbfffd91bad52f20c09d808fbf195773853cdc7612f5b6f4aff9d385c5f57aece9e80ffe9

Download Submit
C:\Users\Admin\jGwQUkMY\fUQMUwQc.inf
Filesize
4B

MD5
fd051a7427e10186672e43891f6114cf

SHA1
a39fbbef37424b7c6ded17e1c066f0f8dd173aa1

SHA256
917e299d9ebc764c45a937bacd16f7423bff529570fd1a71755b3ad2b16593d6

SHA512
1778047562449b97514b6a1cab2927776ddfc4904765d1d6ff8920ca2d2b10928d902e163bb3e46e72019e5c1e9e70c36d989656b3f739d884b53d268eaaf005

Download Submit
memory/372-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3948-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download